A National Retail Federation attorney said Wednesday that an updated FBI warning on chip card vulnerabilities waters down the need for PIN security.
The FBI on Friday posted a revised warning about vulnerabilities with new chip-embedded credit cards that deletes language about the need to use PIN security, which had appeared in the FBI's original version last week.
Mallory Duncan, general counsel for the National Retail Federation, characterized the revised FBI warning as ineffective in describing the need for PIN (Personal Identification Number) security.
He also accused U.S. banks of "trying to play fast and loose with security" because bank officials persuaded the FBI to alter the original message to drop some references to PINs.
The FBI's message "has been watered down to the point of not being particularly helpful so that it's … not much of a public service," Duncan said in an interview.
Large U.S. banks oppose using a PIN when making a credit-card purchase while retailers widely support PINs, a difference that's recently reached a boiling point.
The NRF and large retailers have been battling with U.S. banks and card companies for years over whether new chip-based credit cards need a four-digit PIN to effectively fight fraud. The banks and card companies have come out against PINs in the U.S., saying that other technologies, such as encryption and tokenization, along with using a microchip-embedded card with signatures, would be more effective in fighting fraud than PINs. Retailers favor PINs, arguing that PINs will reduce fraud not only for lost and stolen chip cards, but also for online and telephone transactions.
The FBI did not comment on the original warning or the revision. The new version, which is dated Oct. 9, is headlined, "FBI warns that new credit cards may be vulnerable to exploitation by fraudsters."
The new warning also includes two sentences referring to PIN technology as well as EMV, or chip cards: "When the card is equipped with a personal identification number (PIN), which is known only to the cardholder and the issuing financial institution, merchants will be able to verify the user's identity. Currently, not all EMV [chip] cards are issued to consumers with the PIN capability and not all merchant [point of sale] terminals can accept PIN entry."
The earlier FBI message, which was posted Oct. 8 and removed less than a day later, contained several references to the need for PIN security with chip cards which were not in the revised message.
The original message stated: "When using the EMV [chip] card at a PoS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card. Consumers should also shield the keypad from bystanders when entering their card PIN. "Merchants are encouraged to require consumers to enter their PIN for each transaction, in order to verify their identity. If a consumer uses a signature, merchants should ask to also see a government-issued photo identification card to verify the cardholder's identity."