The FBI has issued a warning about new chip credit and debit cards being issued to consumers, saying, “When using the EMV (Europay, MasterCard and Visa) card at a PoS terminal, consumers should use the PIN, instead of a signature, to verify the transaction.”
“By October 2015, many US banks will have replaced millions of traditional credit cards, which rely on data stored on magnetic strips, with new credit cards containing a microchip known as an EMV chip,” the FBI said. But, “While EMV cards offer enhanced security, the FBI is warning law enforcement, merchants, and the general public that these cards can still be targeted by fraudsters.”
The FBI warned that the “small gold chip found in many credit cards” referred to as “an EMV chip,” “chip-and-signature,” “chip-and-pin” or “smart” cards are now the global standard for credit card security, and, “Unlike traditional credit cards that store data on a magnetic strip, EMV cards store card data in tiny integrated circuits and are authenticated when the cardholder inputsa PIN into a point of sale (PoS) terminal.”
“Although EMV cards will provide greater security than traditional magnetic strip cards, they are still vulnerable to fraud,” the FBI warned this week, noting that, “EMV cards can be counterfeited using stolen card data obtained from the black market. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the PoS terminal is infected with data-capturing malware. Further, the EMV chip will likely not stop stolen or counterfeit credit cards from being used for online or telephone purchases where the card is not physically seen by the merchant and where the EMV chip is not used to transmit transaction data.”
“Consumers should closely safeguard the security of their EMV cards,” the FBI stressed, saying, “this includes being vigilant in handling, signing and activating a card as soon as it arrives in the mail; reviewing credit card statements for irregularities; and promptly reporting lost or stolen credit cards to the issuing bank. When using the EMV card at a PoS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card. Consumers should also shield the keypad from bystanders when entering their card PIN.”
The FBI explained that, “With traditional credit cards, the magnetic strip on the back of the card contains data and personal information about the cardholder. This information is used to authenticate the card at the PoS before the purchase is authorized."
"While most EMV cards still retain the traditional magnetic strip and the cardholder’s signature on the back of the card, they offer the additional enhancement of the microchip embedded into the card," the FBI stated. "This allows merchants to verify the card’s authenticity by the cardholder’s personal identification number (PIN), which is known only to the cardholder and the issuing financial institution. In addition, EMV cards transmit transaction data between the merchant and the issuing bank with a special code that is unique to each individual transaction. This provides the cardholder greater security and makes the EMV card less vulnerable to hacking while the data is transmitted from the PoS to the issuing bank.”
The FBI’s advisory urged merchants “to require consumers to enter their PIN for each transaction, in order to verify their identity,” and “if a consumer uses a signature, merchants should ask to also see a government-issued photo identification card to verify the cardholder’s identity.”
The FBI further encouraged merchants to handle EMV cards and their data with the same security precautions they use for standard credit cards.
“Merchants handling sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions,” the FBI cautioned. “At a minimum,” the Bureau stated, “merchants should use secure servers and payment links for all Internet transactions with credit cards, and information should be encrypted, if possible, to avert hackers from compromising card information provided by consumers. Credit card informationtaken over the telephone should be encrypted, and any written copies of the card information should be securely disposed.”
“Retailers have long-argued that PINs are essential to providing cardholders with the security that they deserve. The FBI’s alert should be a wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the US just as it has been around the world for years,” said Brian Dodge, executive vice president of the Retail Industry Leaders Association, (RILA), the trade association of the world’s largest and most innovative retail companies.
“Retailers have invested billions to implement new chip-enabled card readers in stores nationwide. Now, retailers are asking banksand credit unions to meet that commitment by issuing new chip cards with PINs,” Dodge said.
RILA said in a statement that, “It is high time for banks and credit unions to heed the words of both the FBI and the Federal Reserve and issue consumers the most secure standard of payment—chip-and-PIN cards.”
Continuing, RILA said the FBI’s “warning states what retailers have been saying all along, which is that the new chip cards issued by banks need an accompanying PIN. Retailers have consistently urged banks and credit unions to ditch the signature and adopt the PIN. US banks and credit unions have argued that the chip is enough, and will prevent counterfeit chargess from being made.”
RILA stressed that, “The FBI alert also urges retailers to require that PINs be used at the point of sale. Unfortunately, merchants cannot force consumers to enter a PIN if a card has been issued without one, and further, card network rules prohibit merchants from requiring a PIN when one exists.”
"The deployment of EMV chip cards in the United States represents an important step forward. But we should not stop there," Federal Reserve Gov. Jerome Powell told The American Banker, adding, "New approaches to authentication increasingly offer greater assurance and protection. Given the current technologies that we have at our disposal, we should assess the continued use of signatures as a means of authenticating card transactions."
A 2013 study by the Federal Reserve found that using PINs in debit card transactions reduced fraud by 700 percent.
If you believe you have been a victim of credit card fraud, reach out to your local law enforcement or FBI field office, and file a complaint with the Internet Crime Complaint Center (IC3) at www.IC3.gov.