An increased focus on cybersecurity policy was an expected consequence of the high-profile breaches at places like Target and Neiman Marcus. So many people had their credit and identity information leaked that those companies had to do something, even if only to restore consumer confidence in their brand. One of the first major changes, as reported by the Wall Street Journal, is a decision by Visa and Mastercard to begin phasing out their swipe and sign credit cards (http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/).
Visa and Mastercard will spend the next year and a half switching over to a new payment system called EMV (here is their website, if you’re interested in the technical aspects of the payment system: http://www.emvco.com/about_emv.aspx). The card works by replacing the magnetic strip (which contains all the necessary payment information) with a computer chip (containing a microprocessor). The chip requires power, which the card typically lacks. The chip therefore only transmits its data when placed within a card reader, which powers up the chip and allows the transaction to proceed. The user then verifies the transaction with a PIN.
The major advantage of this chip (from a technical standpoint) is that the card manufacturer can encrypt the information contained on the chip. This means that if a hack like the Target hack occurs again (where the point of service (PoS) devices redirect the payment information to another service before routing to the credit card company), the hackers only have encrypted data. They would need to decrypt the information before they can use it, so there’s an extra layer of security.
The Wall Street Journal article also mentioned another method that Visa and Mastercard intend to employ to reduce their legal liability during these breaches: the two companies intend to push a “liability shift” during the changeover. The idea is to make the entity using the older technology liable for the data breaches. The examples provided in the article are when merchants consciously maintain the older swipe and sign PoS devices or when a bank fails to issue the new chip and PIN cards. The actual legal mechanisms aren’t stated, though they likely revolve around service agreements that exist between Visa, the banks, and the merchants. Placing pressure on the other relevant parties to adopt the chip and PIN system appears to be the major motivating factor in this liability shift, though minimizing legal exposure during the changeover is not an insignificant concern either.
From a policy standpoint, I think this is a good idea. The liability shift will probably give some of the attorneys at retailers headaches, but the current credit cards are not particularly safe from a cybersecurity standpoint. The fact that most of the rest of the world switched over to chip and PIN also means that most of the bugs with these systems should have been sorted out a while ago. Let’s just hope the process goes smoothly here.