The FBI’s Friday warning about cybersecurity risks associated with EMV (Europay, MasterCard and Visa) chip technology, which Homeland Security Today reported on, was pulled and replaced Saturday with a new Public Service Announcement (PSA) stating that, “While EMV cards offer enhanced security, the FBI is warning law enforcement, merchants and the general public that no one technology eliminates fraud and cybercriminals will continue to look for opportunities to steal payment information.”
The FBI warned that, “Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction.”
In addition, the FBI said, “the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware.”
The FBI explained that, “The small gold chip found in many credit cards is most often referred to as an EMV chip. Cards containing this chip are known as EMV cards, as well as ‘chip-and-signature,’ ‘chip-and-pin’ or ‘smart’ cards.”
EMV chips are now the global standard for credit card security, and, unlike traditional credit cards that store data on a magnetic strip, EMV cards store card data in tiny integrated circuits and are authenticated when the cardholder inputs a PIN into a PoS terminal.
In its updated PSA, the FBI urged consumers to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.
Additionally, the FBI warned consumers to “closely safeguard the security of their EMV cards and PINs. This includes being vigilant in handling, signing and activating a card as soon as it arrives in the mail, reviewing statements for irregularities and promptly reporting lost or stolen credit cards to the issuing bank.”
The Bureau further urged consumers to shield the keypad from bystanders when entering a PIN, as PINs are vulnerable to cybercriminals who work to steal these numbers to commit ATM and cash-back crimes.
The FBI also encouraged “merchants to handle the EMV card and its data with the same security precautions they use for standard credit cards. Merchants handling sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions.”
“At a minimum,” the FBI said, “merchants should use secure servers and payment links for all Internet transactions with credit and debit cards, and information should be encrypted, if possible, to avert hackers from compromising card information provided by consumers. Credit card information taken over the telephone or through online means should be protected by the retailer to include encrypting digital information and securely disposing written credit card information.”
In response to the FBI’s updated PSA, the Electronic Payments Coalition (EPC) said in a statement that, “We commend the FBI for their recent Public Service Announcement which provides consumers with valuable information about the rollout of EMV Chip Cards in the United States, the ways in which their personal information is being protected and how they can effectively prevent fraud. Consumer education is a critical component of any effort to improve security and this announcement is an important part of the FBI’s ongoing effort to combat fraud and cybersecurity threats.”
“For decades,” EPC said, “the payments industry has invested in improving the security and safety of the electronic payments system. Most recently, this has taken the form of the rollout of EMV chip cards, which create a unique one-time code to authenticate debit and credit card transactions. This technology provides a new and effective way to essentially eliminate in-store counterfeit fraud when merchants turn on their chip readers. This has been clearly demonstrated in other countries around the world, where adoption of EMV has led to a decline in in-store counterfeit fraud by 60 percent to 70 percent.”
However, the trade group stated, “implementing EMV alone is not a panacea.” The group stated that, “Securing the payments system requires stopping fraudulent transactions wherever they may happen (in person, online, via mobile device or over the phone).”
And that requires a layered approach to security, including solutions like tokenization, encryption and biometrics.
“And, it’s not just about securing transactions,” EPC said. “Over the past few years, millions of Americans have seen their card information exposed as a result of merchant data breaches. Preventing breaches means the holders of that data – merchants – need to take basic security precautions like protecting their networks. Unlike the payments industry, which has a legal obligation to abide by security standards, merchants have fought tooth and nail to avoid having even basic rules.”
The trade group said, “These are all straightforward and effective steps that the payments industry is already taking to protect consumers, using technology that exists today. Unfortunately, instead of helping their members to implement these solutions – according to the Strawhecker Group, only 27 percent of merchants are ready to accept EMV chip cards – merchant trade associations are fighting every effort to improve security and make chip cards a reality.”
In fact … the National Retail Federation suggested merchants not invest in chip technology at all, the group pointed out, adding, “Make no mistake, merchant efforts to hamstring the roll-out of new security technologies are about politics, not consumers or security.”