Opinion: Will private industry follow Obama’s lead on credit-card security?

The Obama administration did its part to speed the switch to more secure credit cards Friday when the president signed an executive order requiring government agencies to start switching to the next generation of cards by January. How much effect this move will have on private industry, though, depends on whether the administration allows the new cards to be accepted by merchants that don’t upgrade their security too.

Credit card fraud causes an estimated $5.5 billion in losses in the United States, thanks largely to antiquated cards that store their account and security information on a magnetic stripe. The rest of the developed world shifted long ago to cards with built-in microchips that change the security settings with every transaction. Unlike the version with a magnetic stripe, chip cards are extremely hard, if not impossible, to counterfeit.

Changing payment systems involves more than just issuing millions of new cards, however. Businesses across the country would have to replace their card-swiping terminals with ones capable of reading chip cards. There’s a great deal of resistance to this idea, meaning that the new cards will also have to be equipped with a magnetic stripe so they can be used at businesses that didn’t bother to upgrade their terminals.

Some businesses have pushed back particularly hard against the idea of chip cards that require the use of personal identification numbers, as bank debit cards do. The chip only guards against counterfeit cards, which account for about half the fraud; the PIN feature helps to ensure that the person using the card is the rightful owner, protecting against the (far less frequent) use of real cards that are lost or stolen. Consumer advocates like the PIN requirement; businesses without checkout lines -- e.g., restaurants and high-end retailers -- don’t.

Here’s where President Obama’s three-part executive order comes in. One part would provide a bit more aid to victims of identity theft, and another would require better authentication techniques on government websites that make “personal data” accessible to the public online. The third, and potentially most significant, would require all agencies to make the switch as soon as possible to credit- and debit-card systems that employ “enhanced security features, including chip-and-PIN technology.”

By January, federal entities that sell products and services to the public, such as post offices and national parks, will either have to start buying payment terminals that accept chip-and-PIN cards, or submit plans to ensure that their payment systems will do so. Agencies that issue debit and credit cards will have to switch to chip-and-PINs for new cards and start replacing the ones they’ve already given out. That’s true both for the payment cards issued to government employees and the Direct Express debit cards issued to those who get government benefits, including veterans, retired federal workers and Social Security recipients.

The latter provision could be a game-changer. There were about 4.8 million people with Direct Express accounts at the start of 2014, with 200,000 more coming on each month. With the federal government sending chip-and-PIN cards to all new federal beneficiaries, the cards will soon be wielded by millions of people with billions of dollars to spend.

Yet, just because a card has a chip and requires a PIN, that doesn’t mean merchants will be required to adapt to them. As noted above, these cards are expected to have a magnetic stripe as well. And according to Jason Oxman, chief executive of the Electronic Transactions Assn., it’s typically left up to the bank that issues the card to decide which types of transactions to authorize.

So unless the Treasury Department says otherwise, Comerica Bank, which issues the Direct Express cards, will determine how strictly to enforce the chip-and-PIN requirement. Will the magnetic stripe be acceptable for buying necessities, such as groceries? At what point does it make sense to require the use of a chip-reading terminal? How about the PIN?

The more Comerica or the Treasury restricts use of the Direct Express cards to chip-and-PIN terminals, the more incentive retailers will have to make the switch. On the other hand, most people with Direct Express cards -- 80%, by one survey -- do not have savings or checking accounts, so if the government plays hardball with retailers, it risks freezing the assets of many beneficiaries. That sounds like a nonstarter.

Still, Oxman said, the Obama administration is sending a powerful message to the market just by switching the government’s payment infrastructure to chip-and-PIN cards. The big payment-processing networks, such as Visa and MasterCard, are sending one of their own: Starting late next year, any retailer that doesn’t install chip-card terminals will be stuck with the bill if shoppers use counterfeit cards. Today, those losses typically are covered by the bank that issued the original card.

Meanwhile, smartphone-based payment apps such as the new Apple Pay are taking security to new levels by using fingerprints to authorize purchases. So by the time they’re finally introduced in the United States, chip-and-PIN cards will no longer be the state of the art when it comes to transaction security. Nevertheless, they’ll be a great leap forward from today’s cards -- assuming retailers and service providers can be weaned off their addiction to magnetic stripes.

Follow Healey’s intermittent Twitter feed: @jcahealey
