SAN DIEGO — The U.S. Federal Bureau of Investigation (FBI) has issued a warning to law enforcement, merchants and consumers that credit cards with the new EMV (Europay MasterCard and Visa) chip can still be the target of fraud.
When using the EMV card at a point-of-sale (POS) terminal, consumers should use the personal identification number (PIN) instead of a signature to verify the transaction, the agency said.
Retail groups including the National Retail Federation (NRF) and the National Association of Convenience Stores (NACS) are telling lawmakers that the new chip cards need PINs to be more secure and effective.
“What the FBI is saying is what the rest of the world already sees as common sense,” Mallory Duncan, senior vice president and general counsel for the National Retail Federation (NRF), said. “It’s the right thing to do, and we hope the banks are listening.”
He added, “Retailers are determined to protect their customers. That’s why we are pushing the banks to use all of the security the new cards are capable of providing, not just half. They shouldn’t lock the front door but leave the back door wide open.”
The FBI is “encouraging consumers to use PIN and they’re encouraging merchants to request PIN—the only thing missing is to encourage the banks to issue PIN cards,” Duncan said.
By October 2015, many U.S. banks will have replaced millions of traditional credit cards with new cards containing the EMV chip. Cards containing the chip are known as EMV cards, as well as “chip-and-signature,” “chip-and-PIN,” or “smart” cards. EMV chips are now the global standard for credit-card security.
Unlike traditional credit cards that store data on a magnetic strip, EMV cards store card data in integrated circuits and are authenticated when the cardholder inputs a personal identification number (PIN) into a point-of-sale (POS) terminal.
While EMV cards still retain the traditional magnetic strip, they transmit transaction data between the merchant and the issuer with a special code that is unique to each individual transaction. This provides the cardholder greater security and makes the EMV card less vulnerable to hacking while the network transmits the data from the POS to the issuer; however, they are still vulnerable to fraud.
EMV cards can be counterfeited using stolen card data obtained from the black market. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the POS terminal is infected with data-capturing malware. Further, the EMV chip will likely not stop stolen or counterfeit credit cards from being used for online or telephone purchases where the merchant does not actually see the card and where the network does not us the EMV chip to transmit transaction data.
The FBI is encouraging merchants to require consumers to enter their PIN for each transaction in order to verify their identity. If a consumer uses a signature, merchants should ask to also see a government-issued photo ID to verify the cardholder’s identity.
The FBI encourages merchants to handle the EMV card and its data with the same security precautions they use for standard credit cards.
Click here to view the full FBI warning.