Thursday , March 28, 2024

The ABA Says the FBI Was ‘Receptive To Getting It Right’ About PINs and EMV Cards

The American Bankers Association seems to have persuaded the Federal Bureau of Investigation to do something the Bureau rarely ever does, at least in public: change its mind.

The FBI’s original position was the consumers should enter a personal identification number whenever possible when using their new EMV chip cards. The admonition came in the form of public service announcement last Thursday (Oct. 8) posted on the government’s Internet Crime Complaint Center (IC3) Web site. But less than 24 hours later, it was gone. A revised posting, less forceful about PINs, is expected to be posted Tuesday on the IC3 site, although at least one local FBI office, in San Diego, has already posted it on its own Web site.

The importance of PIN versus signature authentication with EMV cards undoubtedly ranks far below the importance the FBI assigns to investigating terrorism, white-collar crime or murders and bank robberies. But with the posting, the FBI found itself in the middle of a verbal shooting war between bankers, who mostly oppose using PINs for EMV credit card transactions because the chip alone supposedly provides strong enough security, and retailers, who want PIN authentication added as chip cards proliferate in the wake of the Oct. 1 U.S. EMV liability shift. The original PSA did not distinguish between EMV credit cards, most of which are not being issued with PINs, and debit cards, which are.

The FBI hasn’t yet confirmed to Digital Transactions News whether or not it revised the PSA at the urging of the Washington, D.C.-based ABA. An FBI spokesperson said over the weekend that it did so “to clarify the security safeguards associated with EMV technology and to highlight some of the potential vulnerabilities fraudsters and cyber criminals may try to exploit.”

But Doug Johnson, the ABA’s senior vice president of payments and cybersecurity policy, said the FBI, in a Thursday night phone call, listened attentively to its concerns.

“Once we saw the original posting we contacted the Bureau almost immediately because we saw the need for clarification on a number of things,” Johnson tells Digital Transactions News. “They were very receptive to getting it right.” He adds that “the Bureau was not defensive about the PSA.”

Johnson says he doesn’t know if the FBI was aware of the hot debate in the payments industry about PINs vs. signatures. “It’s really hard to speculate in terms what they, the Bureau, knew.” He also says he believes others also contacted the FBI about the posting, but he didn’t say who.

A piece in the Capitol Hill online newsletter Politico Influence claimed “the ABA is declaring victory for getting it removed Friday,” but Johnson denies the trade group is doing a victory dance. “I don’t look at it that way,” he says. “I think the process worked … I think the consumer is more of the victor, they’ve got accurate information.”

Merchant groups, while supporting the added security EMV chips provide over magnetic-stripe payment cards, saw in the FBI incident another reason to blast banks’ and card networks’ continued support of signatures, and to highlight the issues merchants large and small face in deploying EMV point-of-sale terminals.

“I guess I shouldn’t be surprised that the bankers can tell the FBI what to say and what not to say after they and the card brands staged a hearing before the House Small Business Committee last week that failed to include any small businesses,” Mark Horwedel, chief executive of the Merchant Advisory Group, a Minneapolis-based trade group that represents 175 big-box retailers and airlines on payments matters, tells Digital Transactions News by e-mail.

Adds Mallory Duncan, senior vice president and general counsel of the Washington-based National Retail Federation: “The point is, the FBI [in its first post] fundamentally got it right. PINs are the primary means for reducing fraud across all uses.”

Check Also

Buying Groups Might—or Might Not—Give Merchants More Negotiating Power with the Card Networks

Card-acceptance costs and network rules weren’t the only subjects covered by the sweeping settlement revealed …

Digital Transactions