The FBI posted an online advisory about vulnerabilities with new chip-enabled credit cards, but then removed the message on Friday, less than a day later, following concerns from U.S. bankers that back chip cards.
The original online post was headlined, "New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters," and was replaced by a "page not found" message as of mid-day Friday.
The FBI didn't offer any comment Friday on what happened to the original post, which raised the need for PIN (personal identification number) security on chip-embedded cards. Use of a PIN instead of a customer's signature to bolster a chip card has become a heated battle between the nation's major retailers, which back a PIN, and powerful credit card companies and the major banks they support, which back signatures.
The American Bankers Association contacted the FBI on Thursday urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards, an ABA official told Computerworld on Friday.
"We saw the PSA yesterday and spoke to the FBI after we saw it and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN," said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA, in a telephone interview.
Johnson said it seemed likely the FBI would revise its PSA, but he had no idea when.
Spokeswomen for both Visa and MasterCard said Friday that the FBI was expected to revise the original statement, and had no further comment.
Of all the major card companies, Visa, notably, has supported having consumers provide a signature instead of a PIN to secure an in-store payment with a new chip card. Retailers, including the National Retail Federation and the Merchant Advisory Group, have supported the use of a PIN with the chip-embedded card to improve security.
"Retailers have long argued that PINs are essential to providing cardholders with the security that they deserve," said Brian Dodge, executive vice president of the Retail Industry Leaders Association, in a statement issued Friday. Reacting to the FBI's original alert, which has since been removed, he said it was a "wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the U.S. just as it has been around the world for years."
But Johnson asserted that PINs won't be used in the U.S. "PIN is not going to be adopted in the U.S.," he said flatly.
In the FBI's original PSA, there was language that consumers "should use the PIN, instead of a signature, to verify the transaction," even though banks have not been issuing PINs with new chip credit cards. Four-digit PINs are used with debit cards, but many merchants are still not accepting chip-enabled debit cards.
"The suggestion and recommendation from the Bureau that a customer request to be able to use their PIN would be confusing…and creates confusion in the market," Johnson explained.
The original FBI statement also noted that while chip cards "offer enhanced security, the FBI is warning law enforcement, merchants and the general public that these cards can still be targeted by fraudsters."
The purpose of the chip on newer cards is to prevent counterfeit fraud when thieves steal card data from merchants' computer servers and manufacture fake cards with stolen 16-digit card numbers and four-digit expiration dates. Because the chip allows a unique code to be used with each transaction, it is difficult for thieves to steal card numbers from merchants' servers.
Johnson added it is also considered "extremely hard" for fraudsters to manufacture a credit card with an embedded computer chip. The original FBI announcement "suggested a chip card is easy to replicate, which it is not," he said. If credit card numbers are somehow stolen from a merchant's database, a fraudster could conceivably imprint an account number on a magnetic stripe on a new card. However, a newer point-of-sale terminal could detect that it should have been a chip card, not a magnetic stripe card, and would deny the transaction, he said.
A lost or stolen chip card can still be used fraudulently by a thief in a store purchase or by phone or online, an event that retailers believe use of a PIN will prevent. However, only about 5% of card fraud comes from stolen or lost cards, Johnson said. In its original message, the FBI pointed out vulnerabilities with chip cards, including that chip cards still have magnetic stripes that are vulnerable to thieves.
Retailers have asserted that their investment of billions of dollars in new terminals to support chip cards should be accompanied by a willingness by banks and card companies to support PIN technology.
Several analysts have described a trend toward the use of PINs in Canada and some countries in Europe, where chip cards have been in use for several years.
However, Stephanie Ericksen, Visa's vice president of risk products, recently said there's a movement away from PINs in both Canada and Europe.
Johnson agreed that the "PIN has been an effective historical mechanism" but added that changes in the payment industry and patterns of fraud make it incumbent on the industry to back investments in newer technologies that dynamically identify fraudsters, both online and in stores. In addition to chip technology, he said banks and some merchants are backing tokenization for use with transactions as well as end-to-end encryption.
Asked to respond to retailers who are in favor of the use of PINs, Johnson said: "Their push for PIN is really an effort politically to change the conversation. If we didn't have [security] breaches at retailers to begin with, we wouldn't have compromised systems. If there was an appropriate effort on data security on the retailer side, we wouldn't have this conversation."