WHY NO PIN ON EMV CREDIT CARDS? A CASE FOR THE FBI
The new “EMV” credit cards slowly making their way into consumers’ wallets are somewhat better at stopping fraud than their magnetic stripe predecessors. But the U.S. version of EMV is not nearly what it is cracked up to be.
Earlier this month, the Federal Bureau of Investigation issued a public service announcement warning that the computer microchips used in EMV cards are only partially protective and saying the cards should be used with a PIN, rather than a signature, in order to really reduce fraud.
The FBI announcement was not groundbreaking — it reflected the consensus of virtually all informed security experts. For years, experts have said that payment cards protected by secret PINs make life difficult for the bad guys, be they card counterfeiters, card pilferers or Internet thieves. Beyond U.S. borders, PINs are routinely used on credit cards, and have been for 20 years or more in some places. Here at home, consumers use PINs every day to withdraw cash from ATMs, and many use PINs when they pay with debit cards at retail stores.
So, while the FBI’s warning might not have been groundbreaking news, what happened next most certainly was.
In response to an outcry from bankers, the FBI pulled down its strong, common sense warning and replaced it with a watered-down public service announcement that was scarcely a public service. The initial announcement’s recognition of PINs’ effectiveness was largely replaced by a milquetoast recommendation to use cards safely.
The FBI explained that the original release needed factual clarifications. And you can’t really blame them for the confusion.
In urging the public to use a PIN with their EMV cards, our nation’s top law enforcement agency took the banks’ ballyhooed rollout of EMV cards to mean exactly what it does nearly everywhere else in the world: cards that have both a chip and a PIN. That’s the standard from Europe to Asia.
What the FBI missed was that the EMV cards being issued in the United States are chip-and-signature rather than chip-and-PIN.
Yes, signature. You don’t need to be a security expert to know that an illegible scrawl is virtually worthless as a fraud prevention device. Could a store clerk without a degree in handwriting analysis tell your signature from a forgery if her life depended on it? Do banks let customers use a signature when taking money out of an ATM? Yet signatures are what banks want to use to “protect” billions of dollars in daily transactions with their new generation of credit cards.
Even the card industry acknowledges the superiority of PINs. On its Australian website, Visa portrays chips and PINs as going hand-in-hand to make cards secure, and emphasizes that the PIN “uniquely identifies the owner of the card and prevents it from being used by someone else.”
Replacing the cards in your wallet is a hassle for consumers. And replacing magnetic-stripe card readers with chip-card readers is costing businesses from retailers to doctors’ offices between $30 billion and $35 billion nationwide. The new readers are virtually all PIN-ready since they’re made for the international market and come equipped that way whether the function is used or not. But after insisting that merchants spend tens of billions of dollars on new card readers, banks are refusing to spend the relatively small amount it would cost to add PINs to their cards. We are all suffering for their savings, because it means that the highly touted new EMV cards offer only a fraction of the protection they are capable of and remain fraud-prone from the get-go. That’s what the banks call progress?
No wonder the FBI was confused.