Executive Order Mandates 2FA to Protect Consumer Financial Transactions
On Friday, the White House signed an executive order, the first part of the BuySecure initiative, to improve the security of consumer transactions, requiring agencies to use multiple factors of authentication whenever using web applications to provide citizens with personal data. They also called for an effective identity-proofing process to ensure only authorized persons access their information.
The rest of the executive order reflects the government's efforts to lock down its own payment systems and payment cards, in addition to improving identity theft remediation for consumers. Here is a summary of the order and its projected due dates:
Section 1. Secure Government Payments
- Executive departments and agencies must transition payment processing terminals and payment cards to use chip and PIN technology (By January 2015)
- Dept. of Treasury must submit a plan to replace Direct Express prepaid debit cards that lack enhanced security features, while other agencies must provide a plan to ensure their payment cards have enhanced security features (By January 2015)
Section 2. Improved Identity Theft Remediation
Different government agencies will submit plans to:
- Promote regular submissions of compromised credentials to the federal cyber-forensics and Internet fraud alert system (By February 2015)
- Identify and consolidate publicly available agency resources for identity theft victims, such as those found on IdentityTheft.gov (By March 2015)
- Improve the functionality of IdentityTheft.gov, including streamlining the reporting and remediation process with credit bureau systems (By March 2015)
Section 3. Securing Federal Transactions Online
The National Security Council staff, Office of Science and Technology Policy and Office of Management and Budget (OMB) must submit a plan that ensures that all agencies that make personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity-proofing process.
The plan is due within 90 days of the order and must be implemented within 18 months of the order's date.
Technically speaking, the executive order recognizes the need for a highly usable 'identity solution' that uses devices in a simple and effective way. It requires that the plan be consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace (PDF), which states:
Identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training. Many existing technology components in widespread use today, such as cell phones, smart cards, and personal computers, can be leveraged to act as or contain a credential. Whenever possible, identity solutions should be built into online services to enhance their usability.
They even provide a use case of an individual securely accessing their tax documents:
- Parvati uses a credential issued by a third-party and bound to her existing cell phone to access online government tax services.
- She logs in with just the click of a button; no longer does she have to remember the complicated password she previously had to use.
- She views her tax history, changes demographic information, files taxes electronically and monitors her refund status.
After a particularly epic year of reported retail breaches, including Target, Home Depot, Dairy Queen, Goodwill, UPS, Sally Beauty, P.F. Chang's, Kmart, and now, Staples, it's no surprise that the U.S. government is paying attention to the need for stronger security features for its own transactions and for access to personal data.
In a WhiteHouse.gov blog post, The President's BuySecure Initiative: Protecting Americans from Credit Card Fraud and Identity Theft, the administration states that Home Depot, Target, Walgreens and Walmart will be rolling out chip and PIN compatible card terminals in their stores by January 2015.
Similarly, major credit card providers, American Express and Visa, will be launching programs to support and educate businesses, consumers and merchants on the new technology, as well as helping smaller businesses upgrade point-of-sale terminals to more secure standards.
Naturally, these are the first steps toward greater security standards within the industry. Hopefully, pairing new payment technology with increased authentication security and identity-proofing will help temper easily-preventable future retail breaches of consumer data. Learn more about two-factor authentication for retail organizations in Retail and E-Commerce: PCI DSS Compliance.