FBI rewrote its PSA on credit card fraud after banks complained. Why?
The U.S. Federal Bureau of Investigation posted a public service announcement on the web last week warning that new microchip-enabled credit cards are not perfectly secure. (“Perfect security” is a pipe dream, so no surprises there.) Less than a day after the notice went up, a “page not found” message took its place.
After the post’s removal, an FBI spokeswoman told Fortune last Friday afternoon that “We’re in the process—our headquarters is in the process—of reviewing it because there is a clarity issue.”
“We’re going to put it back up,” said Kelly Langmesser, press contact in the local office. (She said to “keep checking back.”) “Part of the content needed some more clarity,” she added, though she said she could not say which part.
The FBI’s quiet retraction came just a week after the payment card fraud “liability shift” took effect on Oct. 1. The new policy, pushed by payment companies and banks, puts the cost of in-store fraudulent charges made with counterfeit cards onto merchants whose payment terminals cannot read chip-enabled cards; once a merchant updates its payment systems to accept the new cards, liability for covering those fraud costs switches back to the banks.
You can read about that controversial transition in this article in the Sept. 1, 2015 issue of Fortune, which describes why some retailers are unhappy about the terms of the deal. In short: the new technology, chip-enabled cards, makes it more difficult for thieves to make in-store purchases using fake credit cards spun up from stolen magnetic stripe data, but it is not as secure as it could be.
Other countries, such as Canada and a number of European states, have adopted an extra layer of security: a personal identification number (PIN) known only to the cardholder. This additional check stops criminals from making in-store purchases with a lost or stolen card unless they also know the PIN.
The subject of PINs, in fact, appears to be the reason why the FBI struck the first version of its PSA, though no one at the bureau has confirmed that as the reason.
With the liability battle between banks and merchants as backdrop, the FBI published a second, revised PSA on Tuesday at the same web address as the old post, available on the bureau’s Internet Crime Complaint Center site, with no indication that anything had changed. While the title of the post remained the same (“New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters”), the text bore differences.
Foremost, whereas the prior post advocated for the use of a PIN in conjunction with a chip-enabled credit card, the new post downplays this aspect. As Computerworld reported last weekend, the American Bankers Association, a lobbying group that represents many big players in the financial industry (and also a recent data breach victim), contacted the FBI and urged it “to revise and clarify its original post…to reduce confusion over the use of PINs with chip cards.” The banks complained, in other words.
Doug Johnson, senior VP of payments and cybersecurity policy at the association, told Fortune, “Once we saw the release we wanted to have a conversation with the bureau and make sure we were clear about what we thought were some issues with the release that might have some customer confusion related to it.” In particular, he cited the PSA’s recommendation of using a PIN; he noted that the vast majority of U.S. banks have decided not to enable this feature on their new credit cards. “It was up to the bureau to do whatever with that information,” he said.
Langmesser, speaking on behalf of the FBI, told Fortune in a follow-up email that the updated version of the PSA “was issued to clarify the security safeguards associated with EMV [chip-enabled card] technology and to highlight some of the potential vulnerabilities fraudsters and cyber criminals may try to exploit.” She did not expand on the nature of the PIN changes when pressed.
So what changed between the two versions of the PSA? Here’s a rundown of the major revisions.
In the first copy, the introductory paragraph concluded:
“While EMV cards offer enhanced security, the FBI is warning law enforcement, merchants, and the general public that these cards can still be targeted by fraudsters.”
In the new version, there is a subtle shift of focus off the cards. It states, instead, that “…no one technology eliminates fraud and cybercriminals will continue to look for opportunities to steal payment information.” (Emphasis Fortune’s.)
See the difference?
Here’s another change. While the first post made it seem as though PINs are enabled by default in the U.S., the latter version clarified the reality: They’re not.
The original: “This [embedded microchip] allows merchants to verify the card’s authenticity by the cardholder’s personal identification number (PIN), which is known only to the cardholder and the issuing financial institution.”
And revised: “When the card is equipped with a personal identification number (PIN), which is known only to the cardholder and the issuing financial institution, issuers will be able to verify the user’s identity. Currently, not all EMV cards are issued to consumers with the PIN capability and not all merchant PoS terminals can accept PIN entry.”
The first makes it seem as though the chip cards automatically come with PINs, which is not the case.
The coup de grâce of revisions arrives in the final section, under the heading “Defense.” While the original post recommends using a PIN instead of a signature to authorize transactions, the revised post omits this guidance entirely. When making purchases, “consumers should use the PIN, instead of a signature, to verify the transaction,” the first version reads. There is no equivalent in the newer version.
It’s not surprising that the FBI’s well-intentioned PSA has been caught in the cross-fire of this heated dispute. Payment companies like Visa and MasterCard have been waging a charm offensive to win support in their push for chip-and-signature cards. But many retailers and merchants have a long list of gripes about the forced transition, not least the absence of a mandate for chip-and-PIN cards, which they say would better secure payment and consumer data. (Even though banks are typically responsible for covering the costs of the lost or stolen credit card fraud that PINs protect against, anyway.)
Payment companies, for their part, maintain that newer authentication technologies, like facial recognition and fingerprint scanning, could replace signatures and PINs altogether. Tokenization technology, which replaces the real card number with a substitute value that is useless outside the merchant or device it was issued for, renders stolen card numbers effectively worthless and could help eliminate the costs associated with more prevalent fraud, such as that which occurs online, too.
It’s worth noting that this is not the first time the FBI has backtracked on a cybersecurity tip.
Earlier this year, the FBI had recommended on its website that people activate encryption on their phones to secure their data against criminals. Later, the bureau struck that safety pointer from the record around the same time that the law enforcement agency began testifying about its desire to have access to encrypted data on devices such as Apple iPhones, which by then had adopted strong encryption by default. (In March, the FBI told the National Journal that the tips were deleted unintentionally as part of “the agency’s ongoing website redesign.”)
The FBI’s new advisory is legitimately clearer in many respects, which is good given how convoluted the fraud liability subject is. The quiet nixing of the PIN recommendation, however, is more questionable. PINs are definitively more secure than signatures in protecting against lost or stolen card fraud, although they’re arguably less convenient for shoppers.