A National Retail Federation attorney said Wednesday that an updated FBI warning on chip card vulnerabilities waters down the need for PIN security.
The FBI on Friday posted a revised warning about vulnerabilities with new chip-embedded credit cards that deletes language about the need to use PIN security, which had appeared in the FBI's original version last week.
Mallory Duncan, general counsel for the National Retail Federation, characterized the revised FBI warning as ineffective in describing the need for PIN (Personal Identification Number) security.
He also accused U.S. banks of "trying to play fast and loose with security" because bank officials persuaded the FBI to alter the original message to drop some references to PINs.
The FBI's message "has been watered down to the point of not being particularly helpful so that it's … not much of a public service," Duncan said in an interview.
Large U.S. banks oppose using a PIN when making a credit-card purchase while retailers widely support PINs, a difference that's recently reached a boiling point.
The NRF and large retailers have been battling with U.S. banks and card companies for years over whether new chip-based credit cards need a four-digit PIN to effectively fight fraud. The banks and card companies have come out against PINs in the U.S., saying that other technologies, such as encryption and tokenization, along with using a microchip-embedded card with signatures, would be more effective in fighting fraud than PINs. Retailers favor PINs, arguing that PINs will reduce fraud not only for lost and stolen chip cards, but also for online and telephone transactions.
The FBI's national press office said by email that the revised warning "was issued to clarify the security safeguards associated with the [chip card] technology and to highlight some of the potential vulnerabilities fraudsters and cyber criminals may try to exploit." The new version, which is dated Oct. 9, is headlined, “FBI warns that new credit cards may be vulnerable to exploitation by fraudsters.”
The new warning also includes two sentences referring to PIN technology as well as EMV, or chip cards: "When the card is equipped with a personal identification number (PIN), which is known only to the cardholder and the issuing financial institution, merchants will be able to verify the user's identity. Currently, not all EMV [chip] cards are issued to consumers with the PIN capability and not all merchant [point of sale] terminals can accept PIN entry."
The earlier FBI message, which was posted Oct. 8 and removed less than a day later, contained several references to the need for PIN security with chip cards which were not in the revised message.
The original message stated: "When using the EMV [chip] card at a PoS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card. Consumers should also shield the keypad from bystanders when entering their card PIN. "Merchants are encouraged to require consumers to enter their PIN for each transaction, in order to verify their identity. If a consumer uses a signature, merchants should ask to also see a government-issued photo identification card to verify the cardholder's identity."
Doug Johnson, American Bankers Association senior vice president of payments and cybersecurity policy, said last week that the original message could have been confusing to the public about the use of PINs. He said the ABA contacted the FBI on Oct. 8 about its concerns. The FBI removed the original message and posted the revision.
On Wednesday, Johnson called the FBI revision more accurate. "The first release created concern for us and presupposed that customers could demand that retailers use a PIN when that's not the case," he said.
He said the NRF's Duncan's comments that bankers are playing "fast and loose" with security are off base. "It's very interesting to have merchants complain about bank security when it is merchant security that has created these breaches to begin with," he said.
Johnson had said in an interview last week that, "PIN is not going to be adopted in the U.S." Johnson's view represents the opinion of the nation's largest banks in the ABA, but a few smaller and regional banks have backed PIN use with chip credit cards, including First Niagara Financial Group, which has 390 branches in New York, Pennsylvania, Connecticut and Massachusetts.
A PIN "will provide an added layer of anti-fraud protection," with new chip credit cards, First Niagara said in a recent statement about its inclusion of PIN technology.
First Niagara said that credit cards haven't required a PIN, unlike most debit cards, but that customers would need to get accustomed to using a PIN. First Niagara plans to launch an awareness and education campaign to help its customers.
The NRF's Duncan called the original FBI message "crystal clear" about the need for PIN technology, which was lost in the revision. "Consumers need to use a PIN, and banks need to get on board and do what everybody else is doing," Duncan said.
Duncan also said that "banks know that PINs are more secure" and noted that cash withdrawals at ATMs are done with the use of a PIN. "When it's a bank's product at risk, like at an ATM, the bank insists on a PIN, and they know that PINs are more secure," Duncan added.
When merchants install new sales terminals that read chip cards, nearly all will have PIN pads included, which is the way that terminal manufacturers are making them, Duncan said. The NRF has argued that it will cost U.S. merchants up to $35 billion to install new chip card readers, but it would only cost "a little bit more" for banks to put PINs on new chip cards and to update their systems, he said.
"Retailers are spending, but banks don't want to invest one cent more in improving their product," Duncan said.
Duncan also criticized the FBI for altering the fraud warning to water down references to PIN technology, contrary to a year-old presidential order affecting federal government payments. "It's interesting that their revised statement ignores the executive order from President Obama to issue new chip cards with PINs," he said.
Duncan referred to an executive order signed by Obama on Oct. 17, 2014, directing executive departments and federal agencies to transition payment processing terminals and credit, debit and other payment cards to "employ enhanced security features, including chip-and-PIN technology."