FBI's warning to consumers to use PINs with chip cards stokes controversy and backlash

The FBI's warning to consumers that they should use PINs with their new chip-enabled credit and debit cards is setting off a new fight between banks and retailers, and triggering a little bit of controversy too.

The FBI issued a warning Thursday that encouraged consumers to use their PINs with chip cards, instead of just signing sales receipts.

The problem is: Most new credit and debit cards being issued in the United States aren't enabled with PINs.

Groups representing retailers pounced on that during the weekend, because merchants have been lobbying intensely for at least a year that credit and debit cards aren't nearly as secure if they don't contain PINs.

Here's what the FBI said Thursday in a public service announcement under the headline:"New Microchip-Enabled Credit Cards May Still Be Vulnerable to Exploitation by Fraudsters."

"When using the EMV card at a PoS (point-of-sale) terminal," the FBI said, "consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card."

The link to the alert has now been removed from the FBI's website and FBI offices around the country are now republishing the warning but omitting the advice about using a PIN, apparently because it's not an option to the majority of us. An FBI spokesperson couldn't be reached Monday since it's a federal holiday.

Banks for the past year have been rolling out credit and debit cards that contain microprocessor chips that make transactions at stores and restaurants more secure when the payment terminals contain software to read the chips. You know you have a card with a chip if it has a half-inch metallic box on the front.

A transaction with a chip card is approved using a one-time authentication code, so even if the information is stolen in a data breach, such as the ones at Target and Home Depot, the data could not be used to create counterfeit cards that could be used at other chip-enabled payment terminals.

That's good, but the cards would be even more secure if consumers had to punch in PINs to use the cards.

Banks in the United States, however, have chosen not to convert to cards with PINs at this point. Cards with PINs are standard in Europe and many other parts of the world. Using a PIN can make a transaction up to 700 percent more secure, according to the Retail Industry Leaders Association, an industry trade association, which cites a Federal Reserve study.

"This warning states what retailers have been saying all along, which is that the new chip cards issued by banks need an accompanying PIN. Retailers have consistently urged banks and credit unions to ditch the signature and adopt the PIN," the RILA said in a statement. "U.S. banks and credit unions have argued that the chip is enough, and will prevent counterfeit charges from being made."

Added Brian Dodge, executive vice president of RILA, "Retailers have long-argued that PINs are essential to providing cardholders with the security that they deserve. The FBI's alert should be a wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the U.S. just as it has been around the world for years."

The powerful National Retail Federation also quickly came out swinging: "What the FBI is saying is what the rest of the world already sees as common sense," NRF Senior Vice President and General Counsel Mallory Duncan said. "It's the right thing to do, and we hope the banks are listening.

"Retailers are determined to protect their customers," Duncan added. "That's why we are pushing the banks to use all of the security the new cards are capable of providing, not just half. They shouldn't lock the front door but leave the back door wide open."

Banks and other card issuers say that chip cards without PINs should address about 40 percent of the credit and debit card fraud in this country. Adding PINs would indeed be an extra layer of protection, banks say, but perhaps only 10 to 15 percent of card fraud could be prevented with PINs.

When asked about stores and restaurants that don't have PIN capability, National Retail Federation spokesman Craig Shearman said, "And all of the new chip card readers have PIN pads - the manufacturers of them make them for the international market, so the readers have PIN capability whether it's turned on or not."

He added that it may not be obvious that a terminal can actually process a PIN. "Keep in mind that just because you don't see keypads, that doesn't mean a terminal can't do PIN. With some of them, it's 'virtual' keys on an LCD just like a smartphone that doesn't have physical keys to punch.

There are some types of businesses, such as sit-down restaurants, that don't have payment terminals with PIN pads. Jason Brewer, spokesman for RILA, said, "You are correct on the restaurant side of things that this would ultimately require new equipment, particularly for sit-down establishments."

Oct. 1 was the deadline for banks to replace 1.2 billion credit and debit cards in the United States with the new EMV chip cards and for retailers to install new technology in 10 million payment terminals nationwide. The mandate set by MasterCard, Visa, Discover and American Express says that any banks or retailers that haven't rolled out EMV chip technology with new cards and terminals will be liable for any fraud that occurs at a point-of-sale transaction. (Gasoline stations have two extra years to convert to pumps that process chip cards.)

Still, more than half the cards in people's wallets haven't yet been replaced with chip cards. If you don't have one yet, you can still use your old card. And more than half of the payment terminals nationwide haven't been converted to the new technology. Those percentages are expected to improve dramatically by year end.

If you purchase a product or register for an account through a link on our site, we may receive compensation. By using this site, you consent to our User Agreement and agree that your clicks, interactions, and personal information may be collected, recorded, and/or stored by us and social media and other third-party partners in accordance with our Privacy Policy.