Senator asks whether FBI succumbed to pressure from banking industry

Senator asks whether FBI succumbed to pressure from banking industry
© Greg Nash

Senate Assistant Democratic Leader Dick DurbinRichard (Dick) Joseph DurbinDemocrats seek to exploit Trump-GOP tensions in COVID-19 talks The Hill's Campaign Report: Who will Biden pick to be his running mate? Don't count out Duckworth in Biden VP race MORE (D-Ill.) on Thursday asked that the FBI explain why it removed a data security recommendation for consumers using new credit and debit card technology.

On Oct. 8, the FBI posted a consumer protection advisory stating that new cards equipped with microchip technology were still vulnerable to fraud and that authentication through a personal identification number (PIN) rather than a signature should still be used to verify transactions.

ADVERTISEMENT

On Oct. 13, the agency released a revised version of the advisory without the recommendation that consumers and merchants use PINs.

Citing media reports that the FBI succumbed to pressure from the banking industry, Durbin demanded to know if the American Bankers Association had contacted the agency.

“The revisions to the FBI advisory raise significant questions about whether current security technology is adequately protecting consumers and whether the FBI is taking appropriate steps to warn against and deter payment card fraud involving lost or stolen cards,” Durbin wrote in a letter to FBI Director James Comey.

“Did the American Bankers Association request that the advisory’s recommendations for consumers and merchants to use PINs be removed?”

The first advisory came a week after an Oct. 1 deadline, when merchants who had not upgraded their technology to accept microchip cards became responsible for covering the cost of fraudulent transactions.

Proponents say the move will drastically reduce counterfeit fraud and help thwart hackers. But disputes over the best form of verification have slowed adoption.

Major retailers largely back PINs as the best form of verification, while financial institutions support signatures.

“While EMV is a step in the right direction that will lead to greater economic efficiency, implementation has been slow on both sides of the equation,” Rep. Nydia Velázquez (D-N.Y.), the top Democrat on the House Small Businesses Committee, said in October.

“Many financial institutions and even more merchants are not yet in compliance. The main barriers have been a lack of awareness in the small business community, high costs to upgrade and disagreements over verification methods.”

Following the original FBI advisory, American Bankers Association senior vice president of payments and cybersecurity policy Doug Johnson told Computerworld that the FBI advisory “was not really reflective of the U.S. marketplace” and that “PIN is not going to be adopted in the U.S.”

"We saw the PSA yesterday and spoke to the FBI after we saw it and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN," Johnson told the publication on Oct. 9.

Retailers believe that “PINs are essential to providing cardholders with the security that they deserve,” said Brian Dodge, executive vice president of the Retail Industry Leaders Association, in a statement issued the day of the original advisory.

He characterized the advisory that recommended PINs as a "wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the U.S. just as it has been around the world for years."

In his letter, Durbin suggested that the incentive for financial institutions to press for signature use is not driven by security concerns. 

"Is the FBI aware that payment card networks and banks in the United States have an incentive to dissuade consumers and merchants from using PINs because the fees that networks and banks receive on non-PIN transactions are higher than on PIN transactions?" Durbin asked. 

"Is the FBI concerned that this incentive may cause card networks and banks to set security specifications that seek to maximize fee revenue instead of maximizing fraud prevention?"
 
Durbin and the banking industry have had an acrimonious relationship in recent years, dating back to the senator's sponsorship of legislation that cut the amount that can be charged merchants for “swipe fees” on debit cards.