The Federal Bureau of Investigation has walked back a Public Service Announcement that urged consumers and merchants to use a PIN for EMV-chip card transactions. The new statement, posted Oct. 13 on the Internet Crime Complaint Center, clarified the use of EMV security.
The initial announcement stated that the rollout of the chip-card technology among U.S. retailers, spurred by a fraud liability shift that took effect Oct. 1, "allows merchants to verify the card's authenticity by the cardholder's personal identification number (PIN)."
However, in the U.S. many chip-enabled credit cards have been issued without PINs. EMV technology protects against counterfeiting, with or without a PIN; in other countries, a PIN is more commonly used as a measure to thwart the use of stolen EMV cards.
American Bankers Association senior vice president for payments and cybersecurity policy Doug Johnson applauded the modifications, which he said "removed confusing language associated with suggestion that customers should ask to use the PIN." Johnson said that upon seeing the PSA first posted on Oct. 8, the ABA "reached out to the Bureau and talked to them about that."
The revised FBI statement "was issued to clarify the security safeguards associated with EMV technology and to highlight some of the potential vulnerabilities fraudsters and cyber criminals may try to exploit," FBI spokeswoman Carol A. Cratty told PaymentsSource in an email. Cratty did not respond to questions regarding the reason for the revisions.
But the FBI made other changes to its PSA, including a more in-depth description of the chip card's anti-fraud technology and a note that "PINs are vulnerable to cybercriminals who work to steal these numbers to commit ATM and cash-back crimes."
"The new statement is essentially watered down," said National Retail Federation senior vice president and general counsel Mallory Duncan, who supported the FBI's initial assessment that PINs could improve the security of transactions made with chip-enabled cards.
"The PIN protects banks, merchants and consumers from a broad range of fraud," he said, adding that signatures are a less secure form of identification, relying on the "amateur handwriting analyst" chops of store clerks.
Duncan said that PINs could safeguard consumers' data against counterfeit fraud, stolen cards and fraudulent card-not-present purchases.
But the ABA's Johnson disagreed, arguing that PINs cannot stop thieves from making fraudulent online purchases. With these attacks "migrating online," he said, transaction systems should move "past the PIN and really, frankly, past the chip."