The FBI was strongly in favor of chip-and-PIN cards over chip-and-signature and then, all of a sudden, apparently less so.
On Thursday (Oct. 8), the Federal Bureau of Investigation issued a warning to consumers, merchants and law enforcement that chip-based payment cards — while safer than traditional mag stripe cards — were more secure when used in conjunction with a PIN than with a signature.
"When using the EMV card at a point-of-sale terminal, consumers should use the PIN instead of a signature,” stated the FBI in the alert. “This fully utilizes the security features built within the EMV card."
The National Retail Federation (NRF) shared the FBI statement in a press release on Friday (Oct. 9), in which NRF Senior Vice President and General Counsel Mallory Duncan expressed her support for it.
“What the FBI is saying is what the rest of the world already sees as common sense. It’s the right thing to do, and we hope the banks are listening,” stated Duncan. “Retailers are determined to protect their customers. That’s why we are pushing the banks to use all of the security the new cards are capable of providing, not just half. They shouldn’t lock the front door but leave the back door wide open."
However, on the same day that the NRF shared its press release, the posting in question on the FBI site — which had been titled “New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters” — was taken down (replaced by a “Page Not Found” message).
As Computerworld reported on Friday, no explanation was given by the FBI as to the removal of the post. The outlet did learn, however, that the American Bankers Association (ABA) had contacted the bureau on Thursday and urged it to revise and clarify its message.
“We saw the PSA yesterday and spoke to the FBI after we saw it, and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN,” Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA, told Computerworld on Friday.
Virtually all of the chip cards being issued in the United States are chip-and-signature-based rather than chip-and-PIN. Visa in particular, as the Computerworld story notes, supports signature over PIN, contrary to the stance of organizations like the NRF and the Merchant Advisory Group.