Chase’s tweet backing PIN credit cards was a mistake, bank says

JP Morgan Chase Bank tweeted in error that its chip credit cards would be getting PIN security, a bank spokesman confirmed Thursday.

The tweet, posted mid-day on Wednesday by @ChaseSupport, said: “Your security is our priority! We’re planning to add Chip and PIN to our credit cards in the near future.”

“That tweet was sent in error yesterday,” said JP Morgan Chase Bank spokesman Paul Hartwick in an email to Computerworld. “At this time we do not have current plans to offer chip-and-PIN credit cards.”

[ ALSO ON CSO: Why have most merchants missed the EMV deadline? ]

The bank, one of the nation’s largest card issuers, has already distributed 64 million of the newer, more secure chip cards, he said. Of those, 51 million are credit cards and 13 million are debit cards. The vast majority are on Visa’s network and some are on MasterCard’s.

Chase’s chip-embedded debit cards require a PIN (personal identification number), while its chip credit cards require a signature to make a purchase, although some merchants require neither on purchases under $25 or so.

The tweeted error may not seem significant, except that most banks back a signature alternative to the PIN. Retailers, meanwhile, have battled to require the use of a PIN with a credit card to protect against fraud in cases of theft or a lost card and for online and phone purchases.

“Looks like someone at Chase is in trouble for accidentally telling the truth,” said Jason Brewer, a spokesman for the Retail Industry Leaders Association, in response to Chase’s tweet.

In response to Brewer, Hartwick said the mistaken Chase tweet “was simply an error — we certainly try to avoid them, but mistakes can happen. ” Chase first announced it would issue chip cards in early 2014, but didn’t say whether they would be PIN- or signature-backed, Hartwick said.

Brewer pointed out that FBI Director James Comey had told members of the U.S. Senate Judiciary Committee, which was meeting on another issue on Thursday, that FBI experts believe PIN and chip transactions are more secure than signature and chip.

The FBI recently posted a cybersecurity warning about use of chip cards, initially urging PIN security, but that post was later softened.

On Wednesday, the U.S. House Small Business Committee heard from several business owners and managers about the need for PIN security with chip credit cards.

Bankers generally have been emphatic about opposing chip-and-PIN, with a few exceptions. Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association flatly told Computerworld on Oct. 9 that “PIN is not going to be adopted in the U.S.”

On Thursday, ABA CEO Frank Keating, in an emailed statement, called PIN a “static technology that only addresses a small and steadily declining share of fraud.” The declining share of fraud he referred to is from loss and theft of a card, whereas the bigger concern is fraud against merchant computer systems.

“The high profile retail data breaches that compromised millions of Americans card accounts weren’t caused by petty thieves snatching cards out of wallets — they were caused by criminals exploiting gaps in retailers’ systems,” Keating said. “The financial services community is hard at work on innovative future technologies like tokenization, encryption and biometrics, while the retail lobby remains fixated on … PIN.”