Chip-and-PIN is Coming…To the US Government

Davis Wright Tremaine LLP
Contact

Last Friday, in the wake of numerous data breaches, President Obama signed a new Executive Order that will change how federal agencies use payment cards and allow access to certain government portals. Those changes include the adoption of chip-and-PIN (also known as EMV) payment terminals and cards, and the implementation of multi-factor authentication on digital applications where consumers can access personal information.

The Executive Order requires the executive departments and agencies to deploy chip-and-PIN payment processing terminals at government offices “as soon as possible.” Legacy payment processing terminals do not have to be replaced immediately but all new terminals purchased after Jan. 1, 2015 must include the necessary hardware to support the enhanced security features. The Department of Treasury also has until the same deadline to develop a plan on how the agencies can install the associated software-components to support these security features.

More importantly, by Jan. 1, 2015, all Direct Express prepaid debit cards used to pay government benefits will include the embedded chip. The Office of Management and Budget is also charged with developing plans to replace the cards issued by other federal agencies with payment cards that include the enhanced security features. In a speech to the CFPB on the same day, Present Obama announced that the Administration would be holding a summit with industry leaders and consumer advocates to spur the adoption of chip-and-PIN by the private sector ahead of the October 2015 liability shifting deadline set by the major card brands.

The President also mandated that all executive agencies implement certain authentication systems that require two or more independent factors (i.e., something you know, something you have or something you are). The multi-factor authentication requirement applies to every digital application run by the agencies which allows individuals to access “personal data” (undefined by the Executive Order). The plan for adding multi-factor authentication must be developed within 90 days and implemented within another 15 months.

Finally, the Executive Order requires specific federal agencies to coordinate the reporting by federal law enforcement of compromised credentials to the private sector Internet Fraud Alert System and consolidating identity theft resources for consumers on an improved IdentityTheft.gov website.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP
Contact
more
less

Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.