Monday, November 25, 2024

FBI Notice Warning Consumers To Use PINs With EMV Cards Gone; ABA Protest the Cause?

A public service announcement the FBI posted Thursday warning consumers that the new EMV chip cards “are vulnerable to exploitation by fraudsters” and urging them to enter a PIN instead of a signature during EMV credit card transactions was removed Friday, apparently at the behest of the leading banker trade group.

The PSA on the government’s Internet Crime Complaint Center (IC3) Web site came just a week after the U.S. EMV liability shift took effect. With it, the FBI, apparently unwittingly, put itself in the middle of an ongoing controversy between bankers and retailers over cardholder authentication with the new chip cards that are replacing magnetic-stripe payment cards.

Bankers support signatures with EMV credit card transactions, saying the chip, which generates a one-time cryptogram with each transaction, provides strong security, and that consumers are used to signing for credit transactions rather than entering PINs. But fraud-weary retailers want PIN authentication not only with EMV debit cards, as is traditional, but also with chip credit cards.

The FBI’s PSA, which was addressed to police, merchants, and consumers, reviewed the security advantages of EMV cards over mag-stripe cards, but still urged consumers to enter PINs when making point-of-sale purchases.

“When using the EMV card at a POS terminal, consumers should use the PIN instead of a signature, to verify the transaction,” said the now-removed post. “This fully utilizes the security features built within the EMV card. Consumers should also shield the keypad from bystanders when entering their card PIN.”

The PSA mentioned “credit card” or “credit cards” 16 times, but not once did it say “debit.” It is unclear if the FBI was using the term “credit cards” as a reference for payment cards in general, or indeed referring specifically to credit cards.

The link to the PSA now produces a “Page Not Found” notice. The PSA was removed sometime Friday, according to the Computerworld news site. The removal came after the Washington, D.C.-based American Bankers Association protested to the FBI, the publication said.

“We saw the PSA yesterday and spoke to the FBI after we saw it, and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN,” Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA, told Computerworld Friday. He later added that “PIN is not going to be adopted in the U.S.”

A spokesperson for the ABA could not be reached for comment Sunday. In response to a Digital Transactions News email, an FBI spokesperson replied late Sunday that the original post “was being reviewed for clarity,” and that a revised PSA would be issued Tuesday. The spokesperson made no mention of discussions with the ABA, but said the revision “was issued to clarify the security safeguards associated with EMV technology and to highlight some of the potential vulnerabilities fraudsters and cyber criminals may try to exploit.”

An advance of the updated PSA provided to Digital Transactions News by the spokesperson makes no recommendations about using PINs instead of signatures. “When the card is equipped with a personal identification number (PIN), which is known only to the cardholder and the issuing financial institution, merchants will be able to verify the user’s identity,” the revision says. “Currently, not all EMV cards are issued to consumers with the PIN capability and not all merchant POS terminals can accept PIN entry.”

Executives with payment card manufacturers and processors say most banks and credit unions are opting for signature authentication with their new chip credit cards, but retaining the PIN with EMV debit cards. There are a few exceptions on the credit side, most recently Buffalo, N.Y.-based First Niagara Bank, issuer of 250,000 credit cards and 900,000 debit cards.
