After the major Target and Neiman Marcus security incidents, everyone is talking about data breaches – and rightfully so.
What can (and will) be done in response? Who is responsible for protecting your personal information?
The banks point to retailers. The retailers point to the banks. There was plenty of finger-pointing this past week during Congressional Committee hearings.
Meanwhile, the Obama administration is seeking a tougher cybersecurity law regarding the reporting of data breaches, including more prompt notification to customers after breaches.
So what’s new? Three things have become clearer in the past few weeks:
1) After the Target breach, the public is demanding more immediate action.
2) Retailers must get ready for credit cards with chips and PINs, or new EMV cards, within twenty months.
3) Yes, federal, state and local governments are impacted. Actions must be taken now by government technology leaders. I’ll explain why at the end of this blog.
Point one: Action now
The “cut the air with a knife” atmosphere at US Senate hearings with Target leadership and law enforcement officials this past week underlines the reality that the status quo in data protections is not sustainable.
Almost every major newspaper and local news station in America covered the hearings, and the focus quickly shifted over to action steps. For example, this CNET article led with the headline: Target works on security-heavy credit cards, after breach. Here is an excerpt:
“Target Chief Financial Officer John Mulligan wrote an opinion piece for The Hill on Monday saying that the company was speeding up its implementation of high-security credit cards.
The credit cards come embedded with a tiny microprocessor chip, which is said to beef up security and make it more difficult for cybercriminals to access user data. Target had already begun work on the cards before the hack, but it is now accelerating this $100 million program. Mulligan said that the technology should be ready for customers on Target's REDcards by early 2015, which is six months before the scheduled release.”
Point Two: What are chip and PIN (or EMV) credit cards anyway?
Most Americans are very familiar with using a four-digit PIN with their automated teller machine (ATM) cards at bank cash machines. The process is easy to use, but most ATM cards in the USA still use magnetic stripes.
However, in Europe, a more secure credit card standard called “EMV” was established in the 1990s and is widely used by European banks. The term EMV stands for “Europay, MasterCard and Visa,” who are the originators of the global standard. Some people use the term “smartcard” to describe this new standard.
When I lived in Europe, I was issued EMV cards from Barclays Bank as a standard practice. As Barclays describes on their website, “It’s a technology intended to offer more secure transactions by encrypting your account information on a chip embedded in the card."
I like this detailed description by Tomsguide.com of credit cards that use chip and PIN technology:
“Like magnetic-stripe credit cards, chip-and-PIN cards can be used in person at a point-of-sale (POS) terminal, online or over the telephone. To make an in-store purchase, chip-and-PIN cardholders insert their cards into a point-of-sale terminal and leave it in place throughout the entire transaction.
Once the card is read, cardholders enter a PIN number to authenticate the transaction. The main difference between this method of payment and the older, magnetic-stripe method is that users do not need to provide their signature to complete the transaction. As when making a debit-card purchase, a user's PIN serves as his or her 'digital signature.'
Chip-and-PIN cards can also be used online or over the phone. Depending on the card provider, virtual transactions will either require users to enter the three-digit security code on the back of their card or a secure password provided by their credit card company….”
EMV cards are also safer for consumers because they are not susceptible to "skimming" scams. With traditional credit cards, criminals can clone your credit cards by copying information from the magnetic stripe with rigged credit card readers. EMV cards cannot be cloned, as each embedded chip is uniquely encrypted for a specific card.
There is no doubt that EMV credit cards are a step in the right direction. The added security features will certainly reduce credit card fraud using POS devices. However, EMV still won't help solve fraud with online transactions that use credit cards.
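To make concrete why a copied magnetic stripe works but a copied chip does not, here is an added illustration that is not part of the original post and is not Target's, Visa's or any vendor's code. It is a deliberately simplified model: a stripe authorization can only compare static track data, while a chip authorization checks a cryptogram that the chip computes over the amount, its own transaction counter and a nonce the terminal picks fresh each time, using a card-unique key that never leaves the chip. HMAC-SHA256 stands in for EMV's real ARQC computation (the standard derives a session key and covers a specific list of data elements), the account number and expiry are constructed sample values, and the Issuer, ChipCard and ClonedChip classes are assumptions made for this example. Nothing in the model runs for a card-not-present purchase, which is the point made in the paragraph above: online, only the static PAN, expiry and security code are typed in, so the chip adds nothing there.

```python
import hashlib
import hmac
import secrets

# Constructed sample account data; not a real card.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "2512"


def _cryptogram(key, pan, amount, atc, unpredictable_number):
    # Stand-in for EMV's ARQC (assumption: the real standard uses a derived
    # session key over a defined set of data elements). The terminal's
    # unpredictable number makes every cryptogram single-use.
    msg = f"{pan}|{amount}|{atc}|{unpredictable_number.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Toy issuer host (hypothetical). For stripe cards it knows only PAN and
    expiry; for chip cards it also holds the card key and last counter seen."""

    def __init__(self):
        self.stripe_accounts = {}   # PAN -> expiry on file
        self.chip_keys = {}         # PAN -> 16-byte key shared only with the chip
        self.last_atc = {}          # PAN -> highest application transaction counter seen

    def enrol_stripe(self, pan, expiry):
        self.stripe_accounts[pan] = expiry

    def enrol_chip(self, pan):
        key = secrets.token_bytes(16)
        self.chip_keys[pan] = key
        self.last_atc[pan] = 0
        return key

    def authorize_stripe(self, track):
        # Static data only: a skimmed copy of the track is identical to the original.
        pan, expiry = track.split("=")
        return self.stripe_accounts.get(pan) == expiry

    def authorize_chip(self, pan, amount, atc, unpredictable_number, cryptogram):
        key = self.chip_keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter value already used (replay)
        expected = _cryptogram(key, pan, amount, atc, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram was not produced by the key for this transaction
        self.last_atc[pan] = atc
        return True


class ChipCard:
    """Genuine chip: holds the key and a counter that only goes up."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key   # never leaves the chip
        self.atc = 0

    def generate_cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        return self.atc, _cryptogram(self._key, self.pan, amount, self.atc, unpredictable_number)


class ClonedChip:
    """What can be assembled from sniffed terminal traffic: the PAN and one
    captured (atc, cryptogram) pair, but no key. It can bump the counter
    value it presents, yet it can only ever replay the captured cryptogram."""

    def __init__(self, pan, captured):
        self.pan = pan
        self._captured = captured

    def generate_cryptogram(self, amount, unpredictable_number):
        atc, cryptogram = self._captured
        return atc + 1, cryptogram


def chip_transaction(card, issuer, amount):
    unpredictable_number = secrets.token_bytes(4)   # fresh terminal nonce per transaction
    atc, cryptogram = card.generate_cryptogram(amount, unpredictable_number)
    accepted = issuer.authorize_chip(card.pan, amount, atc, unpredictable_number, cryptogram)
    return accepted, (atc, cryptogram)


def run_scenarios():
    issuer = Issuer()
    # Stripe: the skimmed copy is indistinguishable from the original.
    issuer.enrol_stripe(SAMPLE_PAN, SAMPLE_EXPIRY)
    genuine_track = f"{SAMPLE_PAN}={SAMPLE_EXPIRY}"
    skimmed_track = genuine_track
    # Chip: capture one genuine transaction, then try to reuse what was captured.
    card = ChipCard(SAMPLE_PAN, issuer.enrol_chip(SAMPLE_PAN))
    genuine_ok, captured = chip_transaction(card, issuer, 4999)
    clone_ok, _ = chip_transaction(ClonedChip(SAMPLE_PAN, captured), issuer, 4999)
    genuine_again_ok, _ = chip_transaction(card, issuer, 1250)
    return {
        "stripe_genuine": issuer.authorize_stripe(genuine_track),
        "stripe_skimmed": issuer.authorize_stripe(skimmed_track),
        "chip_genuine": genuine_ok,
        "chip_cloned_replay": clone_ok,
        "chip_genuine_second_use": genuine_again_ok,
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:26s} {'accepted' if accepted else 'rejected'}")
```

Running it shows both stripe authorizations accepted, the genuine chip accepted on each use, and the cloned chip rejected: even with a plausible counter value, the replayed cryptogram was computed over a nonce the terminal will never issue again, and without the key the clone cannot compute a new one. The two checks in authorize_chip (counter monotonic, cryptogram verified under the card key) are the defensive properties the post is pointing at when it says a chip "cannot be cloned."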
So when will we be seeing new EMV cards in the mail from US banks or our credit unions?
Answer: It depends, but probably in the next two years – possibly much sooner for some. The timeline has been accelerated by these recent incidents. (Check with your credit card provider to learn about their schedule for your situation.)
But on the point of sale (POS) device (merchant) side of things, the important date is October 1, 2015. This date is not set by law, but is being implemented by the credit card companies. Also, retailers will not be shut down if they don’t accept EMV cards by this date, but they will likely have more liability for breaches.
More details on the EMV schedules can be found on this BNGholdings.com website. Here’s their explanation on why October 2015 is so important:
“Visa INTENDS to shift liability for card present (POS) transactions from the card issuers to the merchant’s acquirer. Meaning, if the merchant does not switch to EMV/Chip enabled terminal/POS and had a fraudulent transaction/chargeback; the merchant’s acquirer is financially liable for the transaction and must refund the card holder.
Again, the important word to keep in mind here is INTENDS. Visa has not set this date in stone.
It is important to note as well, when this liability shift occurs in October of 2015, the acquirers will most likely pass this liability onto you, the merchants. This is the date by which you will want to be EMV ready in order to protect yourself against fraudulent card present transactions….”
Point three: Impact on government enterprises
Will retailers be ready with upgraded POS devices by October 1, 2015? No doubt some merchants will not. This paymentleader.com website provides a status on world-wide progress towards EMV card compliance.
One thing is for sure: federal, state and local government enterprises must move quickly on their upgrade plans for Point of Sale (POS) card reader technology. Don’t sit back and rely on a lack of current mandates or guidance that describes “optional upgrades.” The mandate is coming eventually, and/or the fraud liability shift will force government upgrades.
This move to EMV will impact Secretary of State (SoS) offices – also called the Motor Vehicle Administrations in many states. In addition, state and county parks and many other federal, state and local government agencies and services accept credit cards. Any government office with a POS device needs to take note of this hot trend.
Bottom line: if your government or business accepts credit cards using POS devices and doesn’t have plans to move to EMV standard compliance, you need to act now. Budgets and project plans need immediate attention.
Talk with your merchant banks about these recent developments. Another option is to consider this topic as a part of your overall Payment Card Industry (PCI) compliance program.
The rules for the credit card industry continue to evolve. No doubt, other changes are coming to add additional credit card security for online transactions.
Nevertheless, get ready for EMV cards – which are credit cards with chips and PINs.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.