Sometimes government impacts markets by means of legislation and statute, and sometimes it takes only a signature of the executive pen. Perhaps it’s a testament to the framers of the Constitution that the latter can sometimes have as much impact on markets as the former. I predict that an Executive Order President Obama signed ten days ago has the potential for deep and broad impacts on the use of cryptography over the next few years. This single order very directly impacts two disparate areas of the data protection market: payment card security and online identity management.
On October 17, 2014, the President signed Executive Order 13681, titled “Improving the Security of Consumer Financial Transactions”. First, the order focuses on changes agencies must put in place, beginning not later than the start of 2015, to support EMV payment card processing. While the wording of the document does not explicitly dictate that only the “chip & PIN” implementation of EMV is allowed, the way the order is phrased leans strongly in that direction:
“In order to strengthen data security and thereby better protect citizens doing business with the Government, executive departments and agencies … shall, as soon as possible, transition payment processing terminals and credit, debit, and other payment cards to employ enhanced security features, including chip-and-PIN technology.” [Section 1, paragraph 1]
While the language does not exclude chip-and-signature, my experience working with federal agencies is that they gravitate toward implementing solutions that have an easily shown, direct line of sight to the directive as written.
The order goes on to specify this directive applies to:
- All the card readers the agencies have in place to accept transactions
- All the payment cards issued to federal employees
- All Direct Express payment cards issued to beneficiaries of federal entitlements programs
While the first two bullets are significant, the last may have the largest impact on market adoption of EMV. During recent webinars and discussions with customers, the “chicken & egg” dynamic of EMV has been raised repeatedly: “When will there be enough EMV-compliant cards in the market to make migration to EMV-enabled POS devices worthwhile?” According to the WSJ, over 5.5M Social Security recipients alone receive their benefits via Direct Express, with more receiving benefits from the VA and other agencies. I believe that the combination of federal agencies adopting compliant terminals and the migration of Direct Express to compliant cards has the profile to put an elbow in the current payment market adoption curve.
Section 3 of the order may be more subtle in its phrasing, but it has potentially much further-reaching impacts:
“To help ensure that sensitive data are shared only with the appropriate person or people, within 90 days of the date of this order, the National Security Council staff, the Office of Science and Technology Policy, and OMB shall present to the President a plan, consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace, to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate. Within 18 months of the date of this order, relevant agencies shall complete any required implementation steps set forth in the plan prepared pursuant to this section.”
[Bolding is mine for emphasis]
The issue of online identity is far from trivial – the axiom “On the internet, nobody knows you’re a dog” remains as true now as it was in 1993. A rapid introduction of higher-level user authentication requirements for interaction with the federal government could build a foundation that finally addresses the fraud risks that “faceless” transactions have been demonstrated to pose in recent years. While I have no expectation that this directive, or any subsequent federal action, will do away with online anonymity, it could create a subset of the online world in which online merchants interact only with buyers who use this higher order of user authentication, reducing the volume of card-not-present fraud to which online transactions are prone. This will drive a great deal of interest in the cryptographic key management systems required to create, maintain, communicate, and validate the mandated multi-factor authentication elements.
I predict that each of these directives, from this one executive order, can have as much impact on the data security industry as California SB 1386 (State Bill 1386) had on the adoption of encryption for data privacy protection in the commercial sector and OMB 06-16 (the sixteenth Office of Management and Budget Memo of 2006) had on adoption of encryption in federal agencies over the last decade.