FBI Quickly Pulls Alert About EMV
Recommendations for Chip Card Security Draw Criticism
(Editor's Note: The FBI on Oct. 13 posted on its Internet Crime Complaint Center site a revised alert on EMV payment cards, deleting a section in the original notice that encouraged the use of PIN numbers with chip cards.)
An alert issued Oct. 8 - and then yanked - by the Federal Bureau of Investigation about fraud vulnerabilities linked to EMV chip cards is reigniting the debate between bankers and retailers over whether EMV in the U.S. should be chip-and-PIN or chip-and-signature.
The alert, which was removed from the FBI's Internet Crime Complaint Center site on Oct. 9, noted: "When using the EMV card at a POS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card."
The pulled alert continued: "Consumers should also shield the keypad from bystanders when entering their card PIN. Merchants are encouraged to require consumers to enter their PIN for each transaction, in order to verify their identity. If a consumer uses a signature, merchants should ask to also see a government-issued photo identification card to verify the cardholder's identity."
That recommendation left many of us scratching our heads because the vast majority of U.S. banks and credit unions have opted to roll out EMV as a chip-and-signature, not chip-and-PIN, transaction. And the widespread rollout of chip-and-signature has been the subject of a long-term, high-profile debate that, apparently, the FBI missed.
For nearly a year, we've been talking about why merchants want chip-and-PIN to enhance security, while the card brands and many banks have argued that consumers would prove reluctant to use PINs. The now-deleted FBI alert refueled the debate and reinforced why more education about how EMV is being rolled out in the U.S. is needed, including, apparently, education of federal law enforcement officials.
Release of the short-lived alert sparked immediate, strong reaction.
Julie Conroy, a fraud analyst at consultancy Aite, says the FBI alert was disappointing because it misled consumers about the availability of PINs.
"I've come to expect lawmakers to be clueless about how EMV and the payments system work," she says. "But it's sad to see that extend to the FBI. This week's congressional hearings highlighted the utter lack of understanding that lawmakers have when it comes to the complexity of the payments system, and the danger of lawmakers legislating on sound bites. The FBI alert will not only confuse consumers, but also shows that the FBI has been drinking the Kool-Aid of the merchant lobbyists when it comes to the need for PINs, without understanding the ulterior motives that drive those lobbies."
While the FBI's alert included some beneficial information about steps consumers should take to ensure they quickly activate their new EMV cards, its suggestion that PIN authentication is superior to signature definitely stepped on toes, says Al Pascual, director of fraud and security for consultancy Javelin Strategy & Research.
"Encouraging consumers to use the PIN when available and to protect that PIN is a wise proactive measure, as we can expect some increase in lost and stolen cards as EMV becomes more common in the U.S.," Pascual says. "That being said ... many consumers, especially those with an EMV credit card, won't have that option. This could confuse the public as to the security benefits of EMV, which are not inherent to the PIN, but, rather, to the embedded chip and dynamic data exchanged during authorization. I'd chalk this messaging up to a combined lack of understanding, as well as some political mindfulness on the part of the FBI."
Pascual also says the alert could hurt the FBI's reputation with banks. "If it appears that the FBI is either naive or picking sides on this issue, it could alienate financial institutions and issuers that have traditionally partnered with federal law enforcement to further investigations and secure prosecutions in cases of fraud," he adds.
And Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, observes: "The error may leave the bureau with a bit of egg on its face, but life will go on."
A Lesson Learned
I reached out to the FBI soon after the alert was removed from the IC3 site Oct. 9 to find out if a revised version of the alert was expected, or if the FBI had just removed the alert with no plans to replace it. I did not get an immediate response.
I suspect the FBI will reissue some sort of notice to clarify the different ways EMV transactions are being authenticated.
There's a lesson here: Bankers, retailers and law enforcement have to work together and be on the same page about payments security. Obviously, a lot more education needs to take place. And as we are just beginning to embark upon our massive migration to chip technology, we can expect some missteps. What we want to avoid is confusing consumers and merchants, especially those who are still trying to understand what EMV is. To that end, law enforcement must understand how EMV works and how it's being implemented.