Last week the FBI posted an online advisory about credit card chip technology and vulnerabilities with new chip-enabled credit cards that could potentially lead to credit card fraud. However, they removed the message less than a day later, following concerns from U.S. bankers that back a more traditional approach that supports chip cards with the use of signatures rather than Personal Identification Numbers (PINs).
The original online post was headlined, “New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters.” The public service announcement the FBI posted Thursday warned consumers that the new EMV chip cards “are vulnerable to exploitation by fraudsters” and urged consumers to enter a PIN instead of a signature during EMV credit card transactions. The FBI advisory further warned consumers that EMV-compliant cards are still vulnerable to credit card fraud; and PIN authentication is the best means to prevent personal data theft. The FBI statement states that EMV cards can still be counterfeited with stolen card data obtained on the black market.
The announcement was removed Friday, apparently following requests from the leading banker trade group. The American Bankers Association (ABA) contacted the FBI following the original post on Thursday, urging it to revise and clarify the content “to reduce confusion over the use of PINs with chip cards,” said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA on Friday.
Bankers support signatures with EMV credit card transactions, saying the chip—which generates a one-time encrypted code with each transaction—provides strong security. They further state consumers are used to signing with credit transactions but not using PINs.
“We saw the PSA yesterday and spoke to the FBI after we saw it and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN,” said Johnson. He further asserted that PINs won’t be used in the U.S.
But credit card fraud-weary retailers want PIN authentication not only with EMV debit cards, as is traditional, but also with chip credit cards. A number of retail trade organizations have been publicly calling for the adoption of chip and PIN technology, which is the global standard, and the FBI advisory lends additional credibility. Retailers have asserted that their investment of billions of dollars in new terminals to support the new credit card technology through the use of chip cards should be accompanied by a willingness by banks and card companies to support PIN technology. The National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA) are among those aligned with the nation’s top law enforcement agency to ensure consumers have access to the most secure payment methods.
“Retailers have long-argued that PINs are essential to providing cardholders with the security that they deserve,” said Brian Dodge, executive VP of RILA. “The FBI’s alert should be a wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the U.S. just as it has been around the world for years.”
“What the FBI is saying is what the rest of the world already sees as common sense,” says NRF senior VP and general counsel Mallory Duncan. “It’s the right thing to do, and we hope the banks are listening. Retailers are determined to protect their customers. That’s why we are pushing the banks to use all of the security the new cards are capable of providing, not just half. They shouldn’t lock the front door but leave the back door wide open,” she says.
The FBI didn’t offer any comment Friday on what happened to the original post, apparently putting itself in the middle of an ongoing controversy between bankers and retailers over cardholder authentication with the new credit card chip technology that is replacing the magnetic-stripe payment cards that have been traditionally used in the United States.