[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]




                      CREDIT CARD DATA PROCESSING:
                           HOW SECURE IS IT?

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 21, 2005

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 109-48





                    U.S. GOVERNMENT PRINTING OFFICE
                           WASHINGTON : 2006 



                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana          PAUL E. KANJORSKI, Pennsylvania
DEBORAH PRYCE, Ohio                  MAXINE WATERS, California
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             MELVIN L. WATT, North Carolina
ROBERT W. NEY, Ohio                  GARY L. ACKERMAN, New York
SUE W. KELLY, New York, Vice Chair   DARLENE HOOLEY, Oregon
RON PAUL, Texas                      JULIA CARSON, Indiana
PAUL E. GILLMOR, Ohio                BRAD SHERMAN, California
JIM RYUN, Kansas                     GREGORY W. MEEKS, New York
STEVEN C. LaTOURETTE, Ohio           BARBARA LEE, California
DONALD A. MANZULLO, Illinois         DENNIS MOORE, Kansas
WALTER B. JONES, Jr., North          MICHAEL E. CAPUANO, Massachusetts
    Carolina                         HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois               RUBEN HINOJOSA, Texas
CHRISTOPHER SHAYS, Connecticut       JOSEPH CROWLEY, New York
VITO FOSSELLA, New York              WM. LACY CLAY, Missouri
GARY G. MILLER, California           STEVE ISRAEL, New York
PATRICK J. TIBERI, Ohio              CAROLYN McCARTHY, New York
MARK R. KENNEDY, Minnesota           JOE BACA, California
TOM FEENEY, Florida                  JIM MATHESON, Utah
JEB HENSARLING, Texas                STEPHEN F. LYNCH, Massachusetts
SCOTT GARRETT, New Jersey            BRAD MILLER, North Carolina
GINNY BROWN-WAITE, Florida           DAVID SCOTT, Georgia
J. GRESHAM BARRETT, South Carolina   ARTUR DAVIS, Alabama
KATHERINE HARRIS, Florida            AL GREEN, Texas
RICK RENZI, Arizona                  EMANUEL CLEAVER, Missouri
JIM GERLACH, Pennsylvania            MELISSA L. BEAN, Illinois
STEVAN PEARCE, New Mexico            DEBBIE WASSERMAN SCHULTZ, Florida
RANDY NEUGEBAUER, Texas              GWEN MOORE, Wisconsin
TOM PRICE, Georgia                    
MICHAEL G. FITZPATRICK,              BERNARD SANDERS, Vermont
    Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina
JOHN CAMPBELL, California

                 Robert U. Foster, III, Staff Director
              Subcommittee on Oversight and Investigations

                     SUE W. KELLY, New York, Chair

RON PAUL, Texas, Vice Chairman       LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California          DENNIS MOORE, Kansas
STEVEN C. LaTOURETTE, Ohio           CAROLYN B. MALONEY, New York
MARK R. KENNEDY, Minnesota           STEPHEN F. LYNCH, Massachusetts
SCOTT GARRETT, New Jersey            ARTUR DAVIS, Alabama
J. GRESHAM BARRETT, South Carolina   EMANUEL CLEAVER, Missouri
TOM PRICE, Georgia                   DAVID SCOTT, Georgia
MICHAEL G. FITZPATRICK,              DEBBIE WASSERMAN SCHULTZ, Florida
    Pennsylvania                     GWEN MOORE, Wisconsin
GEOFF DAVIS, Kentucky                BARNEY FRANK, Massachusetts
PATRICK T. McHENRY, North Carolina
MICHAEL G. OXLEY, Ohio


                            C O N T E N T S

                              ----------                              
Hearing held on:
    July 21, 2005
Appendix:
    July 21, 2005

                               WITNESSES
                        Thursday, July 21, 2005

Duncan, Mallory, General Counsel, National Retail Federation
Gorgol, Zyg, Senior Vice President, Fraud Risk Management, 
  American Express
Hendricks, Evan, Editor and Publisher, Privacy Times
Minetti, Carlos, Executive Vice President, Cardmember Services, 
  Discover Card
Peirez, Joshua L., Senior Vice President & Associate General 
  Counsel, Law Department, MasterCard International
Perry, John M., President and Chief Executive Officer, 
  CardSystems Solutions, Inc.
Ruwe, Steve, Executive Vice President, Operations & Risk 
  Management, Visa U.S.A. Inc.
Watson, David B., Chairman, Merrick Bank

                                APPENDIX

Prepared statements:
    Castle, Hon. Michael N.
    LaTourette, Hon. Steven C.
    Duncan, Mallory
    Gorgol, Zyg
    Hendricks, Evan
    Minetti, Carlos
    Peirez, Joshua L.
    Perry, John M.
    Ruwe, Steve
    Watson, David B.

              Additional Material Submitted for the Record

LaTourette, Hon. Steven C.:
    ARMA International statement
    Cardholder Transaction Process chart

 


                        Thursday, July 21, 2005

             U.S. House of Representatives,
      Subcommittee on Oversight and Investigations,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:13 a.m., in 
room 2128, Rayburn House Office Building, Hon. Sue Kelly 
[chairwoman of the subcommittee] presiding.
    Present: Representatives Kelly, Pryce, Bachus, Castle, 
Kennedy, Garrett, Renzi, Price, McHenry, Gutierrez, Maloney, 
Hooley, Moore of Kansas, Matheson, Scott, Davis of Alabama, and 
Cleaver.
    Chairwoman Kelly. I call this hearing on the Subcommittee 
on Oversight and Investigations to order.
    Over the last few months, disturbing information has come 
to light about breaches in data security across the financial 
services industry. Millions of consumers have found out that 
their personal information may have been compromised. Millions 
more are now worried about personal data protection with the 
attention given these breaches.
    This is an issue that personally affects all of us. In 
cities and towns across my congressional district in New York 
and all across our country, we rely on credit cards day in and 
day out. We expect nothing less than a safe and secure system 
of processing them.
    These breaches harm the network of financial transactions 
that gives the United States the most productive economy in the 
world. These breaches cause consumers to lose confidence in the 
payment systems that drive sales growth. They impose new risks 
and costs on merchants and threaten some with the loss of 
customers and their livelihood. We need to do everything 
possible to ensure that our personal information remains 
privileged and protected when we make any financial 
transaction.
    Today's hearing will deal specifically with the recent data 
breach at CardSystems where more than 40 million credit card 
accounts of 4 major credit card brands may have been exposed. 
At least 200,000 accounts were definitely stolen, and evidence 
exists that a routine may have been in place to allow the 
culling of credit card information on a regular basis.
    In response to these breaches, Visa and American Express 
are terminating their relationship with CardSystems, while the 
company itself is putting in new measures to ensure data 
security.
    Yesterday, in testimony to the Financial Services 
Committee, Federal Reserve Chairman Greenspan noted that 
increased regulations may have the consequence of killing the 
electronic innovation and productivity that have kept our 
economy and our markets growing. He also noted that in a free 
market economy all companies that hold personal data have a 
huge financial incentive to keep it as secure as possible. 
Unfortunately, in this case and others, those incentives either 
failed or were overcome by the financial incentives of fees.
    What we need to learn today from the witnesses in this case 
is, what happened, what was supposed to happen, and what can be 
done to prevent this from happening again.
    I welcome the witnesses, and I yield now to the gentleman 
from Illinois.
    Mr. Gutierrez. Good morning. I want to thank Chairwoman 
Kelly for calling this hearing entitled, "Credit Card Data 
Processing: How Secure Is It?" I think the answer to many 
people reading the news lately is, not secure enough.
    Data security is very important to many of us here on this 
committee, and I am pleased that we will be joined later on by 
some of our colleagues who will ask to participate.
    This issue is also personally important to me. I am proud 
to have served as a conferee on the FACT Act, which dealt with 
similar issues.
    In March, I coauthored a bill with Congresswoman Melissa 
Bean on this issue, and I am proud to be an original cosponsor 
of the recent bill introduced by Representatives Bean and Artur 
Davis. There are many other worthy bills on this topic, and I 
suspect we are going to be working together to craft a solution 
before the end of the year.
    We need to understand what happened here and where the gaps 
in the law are so they can be fixed. We also need to determine 
the proper way to notify and protect consumers and inform the 
credit rating agencies when consumer data compromise can lead 
to identity theft. We need to make sure that consumer 
notification takes place in language the consumer can 
understand.
    I look forward to hearing from the witnesses so that we can 
learn from the problems they experience and minimize similar 
occurrences. At the proper time, I will inquire about the audit 
processes or credit processes and how CardSystems could have 
been certified while maintaining an adequate software and 
retaining customer data in violation of its Visa contract.
    Additional checks and balances may be necessary in the 
system of certification. The largest banks, I am told, have 
supervision in the form of professional examiners from their 
regulator onsite every day of the year. It might make sense to 
employ a similar process when we are talking about security of 
large amounts of data in an entity that is not a bank but is 
performing functions of a bank. It would also be helpful to 
determine the actual scope of the compromised data and the 
degree of fraudulent activity that may be related to this 
incident.
    I am pleased to welcome all of the witnesses, and I 
especially want to welcome Evan Hendricks whose quarter century 
of expertise proved invaluable during consideration of the FACT 
Act issues, and I am certain he will be helpful today. I 
understand that he has a plane to catch early this afternoon, 
but we are especially grateful that he could make the time to 
be with us today.
    Thank you so much, Mr. Hendricks, for being here.
    We have been joined by Mr. Matheson, and I ask unanimous 
consent that he be permitted to make an opening statement.
    Chairwoman Kelly. So moved.
    We have been joined by a number of members who are not on 
this particular subcommittee but that are on the Financial 
Services Committee as a whole. We are honored by their 
presence. We have Mr. Kennedy, Mr. Castle, and Mr. Bachus with 
us this morning, and I ask unanimous consent that they too may 
be able to make an opening statement. So moved.
    So without objection, all members' opening statements will 
be made part of the record.
    I turn now to Mr. Garrett.
    Mr. Garrett. Thank you, Madam Chairwoman, for holding 
today's hearing on data security and credit card systems in 
light of recent headlines. I think it is both timely and 
necessary that we have these hearings, not only so that we can 
learn more about the apparent data breach at CardSystems 
affecting the four major credit card companies, but also we can 
learn how this committee may be able to respond in an 
appropriate manner.
    The data breaches that were recently disclosed by financial 
institutions have generally, in the past, involved lost data 
tapes or similar mishaps which do not necessarily suggest 
criminal intent. However, in this circumstance it appears that 
someone was able to compromise their database system to obtain 
information for malicious purposes.
    So while the other types of data breaches are obviously 
cause for concern, it is especially troubling when we learn 
that sensitive information has fallen into the hands of 
apparent criminals. Therefore, I am particularly interested in 
learning about how consumers are protected against credit card 
fraud or other problems resulting from this breach.
    I think we also need to examine how the breach at 
CardSystems could have been avoided. Is there a shortfall in 
the law? Do we need new laws? Or do companies simply need to be 
more responsible in complying with existing laws and any of 
their contractual obligations?
    My hunch is that CardSystems' apparent lack of an adequate 
data security regime may simply be that they were running 
crosswise with existing laws or contractual obligations. So we 
simply need to learn now how the existing lay of the land has 
been applied in this situation before we move on and consider 
making more laws.
    I think we also may want to use this as an opportunity to 
at least explore and understand a little bit what potential 
impact the decisions that may affect CardSystems' future may 
also have indirectly on any of their vendors or other players 
in the system.
    I would also like to say for the record that I appreciate 
MasterCard's efforts to bring the situation at CardSystems to 
light, as they were under really no direct obligation to do so, 
but I think that they did so in thinking what was most 
responsible for getting the information out in the interest of 
their cardholders. And for that reason, I believe that they 
should be commended for their actions.
    Thank you again, Madam Chairwoman, for holding this 
hearing, and I yield back the balance of my time.
    Chairwoman Kelly. Thank you.
    Ms. Maloney?
    Mrs. Maloney. Thank you very much, Madam Chairwoman, for 
having this hearing today that continues to address the really 
very pressing issue of data security and identity theft through 
this series of hearings.
    This hearing focuses on a particularly terrible example of 
a breach of data security: The exposure of 40 million credit 
and debit card accounts at a data processing company handling 
Visa, MasterCard and American Express. Based on an FBI 
investigation it appears that the data processor, CardSystems, 
blatantly violated the contractual data security restrictions 
imposed by each of the credit card companies.
    But this would not have come to light had it not been for a 
huge breach and resultant fraudulent transactions. I expect 
that each of the credit card companies here today will explain 
to us that they spend a great deal of time, money and resources 
preventing credit card fraud and protecting consumers from the 
effects of credit card fraud through zero liability policies 
and card reissuance.
    This is all very laudable but the issue before the 
committee today is not just credit card fraud: the issue before 
us is the much more complex issue of identity theft, because it 
does not simply involve a fraudulent charge on a card, it is 
typically the opening of a new account in the name of the 
victim. Identity theft is harder to find, harder to assess, and 
harder to combat, but it is the main issue we need to address.
    For example, we may have a good idea now of all the credit 
card fraud that is likely to result from the CardSystems 
breach, but that does not mean that we know the extent of the 
identity theft risk.
    Similarly, the credit card companies often identify credit 
card fraud right away, but in this case they appear to have 
been absolutely clueless for months while personal data was 
removed from the database.
    At present, the main protections against identity theft are 
contractual agreements between credit card companies and the 
banks and data processors that handle the information. The 
CardSystems incident is a spectacular failure of this private 
sector protection and suggests that more regulation, more 
enforcement and more penalties are necessary in this area.
    For example, until yesterday, it appeared that the credit 
card companies would continue to do business with CardSystems 
even though CardSystems had not complied with the data security 
requirements.
    Moreover, there is a huge regulatory gap under Gramm-Leach-Bliley. 
The respective financial regulators are responsible for 
making sure that financial institutions who contract out data 
processing functions ensure their contractor's compliance. And 
the FTC rules require data processors to preserve the 
confidentiality of personal financial data. But in this case, 
the regulators appear to have played "toss the hot potato" 
with this whole incident.
    So far, all the consequences of data security breaches 
could be viewed by a data processor as the cost of doing 
business.
    Yesterday, perhaps bowing to the pressure of this important 
hearing, Visa and American Express terminated their business 
with CardSystems, but MasterCard still has its data processing 
handled by them. This situation is not acceptable, and we need 
to provide the legal structure to fix it.
    I am a proud cosponsor and original sponsor of this 
legislation that has been introduced by my colleague, 
Representative Bean from Illinois, and it is a good first step 
in this area. I look forward, as always, to hearing the 
witnesses' views and some of the alternatives and ideas that 
they may have, and I hope that we can benefit as we move 
forward with this bill, and I thank all of you for being here. 
It is extremely important.
    I must say that one of the biggest credit card theft rings 
is in the district that I represent in New York, in Queens, and 
it is just a terrible problem once it happens, and so our 
efforts to prevent it are very important. Thank you.
    Chairwoman Kelly. Thank you, Ms. Maloney.
    Mr. Kennedy?
    Mr. Price?
    Mr. Price. Thank you, Madam Chairwoman. I appreciate the 
opportunity to participate in this hearing, and I want to thank 
all of the witnesses for being here.
    I want to especially welcome Mr. John Perry of CardSystems, 
who has a portion of his business in my district. I am sorry I 
am late but I want to echo the comments of others who have 
talked about the importance of having security within the 
credit card system. I am somewhat astounded by some of the 
comments that I just heard, however, in view of the fact that 
CardSystems, itself, discovered the breach, notified the 
companies of the breach, and is working aggressively and 
actively to correct the challenges that they and the industry 
have.
    Greater regulation and greater penalties I am not certain--
which is oftentimes the knee-jerk reaction to a challenge that 
we have in any area--I am not certain that is indeed the answer 
at all.
    So I look forward to the testimony before us today. I look 
forward to increasing my knowledge of this area, and I also 
hope that individuals will lower the rhetoric, calm down, and 
work toward solutions in this area as opposed to bomb-throwing. 
And I yield back.
    Chairwoman Kelly. Mr. Moore?
    Mr. Moore of Kansas. Thank you, Madam Chairwoman. I would 
like to thank you for holding today's hearing and thank the 
witnesses for appearing today to share their information with 
us.
    The focus of this morning's hearing is data security within 
the credit card payment system, specifically the recently 
publicized data breach at CardSystems Solutions that could have 
affected approximately 40 million credit and debit card 
accounts.
    I look forward to Mr. Perry's testimony this morning. I 
appreciate your being here, sir, to discuss what steps 
CardSystems is taking to secure deficiencies in the system.
    The CardSystems breach, among many others of businesses as 
diverse as data brokers, retailers, and banks, begs the 
question of what Congress should be doing to protect consumers 
from identity theft. As we have all seen over the last few 
months, States across our country have been enacting or 
considering data security notification laws to deal with the 
problem of data breaches.
    The proliferation of State activity in the area of data 
security and notification, though, is now creating a confusing 
patchwork of conflicting laws that is adding to the cost of 
doing business nationwide. I think it is time for Congress to 
act to protect consumers from data breaches and create a 
uniform national standard that seeks to create a level of 
certainty for consumers and national businesses.
    Representatives Deborah Pryce, Mike Castle, and I have been 
working on data security legislation that would, for the first 
time under Federal law, require companies to notify consumers 
when their sensitive personal information has been accessed in 
a way that could lead to identity theft. There should be a few 
guiding principles behind any data security bill that Congress 
considers.
    Number one, companies should be required to safeguard their 
data. Number two, breached businesses should be required to 
notify consumers, law enforcement, regulators, and relevant 
third parties when sensitive personal information is 
compromised. Number three, breached entities need to ensure 
that consumers are protected after their data is compromised 
through credit file monitoring and other such actions. And, 
number four, Federal preemption, we believe, is necessary to 
create a meaningful uniform national standard.
    Our legislation embodies each of these guiding principles, 
and we will be introducing our bill today. Additionally, I know 
you will not believe this but sometimes when Congress sees a 
problem they overreact, and I hope that--what are you laughing 
about?
    [Laughter.]
    I hope that is not the case here, because we do need to 
address and correct this problem but at the same time not 
overreact. We have one of the best credit systems in the whole 
world right here in this country, and it is a benefit to 
consumers that they can get a quick answer to a credit check. 
What we do not need, though, is to go too far and hurt the 
industry which has set up this wonderful credit system.
    As Congress considers data security legislation, we need to 
again correct this problem without overreacting. As this 
process moves forward, I look forward to continuing to work 
with Members on both sides of the aisle to pass the best bill 
we possibly can. This should not be about Republicans and 
Democrats, it should not be partisan at all. We need to address 
this in a bipartisan fashion, and I am confident we can do that 
here. I am very proud of our committee, because we have worked 
well together in other areas in the past, and I believe we can 
do that here.
    Thank you again, Chairwoman Kelly. I look forward to 
hearing from our witnesses.
    Chairwoman Kelly. Thank you very much.
    Mr. McHenry?
    Mr. McHenry. Thank you, Madam Chairwoman. Thank you so much 
for having this hearing today, and I appreciate your leadership 
on this issue.
    I will make this brief because I know we have a lot of 
testimony to hear. The last time I saw this many witnesses 
lined up at a table before a hearing we had baseball players 
in. So, Mr. Sosa, Mr. McGwire, thank you all for being here 
today.
    But in all seriousness, data security should be a top 
concern of all financial institutions and all financial service 
industry related folks. And what I would like to examine is 
what is being done now. I would also like to examine whether or 
not there are market forces that would influence how you 
protect data.
    I do not think that the government should step in when the 
market can actually dictate, and I think there are 
repercussions for companies that do not protect data. I think 
there are repercussions financially on their bottom line for 
companies that do not do what is appropriate and right and do 
not secure data appropriately. Customers will leave, merchants 
will refuse to deal with you, and the market will deal with it.
    Now, does the government need to intervene if the 
marketplace is going to deal with companies on these issues? 
That is what we need to understand as a committee, and we need 
to see where we need to go. If there is a marketplace that is 
going to determine data security, government intervention may 
hurt in this regard and actually may have an adverse effect on 
data security rather than the true spirit of what we would 
attempt to do as a government.
    So I welcome the testimony today. I look forward to hearing 
from all of you and look forward to hearing what has happened 
and actually what is occurring currently and what you view as 
the best way to secure data going forward. Thanks so much.
    Chairwoman Kelly. Thank you.
    Mr. Davis?
    Mr. Davis of Alabama. Thank you, Madam Chairwoman, for 
calling this hearing, and I am going to try to follow Mr. 
McHenry's lead and be somewhat brief, given the fact there are 
so many of you and a lot of us who are here to question you. 
Let me just make a few general observations.
    The first one, one of the happy things, I suppose, about 
this kind of climate is that the industry, frankly, has as much 
of an incentive to have this institution act in a responsible 
way as the consumer does. I think all of you who are here as 
industrial representatives and corporate representatives 
understand that your ability to provide a service to your 
consumers, your ability to attract consumers is in peril if 
they do not have confidence in how their information is being 
handled. That is the bottom line.
    So you have the same incentive, and I think that is why Mr. 
Moore and some of us can confidently say that this should not 
be a left-right kind of issue, it should not be a 
business-consumer kind of issue because you are in the same place in 
terms of wanting to promote consumer confidence.
    The second observation that I will make--this is something 
that I see routinely on this committee--is that the world of 
financial service transactions now, the world of financial 
service in general is so numbingly complex that a lot of people 
that you serve every day and that we serve every day frankly 
just want to throw up their hands and say, "We do not 
understand this."
    And they feel so detached from their own ability to go out 
and make purchases and all of a sudden you have this 
information about security breaches and I am willing to bet 
that probably makes them feel even more detached. And then, 
worst-case scenario, they will learn weeks later that there may 
have been a breach that they did not even know about.
    I think we have to speak to that consumer anxiety. I think 
we have to speak to people who feel that somewhere out there 
things may be happening that are adverse to their interests 
that could involve a fraud or a theft and they did not even 
know for several weeks. We have to speak to that anxiety.
    The final point that I will make, Ms. Bean, Mr. Frank, and 
I are the lead sponsors on a bill that I think all of you are 
aware of. It is referred to by some in the press as the 
Democratic bill. I hope that this is the beginning of a 
conversation that can draw the best instincts from my side of 
the aisle and the best instincts of our partners on the other 
side of the aisle.
    And this committee has done it before. We did it very 
recently in the context of GSE's, an enormously complex issue. 
Most people did not think, given the acrimony of last year's 
hearings, that we would get to a middle ground on GSE's. We got 
there. I wish the U.S. Senate would respect the fact that we 
got there, but we got there.
    We got there on the question, because of my colleague from 
Alabama, Mr. Bachus' leadership, on the extension of the Fair 
Credit Reporting Act several years ago. Nobody expected us to 
build a consensus that helps protect the best credit system in 
the world.
    So I drew inspiration from those things.
    Again, I thank the chairwoman for having this hearing and 
look forward to working with all of you.
    Chairwoman Kelly. Thank you.
    We turn now to Mr. Bachus.
    And I would like to say that for the ex officio members, 
because we have a lot of people here, many opening statements, 
I am going to ask the people who are ex officio, and we welcome 
them here, but I am going to ask them to keep their statements 
to 3 minutes each.
    Mr. Bachus?
    Mr. Bachus. I appreciate that, Chairwoman.
    As with any legislation that comes before the subcommittee 
on which I am chairman, it obviously is something of great 
concern to me, and I commend you for having this hearing and 
for your leadership over the past several years, not only on 
this issue but identity theft and credit card fraud.
    Credit card fraud, identity theft, and data security 
breaches are really three different things, and we sometimes 
have a tendency to mix and match them. But as we go about this 
hearing, we should bear that in mind.
    And I appreciate the remarks of the gentleman from Alabama. 
The gentleman from Alabama has introduced a bill along with the 
ranking member, Ms. Bean, and Chairman Pryce and Chairman 
Castle and Mr. Moore have introduced this morning a bipartisan 
piece of legislation. And, further, we have had two other 
members, Mr. LaTourette and Ms. Hooley, who have introduced a 
third bill.
    Mr. Garrett questioned whether existing law is sufficient 
or do we need new laws? Can we just enforce those laws on the 
books? A great deal of this is going to be, yes, we just need 
to enforce what is there.
    Law enforcement has a role in this. This was a criminal 
violation; somebody hacked in. This was a criminal act not by 
the victim but by a criminal. But I will answer the question, 
yes, we do need to address this, and I think that the Members' 
bills, as we go through this, we just need to do, as Mr. Price 
said, we need to show caution, and I associate myself with his 
remarks and Mr. Garrett's remarks.
    With that, I do want to say two other things, if I could. 
One, CardSystems Solutions was a victim of a criminal act by a 
hacker, and they did report this to MasterCard. They 
voluntarily reported it, and they should be commended for that. 
That is my understanding.
    And, furthermore, I would like to note that we learned of 
the situation at CardSystems Solutions through a public 
announcement by MasterCard International. This announcement was 
not required by the law; rather, MasterCard played the role of 
a good citizen, good corporate citizen in notifying the public 
of the situation, even though MasterCard itself was not the 
subject of the breach. And I commend MasterCard for their 
efforts.
    So in the aftermath of this hacking incident, I think the 
system worked well, and these companies responded in an 
appropriate way. But I do believe that really the solution to 
this is that we first in this Congress pass a law, and I know 
Chairman Castle and Chairman Pryce and others are working on it 
with Mr. Moore and others and Mr. Davis, on establishing a 
national uniform standard protecting all Americans.
    And with that, I yield back any time I have.
    Chairwoman Kelly. Thank you, Mr. Bachus.
    Mr. Cleaver has indicated he has no opening statement, so 
we will turn to Mr. Scott.
    Mr. Scott. Thank you very much, Chairwoman Kelly, and I 
want to thank you and Ranking Member Gutierrez for holding this 
very important hearing on credit card fraud and identity theft.
    I certainly also want to take this opportunity to welcome 
Mr. John Perry, who is president and CEO of CardSystems from 
Atlanta, Georgia, my hometown.
    Of course we all know that recent news continues to affirm 
the viewpoint by many consumers that their personal credit is 
constantly at risk for fraud or abuse. It is a major, major 
problem facing this country. Tens of millions of consumers have 
been exposed to credit fraud or theft, and these data attacks 
and frauds have hit major credit card issuers and banks, many 
of whom already have high standards for data protection.
    And in my hometown of Atlanta, some of the major events and 
incidents have occurred at ChoicePoint and at CardSystems. But 
it is important to note that ChoicePoint is recovering from its 
security breaches, and CardSystems has responded to this and 
they are working their way through the fallout, and I certainly 
commend you in the steps that you are taking and wish you 
speedy success.
    It is also important to note that the incidence of theft 
has gained national attention. From my own constituents, for 
example, we have had many discussions with privacy issues. Many 
of them are asking what they can do to protect themselves and 
what Congress can do to punish the credit thieves.
    Credit theft and identity fraud can be devastating to a 
family. Their credit can be ruined, it can take countless hours 
and resources to repair their good name, and I believe that 
Congress should provide additional protections that are 
substantive and not merely reactionary.
    I look forward to learning more in this hearing and hearing 
this distinguished panel. Thank you.
    Chairwoman Kelly. Thank you, Mr. Scott.
    Chairman Castle?
    Mr. Castle. Thank you, Chairwoman Kelly. Thank you for 
allowing me to speak in my 3 minutes, so I will jump right to 
it, and I will jump out of what I was going to say formally and 
just talk a little bit about our legislation that has been 
referenced by several people that Chairwoman Pryce and Dennis 
Moore and I introduced today.
    I believe very strongly that we do need a national 
solution, and we need it fairly rapidly. There is a lot 
happening in the States. Maybe there are certain State-relevant 
things that need to exist, but I think we need to speak to this 
sooner rather than later. I am delighted we are doing it on a 
bipartisan basis. Actually, we have bi-legislative basis right 
now. We have two bills out there, maybe others before we are 
done, but we are moving forward.
    I would like to have compliance. I am not particularly 
interested in enforcement, but obviously you need the 
enforcement behind it to get the compliance. But our hope is 
that once we share information and we have a clear standard, 
which is something else I want in our legislation, I want 
everybody to be able to clearly understand what it is that we 
are doing.
    I agree with Chairman Bachus, there is a lot out there now, 
there are a lot of enforcement mechanisms which are out there 
now, but we need to make sure that everybody understands what 
they are dealing with in this particular area.
    We need to expand this to entities not under financial 
regulation now, Gramm-Leach-Bliley and those who regulate under 
Gramm-Leach-Bliley, because a lot of the breaches that have 
happened have happened from entities away from that, and that 
is also significant.
    And I think there is an issue of consumer angst here. I was 
one who received a notice. I did not have much idea of what to 
do. Eventually, I figured it out. And my concern is who is 
going to really open that envelope, who is really going to know 
when you will be mailing it out, the whole business of not 
over-involving the consumer but making sure the consumer is 
absolutely protected when the consumer has to be.
    Those are at least some of our goals in drafting this. I 
hope that some day we have this legislation before us and we do 
it unanimously, quite frankly. I have no interest in having 
something that is divided in this committee with respect to 
where we are going.
    So we appreciate you being here today. We appreciate your 
contributions to this information. It is simple to say what I 
have just said, but it is a little hard to write it, as we have 
learned. So we know it is complicated, and we are going to need 
a lot of help to do it, but I think we have a very strong 
determination, and it is one of those issues that should move 
forward and it is one of those issues that really should not 
get hung up on politics but should be able to be resolved 
fairly rapidly.
    And with that, I yield back, Madam Chairwoman.
    Chairwoman Kelly. Thank you.
    Ms. Wasserman Schultz?
    Ms. Wasserman Schultz. Thank you, Chairwoman Kelly and 
Ranking Member Gutierrez, for convening today's important 
hearing.
    I particularly want to welcome Zyg Gorgol from American 
Express, which is one of the largest employers in my district, 
in South Florida.
    What I am hoping to hear from our guests' testimony today 
will focus on lessons learned from recent events and how to 
best move forward to ensure that America's consumers are 
protected. We have a steady drumbeat of high profile data 
security breaches in the last 6 months, and that has given many 
Americans, I would say most Americans, cause for concern.
    My constituents are no different. Since I was first elected 
and came to Congress in January of this year, my office has 
received dozens of calls, letters and e-mails on this matter. 
In fact, it is probably the thing that has gotten the most 
attention and volume in my office.
    One woman in Hollywood, Florida, wrote to me and said, ``I 
am outraged that private companies can hold information about 
me without any national standards for whether or how they 
protect that information.''
    From another one of my constituents in Fort Lauderdale, she 
said, ``It is time for Congress to give Americans meaningful 
identity theft protection, insist on strong security standards 
for information brokers with real penalties if they fail to 
keep my personal information secure.''
    The apparent ubiquity of these cases has clearly caused a 
great deal of alarm and also caused some confusion. What I 
would like to hear from the credit card company representatives 
today is for you to help clarify the difference between 
identity theft and credit card fraud, because there is clearly 
a difference. Both are very serious matters, but the credit 
card companies have developed effective consumer fraud 
protections to combat fraud and I think it is important to make 
that distinction.
    Part of our challenge here is that many of the industry's 
guidelines and best practices that have been developed to 
protect consumer information have not been adopted by third 
party vendors and retailers; in other words, those in the 
payment stream. And I have always believed in personal 
responsibility, and this standard certainly applies to vendor 
and third party processors. Any company touching consumer data 
must be responsible and accountable for the way in which that 
data is managed.
    Two of the largest security breaches announced this spring 
involved merchants that had maintained unnecessary credit card 
magnetic strip information, including card verification and 
replacement codes in violation of industry security rules. It 
has become quite clear to me that we need effective and 
consistent national standards for both how consumer data is 
managed and when consumers are notified about potential 
breaches.
    We also have to make sure that we do not set fire alarms 
off for no reason. If there has been data that has been 
compromised but it is not necessarily a danger to the consumer, 
telling them absolutely everything that they think they need to 
know is not necessarily wise. Existing regulations are simply 
not sufficient, though, and I encourage my colleagues on both 
sides of the aisle, as Chairman Castle has, to build upon the 
industry's existing best practices and ensure that our 
consumers are protected.
    Thank you. I yield back the balance of my time.
    Chairwoman Kelly. Thank you.
    Chairwoman Pryce?
    Ms. Pryce. Thank you, Madam Chairwoman. I appreciate the 
invitation to be here today.
    The effects of data breach can be staggering to the 
American public. It is a problem that has to be addressed 
sooner or later. I just want to thank you for your interest in 
it, for you holding this hearing and commend Mr. Castle and Mr. 
Moore and Ms. Hooley and Mr. LaTourette for working together on 
a bipartisan basis to address this, and I look forward to 
moving legislation, as Mike said, sooner rather than later, 
because it is a problem of national significance, and I think 
the consumer confidence issues will begin to affect the economy 
if we do not do something soon.
    So thank you so much for holding the hearing, Madam 
Chairwoman.
    Chairwoman Kelly. Thank you very much.
    Ms. Hooley?
    Ms. Hooley. Thank you again for holding this hearing and 
for allowing me the opportunity to speak.
    The topic of identity theft is one I have been working on 
for over 8 years, and the wave of data security breaches over 
the last few months has been one of the most troubling 
developments I have witnessed in that time.
    Identity theft represents a fundamental threat to our 
e-commerce, to our overall economy and to our homeland security. 
No longer are we facing just ``hobby hackers'' looking to 
create a nuisance. Increasingly, these attacks are driven by 
skilled criminals. ID theft is huge business in this country.
    Today, with Congressman LaTourette, we have introduced 
legislation that requires universal and timely notification to 
consumers when their personal, sensitive financial information 
is put at risk, as well as one free year of credit monitoring 
service when a breach places consumers at risk of identity 
theft.
    I look forward to working with all of my colleagues on this 
committee and Ms. Pryce and Mr. Castle and Mr. Moore to pass 
the best possible legislation.
    I am particularly concerned about the breach that occurred 
with CardSystems this May. The behavior of CardSystems was in 
direct violation of agreements with MasterCard, Visa, and 
American Express. CardSystems placed 40 million consumers' 
financial accounts at risk. Now, while I recognize only 200,000 
accounts were actually compromised--that is still a lot--in 
this case, I am not certain that consumer notification is 
enough.
    Valuable financial information that was not rightfully 
owned or stored by CardSystems is what is at question here. I 
would like to applaud Visa and American Express for no longer 
doing business with CardSystems until they are sure that the 
problem has been resolved. And I am looking forward to seeing 
what CardSystems has done in the last few months.
    Again, I thank you, and I look forward to this hearing and 
testimony from the panel. Thank you.
    Chairwoman Kelly. Thank you.
    Mr. Renzi?
    Mr. Renzi. I thank the chairwoman for allowing me to be on 
the dais today and to participate.
    I am a member of the Intelligence Committee and every 
morning have a chance to look and see the threat against the 
United States. There is no cybersystem security system 
available in the commercial marketplace that cannot be hacked. 
There are few systems that the government has that have not 
been hacked to date, but they necessarily are not in the 
commercial world. I say that to you in order to make the point 
that there is no perfect system.
    I had a chance earlier this morning to meet with both the 
representatives from CardSystems and Visa. I am thankful that 
you both have expressed a good faith to meet privately and 
expeditiously within the next few days to see if you can work 
through the real facts, not those that just appeared in the 
paper that were just quoted, but work through some of the real 
facts and see if you can come up with solutions. I think that 
needs to happen.
    We have over 100 Arizonans who work for CardSystems, whose 
jobs will be immediately lost, but a death knell will be put to 
CardSystems. Now, that has a chilling effect on those in the 
industry who have come forward and worked with investigators to 
show the truth and say, ``Hey, look, this is what happened,'' 
rather than hide it.
    So while some may applaud Visa and MasterCard for their 
actions, think about unintended consequences that may also 
occur.
    So let me come back and say thank you to Visa and to 
CardSystems for giving me their word that they will meet in an 
expeditious manner, in a good faith manner to work through the 
facts that hopefully may work and lead to compromise. Either 
way, I am hopeful that there could be a solution that will be 
found that will protect both American consumers as well as 
those people who are an integral part of the credit card system 
here in America.
    I thank the gentlelady for yielding me the time.
    Chairwoman Kelly. Thank you.
    Mr. Matheson?
    Mr. Matheson. Thank you, Madam Chairwoman.
    And thank you, Ranking Member Gutierrez.
    I am pleased the Oversight Subcommittee has scheduled this 
hearing regarding data security, and I am also pleased to be 
here this morning to welcome David Watson, who is chairman of 
Merrick Bank, based in my home State of Utah.
    I appreciate Mr. Watson taking the time and effort to 
travel to Washington to participate in this hearing regarding 
data security. I know that Merrick Bank and its employees have 
a good reputation with their clients and customers, and I 
appreciate their commitment to working with us on the credit 
card data issue.
    The issue of data security is incredibly important to all 
of our constituents. Many people are concerned about the 
potential for credit card fraud and identity theft. I look 
forward to hearing the testimony of Merrick and all the other 
witnesses on the panel so we can learn more from their 
experiences and understand whether there are more reasonable 
steps, and I want to emphasize reasonable steps, that we can 
take to increase data security so that we can prevent theft of 
data and identity.
    And with that, I will yield back my time to Madam 
Chairwoman.
    Chairwoman Kelly. Thank you very much.
    I am turning now to the panel.
    We have a very distinguished panel with us: Mr. Joshua 
Peirez, who is the senior vice president and associate general 
counsel of the Legal Department of MasterCard; Mr. Steve Ruwe, 
executive vice president, Operations and Risk Management, Visa; 
Mr. Zyg Gorgol, senior vice president, Fraud Risk Management, 
American Express; Mr. Carlos Minetti, executive vice president, 
Cardmember Services, Discover Card; Mr. David B. Watson, 
chairman of the Merrick Bank; Mr. Mallory Duncan, general 
counsel of the National Retail Federation; Mr. John M. Perry, 
president and chief executive officer, CardSystems Solutions, 
Incorporated--and I have to say, sir, I am delighted to have 
you here, and I admire your courage for being here--and Mr. 
Evan Hendricks, editor and publisher of Privacy Times.
    Mr. Peirez, we begin with you.

STATEMENT OF JOSHUA PEIREZ, SENIOR VICE PRESIDENT AND ASSOCIATE 
   GENERAL COUNSEL, LAW DEPARTMENT, MASTERCARD INTERNATIONAL

    Mr. Peirez. Good morning, Chairwoman Kelly, Ranking Member 
Gutierrez and members of the subcommittee. My name is Joshua 
Peirez, and I am a senior vice president and associate general 
counsel at MasterCard International, located in Purchase, New 
York.
    It is my pleasure to discuss the important topic of 
fighting fraud and safeguarding financial information, and I 
commend the subcommittee for holding this important hearing.
    MasterCard takes its obligation to safeguard financial 
information and protect consumers extremely seriously. This 
issue is a top priority at MasterCard where we have a team of 
experts devoted to working with law enforcement and maintaining 
the integrity and security of our payment systems. Our great 
success in protecting consumers and preventing fraud is due in 
part to the constant efforts we undertake to keep our networks 
secure. This is why our overall fraud rates are at an historic 
low, well below one-tenth of 1 percent of our volume.
    MasterCard's information security program is comprehensive 
and we continually update it to ensure that it provides strong 
protection. MasterCard requires each of our customers and 
merchants and any third party acting on their behalf to 
safeguard cardholder information. In addition, MasterCard has a 
variety of consumer protection and antifraud tools.
    Importantly, MasterCard has voluntarily implemented a zero 
liability rule. Under this rule, consumers will generally not 
be liable for any unauthorized use of their cards. In addition, 
MasterCard is focused on preventing unauthorized use in the 
first place through enhanced security features on the card, the 
MasterCard address verification service and our proprietary 
fraud reporting system which helps identify and prevent fraud 
from occurring in the first place.
    We also offer services to our issuers and assist them in 
proactively identifying and stopping fraud.
    I would now like to discuss the CardSystems situation. 
Several months ago, MasterCard and a few of our issuers noticed 
a small pattern of fraud. Working with our issuers, we traced 
the pattern of fraud to the acquirer, Merrick Bank, and then on 
to CardSystems, a third party processor the bank had hired. 
Once notified of the situation, CardSystems identified a script 
in its system designed to export cardholder data.
    CardSystems then engaged a data security firm to conduct 
forensic analysis of its networks. The forensic investigation 
found that, first, CardSystems was storing transaction 
information on its system in violation of our rules. This was 
remedied in short order. Second, the investigation confirmed 
the presence of a malicious computer script on CardSystems' 
systems, along with other serious security vulnerabilities. 
And, third, there was evidence that some cardholder data had 
been compromised.
    Based on the findings, we believe approximately 68,000 
different MasterCard accounts and well over 100,000 accounts of 
other brands were exported from the CardSystems database. The 
matter is under investigation by the FBI.
    Upon learning this information, we demanded that we be 
provided with the account numbers impacted as soon as possible, 
and we received the file on June 16th. We notified the banks 
that had issued the impacted accounts beginning the very next 
day and are continuing to monitor the potentially affected 
accounts with those banks.
    Given the circumstances of this case, MasterCard made the 
decision that a public disclosure of the event was warranted. 
Thus, on June 17th, we issued a press release to notify the 
public of the situation at CardSystems.
    I would like to stress that we provided broad public 
disclosure because it was the right thing to do, even though we 
had no legal obligation to do so. We continue to closely 
monitor CardSystems' efforts to cure their deficiencies and 
have given them only until the end of August to do so.
    Let me now turn to a brief discussion of possible 
legislative measures to help address the issue. MasterCard 
strongly supports the legislative efforts to enact uniform 
national standards and believes it is critical that any 
legislative solution: one, strengthen criminal penalties to be 
in line with the severity of these crimes; two, provide 
notification to consumers in appropriate circumstances; and, 
three, establish strong data protection requirements for 
entities not already covered by the Gramm-Leach-Bliley Act.
    MasterCard looks forward to working with you as you tackle 
these important issues, and I would be pleased to answer any 
questions you may have.
    [The prepared statement of Mr. Peirez can be found on page 
98 of the appendix.]
    Chairwoman Kelly. Thank you very much.
    Mr. Ruwe?

 STATEMENT OF STEVE RUWE, EXECUTIVE VICE PRESIDENT, OPERATIONS 
             AND RISK MANAGEMENT, VISA U.S.A. INC.

    Mr. Ruwe. Chairwoman Kelly and members of the subcommittee, 
my name is Steve Ruwe. I am the executive vice president of 
Operations and Risk Management for Visa U.S.A., Incorporated. 
Visa appreciates the opportunity to appear at today's hearing 
on the issue of information security.
    The Visa Payment System, of which Visa U.S.A. is a part, is 
a leading consumer payment system and plays a pivotal role in 
advancing new payment products and technologies, including 
initiatives for protecting cardholder information and 
preventing fraud.
    Cardholder security is never an afterthought at Visa. For 
Visa, it is about trust. Our goal is to protect consumers, 
merchants and our members from fraud by preventing fraud from 
occurring in the first place.
    This commitment to protecting consumers from fraud includes 
Visa's zero liability policy, which protects Visa cardholders 
from any liability for fraudulent purposes.
    Because the financial institutions that are Visa members do 
not charge their cardholder customers for fraudulent 
transactions, those members absorb most of the cost from 
fraudulent transactions.
    Visa has implemented a comprehensive and aggressive 
security program known as the Cardholder Information Security 
Program, CISP, which applies to all entities that store, 
process, transmit, or hold Visa cardholder data. Visa also 
provides sophisticated neural networks that flag unusual 
spending patterns for fraud that enable our members to block 
authorization transactions where fraud is suspected.
    Only yesterday, Visa announced a new nationwide data 
security education campaign that will involve both the payments 
industry and merchants in the fight to protect cardholder 
information. Visa believes that all parties who participate in 
the payment system share responsibility to protect cardholder 
data.
    When cardholder information is compromised, Visa notifies 
the issuing financial institution and puts the affected card 
numbers on a special monitoring status. Visa also uses an array 
of other security measures that are described in my written 
statement to prevent particular fraudulent transactions. As a 
result of these strong security measures, fraud within the Visa 
system is at an all-time low of 5 cents for every $100 worth of 
transactions.
    Visa was recently informed by payment processor, 
CardSystems Solutions, Incorporated, CSSI, about an 
unauthorized intrusion into CSSI's computer system. Visa 
immediately worked with the processor, law enforcement, and 
affected member institutions to prevent card-related fraud and 
respected law enforcement protocol to keep the information 
about the investigation confidential.
    Visa notified all of the potentially affected card issuing 
institutions and provided them with the necessary information 
so that they could monitor the accounts and, if necessary, 
advise customers to check their statements or cancel or reissue 
cards to their customers. The card-issuing institutions that 
are members of the Visa system have the direct responsibility 
and relationship with their customers, and because of Visa's 
zero liability policy for cardholders, bear most of the 
financial loss if fraud occurs. Visa institutions can best 
determine the appropriate action for each customer that might 
have been affected.
    We have determined that about 22 million Visa card numbers 
from the CSSI database were put at risk. In many of these 
cases, CSSI, by its own admission, knowingly and improperly 
retained magnetic stripe information, which was a clear 
violation of the cardholder information security program.
    Because of CSSI's failure to follow Visa's security 
requirements, Visa is terminating CSSI's ability to act as a 
processor for Visa members. Protecting our cardholders was, and 
remains, Visa's primary goal in responding to this incident.
    Significantly, the information retained by CSSI did not 
include the cardholders' date of birth, address, Social 
Security number, or driver's license number. Visa believes that 
the information involved in this incident cannot be used to 
commit identity theft--identity fraud against an individual in 
which a criminal opens a new account in the individual's name.
    Thank you for the opportunity to present this testimony 
today. I would be happy to answer any questions.
    [The prepared statement of Mr. Ruwe can be found on page 
119 of the appendix.]
    Chairwoman Kelly. Thank you very much.
    I wanted to step into a bit of housekeeping. The two boxes 
at the end of the table indicate green, yellow, and red lights. 
The green light means you have 5 minutes, the yellow means you 
have one minute to sum up, the red light means that it is time 
to end your testimony.
    I just simply wanted all of you, in case you have not 
testified before Congress before, to understand how that system 
works and if you wondered what those lights were doing.
    Mr. Gorgol?

  STATEMENT OF ZYG GORGOL, SENIOR VICE PRESIDENT, FRAUD RISK 
                  MANAGEMENT, AMERICAN EXPRESS

    Mr. Gorgol. Chairwoman Kelly, Ranking Member Gutierrez, 
members of the subcommittee, my name is Zyg Gorgol, and I am a 
senior vice president of Fraud Risk Management at American 
Express.
    My responsibility is to protect our customers by preventing 
fraud or identifying and minimizing it as quickly as possible. 
I appreciate the opportunity to testify today about the recent 
data security breach at CardSystems Solutions and its impact on 
American Express cardmembers.
    We view this breach with great concern and have taken steps 
to protect any cardmembers who may have been affected by it.
    I would like to highlight a few key points today, so the 
complete body of my comments has been submitted to the 
committee.
    First, I would like to discuss the Payment Card Industry 
Data Security Standards. They provide an industry-wide approach 
to safeguarding charge and credit card customer data. These PCI 
standards were developed by a cross-industry working group that 
included American Express and the other major card networks.
    American Express fully endorses these standards as an 
appropriate industry baseline for data security in the payments 
industry.
    Let me now specifically discuss CardSystems. As background, 
CardSystems Solutions processes less than 1 percent of American 
Express card transactions. Upon learning of the breach at 
CardSystems, we began an investigation to determine any impacts 
on American Express cardmembers. We also put additional 
security and fraud prevention measures in place for all 
American Express card accounts that were on their database. We 
are continuing to closely monitor these accounts for any 
suspicious activity on an ongoing basis.
    Based upon our current analysis, we have determined the 
following: 1.6 million American Express card accounts were 
stored on the database; information relating to approximately 
12,000 American Express card accounts appears to have been 
acquired by unauthorized persons. Although the information 
relating to these 12,000 accounts included the card account 
number and expiration data, it did not include any personally 
identifiable information, such as name, address or Social 
Security number.
    While we have been closely monitoring these accounts, we 
have not detected any increased incidences of fraud on these 
12,000 accounts, nor have we detected any increased incidence 
of fraud across the total number of accounts that were on the 
CardSystems database. We are continuing to monitor all of these 
accounts for any suspicious activity every day, and we continue 
to investigate where the criminals accessed any other American 
Express card accounts.
    It is important to know that American Express employs 
sophisticated monitoring systems and controls to detect and 
prevent fraudulent activity. Historically, this has been an 
area of emphasis for American Express. Over the last several 
years, we have invested tens of millions of dollars to enhance 
our fraud prevention capability to better protect cardmembers.
    If fraudulent charges are placed on an American Express 
card account, we stand behind our cardmembers. American Express 
cardmembers are not held liable for fraudulent charges.
    Finally, we believe there are some tangible steps that can 
be taken to better protect consumers. Most importantly, we 
recommend that Congress extend Gramm-Leach-Bliley-like 
safeguard standards to those companies involved in processing 
card payments that are not currently subject to those 
safeguards today.
    Sensitive customer information should be consistently 
protected as it passes throughout the payment card transaction 
cycle.
    In conclusion, I want to assure the subcommittee that 
American Express is strongly committed to protecting the 
security of our cardmembers' personal information. It is clear 
that recent events have raised the public's concern regarding 
security of their personal information. We share this concern 
and are constantly working to protect the security of our 
cardmembers' information so that when a customer makes a 
transaction they have a confidence that it will occur in a safe 
and secure manner.
    We appreciate the opportunity to share our views on this 
issue and look forward to working with you and members of the 
Financial Services Committee.
    This concludes my testimony. I would be happy to answer any 
questions you may have.
    [The prepared statement of Mr. Gorgol can be found on page 
66 of the appendix.]
    Chairwoman Kelly. Thank you very much.
    Mr. Minetti?

    STATEMENT OF CARLOS MINETTI, EXECUTIVE VICE PRESIDENT, 
               CARDMEMBER SERVICES, DISCOVER CARD

    Mr. Minetti. Madam Chairwoman and members of the 
subcommittee, thank you for inviting Discover Financial 
Services to share our views on the issue of data security 
breaches affecting credit card information.
    My name is Carlos Minetti, and I am responsible for 
operations and risk management at Discover. This includes 
oversight of Discover's information security and antifraud 
efforts. Discover works very hard every day to prevent customer 
information from falling in the hands of individuals who would 
hope to use it for criminal purposes, like account fraud or 
identity theft.
    Discover Bank, the issuer of Discover cards, is a financial 
institution subject to Gramm-Leach-Bliley information security 
standards and the interagency guidance on security breach 
response programs. The FDIC examines Discover Bank for 
compliance with those standards, and our data security program 
is designed to perform with them.
    At Discover, we have a number of different fraud and 
identity theft prevention programs, which are described in my 
written statement. In fact, in 2005, ``Identity Fraud Safety 
Scorecard for Credit Card Issuers,'' conducted by Javelin 
Strategy and Research, ranked Discover as number one in overall 
card safety features.
    Today, I will focus on our response initiatives. Because we 
operate both a large merchant network and issue the Discover 
Card, we are often able to learn about computer hacking and 
other signs of data compromises when they first occur. In fact, 
Discover was the first network to uncover evidence of data 
compromises in many of the recently publicized security 
breaches involving large merchants and payment processors.
    Upon learning of a data security breach that may affect 
Discover Cardmembers, such as the CardSystems Solutions 
incident, we immediately commence an investigation. We first 
ascertain the type of information involved to determine whether 
the data could be used to commit identity theft or otherwise 
harm the consumers.
    We also identify the specific accounts that were affected, 
monitor those accounts, and take further action if necessary, 
such as contacting our customer or closing the accounts.
    Where the breach occurs at merchants or processors, we must 
rely on information from those companies. We work with them and 
with their party of forensic investigators to validate the 
breach and its impact on Discover Cardmembers. We also work 
with other card networks when their account data is affected. 
It is critically important for all these parties to cooperate 
fully in the investigative process.
    Discover carefully weighs all relevant facts and impacts on 
our customers to determine the proper course of action. If we 
determine that a breach is likely to harm our customers, we 
notify them in accordance with the Interagency Guidelines and 
the requirements of State laws. We also take further action as 
may be necessary to prevent harm, such as further monitoring or 
closing the accounts. We coordinate our efforts with the FDIC 
and with law enforcement personnel who may be investigating the 
incident.
    As the subcommittee is aware, not every data breach 
resulted in any theft of consumer exposure to substantial costs 
and time-consuming efforts to remedy misuse of personal 
information. As a result, it is often not necessary to 
immediately notify consumers, close accounts, provide credit 
report monitoring, or put fraud alerts in consumers' files.
    Discover Cardmembers are not responsible for unauthorized 
charges, and our 24-7 customer service allows to quickly remove 
the fraudulent charges from their account. Industry resistance 
to across-the-board up-front notification, card reissuance, and 
other requirements is not based on the cost involved.
    Given the fact that potential fraud-related losses are 
incurred by credit card issuers and not by the consumers and 
can quickly eclipse the cost of notification and/or card 
reissuance, the customer notification/reissuance is generally 
not the driving factor for decisions about how best to react in 
a given situation.
    Our investigation of the CardSystems Solutions security 
breach is ongoing. This breach is very troubling and should 
never have occurred. Based on what we know today, it does not 
appear that Discover Cardmembers were exposed to a risk of 
identity theft, because the Discover data was limited to 
purchase transaction information.
    While the CardSystems breach did involve a loss of Discover 
data that could be used to commit account fraud, Discover 
Cardmembers will not experience financial loss as a result of 
this incident.
    As the committee considers the need for legislation, 
addressing information security and identity theft, we hope you 
will consider our recommendations. First, a single national 
standard for responding to security breaches affecting personal 
information is appropriate. Second, the Interagency Guidelines 
coupled with onsite compliance examinations establishes an 
effective and proper regime for information held by the 
national institutions. It also provides regulators with the 
flexibility they need to adjust breach response standards.
    Finally, when a data breach affecting credit card 
information occurs, notification is best handled by the card 
issuer, not the entity whose security was breached. An entity 
whose security was compromised must cooperate fully in 
investigating the incident and preventing further fraud, but it 
should not be charged with contacting credit card customers who 
may have been affected. A single notice is the best way to 
protect credit card users, and card users are in the best 
position to determine whether and when that notice is 
appropriate.
    We appreciate the opportunity to discuss information 
security issues, and we would be pleased to provide further 
information that would be useful to the subcommittee.
    [The prepared statement of Mr. Minetti can be found on page 
85 of the appendix.]
    Chairwoman Kelly. Thank you.
    Mr. Watson?

       STATEMENT OF DAVID WATSON, CHAIRMAN, MERRICK BANK

    Mr. Watson. Madam Chairwoman, ranking member, and members 
of the subcommittee, thank you for inviting me to testify 
today. My name is David Watson.
    As a cardholder myself and as chairman of a card-issuing 
bank, I commend this committee for its diligence and its 
interest in formulating good public policy on credit and 
security--a topic of importance to virtually every American.
    Merrick Bank is a Utah financial institution, subject to 
regulation and annual examination by the FDIC and the Utah 
Department of Financial Institutions. We issue credit cards to 
accountholders, and we make payments of processed credit card 
transactions to merchants.
    Credit card and account holder security is a fundamental 
principle of our business; it has to be.
    First, a little bit about the credit card payment process 
and then Merrick's relationship with CardSystems.
    To most consumers, the credit card system seems marvelously 
simple and dependable but behind the scenes multiple players 
and a sophisticated series of steps are triggered in each of 
the millions of daily credit card transactions. Each step must 
be performed with precision, for the integrity and security of 
the process is only strong when the performance of each party 
is strong.
    The merchant initiates the transaction, the processor 
authorizes the transaction and sends the notice for payment to 
the cardholder's bank and then ensures that the merchant is 
paid. The paying bank is then reimbursed by the card issuer's 
bank through the Visa and MasterCard settlement networks. All 
of this is conducted according to rules imposed by the 
individual card associations.
    Like many other banks, Merrick Bank makes payment to 
merchants who use CardSystems for processing. Before September 
2003, we did not have any significant business contacts with 
CardSystems, although they were a known entity in the card 
processing field.
    Following 2003 discussions concerning the transfer of 
certain Provident Bank merchant contracts to Merrick, we 
advised CardSystems that we could not consider participating in 
any processing unless and until CardSystems became compliant 
with the Customer Identification Security Program, which you 
have heard is the CISP Program, and the Visa Data Security 
Accreditation Program.
    CardSystems then engaged Cable & Wireless, an auditor from 
the Visa group auditor list, to conduct the CISP assessment. 
Cable & Wireless was selected by CardSystems, paid by 
CardSystems, and the audit report that resulted was sent to 
Visa. In June 2004, Visa informed CardSystems that it was just 
approved, and CardSystems so notified Merrick Bank.
    We then successfully took over most of Provident Bank's 
merchant payment contracts effective September 30, 2004. From 
that point to May 2005, Merrick's payments for the transactions 
presented by CardSystems proceeded routinely.
    After initial inquiries from MasterCard regarding potential 
fraud activity, on May 22, 2005, CardSystems identified a 
security breach in its operation and on May 23rd, contacted the 
FBI. On May 25th, CardSystems contacted Merrick and advised us 
of a possible intrusion and export of cardholder data at 
CardSystems.
    Merrick reviewed this information and notified Visa and 
MasterCard of the potential security breach. On May 27, 2005, 
with the approval of MasterCard and Visa, Merrick engaged 
Ubizen, a well known forensic IT audit firm to thoroughly 
investigate the breach at CardSystems, and Ubizen began an 
onsite examination of CardSystems at its Tucson facility on May 
31, 2005. We also sent our chief security officer and our 
senior network engineer to the CardSystems site to investigate 
the issue and see that immediate action was taken to prevent 
any further breach.
    The Ubizen audit identified two issues at CardSystems. 
First, CardSystems had retained certain transaction data on 
their system in violation of association procedures. Ubizen 
reports this data retention practice had been followed by 
CardSystems since 1998, even though it was inconsistent with 
CISP standards.
    This was not identified by the Cable & Wireless report in 
the 2004 Visa certification process.
    Second, Ubizen identified certain issues with CardSystems 
servers and software, which were compromised by the intruding 
party. Again, unfortunately, the Cable & Wireless report did 
not make any mention of these vulnerabilities.
    Merrick Bank, Ubizen, CardSystems, Visa, and MasterCard 
have all been aggressively working together to see that the 
issues permitting the breach are corrected and that 
CardSystems' data environment is fully secured. Visa and 
MasterCard have identified the cardholders whom they believe 
may have been compromised and have sent notice to the issuing 
banks of the potentially affected cardholders. This was 
accomplished by June 17th.
    Merrick is taking additional steps. We are preparing a 
contingency plan to assure our merchants are serviced without 
disruption in a secure environment. In addition, in 
consultation with security and data experts, Merrick is 
developing its own set of requirements to assure card processor 
compliance with all applicable card association standards.
    I want to conclude by reiterating our absolute commitment 
to data security. We are very closely monitoring for unusual 
activity the accounts of any affected cardholders. While we 
deeply regret any impact that this breach has had on consumers, 
we understand this presents all of us with an opportunity to 
help our industry improve our systems and processes and thereby 
better protect consumers' interests.
    I want to again commend this committee for its hard work 
and good work to formulate sound public policy that will assist 
us in achieving this goal. Thank you.
    [The prepared statement of Mr. Watson can be found on page 
127 of the appendix.]
    Chairwoman Kelly. Thank you.
    Mr. Duncan?

 STATEMENT OF MALLORY DUNCAN, GENERAL COUNSEL, NATIONAL RETAIL 
                           FEDERATION

    Mr. Duncan. Thank you, Madam Chairwoman. I am Mallory 
Duncan, senior vice president and general counsel for the 
National Retail Federation. The NRF is the world's largest 
retail association with membership that comprises all retail 
formats and channels of commerce. We appreciate the opportunity 
to testify here today.
    There has been a substantial increase in the reported 
incidence of identity theft. Federal Trade Commission data 
indicates that identity theft complaints increased 8-fold to 
nearly 250,000 between 2000 and 2004. Recently, an FTC survey 
estimated 10 million people experienced identity theft within 
the past year. Even larger numbers have been published 
elsewhere.
    The reported numbers are rising, but we do not know how 
much of that is a real increase as opposed to increased 
awareness of those reporting; versus mischaracterization of the 
problem.
    As striking as these figures are, it is important to 
recognize that the fraud that they reflect comprises a variety 
of activities, not all of which are true identity theft.
    I suggest we look at this issue broadly. We have to ask, 
how do businesses know who we are? Relatively few of us reside 
in communities with bankers and shopkeepers who have known us 
since birth. Instead, proof of our identity has shifted from 
being something others vouch for to something that is inferred: 
from identifiers such as driver's license and Social Security 
numbers, and quick recall of personally related facts, such as 
date of birth, mother's maiden name, and office telephone 
numbers.
    True identity theft occurs when someone appropriates 
identifying data for the purpose of secretly committing fraud. 
The thief may attempt to open credit and checking accounts, 
purchase a car, even buy a condominium using the victim's 
excellent credit history. So long as the thief makes payments, 
it might be years before anyone discovers the fraud. On the 
other hand, the thieves may decide to stiff the creditors, 
potentially ruining the victim's credit report. In that case, 
it could take months or years for victims to recover their 
good name. Worse, if not apprehended, there is the possibility 
the thieves will strike again.
    In contrast, much of what is commonly referred to as 
identity theft is in fact credit card fraud. While it can be a 
problem for those affected, credit card fraud is much closer to 
a serious nuisance than it is the horror of identity theft. 
Equally important, Congress long ago approved many of the tools 
needed for its correction. Under the Fair Credit Billing Act, 
the consumer may challenge charges and be held harmless for the 
loss. Either the retailer or the card issuer bears the cost of 
the loss.
    With this distinction in mind, it is clear that the 
incidence of identity theft is, fortunately, considerably 
different than some of the numbers that have been cited. Even 
if one accepts the 10 million estimate by the FTC, it turns out 
that two-thirds of that is not truly identity theft.
    Now, I go into this distinction because the remedies for 
these two frauds are quite different. Credit card fraud is 
usually an on-off event. Once discovered, credit card fraud 
is relatively simple to stop by closing the account and 
reopening a new account number--a pain, but it can be stopped.
    On the other hand, when identity theft occurs, it is not a 
simple matter to change an individual's Social Security number, 
date of birth, or mother's maiden name. If society has limited 
resources that it can devote to fighting crime, then we ought 
to tilt toward using those resources to help consumers faced 
with the more serious consequences.
    Indeed, this committee recently established many new 
protections for identity theft victims with the FACT Act. Now, 
although identity theft grabbed the headlines, retailers have 
devoted considerable attention to reducing the incidence of 
credit card fraud as well.
    Several retailers issue their own cards. They want to 
protect the integrity of their cards and essentially treat all 
cards with the same level of security. Currently, merchants are 
coming online with the Visa and MasterCard new security 
program. Initially developed for your Internet transactions, 
the card associations are extending these to all channels of 
commerce.
    The FTC recently entered into a proposed settlement with 
BJ's Wholesale Club as a result of system attacks in 2003. 
Retailers are paying particularly close attention to the 
requirements of that settlement. And when there are losses, 
they are typically borne by the retailers, yet another 
incentive for us to want to reduce the incidence of both types 
of fraud.
    In closing, identity theft is a fairly focused but 
especially pernicious form of fraud. Proof of identity has 
become a more elusive quality at the very moment that our 
society is investing greater amounts of trust in its veracity.
    Viewed from a distance, our credit system is marvelous. 
Families receive a meal in exchange for a swipe of plastic. 
Individuals secure home financing from bankers they have never 
met. These benefits flow not from credit cards but from the 
trust our society invests in the identities of persons seeking 
credit. If we are to preserve these benefits, society must 
crack down on those who would abuse that trust by appropriating 
the core elements of identity.
    With the passage of the FACT Act, Congress has begun to 
provide tools to those who have been victimized. It should now 
provide incentives to ferret out and prosecute those who make 
use of those tools necessary.
    Thank you for the opportunity to appear today. I will take 
your questions.
    [The prepared statement of Mr. Duncan can be found on page 
54 of the appendix.]
    Chairwoman Kelly. Thank you.
    Mr. Perry?

   STATEMENT OF JOHN M. PERRY, PRESIDENT AND CHIEF EXECUTIVE 
              OFFICER, CARDSYSTEMS SOLUTIONS, INC.

    Mr. Perry. Good morning, Madam Chairwoman and members of 
the subcommittee. Thank you for inviting CardSystems to appear 
before you today. We appreciate the opportunity to address the 
issue of data security and more specifically the recent 
security attacks perpetrated against us.
    First and foremost, we truly regret this occurrence of data 
theft. We have readily acknowledged our error and continue to 
work non-stop to ensure that we do not become a target of 
another breach.
    I had planned to provide you with some prepared remarks 
today discussing policy implications of the security incident 
that occurred at our company, and I had an opportunity to 
discuss that important issue with some of your staff yesterday. 
But today, a small company with 115 employees, in Atlanta and 
Tucson, is facing imminent extinction. That concerns me 
greatly, not just because of how it will impact our company but 
because of how it will impact 110,000 merchants who rely on 
CardSystems to process their transactions.
    If CardSystems is forced to close its doors, many of these 
merchants will be unable to process credit card transactions 
for days or even weeks. Signing up with a new processor is not 
merely as simple as changing from one phone company to another. 
It can cause significant disruptions to a business' operation. 
Moreover, I am concerned about the signal that our experience 
sends to other payment card processors and businesses, one of 
which undoubtedly faces a similar security incident in the 
future.
    We came forward in May to report this incident to law 
enforcement officials and our sponsor bank. As a result of 
coming forward with this important information, CardSystems is 
being driven out of business. Our experience should send a 
troubling message to policy makers. Other companies will have 
less incentive to come forward in the future when similar 
breaches will undoubtedly occur, knowing the potentially 
catastrophic effect that they could have on their businesses as 
well.
    We are still learning from the ongoing investigation but we 
do know this: That the attack on our system was very 
sophisticated. Based on the forensic investigation, we know of 
only one confirmed instance of which data was exported and that 
is the May 22nd incident that has brought us here today. I am 
relieved to report that this breach, to our knowledge, has not 
resulted in identity theft. By design, information is 
fragmented among different players in the payment card 
industry. This means processors like CardSystems do not have 
access to complete information, such as Social Security 
numbers, which could greatly facilitate identity theft.
    Additionally, this breach has not, to our knowledge, 
resulted in credit card fraud. Make no mistake, exposure of 
information about one card is too many. We will not be 
satisfied until we are confident that everything that can be 
done has been done to prevent this from ever happening again.
    Turning to the issue of security compliance, all businesses 
that handle cardholder data are directed by the payment card 
networks to follow rigorous security standards. CardSystems was 
audited and certified in the late fall of 2003 by a qualified 
Visa security assessor. More recently, Visa and MasterCard have 
developed the payment card industry, or PCI, data security 
standard, which has been adopted by all the card networks. We 
have hired an independent security auditor who has reviewed our 
systems and has affirmed that we will be PCI compliant by the 
end of the month.
    We are also pleased to hear today that Visa has agreed this 
morning to meet and discuss and, I am confident, to resolve our 
differences. As MasterCard has just noted, I am sure that we 
will complete the necessary work to satisfy all requirements 
for continuing our work as processors by August 31st.
    We appreciate the opportunity to participate in this 
hearing, and we welcome the chance to address any questions 
from the subcommittee. Thank you.
    [The prepared statement of Mr. Perry can be found on page 
105 of the appendix.]
    Chairwoman Kelly. Thank you.
    Mr. Hendricks?

  STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, PRIVACY 
                             TIMES

    Mr. Hendricks. Thank you, Chairwoman Kelly, Ranking Member 
Gutierrez.
    This is my first time back since the 2003 FACT debates. 
That year inspired me to write my book, ``Credit Scores and 
Credit Reports,'' which spends a lot of time trying to explain 
to consumers what to do in situations like this. It also has a 
chapter dedicated to Congress' and this committee's work, which 
was an exciting and productive year, I think, for all of us.
    I think it is also worth pointing out that this committee, 
your subcommittee, was the first one to hold a hearing on a 
data breach involving a credit card processor, I think it was 
April 2003. So you continue to be out in front of this issue, 
and look at the response you get by shining the spotlight. I 
think it is very commendable.
    I think there are several lessons from this event. One is 
that some companies will not have adequate security unless they 
are forced to. They will continue to treat security as an 
afterthought. I think you used to say that privacy is good for 
consumers and good for business. I think we have elevated to 
the point now where privacy and security is not only good, it 
is essential, and that you see by blowing it on privacy and 
security, that there are serious economic repercussions.
    Here a company is faced with an enforcement action that 
could close them down or seriously reduce them in size. It 
would have been good to have considered not to keep personal 
information that you were not supposed to keep in the first 
place and if you were, to encrypt it so it would be rendered 
useless with robust encryption. I hope other companies will 
learn the lesson that in ignoring privacy and security, you do 
so at your own risk.
    I think the other thing that we have to remember is the 
consumer. These incidents impose real costs and hardships on 
consumers. I have already heard from a few who did not receive 
any notice of this event, went into the retailer and found out 
that their account had been flagged and were unable to make 
purchases. Some were accompanied by friends or by business 
associates.
    Other people, consumers, have called to try and find out, 
``Has my information been compromised?'' Some credit card 
companies were fairly responsive. Others did not have a clue 
what to tell people, and so this again contributes to the 
anxiety. If we are going to have a system where notice is not 
going to be required for every little event, then it is 
incumbent upon organizations to have a mechanism in place to 
inform people who are trying to find out what is going on.
    The other lesson from this is some companies will not 
notify consumers unless they have to. Some companies will make 
the judgment that there is no real harm to people. And the 
problem with that is that if you get a credit card number in 
this sophisticated hack, the sophisticated hackers and identity 
thieves can use a credit card number as leverage to get a 
Social Security number through pretext and other means. We need 
to stop treating the lowest priority as the consumer because 
the consumer is the basis for this entire credit card system.
    If we look at the breaches that we have had this year, 
ChoicePoint, Bank of America, CitiFinancial, 3.9 million Social 
Security numbers about to go out the door and what do they do, 
they call UPS. They are not encrypted, and the information is 
lost by UPS. And now with CardSystems and potentially 40 
million, the number of Americans that are potentially exposed 
to these security breaches equals the number of Americans that 
originally signed up for the ``Do Not Call'' list. So it is 
sort of an eerie mirror of the privacy issue.
    The other thing that shows the inadequacy is what is not 
known. I mean, there are more things that we do not know about 
what happened with this data, how it went out, who it went to, 
and, again, there is no transparency, there is no reporting to 
the public.
    The lack of encryption is very troubling. We want to 
encourage encryption, but we also want to keep in mind that 
encryption by itself is never going to solve the problem. It is 
a multifaceted problem and encryption has to be robust and meet 
certain standards. Just because you call it encrypted does not 
mean that it is adequately protected in this day and age.
    The biggest threat here, I think, is the one to our 
society, is the lack of confidence that is going to entail from 
all of these events. If you look at each event and then total 
them up, as a consumer you do not think there is anyone out 
there looking for your data and that lack of confidence could 
have enormous implications, just as it is having for the 
Cingular company. If there is falling confidence in our credit 
card system, the numbers on that could be really scary.
    And think what Congress did to build confidence in the 
credit card system. Congress, you like to beat up on 
yourselves, all the members like to joke about yourselves, but 
give yourselves credit. You passed the Fair Credit Billing Act 
a couple decades ago to make sure consumers were protected, to 
put confidence in the system so that people were not going to 
lose their finances if something went wrong with their credit 
card. That is the kind of protection we need in terms of 
people's data. That is how this has migrated.
    Chairwoman Kelly. Mr. Hendricks, will you please sum up?
    Mr. Hendricks. Yes. In closing, I would say this is a very 
multifaceted problem. I urge the committee to be as 
comprehensive as possible in addressing it and to look at the 
key moment, the reason thieves steal identities is because the 
credit report continues to be disclosed when the thief applies 
for credit in your name.
    Thank you, and I am sorry to have gone over.
    [The prepared statement of Mr. Hendricks can be found on 
page 78 of the appendix.]
    Chairwoman Kelly. Thank you very much.
    I would like to ask a question about a company that is not 
represented here. I would like to ask Visa, Cable & Wireless 
security was part of your approved auditor list and CardSystems 
picked Cable & Wireless from that list.
    I would like to know how Visa certified Cable & Wireless, 
and I would like to know since Cable & Wireless has been bought 
by an international company, now it is called the SAVVIS 
Company apparently, I would like to know if that SAVVIS Company 
has been tasked to do a better job than Cable & Wireless.
    What can you tell me, Mr. Ruwe?
    Mr. Ruwe. Yes. Cable & Wireless is one of a number of 
vendors that are approved by Visa and/or MasterCard to perform 
assessments in this environment. As you said, the processor in 
this case selects from a list of those assessors and contracts 
with them to conduct the assessment and provide the assessment 
results to Visa or MasterCard or whoever it is going to.
    In the case of Cable & Wireless, they are now, as you 
mentioned, SAVVIS. Visa has asked SAVVIS to explain how there 
could be such a discrepancy in the report of compliance between 
what was reported to Visa in reality. We have temporarily 
suspended SAVVIS from being able to do any more security 
assessments, and we have asked them to revalidate the last 
``X'' number of assessments they have conducted.
    So the investigation as to what happened in terms of the 
discrepancy that was very large of what was the case at CSSI 
versus what was in the report provided to Visa on behalf of 
CSSI is still under investigation.
    Chairwoman Kelly. Mr. Ruwe, and I would ask you too, Mr. 
Peirez, how do you set up the goals that you expect the 
auditing companies to meet? What standards are you applying 
before you put them on your list?
    Mr. Peirez?
    Mr. Peirez. Thank you, Madam Chairwoman.
    Well, obviously at this point in time, a lot of this 
information is new to us as well, in terms of what happened in 
this particular instance, as we were not privy to this report.
    That being said, we obviously are looking at the measures 
in order to have auditors who are effective, who know what they 
are doing, and who can give accurate reports. We look for 
auditors who follow standard auditing practices and look for 
them to issue reports that are within those guidelines. There 
are many standards out there for best practices of auditors, 
and that is what we look at.
    Chairwoman Kelly. So you use whatever the standards are 
that are in the industry but do not have separated standards of 
your own.
    Mr. Ruwe?
    Mr. Ruwe. There are in the case of assessors that Visa 
uses, and I believe this is true now of MasterCard, perhaps it 
was not at that time, there is a set of documentation that the 
assessor is given as a minimum that could be provided to the 
committee if they would like to see it, a minimum of standards 
that define and delineate and categorize the things that they 
have to check within that environment. That is as a minimum.
    Beyond that, as a processor, assessor in this space, these 
companies have proven themselves to be viable and capable of 
doing this work, otherwise they would not be on the list.
    So there is an actual process that is defined that they 
have to go through as a minimum for the PCI Program, and then 
beyond that they have their own additional assessments that 
they conduct.
    Chairwoman Kelly. Mr. Gorgol, Mr. Minetti, I would like to 
have you please chime in on this. Tell me what your standards 
are.
    Mr. Gorgol. At American Express--
    Chairwoman Kelly. Mr. Gorgol, I am sorry--
    Mr. Gorgol. Sorry.
    Chairwoman Kelly. Thank you.
    Mr. Gorgol. At American Express, we have the data standards 
in our contract with companies like CardSystems, the 
processors, and there are consequences to not meeting those 
standards. And you can see recently that those consequences do 
have teeth. But we also rely on the industry, and we would 
expect processors to draw from the industry and bring in 
professional help to make sure that they are meeting that 
contractual obligation.
    Chairwoman Kelly. Mr. Minetti?
    Mr. Minetti. Our requirements are also outlined in our 
contracts. In addition to that, when we select the vendors we 
conduct an RFP, a request for proposal. I am not familiar with 
the criteria in the RFP, but it was a competitive process and 
we selected the top vendors of that list.
    Chairwoman Kelly. Perhaps, Mr. Minetti, you could--
    Mr. Minetti. I can provide it.
    Chairwoman Kelly. --advise the committee in writing. It is 
something of concern because if you all rely on auditors, then 
it is important that reliance is a correct one.
    Mr. Minetti. And I will be happy to provide you with a 
written statement that outlines the criteria.
    Chairwoman Kelly. Fine. Thank you very much. My time is up.
    Mr. Gutierrez?
    Mr. Gutierrez. Thank you.
    Well, first, I want to commend Mr. Ruwe and Visa for being 
a leader in the industry and initiating heightened security 
which became the PCI standard for the industry, and I commend 
the other companies for working to make this an industry 
standard. I think it is a step in the right direction in terms 
of securing data of the public, which Mr. Hendricks so clearly 
elaborated we should be most focused on here at this hearing.
    And I think, Madam Chairwoman, I think your questions about 
the audits are excellent, and we should examine who performs 
these audits and what standards are used and what the best 
practices are for these audits that are used by Visa and 
MasterCard and all of the other credit issuing companies, 
because if you have a bad audit, they all have bad information 
and our checks and balances, I think, are all out of whack.
    So I think it is a great place. I am happy that you went in 
that direction, and I am going to be asking Visa to put in 
writing, if they would for me, just what happens at the audit, 
what flaws they saw in the audit and what actions they took 
with the auditor after they saw the vulnerabilities of the 
audit.
    I would like to say also that it seems to me that we have a 
very, very serious problem here, because trying to set aside 
the issues of the processor and the credit card issuing 
companies, I mean, as I read these prepared statements and I 
look back and they say that there were--and I would like to ask 
Mr. Perry about this--your testimony has indicated that the 
data relating to 239 accounts was transferred out of your system.
    And this looks as though this number--239,000, thank you 
very much--this looks as though this number can be tracked to 
only one day of transfer activity since the hacker software was 
on your system since September of 2004 through May of this year 
and was designed to download data every 4 days. That is in your 
testimony that he actually entered your system--he or she, they 
actually entered your system in September.
    So it just seems extremely unlikely that a hacker, a 
sophisticated hacker would enter your system in, say, 
September, October, November, December, January, February, 
March, April and finally in May decide to download this 
information. And Merrick Bank did an audit, a forensic audit 
and their auditor suspects and found information that your 
system was probably already vulnerable as early as April of 
2004.
    Do you have any other information, I mean, is it your 
testimony that the only information that you have is of the 
239,000 names downloaded that one day, that was the only 
security breach at CardSystems?
    Mr. Perry. Mr. Gutierrez, regarding that question, the only 
export of data that has actually been confirmed where it is 
possible to actually describe the number of accounts that were 
exported from the system was the security incident that 
occurred on May the 22nd, Sunday afternoon, I believe, when I 
heard about it.
    Mr. Gutierrez. Well, it just seems rather unlikely and 
given the forensic information that Merrick Bank put together 
in saying that your system was probably already hacked into and 
that you were vulnerable much earlier than that, that a hacker 
would just wait that long to download information on one 
particular day, which only tells us that we need to be more 
secure, because even in your testimony and other people's 
testimony, you were vulnerable for months if not for over a 
year before you found out that somebody actually downloaded 
some information.
    And, secondly, the information that you held, why did you 
hold information that clearly was established in the contract, 
at least with MasterCard, in the information I have received, 
with MasterCard and Visa that you were not supposed to have in 
your system?
    Mr. Perry. Mr. Gutierrez, the data that was actually 
exported on that day that we notified the FBI and Merrick about 
was from a database that was used primarily for research 
purposes.
    Mr. Gutierrez. I guess my question is, why did you have the 
data in your system if your contract with MasterCard and Visa, 
I do not know about the other two companies, but at least with 
those two companies they said, ``This is part of our contract. 
We do not want you to have this information.''
    Mr. Perry. Mr. Gutierrez, we have stated that we were in 
error by keeping that data. That data was specifically designed 
to provide customer service to the merchants that might have 
had a transaction that did not properly execute, it did not 
properly process, and the individuals in that case that managed 
that database believed it enhanced customer service to provide 
the merchants with the information they would need to conduct 
their business.
    Chairwoman Kelly. Thank you.
    We turn to Mr. Garrett.
    Mr. Garrett. Thank you.
    I appreciate Mr. Watson's opening comments about the 
simplicity of the system and how the average consumer just 
deals with it in an easy manner. From a government point of 
view, I can go to a local government agency, whatever it is, 
try to transact some sort of action with the government, it may 
take me some hours or days or even weeks to get some sort of 
response from the government, but I can go across the country 
or across the world and just open my wallet and bring out my 
credit card and give it to them and literally within seconds or a 
minute or 2 they know who I am and I can get into a hotel or, 
as you say, have dinner or something like that.
    So it is an amazing ability that we have developed or that 
you all have developed, and I guess the track record has been 
fairly good in the scheme of things, and unfortunately we come 
to this point in time when it occurs as it does here, but I 
think I want to commend that it has been able to move the 
economy as it has in the system that we have had so far.
    The concern we have is whether we need to be taking 
additional actions right now or, as I see from one of the 
charts that we have here, literally the litany of regulations 
that applies to the various players, whether it is the issuing 
banks, the merchants, the ISO's, the card services, and it goes 
from the Federal banking laws, the FACT Act, the FTC safeguard 
rules, the bank regulators acts and so on. So we have a lot on 
the books already, and I know some of you who are before us are 
involved in the regulatory side of the game.
    Let me turn first to Mr. Perry then on that regard. Someone 
else had made mention, I believe, earlier with regard to Gramm-
Leach-Bliley and how that applies here or it does not apply 
here. Your understanding as to whether that applies to you or 
not?
    Mr. Perry. Mr. Garrett, we are currently conformed to the 
regulations and rules of the card associations who set before 
us, including Visa and MasterCard, who set before us the rules 
on how we process timeframes, etc.
    Mr. Garrett. Okay. If anyone else would like to address the 
question with regard to Gramm-Leach-Bliley, whether that should 
be applying to them now or in the future.
    Yes?
    Mr. Hendricks. My understanding is that Gramm-Leach-Bliley 
does not apply to the processors, and one of the reasons was 
that they do not keep the information. So when they keep the 
information, it really becomes problematic.
    Mr. Garrett. Okay. Does anybody else have a comment on 
that?
    Mr. Gorgol. We would agree to have Gramm-Leach-Bliley apply 
to the processors as well.
    Mr. Garrett. That it should.
    Mr. Gorgol. It should.
    Mr. Garrett. Okay.
    And, Mr. Hendricks, as long as you are answering the 
question, in the situation that we have right now and the 
descriptions that you have here and I guess in your book as 
well, is there recourse for the consumer in some other avenue 
other than through the regulatory scheme from civil action or 
anything else on those matters to recourse?
    Mr. Hendricks. That is why I like Visa taking action here. 
The only enforcement action after all these breaches has been 
Visa in this case. There have been several class action 
lawsuits filed after various breaches, and those are going to 
drag on forever, and the companies, the defendants are going to 
say, ``The law does not apply to us,'' and they are going to 
point out more holes in the law.
    So there is no simple solution for consumers. It is just an 
enormous burden on them to constantly be monitoring their 
credit reports and their credit card statements because the 
smart thieves are going to wait for the 30-, 60-, 90-day period 
or even over a year before they use the information, 
particularly if they get Social Security numbers.
    Mr. Garrett. The other people that can be harmed to a 
degree, not as much as the consumer can be, but that is the 
issuing companies and the small, I guess they are called the 
acquiring banks, the small merchant banks are involved here, 
because they have to pay for the reissuance of the card.
    Can some of you discuss that as far as how they are 
reimbursed? I understand that sometimes it is in the contract, 
and sometimes I understand that it is difficult for the smaller 
players, the credit unions as well, that have to get in under 
the line here to deal with those contracts. Can some of you 
address that issue, how that is reimbursed and is made or is 
not made?
    Mr. Peirez. Thank you, Congressman. I would be happy to 
address that in so far as the MasterCard system is involved.
    First of all, we provide protection against issuers, large 
and small, both for the cost of monitoring their accounts as 
well as for the cost of reissuing accounts if that becomes 
necessary as a result of a data compromise scenario.
    There is no distinction between how those rules would apply 
to a small or large institution. Indeed, our experience is that 
smaller institutions tend to take us up on that more often. So 
that is how it works with MasterCard.
    Mr. Garrett. Okay.
    Mr. Ruwe. In the Visa world, if there is fraud perpetrated 
on an issuer, whether it is large or small, there is no 
distinction as well. They have a system of being able to apply 
for compensation for that through Visa. It is based on actual 
fraud occurring subsequent to the event.
    Mr. Garrett. My time is up, but thank you.
    Chairwoman Kelly. The gentleman's time is up. Please answer 
the question and then we have to go to another member.
    Mr. Garrett. I do not know if any of the other gentlemen 
from the other--
    Mr. Gorgol. It does not really apply to American Express. 
We are the only issuer and the only acquirer.
    Mr. Garrett. Sure.
    Chairwoman Kelly. Thank you very much.
    Mr. Davis?
    Mr. Davis of Alabama. Thank you, Madam Chairwoman.
    Let me follow Mr. Garrett's lead and kind of ask you in the 
time that I have to react to some of the legislative issues 
that Congress will wrestle with in the next few months based on 
distinctions from these various bills.
    Let me ask you, obviously one of the differences in the 
bills around the table is the question of preemption, the 
question of whether or not State law will be set aside in favor 
of a Federal standard. Let me ask you, do any of you believe 
that general State tort laws or general State breach of 
contract laws that are not specific to data security should be 
preempted? Is there anybody on this panel who believes that a 
State breach of contract law that is already in place or a 
State tort law should be preempted by this bill?
    Does anyone have an affirmative answer to support that?
    Mr. Ruwe. Yes, Congressman. I think Visa would support a 
national level approach.
    Mr. Davis of Alabama. So you support a national approach 
which would take a State breach of contract law that is in 
place right now and say it cannot be applied even if it is not 
specific to data security.
    Mr. Ruwe. That is correct.
    Mr. Davis of Alabama. What about Mr. Peirez, would you 
support that kind of standard? Just give me a quick yes or no 
because of the time.
    Mr. Peirez. Congressman, I will have to follow up with you 
and look at specifically what you have in mind in terms of the 
laws in question.
    Mr. Davis of Alabama. Well, I mean, the specific question 
was, preexisting State tort law, preexisting State breach of 
contract law, it is not specific to data security, you have no 
position.
    Mr. Gorgol, do you have a position?
    Mr. Gorgol. I am a little bit out of my league. I would 
have to get--
    Mr. Davis of Alabama. Okay.
    Mr. Minetti?
    Mr. Minetti. Same here.
    Mr. Davis of Alabama. You are out of your league or you do 
not have a position?
    Mr. Minetti. Both.
    Mr. Davis of Alabama. All right.
    Mr. Watson?
    Mr. Watson. As I understand what you are saying, it is not 
just a preemption of regulations but a preemption of remedies, 
and I guess one needs to go hand in hand with the other.
    Mr. Davis of Alabama. So your position would be if they go 
hand in hand with the other, they should be preempted or not.
    Mr. Watson. Yes.
    Mr. Davis of Alabama. All right.
    Mr. Duncan?
    Mr. Duncan. I am not absolutely clear on the question.
    Mr. Davis of Alabama. The question is, preexisting State 
breach of contract law, not a data security law, but a general 
breach of contract law that a litigant tries to enforce in 
State court today, should it be preempted by Congress?
    Mr. Duncan. Again, from a retailer perspective, I am not 
sure what the cause of action would be.
    Mr. Davis of Alabama. It would be--
    Mr. Duncan. But if Congress is attempting to develop a 
national standard, then retailers would like to see preemption 
to the extent that data protection is covered.
    Mr. Davis of Alabama. Mr. Hendricks, I am not quite sure I 
have heard an answer to my question yet. Would you like to 
briefly weigh in on it?
    Mr. Hendricks. Yes. It would be a really bad idea because 
contracts are between two parties, and I do not think we want 
the Federal law jumping in between that kind of relationship.
    Mr. Davis of Alabama. And let me turn to another scenario. 
One of the issues or the differences is a question of when you 
disclose a breach, and the bill that Ms. Bean and I have would, 
if I can use the shorthand, probably create something of a 
presumption in favor of disclosure. Some of the other bills 
would frankly probably create a presumption in favor of 
nondisclosure.
    What if you had this scenario, and I will not, for the sake 
of time, ask you all to react to it, but what if you had this 
scenario: What if a company believed that its database was 
compromised but in no specific instance could it identify a 
specific breach for a particular consumer? Do any of you 
believe that a company in that instance should not be required 
to disclose under Federal law if we pass a standard? Anybody 
want to weigh in on that?
    Mr. Duncan. I guess I will start by saying I am not sure: 
if you think there may have been a breach, but you cannot show 
particular evidence of--
    Mr. Davis of Alabama. No, no. Let's say that you know there 
has been a compromise of your system but you cannot identify 
the instance of a specific consumer that there has been a 
breach. Should Congress mandate a company that believes its 
system has been compromised to go ahead and notify the public 
or should the company be able to say, ``We know we have been 
compromised but we cannot tell them the specific instance.''
    Mr. Duncan. I think you run the risk in that situation, if 
you have notification, that unfortunately we run into with some 
of the Gramm-Leach-Bliley notices. People receive privacy 
notices by the boatload, and at some point they stop reading 
them.
    Mr. Davis of Alabama. And, Mr. Hendricks, I am going to ask 
one last quick question and you can respond to the one you want 
to on this one.
    I am interested in hearing from Mr. Hendricks on how 
other professions handle this. I used to be a lawyer, well, 
still am a lawyer, just do not have to practice now. In my 
profession, confidentiality is at the bedrock of what we do. 
Doctors, confidentiality is at the bedrock of what they do; 
same for hospitals.
    What is the standard, Mr. Hendricks, as someone who is an 
expert on privacy, for a lawyer who believes that his or her 
files have been compromised? What are the ethical obligations 
of that lawyer for notifying the client, and what are the 
ethical obligations of a doctor or the medical world for 
notifying the patient if their security or their identity or 
their information, rather the confidentiality has been 
compromised?
    Mr. Hendricks. They basically would have to notify very 
specifically each client and then take whatever remedial 
actions were necessary depending on what kind of information 
was breached. So it would be some heavy lifting, yes.
    Mr. Davis of Alabama. So that is the current ethical 
standard.
    Chairwoman Kelly. The gentleman's time is up. Thank you 
very much.
    Mr. McHenry?
    Mr. McHenry. Thank you, Madam Chairwoman. As votes are 
approaching, I will try to not use up my full amount of time.
    I want to start by saying thank you, first of all, to Visa 
and to MasterCard and to the others for actually disclosing 
that this occurred. That was not a motivation mandated by law 
but it was the right thing to do for your customers, and I 
certainly appreciate you all stepping forward and disclosing to 
your cardholders and to the public at large that this occurred. 
I know it was not easy but it was certainly the right thing to 
do.
    And that goes directly to my question for you all, and I 
will leave this for the panel. Is there a marketplace 
motivation, is there a market force for data security? We are 
talking about possibly passing legislation to force you guys to 
do certain things. My question is, is there a market force for 
data protection and data security? Now, one at a time. Okay. 
Slow down here.
    Chairwoman Kelly. And please remember that we have been 
called for a vote, and we need to have answers rapidly.
    Mr. Peirez. Yes. There is a marketplace for data security.
    Mr. McHenry. Great answer.
    Next?
    Mr. Watson. Congressman, I can tell you there is no 
stronger marketplace call for data security than the potential 
undermining of the consumers' confidence in this system. If the 
consumer does not believe in this system, then we do not have a 
system and we do not have a business. What could be a stronger 
market force than that?
    Mr. Gorgol. I would agree. Trust is the bedrock of our 
business.
    Mr. Ruwe. We agree.
    Mr. Perry. We agree as well.
    Mr. Minetti. We concur as well.
    Mr. McHenry. The problem is it is kind of a negative market 
force that would hit in after the fact, which is why I think we 
need to get in front of the issue. Inside companies where they 
have officers who push for security, they still run up against, 
``Well, why do we really have to do this?'' So that is where 
the public policy has a good role to play.
    Mr. Duncan, do you want to chime in?
    Mr. Duncan. To some extent, it depends on the kind of 
breach. I spoke with a retailer yesterday who, because they 
were seeing a fair amount of identity theft, had taken great 
efforts to reduce that number. Marketplace forces work because 
they eat those losses.
    Mr. McHenry. Well, that sounds very encouraging. If there 
is a marketplace for this to occur, then perhaps legislation is 
not the right route for us to take. If the marketplace is going 
to deal with this, let's watch it, let's monitor it, and let's 
make sure that you all are doing your part to adhere to Gramm-
Leach-Bliley, to adhere to the standards we currently have on 
the books. Let's make sure that is the right thing to do. And I 
certainly appreciate in particular Visa and MasterCard stepping 
up to the plate, disclosing fully and doing what was right in a 
timely manner. That makes a big difference, and it makes a big 
difference for this committee.
    Chairwoman Kelly. Thank you, Mr. McHenry.
    We have been called to a vote at the Capitol. I am going to 
ask the committee to recess for approximately 15 minutes. We 
will go, we will vote, it is 2 votes, and we will be back here 
and reconvene in approximately 15 minutes.
    [Recess]
    Chairwoman Kelly. Let us continue. Thank you for your 
forbearance.
    We turn now to Mr. Price.
    Mr. Price. Thank you, Madam Chairwoman, and I appreciate 
you having a recess and allowing us to come back.
    You are welcome to take as long as you want answering my 
questions.
    I want to thank you all again for coming, and I want to 
commend you for the work that you do. I am constantly in awe of 
the literally billions of transactions that occur without any 
errors or without any violation at all. And so I want to 
commend you for the work that you do.
    And I understand, as I think Mr. Garrett said, it may have 
been Mr. Renzi, that there are bad guys out there and they are 
trying as hard as they can to break your systems, and I think 
it is important for us to appreciate that we are all on the 
same team, we are all interested in making certain that the 
consumer has the confidence in the system and that it works as 
easily, frankly, as it does now.
    Mr. Ruwe, I heard Congressman Renzi say that he had spoken 
with Visa and with CardSystems and that you all had agreed to 
get together and work. I heard Mr. Perry say that, but I did 
not hear you say that. Are you committed to working with 
CardSystems and trying to work out a solution that is hopefully 
more equitable to all involved?
    Mr. Ruwe. I spoke with Congressman Renzi before the meeting 
and said I would talk to CSSI. That is what I said. I would 
meet with them.
    Mr. Price. And help me understand a little bit about--
MasterCard is comfortable apparently right now with allowing 
CardSystems to continue with the work that they are doing and 
understanding and I heard a commitment from CardSystems that 
they would have PCI standards in effect by the end of the 
month, I believe. How is it that you all reached a different 
conclusion about your relationship with CardSystems?
    Mr. Ruwe. I think the crux of our problem is the 
discrepancies in the audit that we were provided on behalf of 
CSSI and reality, and there is a huge gap between that, and we 
feel that CSSI bears responsibility for the accuracy of an 
audit conducted on their premises.
    Mr. Price. But CSSI is not the auditor, are they?
    Mr. Ruwe. They are not the auditor, but they are 
responsible for what is in the audit report.
    Mr. Price. Mr. Perry, were you aware--Mr. Gutierrez talked 
to you about the error being in error and holding that 
information. Were you aware that you were in error? Was 
CardSystems aware that they were in error?
    Mr. Perry. Mr. Price, until the incident that took place in 
May, I was not aware. When I joined the company in April of 
2004, I did look at the CISP report prepared by Cable & 
Wireless. It was an unqualified report, it was a very clean 
report, and to be quite--I took that report and reviewed it 
with management, and we were gratified to get the unqualified 
certification from Visa.
    Mr. Price. So you thought you were in complete compliance.
    Mr. Perry. Yes, sir.
    Mr. Price. And to Visa, isn't the culpability here 
potentially with the auditor and not with CardSystems?
    Mr. Ruwe. In our system, the culpability is with the party 
who is being audited. Now, if there is a problem with the 
audit--
    Mr. Price. But they believe, however, that they are in 
compliance because the auditor has told them they are in 
compliance.
    Mr. Ruwe. Then I think that if you look at the audit 
finding versus what turned out to be reality in the 
environment, the gap is quite large, and we do not understand 
how there could be a gap of that size between what was true in 
the environment and what was in the audited report. I do not 
know what went on between the auditor and CSSI, but it is a 
joint responsibility in our view.
    Mr. Price. But you are willing to work with CardSystems and 
see what that discrepancy was and see if you cannot work out a 
relationship.
    Mr. Ruwe. We said we would take a meeting on that. We have 
asked for explanation on this gap previously and not received 
satisfactory answers.
    Mr. Price. Okay.
    Mr. Hendricks, I would like you to comment, please, on the 
sense that I believe is possible and that is a chilling effect 
in the industry if in fact the individual who stands up and 
says, ``Look, I am in error here, and I am working as hard as I 
can to comply or correct the situation,'' what about that 
chilling effect?
    Mr. Hendricks. Well, yes, we always want people to have 
full reporting, so we take the remedial measures and make sure 
it does not happen again. I do like to focus on the fact that 
there was a decision made by somebody to keep personally 
identifiable information that was not allowed by contract. And 
we have to find out why that happened, why that decision was 
made, because that is what created the problem, what is exposed 
here today.
    And I think Visa deserves a lot of credit, because if they 
know that there is a huge gap there and security is not being 
protected, they have to take enforcement action; otherwise, 
they become complicit in it and other processors will think, 
``Well, they do not take this seriously either.''
    Mr. Price. And I appreciate that. And nobody wants there to 
be these violations or breaches, understanding that no loss 
occurred as a result of this, is my understanding.
    Mr. Hendricks. I mean, in terms of loss, I do not think we 
really know how much the bad guys got and what they did with 
it. The whole point that they are in the system for over a year 
and we only have a record of the stuff going out the back door 
one month, I look forward to the results of the investigation.
    Mr. Price. Thanks.
    My time is up, Madam Chairwoman, but I look forward to 
being able to submit other questions.
    Chairwoman Kelly. And, certainly, you may.
    I would like to ask about the PCI standard. The PCI 
standard, according to page 6 of CardSystems' testimony, is 
based on Visa's CISP, and it was adopted by Visa, MasterCard, 
Discover, American Express, Diner's, and JCB in December of 
2004.
    In theory, the PCI standard did not work here, if you look 
at it. So are you still using the same standard or has the 
standard been changed?
    And let's start with you, Mr. Peirez.
    Mr. Peirez. Thank you, Madam Chairwoman.
    I think I would say that the standard is relatively new in 
terms of being an industry standard and only having been 
implemented at the end of last year, the compliance date for 
everyone was June 30th of this year.
    We, at MasterCard, have gone out with letters to the over 
300 third party processors of whom we are aware, making them 
crystal clear on those standards as well as requiring them to 
provide us with a certification within 60 days that they are 
not storing the type of sensitive data that led to this 
particular breach event. So we think the standards are still 
sound. We think they were not followed here.
    Mr. Ruwe. I would like to, if I can, take an opportunity to 
clarify one thing. The PCI standard became effective in 
December of 2004, which was the result of the four large card 
companies getting together and agreeing on a set of rules. 
However, prior to that, the Visa standards were fully in play 
and people were fully responsible to be compliant with them. So 
in the timeframe that we are discussing here, prior to 2004, 
the CISP standards would have been in place and Visa players 
would have been responsible for being compliant with them.
    As far as whether or not they work, I think that the CISP 
standards do work if they are followed. And in this case, up to 
this point, it appears to us they were not followed.
    Chairwoman Kelly. Anyone else like to respond to that?
    Mr. Gorgol?
    Mr. Gorgol. I agree. I believe the standard is sound. I 
believe it is an enforcement issue here.
    Chairwoman Kelly. Mr. Minetti?
    Mr. Minetti. I also believe the standard is sound. Again, 
it is just not following the standard that created the problem.
    Chairwoman Kelly. Okay.
    Mr. Duncan. Madam, may I--
    Chairwoman Kelly. Yes, by all means.
    Mr. Duncan. One of the things from the retail perspective, 
the standards are an excellent idea in terms of trying to work 
out a coordinated approach, but they are extremely complicated, 
and that may be part of the issue. Some retailers have 
mentioned difficulties with the complications as well.
    Chairwoman Kelly. Thank you. Thank you for that 
observation.
    That goes to a question I would like to ask of Mr. Gorgol.
    In your testimony, on page 2, your explanation of the PCI 
standard, I would like you to define those standards in light 
of what Mr. Duncan just said, in terms of their impact on small 
business customers. Do you impose the same security standards 
on small businesses for the privilege of using your card that 
you impose on large businesses?
    Mr. Gorgol. Yes, to answer your question directly. I think 
the standards to protect the data need to be the same for 
everyone throughout the transaction chain. I think it is 
incumbent upon us as an industry to make it as easy as possible 
for the small mom and pop stores to be able to meet those 
standards.
    Chairwoman Kelly. Mr. Duncan, you said you think they are a 
bit complicated. I am concerned because, as I read Mr. Gorgol's 
testimony outlining some of the expectation levels here, how a 
mom and pop store, just a small business retail store on a 
corner, can maintain the six elements of what Mr. Gorgol's 
testimony--you probably have the testimony in front of you, I 
can go through them if you do not remember what they are--but I 
am concerned about its impact and the cost on small businesses.
    Mr. Duncan. Ideally, there should be a risk-reward basis in 
the standard, and I think there has been some effort to achieve 
that; that is, that at the original CISP standards there were 
more requirements for larger merchants than there were for 
smaller merchants. And this makes a certain amount of sense 
because if there is a breach, it is likely there is going to be 
more data captured from a large merchant than a small merchant.
    That said, I have heard a number of merchants complain 
about complications in understanding the enforcement standards, 
but they are making their best effort to do so.
    Chairwoman Kelly. Well, I think we need to make sure that 
the cards must be secure, that the standards of the industry 
may not need to be all the same for every industry. It may be a 
little more difficult for someone in the situation I described, 
the business person in the situation I described, to, for 
instance, to keep a written notebook.
    Looking at the standard, they were to build and maintain a 
secure network. Obviously, that is possible. Protect cardholder 
data. That is possible. Maintain a vulnerability management 
program. I am not sure what that means. And I do not know how 
complicated that is. Does that mean you have to have a 
notebook, you have to have somebody outside coming in to audit? 
How expensive is this protection?
    You have to implement strong access and control measures. 
That is totally possible for somebody in a small retail 
business. Regularly monitor and test networks. That is 
possible. Maintain an information security policy. What does 
that say?
    Those are some problems I see for small businesses, Mr. 
Duncan. I would like you to answer them.
    Mr. Duncan. Well, for a number of small businesses, it can 
be a challenge. You think of a modest retailer that might have 
6 or 10 stores in their chain. Chances are they are buying 
their equipment, the point-of-sale equipment already in a 
single package, and they really have to rely upon the software 
and hardware provider to have it right. They probably do not 
have the facility to do an in-depth study.
    So there have to be some allowances for this, and, as I 
said, it is a challenge.
    Chairwoman Kelly. It is a challenge, but I think it is 
important that we consider this, that the major credit card 
companies consider this. Having been a retail merchant, a small 
merchant, and accepting Visa, MasterCard, American Express in 
my business, I know that I would have been surprised if 
somebody walked in the door and said, ``How are you protecting 
this information from someone from the credit card companies? 
Do you take it on faith, do you go and inspect?'' What are the 
standards that you are asking small businesses to do to protect 
the information at that level?
    It is a concern, it is a cost to small businesses, and it 
is something I think that we need to think about in terms of 
protection, both for the customer and the retail merchant as 
well as the credit card issuer.
    That being said, I want to go to the concern that I think 
many small businesses--again, customers of Merrick Bank through 
the credit card systems will lose their access to credit cards. 
That could drive them out of business. Was the impact on small 
business customers considered when the decisions were made from 
Visa and MasterCard and so on?
    What are you doing, Visa, in particular, to help the small 
businesses stay in their card network?
    Mr. Ruwe. When Visa selected October 31st as the 
termination date, as has been stated, we took into 
consideration how much time it would take for an acquirer to 
move from one processor to another, and that was felt to be a 
reasonable amount of time.
    I believe the statements that have been made regarding the 
small merchants' inability to move or inability to retain new 
services or the situation where they would be out of touch or 
unable to operate or transmit or conduct Visa transactions have 
been overstated. We believe that they will be able to find new 
processor accommodations within that timeframe, and that is 
something we will work with our banks on, our acquirer banks.
    I have not heard this complaint from my acquirer banks. I 
have only heard it from CSSI. So if my banks tell me we need 
more time, then we will take that into consideration. We are 
not going to leave merchants hanging, but the statements that 
have been made so far regarding merchants and being cut off and 
being left in the cold have been overstated, in our view.
    Chairwoman Kelly. But have you done any outreach on that 
score to allay the fears of the merchants?
    Mr. Ruwe. That would be done through the acquiring banks 
who have the direct relationships with the merchants. That is 
not done by Visa.
    Chairwoman Kelly. All right. I understand that. I mean, I 
appreciate your response.
    When a merchant says to me, ``I am not going to accept 
American Express, I will accept Visa,'' that is your brand. 
What has happened here with CardSystems affects your brand. And 
I understand your wanting to protect your brand, but I also 
want to make sure that we set standards in such a way that the 
industry can respond in a way that it is possible for them to. 
A law is no good unless it can be followed.
    So it is extremely important that outreach be made, I 
believe, from your brand to the small businesses to help them 
understand not to panic, because from what I understand you are 
letting the banks take care of that, but, sir, are you sure 
that the banks are actually in touch with their small 
businesses and helping them understand and get through and find 
access to what they need?
    Mr. Ruwe. Madam Chairwoman, we have every intention of 
working with the acquiring banks and to support them any way we 
can in this space. My response was more of a factual one than 
anything else. We do not have direct contact with merchants any 
more than we have direct contact with cardholders, but we 
certainly will support our acquirers in this transition. 
Whatever we need to do to support them or make sure that the 
merchants are comfortable and feel knowledgeable about what is 
going on, we will support them in that regard, yes.
    Chairwoman Kelly. I would be interested in Am Ex and 
Discover's response to that, as well as MasterCard.
    Mr. Gorgol. Well, American Express will be offering our 
merchants a different choice for processing. They will have a 
number of different options. We will work with them directly 
over the next couple of months, including the option to come 
directly to American Express and avoid using a processor all 
together.
    Mr. Minetti. From our perspective, we have not finalized a 
decision. We wanted to be thoughtful and have all the 
information before we reach a conclusion. We have been working 
with CSSI all along, and we have a meeting scheduled to talk to 
them next week.
    Chairwoman Kelly. Thank you, Mr. Minetti.
    Mr. Peirez?
    Mr. Peirez. Madam Chairwoman, similar to Discover, we have 
not shut off CSSI at this point. We expect them to be in full 
compliance by the end of August, as they have told us they 
can be. If it becomes necessary for something to happen that 
would put their ability to process MasterCard transactions at 
risk, we would certainly make sure that the small merchants 
would not be impacted in any way. We would do the outreach 
necessary to get to that point, but we are not there at this 
time.
    Chairwoman Kelly. Thank you.
    Yes, Mr. Perry?
    Mr. Perry. Madam Chairwoman, may I just add that I have 
been in this industry for a long time with quite a few 
different payment processors, and we have 110,000 small 
businesses around the United States that are typically not 
6-location merchants but one-location merchants, one-location 
restaurants, and some of those restaurants take up to 80 
percent of their sales, or credit card sales, if not 100 
percent.
    It is my belief that it will not be possible to move a 
portfolio or part of a portfolio of 110,000 mom and pop 
merchants over the course of 3 months in an orderly fashion. 
Changing your credit card processing is not similar to changing 
your cell phone service, and some of us that have done that 
also understand how difficult that can be.
    There are a variety of different issues involved, including 
underwriting, technology, changing bank accounts, scheduling, 
as we all know is very difficult with a small business because 
at the end of the day they are very focused on moving product 
out the door, not necessarily the payment type that they take. 
And this will be a huge inconvenience to the small business, 
and we are very, very concerned how we continue to take care of 
these small businesses.
    Chairwoman Kelly. Thank you.
    Mr. Cleaver, thank you for returning.
    Mr. Cleaver. Thank you, Madam Chairwoman. I have 6,000 
questions. I will reduce it to five.
    One of the personal issues I have shared, and maybe Mr. 
Hendricks can respond, about 4 weeks ago the host of one of the 
``hate'' radio shows in my hometown went on the air and said 
that he had my Social Security number, and he said on the air, 
``And I plan to use it to find out everything about him.'' I 
called the FBI. They said, ``Well, we do not get involved in 
this.'' I called the Federal Communications Commission and they 
said, ``Well, we do not get involved in this.'' I ended up 
calling four or five different Federal agencies, and finally I 
called the U.S. Marshals Office and they began to monitor the 
radio show.
    It seems to me that there ought to be something wrong with 
somebody essentially promoting identity theft. And it was done 
on radio, the record is there, the tape is there, the whole 9 
yards, but there is apparently no law against that. I did not 
think it was a good idea that people could promote the 
commission of a crime, but apparently you can do it with 
impunity on the public airwaves.
    Is there anything or any way that you think that kind of 
thing can be corrected?
    Mr. Hendricks. Well, first of all, I am really sorry to 
hear that. That is absolutely horrible, and I cannot imagine 
someone can do that without being ashamed of themselves, but 
obviously--
    Mr. Cleaver. No, he is not ashamed.
    Mr. Hendricks. Yes. Obviously, he did. We in the privacy 
and consumer community would like to see a rollback of the 
Social Security number. It is required for many things in our 
society, but we need to start getting them out of courthouses, 
we need to stop using them as insurance company identification 
numbers if they are doing insurance. And there is legislation 
pending to have better protections for Social Security numbers 
so that he could not get it in the first place. That is the 
first thing.
    Obviously, using a Social Security number to harass 
someone, yes, maybe that is not covered by statute now but that 
is something that we should consider looking at.
    And in terms of the other problem, where does the consumer 
go for help, and I have to point out that in every other 
Western country except the United States there is a national 
office in charge of privacy issues, where people can go to get 
answers to these sort of questions, and sometimes you can get 
an investigation. It is called a privacy commissioner or data 
protection commissioner, and I think as big as this issue is 
getting, I think we should start revisiting that issue, because 
I think we need one here for situations like this.
    Mr. Cleaver. Thank you.
    My other question--this will be the last, Madam 
Chairwoman--I was the mayor in Kansas City and in an attempt to 
confuse the crooks, we encrypted our system, communications 
system, so that people who had the radio band sitting around 
would not know what we were doing and when we were going to do 
it. Is encryption an option for us that could possibly either 
reduce or prevent identity theft, particularly with credit 
cards?
    Mr. Duncan. Congressman Gutierrez--excuse me, Cleaver--
    Mr. Cleaver. He is shorter.
    [Laughter.]
    Mr. Duncan. What am I doing? Encryption can be a partial 
solution, but there are tradeoffs with encryption. There is 
highly detailed information on credit cards, but obviously we 
do not want to have stores retain information that one could use 
to make a clone card. But there is fairly basic information, 
the original numbers, the name, the expiration date, that if 
you encrypt it, you may save some problems, but you also may 
create more problems on the other side. Let me give you an 
example.
    Many consumers go into a retail store where they have 
bought something and they would like to return it but they do 
not have their receipt. If the checkout clerk who is taking the 
item back has to decrypt data in order to accomplish a return, 
it makes it much more difficult or maybe impossible in many 
situations. So there has to be a balancing as to how we achieve 
that.
    As to your first question, may I say that one of the points 
we wanted to focus on in our testimony is the need for more 
enforcement. Currently, if retailers find evidence of identity 
theft and take that to the State attorneys general offices, 
oftentimes they will not enforce unless they have $100,000 
worth of damage. So we would like to see a situation where 
Congress would encourage State officials to take a more active 
role in going after those who are committing crimes.
    Mr. Cleaver. Thank you.
    Chairwoman Kelly. Thank you, Mr. Cleaver.
    Mr. Price, you said you had another question. Feel free to 
ask.
    Mr. Price. I may?
    Chairwoman Kelly. Yes.
    Mr. Price. Thank you, Madam Chairwoman. I appreciate it.
    I think this is an incredibly important topic, and I think 
we can overreach in so many ways, but, again, I think it is 
imperative that we make certain that folks have confidence in 
the system.
    Mr. Gorgol, if you would not mind, please, commenting on 
the potential culpability of the auditor vis-a-vis CSSI review 
and ultimate problems that they had.
    Mr. Gorgol. We relied via our contract on CardSystems 
meeting their contractual obligations to meet the data 
standard. And they were the ones we worked with. We did not 
work directly with the auditor, so I cannot comment on it.
    Mr. Price. Mr. Duncan, there has been a discrepancy between 
responses on the effect on merchants with the cessation of the 
relationship between Visa and CardSystems. Would you comment on 
what you believe that consequence would be or the effect on 
merchants?
    Mr. Duncan. We are not privy to all the details involved in 
this dispute. Obviously, as in this whole issue, you do not 
want to overreact in a credit card fraud situation as opposed 
to, say, an identity theft situation. And this strikes me as 
one where the risks are perhaps lower than a true identity 
theft, and so maybe that same guidance should apply.
    Mr. Price. Mr. Ruwe, I have affinity for Mr. Perry and 
CardSystems, obviously. I also think, again, we are all on the 
same team in this in trying to make certain that violations of 
information do not occur. Do you believe that Visa's 
relationship with CardSystems is fatally flawed?
    Mr. Ruwe. Well, fatal is a very big word.
    Mr. Price. Yes. That is what is going to happen to them.
    Mr. Ruwe. It is certainly stressed. I think that Visa spent 
a great deal of time trying to evaluate what position we were 
going to take on this, and I believe we made several attempts 
to get information that we needed and did not get it. And as we 
said earlier, we will sit down with CSSI, but I think we are 
going to have to have more information and more 
forthcomingness, if you will, than we have had to date before I 
would make any commitment on anything fatal or otherwise.
    Mr. Price. I appreciate that. If I am able to facilitate 
any of that, please let us help.
    Mr. Perry, I would like you to comment, if you would, on 
the discrepancy that Mr. Ruwe pointed out or stated existed 
between the audit and the reality of the information that you 
all held.
    Mr. Perry. Yes, Mr. Price. We did receive some requests 
from Visa for information regarding the discrepancy between the 
CISP audit and what was subsequently found by the forensic 
analyst. Unfortunately, I was able to provide to Mr. Ruwe and 
Visa all of the data that I was able to find prior to my 
arrival at CardSystems in April of 2004. We stated to Mr. Ruwe 
and some of his associates at Visa that we were providing all 
of the information possible.
    We attempted to contact former employees, former auditors 
from Cable & Wireless and other former vendors to be able to 
fully answer Mr. Ruwe's questions. Unfortunately, it was very 
difficult to track a lot of these people down who had left the 
company sometime in 2003, early 2004. And, unfortunately, 
because we were not able to provide all of that information, it 
was deemed that it was not enough information.
    Mr. Price. Help me with the audit. Was there an actual 
question on the audit that said, ``Is CardSystems in full 
compliance with the agreement with Visa?'' Is that the kind of 
question that is on there?
    Mr. Perry. There are several questions that you would see 
in an audit that are fairly detailed as to very different 
aspects of the audit having to do with network security and, 
specifically, the error that we have owned up to, which is the 
storing of this data that should have been masked. And that is 
a specific block or question. That specific block had a 
checkmark by the auditor without qualification or any 
compensating controls in that area.
    When I specifically reviewed--
    Mr. Price. Checkmark saying?
    Mr. Perry. We were compliant. When I reviewed that, I felt 
pretty good and relied upon the audit and the auditor that we 
were in compliance in that area.
    Mr. Price. May I ask one more general question, Madam 
Chairwoman?
    I am interested from all the card companies as to whether 
or not there is agreement or consensus in the industry about 
the definition of a data breach and fraud. Is there consensus 
among the companies about what that is?
    Mr. Peirez. Congressman, I think there is general consensus 
on what would constitute credit card fraud. In terms of your 
question about breach, it is a very complicated question, and I 
think we are in general agreement, but any specific case you 
would have to look at the specifics and see whether we all 
agree.
    Mr. Price. Mr. Ruwe?
    Mr. Ruwe. I would concur with that.
    Mr. Minetti. Yes, I would agree as well.
    Mr. Price. Is there a need to define those terms? Are they 
defined legally as it relates to data breach?
    Mr. Peirez. Congressman, I think that, first of all, the 
terms that most often get confused and really do need to be 
used carefully and accurately are the distinction between fraud 
and identity theft or identity fraud. Those are the two things 
that really need to be very, very clearly identified because 
the consequences of either of those events are quite different 
and can be handled in different ways effectively.
    In terms of definition of breach, I think that depends on 
what happens if there is a breach as so defined. So I would be 
happy to work with your office if you are looking at something 
specific, but as to the general question on breach, I really 
cannot answer.
    Mr. Price. Any other general comments about that?
    Mr. Watson. I would say that the language is unclear, and 
it is unclear with respect to impact and timing. For instance, 
you could say the system was breached in April of 2004. 
Accounts were compromised possibly at some other time and 
certainly in May of 2005. But the definitions are not clear 
with respect to time or effect, and I think in putting forth 
any legislation they are going to need to be very clearly 
defined.
    Mr. Duncan. Congressman, there is one additional element, 
and this goes back to the question that the chairwoman 
mentioned, and that is for smaller retailers in particular, if 
they are buying off-the-shelf equipment, they want to make 
certain that if they bought something from IBM or NCR or 
something else, that they are not deemed to be in breach 
because of something they innocently purchased. And that is a 
distinction that has to be maintained.
    Mr. Hendricks. The California State law does a pretty good 
job of defining a breach by saying it is personal information 
or account numbers/Social Security numbers that can be used to 
commit fraud. And as to the distinction, there is a distinction 
between identity theft takeover and credit card fraud, but 
under the Identity Theft Deterrence Act and under FACTA, 
Congress has defined some forms of credit card fraud as 
identity theft, as it should, because we need to maximize 
protection for consumers, and you see this reflected in FTC 
regulations.
    So I agree with industry that we need to look very 
carefully and draw these distinctions so we have appropriations 
responses to each one, but I want industry to respond that some 
forms of credit card fraud are also identity theft.
    Chairwoman Kelly. Thank you.
    Mr. Price. Thank you, Madam Chairwoman.
    Chairwoman Kelly. Thank you, Mr. Price.
    Mr. Cleaver, you said you had another question or two.
    Mr. Cleaver. Admittedly, this is personal for me, but I am 
curious as to whether other Western countries, Mr. Hendricks, 
have strong laws with regard to identity theft. When I say 
strong laws, I mean when there is a data breach it could result 
in someone being just wiped out.
    So do you know of any other country where someone could do 
something and actually regret it?
    Mr. Hendricks. Do something in terms of using personal 
information?
    Mr. Cleaver. Yes.
    Mr. Hendricks. Well, a lot of the European countries and 
others do not have the biggest problem with identity theft as 
we do because they do not rely on the Social Security number 
the same way that we do. So they do not have specific laws on 
identity theft.
    Mr. Cleaver. What do they rely on?
    Mr. Hendricks. Well, they have their own usually national 
identification number or another set of identifiers. We need a 
country-by-country report. It is a very long question and 
answer. But they had old-fashioned comprehensive laws which are 
based on what we know as fair information principles, and that 
ends up covering a lot of these sorts of events.
    So they are constantly trying to upgrade them and oversee 
and implement them, but it becomes more of a compliance issue 
because they have a general framework which covers most 
personal information, creates rights for individuals, duties on 
organizations.
    Mr. Cleaver. I do not know if you collect data that would 
provide information about how long it would take after a breach 
before the fraudulent act begins. And is there any data that 
would allow us information to know the time between the breach 
and the time of the commission of a fraud?
    Mr. Hendricks. There is no real research on that has been 
made public, but it ranges from immediate to long term. The 
methamphetamine users that hit mailboxes they try and use 
something right away, that is just their nature. The very 
sophisticated criminal rings will sit on information and use it 
down the road.
    Mr. Cleaver. So my radio host is sitting on it.
    Mr. Hendricks. Yes, but I think maybe someone should sit on 
him. I think he deserves some more attention.
    Mr. Cleaver. Thank you.
    Chairwoman Kelly. Thanks, Mr. Cleaver.
    Mr. Gorgol, you raised a very important issue in your 
testimony and we have not talked about it, and that concerns 
phishers with a ``ph.'' I think you mentioned that you were 
concerned that phishers might take advantage of the breach and 
other publicized incidents to look around to see what they can 
find from card customers.
    I would like this panel to describe whether or not you have 
seen a reaction like that in this case, and I would also like 
to know whether small businesses are likely to be contacted by 
fraudsters that are claiming to represent interested parties in 
this case?
    And with the terminations and so on that are imminent, 
apparently, I am wanting to know what you are doing to reach 
out to small businesses to keep them secure from phishers who 
are likely to call them and say, ``We are checking on this 
information,'' and so forth. They do not know who is at the 
other end of the phone. I want to know what you are doing to 
protect these people from a fraudulent inquiry and a fraudulent 
solicitation during the changeover period.
    Mr. Gorgol. Well, first, I mean, phishing is a serious 
problem and I think it is something to consider if we think 
about legislation that requires notification. If we overnotify 
people, that will provide, I think, a vehicle for phishers, 
sort of weeds that they could hide in if we overnotify. It is 
one of the dangers of overnotification.
    But I think the most powerful tool we have, to answer your 
question directly of what we can do and how we can help small 
businesses, is education and just raise their awareness that 
phishers are out there and just be very careful in how they 
share their information.
    Chairwoman Kelly. How do they know if someone calls and 
says, ``I represent such and such, and I want this 
information''?
    Mr. Gorgol. There are basic rules. They are not to share 
personal identifiable information over the phone unsolicited or 
you are not sure who you are sharing it with.
    Chairwoman Kelly. Well, if they are solicited, they are 
going to share it because they do not know the difference. My 
concern is that there be some sort of an interception there, 
direction, education, however you do it, so that the small 
businesses during the changeover will not become a victim of 
phishing.
    Mr. Gorgol. Well, during this specific changeover, they 
would be working directly with American Express employees, so 
we will be able to contact them directly.
    Chairwoman Kelly. Anybody else?
    Mr. Ruwe?
    Mr. Ruwe. I think that would add to the education, and part 
of the education is making sure they understand that if they 
get one of these calls, that they should say, ``Thank you very 
much.'' And they have been trained to say, ``Give me a number 
where I can call you back, please,'' and then they can verify 
with their true business relationship. That is one of the 
things that we have tried to reemphasize over and over again in 
our educational materials.
    But, typically, the phishers do not necessarily target 
small businesses. They may be affected by this, but they really 
go for the big broadcast over the Internet. That is why it is 
called phishing. They go out and really attack the masses is 
usually their MO.
    Chairwoman Kelly. In the 1970's and 1980's, a number of 
banks spun off the card processing units and now some of the 
banks are bringing them back in-house. There are pros and cons 
on this, and we have not heard from any of you about that.
    Mr. Watson, you may be the first one to answer that 
question. What are the pros and cons?
    Mr. Watson. I actually have worked for data processors in 
the past prior to my career at Merrick Bank. I think data 
processing for both card holder and merchant business is very, 
very much a scale issue, and in-house processing is really only 
affordable by the very, very largest issuers and the very, very 
largest merchant banks.
    Without the access to high quality, secure third party 
processors, the credit card business, both the issuing side and 
the merchant banking side, would be in the hands of a very, 
very small number of banks because they would be the only ones 
who could afford it.
    Chairwoman Kelly. Okay. So you think that unless a large 
bank like Bank of America, Citi, Chase made the decision to 
bring it back in-house, no one else is likely to because it is 
expensive; is that correct?
    Mr. Watson. Yes.
    Chairwoman Kelly. Okay. Thank you.
    My last and final question to you, Mr. Perry, there was a 
3-day time lag between the time you discovered that there was a 
problem in the system and the notification that went out, you 
called the FBI, but it was not until the next day, it was 
basically a 3-day time lag. You found out on the 22nd and on 
the 25th Merrick Bank found out and the card people found out. 
What caused that time lag?
    Mr. Perry. Madam Chairwoman, the time lag was we found out 
of a suspicious production issue on Sunday, late afternoon, 
Sunday, May the 22nd. On Monday, May the 23rd, we contacted the 
Phoenix office of the FBI and on actually Tuesday, May the 
24th, we had not heard back from the Phoenix FBI and then 
contacted the Atlanta FBI because we were very concerned that 
this might be a situation that law enforcement needed to be 
aware of immediately.
    Once we heard back from the FBI on the 25th that they had 
assigned a case officer and we had disclosed everything to 
them, we also asked if it was okay under the investigation to 
contact the bank and notify the bank so they could go through 
their proper notification procedures, and they said, yes. 
Unfortunately, there were 2 days of lag where we missed 
speaking to the FBI from Atlanta or Phoenix to receive proper 
instructions.
    Chairwoman Kelly. So the time lag, if I understand you 
correctly, was caused by the FBI not getting back to you in a 
timely manner. In the meantime, the 44 million people whose 
information had been perhaps compromised were still out there 
with their information compromised and nobody knew it.
    Mr. Perry. At that time, all that we were aware of was the 
export of the 239,000 discrete cards that we found about later. 
I do not want to say that the FBI did not react, but we did 
contact the Phoenix office on Monday, and when we did not hear 
back from them on Tuesday we contacted the Atlanta office. At 
that point, both offices coordinated and once they got back to 
us, we also asked them if we could move to the next step of 
notification, which we saw as critical, which is contacting our 
sponsor bank, Merrick Bank.
    Chairwoman Kelly. I am just curious because under a 
contractual agreement with the credit card companies, wouldn't 
that have been in the contract that you had to notify them 
immediately if you discovered any kind of a breach?
    Mr. Perry. At that point, on May the 22nd and even on May 
the 23rd, we were unclear as to the scope of the potential 
compromise.
    Chairwoman Kelly. But you knew you had been compromised.
    Mr. Perry. We believed we had, yes.
    Chairwoman Kelly. But it was just a matter of degree. So if 
there was a contractual agreement for notification to the 
credit card people--
    Mr. Perry. Because we believed there had been a crime 
perpetrated against the company and its merchants, we believed 
it was incumbent upon us to contact law enforcement first and 
make sure that they would help us and guide us through this 
situation. This is a situation that we had not previously 
experienced in the past, and we wanted to make sure that in no 
way would we compromise any future investigation.
    Chairwoman Kelly. Thank you.
    I want to thank this panel for your patience. You have been 
wonderful for staying with us, and I appreciate very much the 
fact that you have given us so much of your time and your 
expertise today.
    The Chair notes that some members may have additional 
questions for this panel, which they may wish to submit in 
writing. So without objection, this hearing record will remain 
open for 30 days for members to submit written questions to the 
witnesses and place their responses in the record.
    This hearing is adjourned.
    [Whereupon, at 1:12 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                             July 21, 2005


