- Bureau's suggestion to use PINs on credit cards sets off furor
- Director Comey faces Senate questions about the incident
Perhaps the FBI should have stuck to catching bank robbers, rather than weighing in on bank cards.
Last month, the nation’s premier law enforcement agency issued a seemingly innocuous fraud alert telling shoppers to use a PIN with new credit cards embedded with computer chips. Though the goal was to promote security, the bureau instead found itself ensnared in a decade-long dispute between banks and retailers, in which about $50 billion in annual fees are at stake.
The blowback from both sides has been intense.
Banks said they were blindsided by the notice and forced the bureau to retract it. Next, a senior Democratic senator demanded to know why the alert mysteriously disappeared, asking if the Federal Bureau of Investigation was “taking appropriate steps to protect consumers.” A merchants group then accused the “banking lobby” of lying to the agency.
“The FBI has accidentally stepped in a hot-button political issue,” said Nick Holland, who tracked the incident as an analyst at Javelin Strategy & Research, a consulting firm that focuses on the payments industry.
Welcome to the fight over credit-card swipe fees, one of the more antagonistic, long-running battles in Washington where retailers like Wal-Mart Stores Inc. and Target Corp. vie against financial firms including Visa Inc. and JPMorgan Chase & Co. Both sides retain armies of lobbyists, trade associations and public relations specialists to push their agendas. The fight over personal identification numbers, or PINs, is the latest front.
Retailers have long fumed about the cost of accepting credit cards -- about 2 percent of each transaction. Those swipe fees, also known as interchange, are set by Visa and MasterCard. Most of the money ultimately goes to banks, which say they use it to fund security and technology upgrades and cardholders’ beloved reward programs. Merchants counter that reducing the payments will lower prices at the register.
By weighing in on PINs, the FBI inadvertently backed a retailer strategy to slice interchange fees, according to Holland and other analysts tracking the payments industry. But that’s difficult to understand unless one is steeped in the intricacies of the complex policy debate.
On one side, banks oppose setting PINs for credit cards, partly because their research shows it will anger shoppers by slowing them down at the register. And that might prompt them to pay other ways. The firms also are concerned merchants will use the extra security feature to argue credit cards are essentially like debit cards, which use PINs and carry a much lower swipe fee.
Merchant groups say PINs are about protecting shoppers, and that the FBI’s warning proved that. They deny playing any role in getting the bureau involved.
“The FBI’s alert should be a wake-up call to the banks,” said Brian Dodge, a spokesman for the Retail Industry Leaders Association.
The FBI got its own wake-up call from the financial industry. The next day, bank lobbyists took credit for getting the alert taken down after telling the bureau it contained many inaccuracies.
“We did have a conversation with the bureau," said the American Bankers Association’s cyber-security expert, Doug Johnson. “Our main concern, frankly, was the characterization of PIN."
Both retailers and banks concede it’s a fight over fees wrapped in an argument about security. Still, they each blame the other side for that.
“Clearly money is behind it," Mallory Duncan, general counsel at the National Retail Federation, said of the banks’ resistance to issuing cards with PINs.
It’s the merchants who are being disingenuous in backing PINs, said Sam Geduldig, a partner at CGCN Group who lobbies on behalf of a coalition of card companies. “You can’t even engage in a serious discussion about consumer security without some of the retailers turning it into a backdoor, nonsensical argument about interchange,” he said.
The FBI’s Oct. 8 warning was timed to coincide with the U.S. rollout of chip cards, which consumers have been getting in the mail to replace cards that only had a magnetic strip on the back. Chip technology makes it virtually impossible for criminals to create counterfeit cards using a stolen account number. Before cyber attacks surged, retailers resisted that rollout because they didn’t want to replace costly credit-card readers. Now they are advocating PINs, which would make it even harder for criminals to take lost or stolen cards on shopping sprees.
A day after its alert was taken down, the FBI released a revised version, omitting the PIN recommendation. FBI spokeswoman Carol Cratty declined to comment on the flap except to say that the bureau had reissued the statement “to clarify the security safeguards associated" with chip cards.
Asked at an Oct. 22 congressional hearing about why the consumer alert was withdrawn, FBI Director James Comey said the first version was “a miss on our part” because the bureau didn’t realize that few stores or cards are equipped to handle the use of PINs. “We withdrew because our worry was we’re going to confuse a whole lot of people who are going to roll into places saying, ‘Where is the chip and PIN?’” he told the House Judiciary Committee. “And it isn’t widely available.”
The change is now facing scrutiny from Senator Richard Durbin, a longtime supporter of the retail industry who sponsored a controversial provision in the 2010 Dodd-Frank Act that required a reduction in swipe fees for debit cards. The Illinois Democrat wrote Comey, inquiring about the role of the bankers’ association in getting the notice changed. Durbin wondered whether the FBI was being hoodwinked by the banks.
“Is the FBI aware that payment card networks and banks in the United States have an incentive to dissuade consumers and merchants from using PINs?” Durbin wrote. “Is the FBI concerned that this incentive may cause card networks and banks to set security specifications that seek to maximize fee revenue instead of maximizing fraud prevention?”
Comey must respond to Durbin by Nov. 15. This time, at least, the bureau will know that both banks and merchants are ready to pounce on every word.