The Washington PostDemocracy Dies in Darkness

Obama calls for greater credit card security in light of data breaches

President Obama on Friday directed the federal government to take the lead on improving the security of financial transactions in the United States and announced a greater effort to work with banks and credit card companies to strengthen identity theft protections.

"Last year, millions of Americans became victims of identity theft" Obama said in a speech at the Consumer Financial Protection Bureau. "These crimes don't just cost companies and consumers billions of dollars every year, they also threaten the economic security of middle-class Americans."

As part of the effort, known as the BuySecure Initiative, to improve the nation's financial security standards, Obama said he will sign an executive order will require, starting next year, that all payment cards and terminals issued by the federal government to use chip-and-pin technology -- widely acknowledged to be more secure than the magnetic strip used on all American credit cards.

The technology has been a standard outside the United States for years. Rather than having customers swipe their cards through readers, a store that uses chip-and-pin technology has consumers insert a card embedded with a security chip into the reader and enter a PIN code, similar to an ATM code.

Obama is also asking federal law enforcement to work more closely with the private sector to flag identity-theft rings and give the Federal Trade Commission more resources to improve its Web site, which offers resources and next steps for those affected by identity theft. Obama also called on Congress to pass a national data breach law to provide "one, clear national standard" rather than the patchwork of state laws that currently dictate how businesses should react to data breaches.

The president also called on the private sector to switch to the more secure credit card. In conjunction with the White House, Target, Wal-Mart, Home Depot and others pledged to adopt chip-and-pin technology by the end of 2015. Citi, in partnership with credit scoring company FICO, said it will join other credit card companies in including credit scores on customers' monthly statements. MasterCard agreed to supply its consumers with free identity theft monitoring and support.

Chris McWilton, president of North American markets for MasterCard, said that bankers and retailers have already been working to switch to the chip standard. For years, McWilton said, the costs associated with reissuing millions of cards and changing out the readers in stores across the country far outweighed the risks of data breaches.

But after this latest spate of breaches -- and seeing the trust consumers have lost in firms hit by cyberattacks, particularly Target -- those financial costs have become a "moot point," he said. Mastercard and other major credit firms have worked together in light of the breaches to push more banks and retaliers to issue and accept chipped cards. As of October 2015, new industry breach standards will shift liability costs onto any bank or retailer that has not invested in the new technology.

The industry measures do not address the issues of malware finding its way into the country's cash register systems or fraud in online purchases, which are a rising problem.

Including chips in cards will stop attacks that begin at physical cash registers, said Stephen Orfei, general manager of the PCI Security Standards Council, which sets the standards for protecting card information.  But, he said the technology is not a silver bullet.

"It doesn't protect us in the [online] environment," he said. "You need different layers designed to take on different attack vectors. My concern is that there's a mindset that we put this in and we're good to go."

To address some of those larger concerns, the White House also announced plans to hold a Cybersecurity and Consumer Protection summit, which will bring together security experts, industry leaders and consumer advocates to discuss how companies should deal with breaches, and the best options going forward.

Still, McWilton said, despite the White House initiative's limitations, the fact that the president has called attention to this problem can only help existing momentum.

"I think it's another reinforcement that this has become viral," he said. "When you have the president saying we have a problem and need to what we can, that can't hurt in moving things forward."