FBI Nixes Notice on EMV Cards as Retailers, Banks Battle Over PINs

By Kery Murakami

Oct. 9 — A FBI public service announcement that new EMV payment cards are still vulnerable to fraud was removed from the bureau’s website Oct. 9 after retailers leaped on the statement as evidence the cards are ineffective without the use of PINs and bankers complained to the FBI about its accuracy.

FBI spokesperson Carol Cratty said in an e-mail to Bloomberg BNA that the bureau “is reviewing the PSA for clarity” after it was taken down from the website.

In a notice posted Oct. 8, the FBI said the new chip-based cards will provide greater security than traditional magnetic strip cards, but may still be used for fraud because they “can be counterfeited using stolen card data obtained from the black market.” Another threat is that data on the magnetic strip of an EMV card can still be stolen if the merchant's point-of-sale terminal is infected with data-capturing malware, the FBI warned.

The FBI announcement said that use of a PIN (personal identification number) during transactions “fully utilizes the security features built within the EMV card.” It urged customers to enter a PIN when using it and said merchants should ask customers to use the PIN.

While intended to educate consumers, merchants and law enforcement, the FBI announcement came as banks and card providers are not requiring customers to use PINs with the new technology. Retailers have been very critical of the policy. Although the EMV (Europay, MasterCard and Visa) chips make counterfeiting debit and credit cards more difficult, PINs would combat fraud involving lost and stolen cards for which merchants can be held liable, retailers say.

The FBI notice prompted an Oct. 9 statement from the National Retail Federation (NRF), a longtime advocate for requiring PINs with EMV cards. “What the FBI is saying is what the rest of the world already sees as common sense. It's the right thing to do, and we hope the banks are listening,” said Mallory Duncan, NRF's senior vice president and general counsel.

When asked for a response, a Visa spokesperson told Bloomberg BNA that she understood that the FBI's notice was being revised. By early afternoon Oct. 9, the web link that had gone to the FBI announcement went to an error message: “Oops The page you are looking for could not be found. It may have been removed, renamed, or is temporarily unavailable.”

Banking Group Complains

Doug Johnson, who oversees risk management policy for the American Bankers Association (ABA), told Bloomberg BNA that he raised questions with the FBI shortly after the public service announcement appeared Oct. 8, saying it made EMV chips appear to be more vulnerable than they are.

The advice to use the PINs could also confuse customers and merchants because many of the cards do not require a PIN, he said, backing up the bureau's decision to remove the announcement.

Cratty did not respond via e-mail when asked if ABA's complaint played a role in removal of the FBI notice.

Johnson downplayed the ABA's role, saying it’s likely the FBI would have removed the announcement “as a direct result of anybody’s wishes, unless upon further reflection, they didn’t think it could be refined.”

Johnson said the ABA was only told that the FBI would consult with the banking industry group if the bureau decided to revise the public service announcement.

Visa declined to respond, but Stephanie Ericksen, the company’s vice president of global risk products, acknowledged to the House Small Business Committee Oct. 7 that EMV alone would not prevent all types of fraud, including online fraud. However, she said the new chips would prevent the most prevalent type of payment card fraud, counterfeiting, and that the payments industry is working on ways to adopt other types of card fraud.

A spokesperson for the NRF told Bloomberg BNA that the group intends to bring up the FBI's warning when it testifies before the same House committee later in October.

To contact the reporter on this story: Kery Murakami in Washington at kmurakami@bna.com

To contact the editor responsible for this story: Michael Ferullo at mferullo@bna.com

The Oct. 8 EMV notice is available at http://src.bna.com/xF.