FBI EMV gaffe is the latest setback for payments security

Citibank credit card with an EMV chip
Blair Hanley Frank

It's bad enough when the FBI announces to the world that you're not secure enough. It's even worse when it then reluctantly takes it back — that second bout of publicity will be even bigger than the first, after all. Such is the current plight for EMV, the payment card security upgrade that is years out of date. It's also managed to accomplish the impossible: uniting retailers in almost unanimous opposition.

Let's start with this FBI kerfuffle and the germane background. Fact: EMV cards are more secure than magstripe cards. Fact: Not by much. Fact: It's really only true in preventing clones, which admittedly was the single-largest payment card fraud issue in the U.S., so attacking that aspect of fraud is a good thing.

But the most essential piece of background here is that the U.S. EMV deployment uses signatures as authentication, instead of PINs. PIN is how the rest of the world does EMV, and no one disputes that PIN is far more secure than signature. To be fair, that's not an especially difficult hurdle to clear today, since retailers have given up using signature for any authentication at all. It provides zero protection. When was the last time you saw a retail associate examining the signature on your card and comparing it to how you signed? That lack of examination is a good thing, given the absolute absence of handwriting-recognition training that store associates are given.

What the FBI said is that PIN is far more secure—which is without debate—and it encouraged shoppers to use a PIN instead of signature. Therein lay the problem. The FBI was giving legitimate security advice, but it's counsel that consumers—thanks to Visa and MasterCard and key banks—can't take. Retailers are not being allowed to accept PINs, so the FBI counsel was, in reality, going to be pointless and confusing.

What the FBI should have said is that the U.S. needs to join the rest of the world and accept EMV PINs. It's not as though there would likely be huge consumer resistance. U.S. shoppers are already quite comfortable with PINs, courtesy of both ATM cards and payment debit cards. If it's a united effort, Americans—just like Canadians and Europeans—will deal with it.

Think back to ATMs. Consumers were never wild about the concept, but when the convenience became clear, they accepted it and never looked back. But the banking powers-that-be have this unwarranted fear of consumer revolt. Hence, a reasonably secure system is being deployed as a barely secure system. Yes, it's more secure than magstripe, but there are few things that wouldn't be.

Alas, not supporting PIN is only one of the self-inflicted wounds hurting EMV. EMV is trying to deploy in the U.S. just as mobile payments—especially Apple Pay—are starting to get a little traction. How is that a problem? It involves how EMV is being used. The current system forces an EMV card to be inserted—called "dip" in the payments world—into the card reader and to stay there throughout the transaction. That is a big change from magstripe and will take a lot more time.

Retailers today are sharply accelerating transaction time, and this will be a big step back. Starbucks last week, for example, allowed Apple to say that all Starbucks stores will accept Apple Pay in store. This is a big change for the coffee chain, and it's mostly about EMV. Changing from a shopper using the Starbucks app to Apple Pay will sharply accelerate checkout, since the Starbucks app has to be launched to be used, and Apple Pay doesn't. Apple Pay will work even if the phone is in airplane mode and is not on Wi-Fi. As long as the phone is powered on—and Apple Pay was, of course, set up at some earlier point—it will work instantly.

Compare that with a Starbucks shopper trying to use an EMV card. It will have to be inserted and stay there—or else it will be handed to the store associate, who will have to do the same and remember to remove the card and hand it back. Apple Pay is faster than the Starbucks app, the Starbucks app is faster than magstripe, and magstripe is far faster than EMV. And remember that your margin speaks to how many customers you can rush in and out on their way to work. You do the math.

The FBI was right, though, that it should get involved in EMV. The way EMV is being handled is nothing less than a crime.