MAG Insights

Announcements from the MAG & Featured Articles

What's Up in Washington (MAG Quarterly- Volume Two, Issue Four)


An Election, an Executive Order, and What that Means for Payments in 2015
By Liz Garner, Vice President, Merchant Advisory Group

December 4, 2014

Less than a month ago the Obama Administration released an Executive Order supporting Chip and PIN technology that directs the government to lead by example in securing transactions and sensitive data. The November 2014 mid-term elections resulted in a change of party control in the Senate, and Visa recently issued an Honor All Cards acceptance bulletin that will no doubt raise some eyebrows amongst antitrust regulators in DC. So how are all of these events going to impact business – particularly in the payments and security space?

Starting with the 2014 mid-term election, there are two critical areas to monitor in the short-term. First, with Republican takeover in the Senate, it becomes somewhat more difficult to protect the Durbin amendment from any changes. Senator Richard Shelby (R-AL) will likely be named Chairman of the Senate Banking Committee, which will heavily scrutinize the Dodd-Frank Wall Street Reform and Consumer Protection Act - the law that contains the Durbin amendment language. While it is unlikely that the new Senate leadership will want to take any type of vote on interchange-related legislation, Senator Durbin no longer being in the Majority leadership makes it slightly more difficult to protect the existing debit reforms. That said, we do not anticipate much movement in the Senate on any interchange-related legislation in the upcoming Congress.

The House of Representatives will remain under Republican control. The biggest shake-up in the payments space is the loss by House Energy & Commerce Subcommittee Chairman Lee Terry (R-NE). Mr. Terry was the majority party leader in trying to craft meaningful data security and data breach legislation in the Commerce Committee. It has yet to be determined who might step in to this leadership role, and what their ability will be to push through a meaningful data security bill next Congress.

 
Due to jurisdictional battles and piecemeal legislative approaches, there has been minimal legislative progress on data security. However, the President issued and signed an Executive Order in mid-October paving the way for more secure card technology deployment in the United States. The President’s Order (http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions) called for a few specific items:




  1. The transition of government executive departments and agencies to processing terminals and credit, debit, and other payment cards that employ enhanced security features, including chip-and-PIN technology.
  2. The consideration of “relevant voluntary consensus standards and specifications” when determining which enhanced security features to deploy.
  3. Requiring all new hardware purchased after January 1, 2015 be enabled to accept more secure technologies (i.e. Chip and PIN). This requirement notes that the enablement of the hardware and/or software programming can come later.
  4.  Requires the Department of the Treasury by January 1, 2015 to develop a plan for the replacement of existing Direct Express prepaid debit cards without enhanced security features to a product with more secure technology.
  5. Requires by mid-January 2015, that agencies will provide the President with a plan – in accordance with the 2011 National Strategy for Trusted Identities in Cyberspace – to move toward ensuring all agencies which make personal data accessible to citizens through digital applications require the use of multiple factors of authentication online.

So what does all that mean? For chip card acceptance, it means that Chip and PIN cards will be contracted by and issued on behalf of government entities, and that a plan to migrate existing government card portfolios to that technology must be in place by the beginning of next year. Having a guarantee that such cards will be coming to market – perhaps on faster timelines than some issuer portfolios – may be a reason for commercial businesses – especially those who accept government-issued cards - to assess their chip card acceptance capabilities and infrastructure enhancement timelines and strategies.

The government’s announcement is a direct acknowledgement that multi-factor authentication can help reduce fraud. The move to chip and PIN-enabled products by the government may also help drive the card issuing market toward faster adoption of both Chip AND PIN; however, some of the card brands still seem to be trending toward Chip cards without a second layer of enabled multi-factor authentication. The government’s decision to support Chip and PIN is in no way a representation that low-risk transactions (such as those at quick-service restaurants) should have to be accompanied by multi-factor authentication, especially in a commercial setting.

The government’s commitment to Chip and PIN will also help familiarize customers with the technology, and potentially lead to more seamless adoption and customer experience in a shorter timeframe than had the government not taken a stance on card technology.  Additionally, it will help build public perception and knowledge (probably at a slow pace) that PINs and Passwords are important security mechanisms.

Lastly, the Treasury Department migration of the Direct Express prepaid debit product will give government officials some first-hand experience with EMV routing capabilities on debit and whether or not the card brands have truly created an open and competitive EMV product with the advent of a common application for chip cards that allows debit networks to be on the card or device. 

One other very important item to note is the implicit endorsement by the Administration of “consensus standards.” Recognition that standards must be developed and maintained in a “consensus” process is a critical component of fostering an open, efficient, and competitive payments landscape in many facets of U.S. Commerce going forward. This acknowledgement has potential indirect ramifications for the development of closed security standards, such as the tokenization specifications being developed by EMVCo.

Finally, what does all this mean for card-not-present transactions? Especially since fraud has funneled to online, e-commerce channels in other countries that have deployed brick and mortar EMV solutions. The short answer is not much regarding payments - at least not directly. However, the Executive Order does call for government entities to provide a plan to authenticate online user identities through multi-factor authentication. While payments is not an explicit part of that plan at present, the language demonstrates an important recognition of verifying online customers are who they say they are, and have the credentials they claim to have. Payments could be the next logical building block to such platforms. Additionally, the acknowledgement that multi-factor authentication is an important feature to enable on financial products and devices (both in the online identity verification provisions, and recognition of the importance of PIN) could have huge benefits and implications for e-commerce and m-commerce channels, especially as the Administration looks at additional ways to reduce payment card and identity fraud in online environments.  EMV adoption in other countries, such as Canada and the EU happened in eras where e-commerce PIN wasn’t as developed and available as it is today so the U.S. has a tremendous opportunity to be a market-leader in the e-commerce EMV space  -- if multiple stakeholders are willing to make the investment to enable PIN and then support PIN acceptance online.  

The one cautionary note to the potential in the e-commerce and m-commerce channels is that it will be interesting to see where the U.S. ends up with EMV in the mobile commerce space.  The recent news bulletin by Visa is enough to give any antitrust authority in DC or elsewhere a pause, with the edict that “acquirers must ensure that their merchants currently accepting Visa contactless payments accept all forms of Visa NFC contactless form factors, including cards, mobile devices or any approved device containing a valid Visa account credential.” E-commerce and M-Commerce channels are certainly the next frontier in payments, and it will be interesting to see as we move in to 2015 what actions might be taken by government officials and regulators to help ensure a competitive landscape for products in those channels, and also what issues may come to light at the Administration’s Cybersecurity and Consumer Protection Summit convenes in late 2014 or early 2015.

White House Executive Order Fact Sheet available at: http://m.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security

MAG Statement on the White House Executive Order: http://www.merchantadvisorygroup.org/stay-informed/mag-insights/2014/10/17/merchant-advisory-group-supports-white-house-initiative-to-require-pin-technology-on-card-transactions