[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
CREDIT CARD DATA PROCESSING:
HOW SECURE IS IT?
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
JULY 21, 2005
__________
Printed for the use of the Committee on Financial Services
Serial No. 109-48
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2006
29-461 PDF
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
HOUSE COMMITTEE ON FINANCIAL SERVICES
MICHAEL G. OXLEY, Ohio, Chairman
JAMES A. LEACH, Iowa BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana PAUL E. KANJORSKI, Pennsylvania
DEBORAH PRYCE, Ohio MAXINE WATERS, California
SPENCER BACHUS, Alabama CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma MELVIN L. WATT, North Carolina
ROBERT W. NEY, Ohio GARY L. ACKERMAN, New York
SUE W. KELLY, New York, Vice Chair DARLENE HOOLEY, Oregon
RON PAUL, Texas JULIA CARSON, Indiana
PAUL E. GILLMOR, Ohio BRAD SHERMAN, California
JIM RYUN, Kansas GREGORY W. MEEKS, New York
STEVEN C. LaTOURETTE, Ohio BARBARA LEE, California
DONALD A. MANZULLO, Illinois DENNIS MOORE, Kansas
WALTER B. JONES, Jr., North Carolina MICHAEL E. CAPUANO, Massachusetts
HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois RUBEN HINOJOSA, Texas
CHRISTOPHER SHAYS, Connecticut JOSEPH CROWLEY, New York
VITO FOSSELLA, New York WM. LACY CLAY, Missouri
GARY G. MILLER, California STEVE ISRAEL, New York
PATRICK J. TIBERI, Ohio CAROLYN McCARTHY, New York
MARK R. KENNEDY, Minnesota JOE BACA, California
TOM FEENEY, Florida JIM MATHESON, Utah
JEB HENSARLING, Texas STEPHEN F. LYNCH, Massachusetts
SCOTT GARRETT, New Jersey BRAD MILLER, North Carolina
GINNY BROWN-WAITE, Florida DAVID SCOTT, Georgia
J. GRESHAM BARRETT, South Carolina ARTUR DAVIS, Alabama
KATHERINE HARRIS, Florida AL GREEN, Texas
RICK RENZI, Arizona EMANUEL CLEAVER, Missouri
JIM GERLACH, Pennsylvania MELISSA L. BEAN, Illinois
STEVAN PEARCE, New Mexico DEBBIE WASSERMAN SCHULTZ, Florida
RANDY NEUGEBAUER, Texas GWEN MOORE, Wisconsin
TOM PRICE, Georgia
MICHAEL G. FITZPATRICK, Pennsylvania BERNARD SANDERS, Vermont
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina
JOHN CAMPBELL, California
Robert U. Foster, III, Staff Director
Subcommittee on Oversight and Investigations
SUE W. KELLY, New York, Chair
RON PAUL, Texas, Vice Chairman LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California DENNIS MOORE, Kansas
STEVEN C. LaTOURETTE, Ohio CAROLYN B. MALONEY, New York
MARK R. KENNEDY, Minnesota STEPHEN F. LYNCH, Massachusetts
SCOTT GARRETT, New Jersey ARTUR DAVIS, Alabama
J. GRESHAM BARRETT, South Carolina EMANUEL CLEAVER, Missouri
TOM PRICE, Georgia DAVID SCOTT, Georgia
MICHAEL G. FITZPATRICK, Pennsylvania DEBBIE WASSERMAN SCHULTZ, Florida
GWEN MOORE, Wisconsin
GEOFF DAVIS, Kentucky BARNEY FRANK, Massachusetts
PATRICK T. McHENRY, North Carolina
MICHAEL G. OXLEY, Ohio
CONTENTS
----------
Hearing held on:
July 21, 2005
Appendix:
July 21, 2005
WITNESSES
Thursday, July 21, 2005
Duncan, Mallory, General Counsel, National Retail Federation
Gorgol, Zyg, Senior Vice President, Fraud Risk Management, American Express
Hendricks, Evan, Editor and Publisher, Privacy Times
Minetti, Carlos, Executive Vice President, Cardmember Services, Discover Card
Peirez, Joshua L., Senior Vice President & Associate General Counsel, Law Department, Mastercard International
Perry, John M., President and Chief Executive Officer, CardSystems Solutions, Inc.
Ruwe, Steve, Executive Vice President, Operations & Risk Management, Visa U.S.A. Inc.
Watson, David B., Chairman, Merrick Bank
APPENDIX
Prepared statements:
Castle, Hon. Michael N.
LaTourette, Hon. Steven C.
Duncan, Mallory
Gorgol, Zyg
Hendricks, Evan
Minetti, Carlos
Peirez, Joshua L.
Perry, John M.
Ruwe, Steve
Watson, David B.
Additional Material Submitted for the Record
LaTourette, Hon. Steven C.:
ARMA International statement
Cardholder Transaction Process chart
CREDIT CARD DATA PROCESSING:
HOW SECURE IS IT?
----------
Thursday, July 21, 2005
U.S. House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 10:13 a.m., in
room 2128, Rayburn House Office Building, Hon. Sue Kelly
[chairwoman of the subcommittee] presiding.
Present: Representatives Kelly, Pryce, Bachus, Castle,
Kennedy, Garrett, Renzi, Price, McHenry, Gutierrez, Maloney,
Hooley, Moore of Kansas, Matheson, Scott, Davis of Alabama, and
Cleaver.
Chairwoman Kelly. I call this hearing on the Subcommittee
on Oversight and Investigations to order.
Over the last few months, disturbing information has come
to light about breaches in data security across the financial
services industry. Millions of consumers have found out that
their personal information may have been compromised. Millions
more are now worried about personal data protection with the
attention given these breaches.
This is an issue that personally affects all of us. In
cities and towns across my congressional district in New York
and all across our country, we rely on credit cards day in and
day out. We expect nothing less than a safe and secure system
of processing them.
These breaches harm the network of financial transactions
that gives the United States the most productive economy in the
world. These breaches cause consumers to lose confidence in the
payment systems that drive sales growth. They impose new risks
and costs on merchants and threaten some with the loss of
customers and their livelihood. We need to do everything
possible to ensure that our personal information remains
privileged and protected when we make any financial
transaction.
Today's hearing will deal specifically with the recent data
breach at CardSystems where more than 40 million credit card
accounts of 4 major credit card brands may have been exposed.
At least 200,000 accounts were definitely stolen, and evidence
exists that a routine may have been in place to allow the
culling of credit card information on a regular basis.
In response to these breaches, Visa and American Express
are terminating their relationship with CardSystems, while the
company itself is putting in new measures to ensure data
security.
Yesterday, in testimony to the Financial Services
Committee, Federal Reserve Chairman Greenspan noted that
increased regulations may have the consequence of killing the
electronic innovation and productivity that have kept our
economy and our markets growing. He also noted that in a free
market economy all companies that hold personal data have a
huge financial incentive to keep it as secure as possible.
Unfortunately, in this case and others, those incentives either
failed or were overcome by the financial incentives of fees.
What we need to learn today from the witnesses in this case
is, what happened, what was supposed to happen, and what can be
done to prevent this from happening again.
I welcome the witnesses, and I yield now to the gentleman
from Illinois.
Mr. Gutierrez. Good morning. I want to thank Chairwoman
Kelly for calling this hearing entitled, ``Credit Card Data
Processing: How Secure Is It?'' I think the answer to many
people reading the news lately is, not secure enough.
Data security is very important to many of us here on this
committee, and I am pleased that we will be joined later on by
some of our colleagues who will ask to participate.
This issue is also personally important to me. I am proud
to have served as a conferee on the FACT Act, which dealt with
similar issues.
In March, I coauthored a bill with Congresswoman Melissa
Bean on this issue, and I am proud to be an original cosponsor
of the recent bill introduced by Representatives Bean and Artur
Davis. There are many other worthy bills on this topic, and I
suspect we are going to be working together to craft a solution
before the end of the year.
We need to understand what happened here and where the gaps
in the law are so they can be fixed. We also need to determine
the proper way to notify and protect consumers and inform the
credit rating agencies when consumer data compromise can lead
to identity theft. We need to make sure that consumer
notification takes place in language the consumer can
understand.
I look forward to hearing from the witnesses so that we can
learn from the problems they experience and minimize similar
occurrences. At the proper time, I will inquire about the audit
processes or credit processes and how CardSystems could have
been certified while maintaining an adequate software and
retaining customer data in violation of its Visa contract.
Additional checks and balances may be necessary in the
system of certification. The largest banks, I am told, have
supervision in the form of professional examiners from their
regulator onsite every day of the year. It might make sense to
employ a similar process when we are talking about security of
large amounts of data in an entity that is not a bank but is
performing functions of a bank. It would also be helpful to
determine the actual scope of the compromised data and the
degree of fraudulent activity that may be related to this
incident.
I am pleased to welcome all of the witnesses, and I
especially want to welcome Evan Hendricks whose quarter century
of expertise proved invaluable during consideration of the FACT
Act issues, and I am certain he will be helpful today. I
understand that he has a plane to catch early this afternoon,
but we are especially grateful that he could make the time to
be with us today.
Thank you so much, Mr. Hendricks, for being here.
We have been joined by Mr. Matheson, and I ask unanimous
consent that he be permitted to make an opening statement.
Chairwoman Kelly. So moved.
We have been joined by a number of members who are not on
this particular subcommittee but that are on the Financial
Services Committee as a whole. We are honored by their
presence. We have Mr. Kennedy, Mr. Castle, and Mr. Bachus with
us this morning, and I ask unanimous consent that they too may
be able to make an opening statement. So moved.
So without objection, all members' opening statements will
be made part of the record.
I turn now to Mr. Garrett.
Mr. Garrett. Thank you, Madam Chairwoman, for holding
today's hearing on data security and credit card systems in
light of recent headlines. I think it is both timely and
necessary that we have these hearings, not only so that we can
learn more about the apparent data breach at CardSystems
affecting the four major credit card companies, but also we can
learn how this committee may be able to respond in an
appropriate manner.
The data breaches that were recently disclosed by financial
institutions have generally, in the past, involved lost data
tapes or similar mishaps which do not necessarily suggest
criminal intent. However, in this circumstance it appears that
someone was able to compromise their database system to obtain
information for malicious purposes.
So while the other types of data breaches are obviously
cause for concern, it is especially troubling when we learn
that sensitive information has fallen into the hands of
apparent criminals. Therefore, I am particularly interested in
learning about how consumers are protected against credit card
fraud or other problems resulting from this breach.
I think we also need to examine how the breach at
CardSystems could have been avoided. Is there a shortfall in
the law? Do we need new laws? Or do companies simply need to be
more responsible in complying with existing laws and any of
their contractual obligations?
My hunch is that CardSystems' apparent lack of an adequate
data security regime may simply be that they were running
crosswise with existing laws or contractual obligations. So we
simply need to learn now how the existing lay of the land has
been applied in this situation before we move on and consider
making more laws.
I think we also may want to use this as an opportunity to
at least explore and understand a little bit what potential
impact the decisions that may affect CardSystems' future may
also have indirectly on any of their vendors or other players
in the system.
I would also like to say for the record that I appreciate
MasterCard's efforts to bring the situation at CardSystems to
light, as they were under really no direct obligation to do so,
but I think that they did so in thinking what was most
responsible for getting the information out in the interest of
their cardholders. And for that reason, I believe that they
should be commended for their actions.
Thank you again, Madam Chairwoman, for holding this
hearing, and I yield back the balance of my time.
Chairwoman Kelly. Thank you.
Ms. Maloney?
Mrs. Maloney. Thank you very much, Madam Chairwoman, for
having this hearing today that continues to address the really
very pressing issue of data security and identity theft through
this series of hearings.
This hearing focuses on a particularly terrible example of
a breach of data security: The exposure of 40 million credit
and debit card accounts at a data processing company handling
Visa, MasterCard and American Express. Based on an FBI
investigation it appears that the data processor, CardSystems,
blatantly violated the contractual data security restrictions
imposed by each of the credit card companies.
But this would not have come to light had it not been for a
huge breach and resultant fraudulent transactions. I expect
that each of the credit card companies here today will explain
to us that they spend a great deal of time, money and resources
preventing credit card fraud and protecting consumers from the
effects of credit card fraud through zero liability policies
and card reissuance.
This is all very laudable but the issue before the
committee today is not just credit card fraud: the issue before
us is the much more complex issue of identity theft, because it
does not simply involve a fraudulent charge on a card, it is
typically the opening of a new account in the name of the
victim. Identity theft is harder to find, harder to assess, and
harder to combat, but it is the main issue we need to address.
For example, we may have a good idea now of all the credit
card fraud that is likely to result from the CardSystems
breach, but that does not mean that we know the extent of the
identity theft risk.
Similarly, the credit card companies often identify credit
card fraud right away, but in this case they appear to have
been absolutely clueless for months while personal data was
removed from the database.
At present, the main protections against identity theft are
contractual agreements between credit card companies and the
banks and data processors that handle the information. The
CardSystems incident is a spectacular failure of this private
sector protection and suggests that more regulation, more
enforcement and more penalties are necessary in this area.
For example, until yesterday, it appeared that the credit
card companies would continue to do business with CardSystems
even though CardSystems had not complied with the data security
requirements.
Moreover, there is a huge regulatory gap under Gramm-Leach-Bliley.
The respective financial regulators are responsible for
making sure that financial institutions who contract out data
processing functions ensure their contractor's compliance. And
the FTC rules require data processors to preserve the
confidentiality of personal financial data. But in this case,
the regulators appear to have played ``toss the hot potato''
with this whole incident.
So far, all the consequences of data security breaches
could be viewed by a data processor as the cost of doing
business.
Yesterday, perhaps bowing to the pressure of this important
hearing, Visa and American Express terminated their business
with CardSystems, but MasterCard still has its data processing
handled by them. This situation is not acceptable, and we need
to provide the legal structure to fix it.
I am a proud cosponsor and original sponsor of this
legislation that has been introduced by my colleague,
Representative Bean from Illinois, and it is a good first step
in this area. I look forward, as always, to hearing the
witnesses' views and some of the alternatives and ideas that
they may have, and I hope that we can benefit as we move
forward with this bill, and I thank all of you for being here.
It is extremely important.
I must say that one of the biggest credit card theft rings
is in the district that I represent in New York, in Queens, and
it is just a terrible problem once it happens, and so our
efforts to prevent it are very important. Thank you.
Chairwoman Kelly. Thank you, Ms. Maloney.
Mr. Kennedy?
Mr. Price?
Mr. Price. Thank you, Madam Chairwoman. I appreciate the
opportunity to participate in this hearing, and I want to thank
all of the witnesses for being here.
I want to especially welcome Mr. John Perry of CardSystems,
who has a portion of his business in my district. I am sorry I
am late but I want to echo the comments of others who have
talked about the importance of having security within the
credit card system. I am somewhat astounded by some of the
comments that I just heard, however, in view of the fact that
CardSystems, itself, discovered the breach, notified the
companies of the breach, and is working aggressively and
actively to correct the challenges that they and the industry
have.
Greater regulation and greater penalties I am not certain--
which is oftentimes the knee-jerk reaction to a challenge that
we have in any area--I am not certain that is indeed the answer
at all.
So I look forward to the testimony before us today. I look
forward to increasing my knowledge of this area, and I also
hope that individuals will lower the rhetoric, calm down, and
work toward solutions in this area as opposed to bomb-throwing.
And I yield back.
Chairwoman Kelly. Mr. Moore?
Mr. Moore of Kansas. Thank you, Madam Chairwoman. I would
like to thank you for holding today's hearing and thank the
witnesses for appearing today to share their information with
us.
The focus of this morning's hearing is data security within
the credit card payment system, specifically the recently
publicized data breach at CardSystems Solutions that could have
affected approximately 40 million credit and debit card
accounts.
I look forward to Mr. Perry's testimony this morning. I
appreciate your being here, sir, to discuss what steps
CardSystems is taking to secure deficiencies in the system.
The CardSystems breach, among many others of businesses as
diverse as data brokers, retailers, and banks, begs the
question of what Congress should be doing to protect consumers
from identity theft. As we have all seen over the last few
months, States across our country have been enacting or
considering data security notification laws to deal with the
problem of data breaches.
The proliferation of State activity in the area of data
security and notification, though, is now creating a confusing
patchwork of conflicting laws that is adding to the cost of
doing business nationwide. I think it is time for Congress to
act to protect consumers from data breaches and create a
uniform national standard that seeks to create a level of
certainty for consumers and national businesses.
Representatives Deborah Pryce, Mike Castle, and I have been
working on data security legislation that would, for the first
time under Federal law, require companies to notify consumers
when their sensitive personal information has been accessed in
a way that could lead to identity theft. There should be a few
guiding principles behind any data security bill that Congress
considers.
Number one, companies should be required to safeguard their
data. Number two, breached businesses should be required to
notify consumers, law enforcement, regulators, and relevant
third parties when sensitive personal information is
compromised. Number three, breached entities need to ensure
that consumers are protected after their data is compromised
through credit file monitoring and other such actions. And,
number four, Federal preemption, we believe, is necessary to
create a meaningful uniform national standard.
Our legislation embodies each of these guiding principles,
and we will be introducing our bill today. Additionally, I know
you will not believe this but sometimes when Congress sees a
problem they overreact, and I hope that--what are you laughing
about?
[Laughter.]
I hope that is not the case here, because we do need to
address and correct this problem but at the same time not
overreact. We have one of the best credit systems in the whole
world right here in this country, and it is a benefit to
consumers that they can get a quick answer to a credit check.
What we do not need, though, is to go too far and hurt the
industry which has set up this wonderful credit system.
As Congress considers data security legislation, we need to
again correct this problem without overreacting. As this
process moves forward, I look forward to continuing to work
with Members on both sides of the aisle to pass the best bill
we possibly can. This should not be about Republicans and
Democrats, it should not be partisan at all. We need to address
this in a bipartisan fashion, and I am confident we can do that
here. I am very proud of our committee, because we have worked
well together in other areas in the past, and I believe we can
do that here.
Thank you again, Chairwoman Kelly. I look forward to
hearing from our witnesses.
Chairwoman Kelly. Thank you very much.
Mr. McHenry?
Mr. McHenry. Thank you, Madam Chairwoman. Thank you so much
for having this hearing today, and I appreciate your leadership
on this issue.
I will make this brief because I know we have a lot of
testimony to hear. The last time I saw this many witnesses
lined up at a table before a hearing we had baseball players
in. So, Mr. Sosa, Mr. McGwire, thank you all for being here
today.
But in all seriousness, data security should be a top
concern of all financial institutions and all financial service
industry related folks. And what I would like to examine is
what is being done now. I would also like to examine whether or
not there are market forces that would influence how you
protect data.
I do not think that the government should step in when the
market can actually dictate, and I think there are
repercussions for companies that do not protect data. I think
there are repercussions financially on their bottom line for
companies that do not do what is appropriate and right and do
not secure data appropriately. Customers will leave, merchants
will refuse to deal with you, and the market will deal with it.
Now, does the government need to intervene if the
marketplace is going to deal with companies on these issues?
That is what we need to understand as a committee, and we need
to see where we need to go. If there is a marketplace that is
going to determine data security, government intervention may
hurt in this regard and actually may have an adverse effect on
data security rather than the true spirit of what we would
attempt to do as a government.
So I welcome the testimony today. I look forward to hearing
from all of you and look forward to hearing what has happened
and actually what is occurring currently and what you view as
the best way to secure data going forward. Thanks so much.
Chairwoman Kelly. Thank you.
Mr. Davis?
Mr. Davis of Alabama. Thank you, Madam Chairwoman, for
calling this hearing, and I am going to try to follow Mr.
McHenry's lead and be somewhat brief, given the fact there are
so many of you and a lot of us who are here to question you.
Let me just make a few general observations.
The first one, one of the happy things, I suppose, about
this kind of climate is that the industry, frankly, has as much
of an incentive to have this institution act in a responsible
way as the consumer does. I think all of you who are here as
industrial representatives and corporate representatives
understand that your ability to provide a service to your
consumers, your ability to attract consumers is in peril if
they do not have confidence in how their information is being
handled. That is the bottom line.
So you have the same incentive, and I think that is why Mr.
Moore and some of us can confidently say that this should not
be a left-right kind of issue, it should not be a business-consumer
kind of issue because you are in the same place in
terms of wanting to promote consumer confidence.
The second observation that I will make--this is something
that I see routinely on this committee--is that the world of
financial service transactions now, the world of financial
service in general is so numbingly complex that a lot of people
that you serve every day and that we serve every day frankly
just want to throw up their hands and say, ``We do not
understand this.''
And they feel so detached from their own ability to go out
and make purchases and all of a sudden you have this
information about security breaches and I am willing to bet
that probably makes them feel even more detached. And then,
worst-case scenario, they will learn weeks later that there may
have been a breach that they did not even know about.
I think we have to speak to that consumer anxiety. I think
we have to speak to people who feel that somewhere out there
things may be happening that are adverse to their interests
that could involve a fraud or a theft and they did not even
know for several weeks. We have to speak to that anxiety.
The final point that I will make, Ms. Bean, Mr. Frank, and
I are the lead sponsors on a bill that I think all of you are
aware of. It is referred to by some in the press as the
Democratic bill. I hope that this is the beginning of a
conversation that can draw the best instincts from my side of
the aisle and the best instincts of our partners on the other
side of the aisle.
And this committee has done it before. We did it very
recently in the context of GSE's, an enormously complex issue.
Most people did not think, given the acrimony of last year's
hearings, that we would get to a middle ground on GSE's. We got
there. I wish the U.S. Senate would respect the fact that we
got there, but we got there.
We got there on the question, because of my colleague from
Alabama, Mr. Bachus' leadership, on the extension of the Fair
Credit Reporting Act several years ago. Nobody expected us to
build a consensus that helps protect the best credit system in
the world.
So I drew inspiration from those things.
Again, I thank the chairwoman for having this hearing and
look forward to working with all of you.
Chairwoman Kelly. Thank you.
We turn now to Mr. Bachus.
And I would like to say that for the ex officio members,
because we have a lot of people here, many opening statements,
I am going to ask the people who are ex officio, and we welcome
them here, but I am going to ask them to keep their statements
to 3 minutes each.
Mr. Bachus?
Mr. Bachus. I appreciate that, Chairwoman.
As with any legislation that comes before the subcommittee
on which I am chairman, it obviously is something of great
concern to me, and I commend you for having this hearing and
for your leadership over the past several years, not only on
this issue but identity theft and credit card fraud.
Credit card fraud, identity theft, and data security
breaches are really three different things, and we sometimes
have a tendency to mix and match them. But as we go about this
hearing, we should bear that in mind.
And I appreciate the remarks of the gentleman from Alabama.
The gentleman from Alabama has introduced a bill along with the
ranking member, Ms. Bean, and Chairman Pryce and Chairman
Castle and Mr. Moore have introduced this morning a bipartisan
piece of legislation. And, further, we have had two other
members, Mr. LaTourette and Ms. Hooley, who have introduced a
third bill.
Mr. Garrett questioned whether existing law is sufficient
or do we need new laws? Can we just enforce those laws on the
books? A great deal of this is going to be, yes, we just need
to enforce what is there.
Law enforcement has a role in this. This was a criminal
violation; somebody hacked in. This was a criminal act not by
the victim but by a criminal. But I will answer the question,
yes, we do need to address this, and I think that the Members'
bills, as we go through this, we just need to do, as Mr. Price
said, we need to show caution, and I associate myself with his
remarks and Mr. Garrett's remarks.
With that, I do want to say two other things, if I could.
One, CardSystems Solutions was a victim of a criminal act by a
hacker, and they did report this to MasterCard. They
voluntarily reported it, and they should be commended for that.
That is my understanding.
And, furthermore, I would like to note that we learned of
the situation at CardSystems Solutions through a public
announcement by MasterCard International. This announcement was
not required by the law; rather, MasterCard played the role of
a good citizen, good corporate citizen in notifying the public
of the situation, even though MasterCard itself was not the
subject of the breach. And I commend MasterCard for their
efforts.
So in the aftermath of this hacking incident, I think the
system worked well, and these companies responded in an
appropriate way. But I do believe that really the solution to
this is that we first in this Congress pass a law, and I know
Chairman Castle and Chairman Pryce and others are working on it
with Mr. Moore and others and Mr. Davis, on establishing a
national uniform standard protecting all Americans.
And with that, I yield back any time I have.
Chairwoman Kelly. Thank you, Mr. Bachus.
Mr. Cleaver has indicated he has no opening statement, so
we will turn to Mr. Scott.
Mr. Scott. Thank you very much, Chairwoman Kelly, and I
want to thank you and Ranking Member Gutierrez for holding this
very important hearing on credit card fraud and identity theft.
I certainly also want to take this opportunity to welcome
Mr. John Perry, who is president and CEO of CardSystems from
Atlanta, Georgia, my hometown.
Of course we all know that recent news continues to affirm
the viewpoint by many consumers that their personal credit is
constantly at risk for fraud or abuse. It is a major, major
problem facing this country. Tens of millions of consumers have
been exposed to credit fraud or theft, and these data attacks
and frauds have hit major credit card issuers and banks, many
of whom already have high standards for data protection.
And in my hometown of Atlanta, some of the major events and
incidents have occurred at ChoicePoint and at CardSystems. But
it is important to note that ChoicePoint is recovering from its
security breaches, and CardSystems has responded to this and
they are working their way through the fallout, and I certainly
commend you in the steps that you are taking and wish you
speedy success.
It is also important to note that the incidence of theft
has gained national attention. From my own constituents, for
example, we have had many discussions with privacy issues. Many
of them are asking what they can do to protect themselves and
what Congress can do to punish the credit thieves.
Credit theft and identity fraud can be devastating to a
family. Their credit can be ruined, it can take countless hours
and resources to repair their good name, and I believe that
Congress should provide additional protections that are
substantive and not merely reactionary.
I look forward to learning more in this hearing and hearing
this distinguished panel. Thank you.
Chairwoman Kelly. Thank you, Mr. Scott.
Chairman Castle?
Mr. Castle. Thank you, Chairwoman Kelly. Thank you for
allowing me to speak in my 3 minutes, so I will jump right to
it, and I will jump out of what I was going to say formally and
just talk a little bit about our legislation that has been
referenced by several people that Chairwoman Pryce and Dennis
Moore and I introduced today.
I believe very strongly that we do need a national
solution, and we need it fairly rapidly. There is a lot
happening in the States. Maybe there are certain State-relevant
things that need to exist, but I think we need to speak to this
sooner rather than later. I am delighted we are doing it on a
bipartisan basis. Actually, we have bi-legislative basis right
now. We have two bills out there, maybe others before we are
done, but we are moving forward.
I would like to have compliance. I am not particularly
interested in enforcement, but obviously you need the
enforcement behind it to get the compliance. But our hope is
that once we share information and we have a clear standard,
which is something else I want in our legislation, I want
everybody to be able to clearly understand what it is that we
are doing.
I agree with Chairman Bachus, there is a lot out there now,
there are a lot of enforcement mechanisms which are out there
now, but we need to make sure that everybody understands what
they are dealing with in this particular area.
We need to expand this to entities not under financial
regulation now, Gramm-Leach-Bliley and those who regulate under
Gramm-Leach-Bliley, because a lot of the breaches that have
happened have happened from entities away from that, and that
is also significant.
And I think there is an issue of consumer angst here. I was
one who received a notice. I did not have much idea of what to
do. Eventually, I figured it out. And my concern is who is
going to really open that envelope, who is really going to know
when you will be mailing it out, the whole business of not
over-involving the consumer but making sure the consumer is
absolutely protected when the consumer has to be.
Those are at least some of our goals in drafting this. I
hope that some day we have this legislation before us and we do
it unanimously, quite frankly. I have no interest in having
something that is divided in this committee with respect to
where we are going.
So we appreciate you being here today. We appreciate your
contributions to this information. It is simple to say what I
have just said, but it is a little hard to write it, as we have
learned. So we know it is complicated, and we are going to need
a lot of help to do it, but I think we have a very strong
determination, and it is one of those issues that should move
forward and it is one of those issues that really should not
get hung up on politics but should be able to be resolved
fairly rapidly.
And with that, I yield back, Madam Chairwoman.
Chairwoman Kelly. Thank you.
Ms. Wasserman Schultz?
Ms. Wasserman Schultz. Thank you, Chairwoman Kelly and
Ranking Member Gutierrez, for convening today's important
hearing.
I particularly want to welcome Zyg Gorgol from American
Express, which is one of the largest employers in my district,
in South Florida.
What I am hoping to hear from our guests' testimony today
will focus on lessons learned from recent events and how to
best move forward to ensure that America's consumers are
protected. We have a steady drumbeat of high profile data
security breaches in the last 6 months, and that has given many
Americans, I would say most Americans, cause for concern.
My constituents are no different. Since I was first elected
and came to Congress in January of this year, my office has
received dozens of calls, letters and e-mails on this matter.
In fact, it is probably the thing that has gotten the most
attention and volume in my office.
One woman in Hollywood, Florida, wrote to me and said, ``I
am outraged that private companies can hold information about
me without any national standards for whether or how they
protect that information.''
From another one of my constituents in Fort Lauderdale, she
said, ``It is time for Congress to give Americans meaningful
identity theft protection, insist on strong security standards
for information brokers with real penalties if they fail to
keep my personal information secure.''
The apparent ubiquity of these cases has clearly caused a
great deal of alarm and also caused some confusion. What I
would like to hear from the credit card company representatives
today is for you to help clarify the difference between
identity theft and credit card fraud, because there is clearly
a difference. Both are very serious matters, but the credit
card companies have developed effective consumer fraud
protections to combat fraud and I think it is important to make
that distinction.
Part of our challenge here is that many of the industry's
guidelines and best practices that have been developed to
protect consumer information have not been adopted by third
party vendors and retailers; in other words, those in the
payment stream. And I have always believed in personal
responsibility, and this standard certainly applies to vendor
and third party processors. Any company touching consumer data
must be responsible and accountable for the way in which that
data is managed.
Two of the largest security breaches announced this spring
involved merchants that had maintained unnecessary credit card
magnetic strip information, including card verification and
replacement codes in violation of industry security rules. It
has become quite clear to me that we need effective and
consistent national standards for both how consumer data is
managed and when consumers are notified about potential
breaches.
We also have to make sure that we do not set fire alarms
off for no reason. If there has been data that has been
compromised but it is not necessarily a danger to the consumer,
telling them absolutely everything that they think they need to
know is not necessarily wise. Existing regulations are simply
not sufficient, though, and I encourage my colleagues on both
sides of the aisle, as Chairman Castle has, to build upon the
industry's existing best practices and ensure that our
consumers are protected.
Thank you. I yield back the balance of my time.
Chairwoman Kelly. Thank you.
Chairwoman Pryce?
Ms. Pryce. Thank you, Madam Chairwoman. I appreciate the
invitation to be here today.
The effects of data breach can be staggering to the
American public. It is a problem that has to be addressed
sooner or later. I just want to thank you for your interest in
it, for you holding this hearing and commend Mr. Castle and Mr.
Moore and Ms. Hooley and Mr. LaTourette for working together on
a bipartisan basis to address this, and I look forward to
moving legislation, as Mike said, sooner rather than later,
because it is a problem of national significance, and I think
the consumer confidence issues will begin to affect the economy
if we do not do something soon.
So thank you so much for holding the hearing, Madam
Chairwoman.
Chairwoman Kelly. Thank you very much.
Ms. Hooley?
Ms. Hooley. Thank you again for holding this hearing and
for allowing me the opportunity to speak.
The topic of identity theft is one I have been working on
for over 8 years, and the wave of data security breaches over
the last few months has been one of the most troubling
developments I have witnessed in that time.
Identity theft represents a fundamental threat to our
e-commerce, to our overall economy and to our homeland security.
No longer are we facing just ``hobby hackers'' looking to
create a nuisance. Increasingly, these attacks are driven by
skilled criminals. ID theft is huge business in this country.
Today, with Congressman LaTourette, we have introduced
legislation that requires universal and timely notification to
consumers when their personal, sensitive financial information
is put at risk, as well as one free year of credit monitoring
service when a breach places consumers at risk of identity
theft.
I look forward to working with all of my colleagues on this
committee and Ms. Pryce and Mr. Castle and Mr. Moore to pass
the best possible legislation.
I am particularly concerned about the breach that occurred
with CardSystems this May. The behavior of CardSystems was in
direct violation of agreements with MasterCard, Visa, and
American Express. CardSystems placed 40 million consumers'
financial accounts at risk. Now, while I recognize only 200,000
accounts were actually compromised--that is still a lot--in
this case, I am not certain that consumer notification is
enough.
Valuable financial information that was not rightfully
owned or stored by CardSystems is what is at question here. I
would like to applaud Visa and American Express for no longer
doing business with CardSystems until they are sure that the
problem has been resolved. And I am looking forward to seeing
what CardSystems has done in the last few months.
Again, I thank you, and I look forward to this hearing and
testimony from the panel. Thank you.
Chairwoman Kelly. Thank you.
Mr. Renzi?
Mr. Renzi. I thank the chairwoman for allowing me to be on
the dais today and to participate.
I am a member of the Intelligence Committee and every
morning have a chance to look and see the threat against the
United States. There is no cybersystem security system
available in the commercial marketplace that cannot be hacked.
There are few systems that the government has that have not
been hacked to date, but they necessarily are not in the
commercial world. I say that to you in order to make the point
that there is no perfect system.
I had a chance earlier this morning to meet with both the
representatives from CardSystems and Visa. I am thankful that
you both have expressed a good faith to meet privately and
expeditiously within the next few days to see if you can work
through the real facts, not those that just appeared in the
paper that were just quoted, but work through some of the real
facts and see if you can come up with solutions. I think that
needs to happen.
We have over 100 Arizonans who work for CardSystems, whose
jobs will be immediately lost, but a death knell will be put to
CardSystems. Now, that has a chilling effect on those in the
industry who have come forward and worked with investigators to
show the truth and say, ``Hey, look, this is what happened,''
rather than hide it.
So while some may applaud Visa and MasterCard for their
actions, think about unintended consequences that may also
occur.
So let me come back and say thank you to Visa and to
CardSystems for giving me their word that they will meet in an
expeditious manner, in a good faith manner to work through the
facts that hopefully may work and lead to compromise. Either
way, I am hopeful that there could be a solution that will be
found that will protect both American consumers as well as
those people who are an integral part of the credit card system
here in America.
I thank the gentlelady for yielding me the time.
Chairwoman Kelly. Thank you.
Mr. Matheson?
Mr. Matheson. Thank you, Madam Chairwoman.
And thank you, Ranking Member Gutierrez.
I am pleased the Oversight Subcommittee has scheduled this
hearing regarding data security, and I am also pleased to be
here this morning to welcome David Watson, who is chairman of
Merrick Bank, based in my home State of Utah.
I appreciate Mr. Watson taking the time and effort to
travel to Washington to participate in this hearing regarding
data security. I know that Merrick Bank and its employees have
a good reputation with their clients and customers, and I
appreciate their commitment to working with us on the credit
card data issue.
The issue of data security is incredibly important to all
of our constituents. Many people are concerned about the
potential for credit card fraud and identity theft. I look
forward to hearing the testimony of Merrick and all the other
witnesses on the panel so we can learn more from their
experiences and understand whether there are more reasonable
steps, and I want to emphasize reasonable steps, that we can
take to increase data security so that we can prevent theft of
data and identity.
And with that, I will yield back my time to Madam
Chairwoman.
Chairwoman Kelly. Thank you very much.
I am turning now to the panel.
We have a very distinguished panel with us: Mr. Joshua
Peirez, who is the senior vice president and associate general
counsel of the Legal Department of MasterCard; Mr. Steve Ruwe,
executive vice president, Operations and Risk Management, Visa;
Mr. Zyg Gorgol, senior vice president, Fraud Risk Management,
American Express; Mr. Carlos Minetti, executive vice president,
Cardmember Services, Discover Card; Mr. David B. Watson,
chairman of the Merrick Bank; Mr. Mallory Duncan, general
counsel of the National Retail Federation; Mr. John M. Perry,
president and chief executive officer, CardSystems Solutions,
Incorporated--and I have to say, sir, I am delighted to have
you here, and I admire your courage for being here--and Mr.
Evan Hendricks, editor and publisher of Privacy Times.
Mr. Peirez, we begin with you.
STATEMENT OF JOSHUA PEIREZ, SENIOR VICE PRESIDENT AND ASSOCIATE
GENERAL COUNSEL, LAW DEPARTMENT, MASTERCARD INTERNATIONAL
Mr. Peirez. Good morning, Chairwoman Kelly, Ranking Member
Gutierrez and members of the subcommittee. My name is Joshua
Peirez, and I am a senior vice president and associate general
counsel at MasterCard International, located in Purchase, New
York.
It is my pleasure to discuss the important topic of
fighting fraud and safeguarding financial information, and I
commend the subcommittee for holding this important hearing.
MasterCard takes its obligation to safeguard financial
information and protect consumers extremely seriously. This
issue is a top priority at MasterCard where we have a team of
experts devoted to working with law enforcement and maintaining
the integrity and security of our payment systems. Our great
success in protecting consumers and preventing fraud is due in
part to the constant efforts we undertake to keep our networks
secure. This is why our overall fraud rates are at an historic
low, well below one-tenth of 1 percent of our volume.
MasterCard's information security program is comprehensive
and we continually update it to ensure that it provides strong
protection. MasterCard requires each of our customers and
merchants and any third party acting on their behalf to
safeguard cardholder information. In addition, MasterCard has a
variety of consumer protection and antifraud tools.
Importantly, MasterCard has voluntarily implemented a zero
liability rule. Under this rule, consumers will generally not
be liable for any unauthorized use of their cards. In addition,
MasterCard is focused on preventing unauthorized use in the
first place through enhanced security features on the card, the
MasterCard address verification service and our proprietary
fraud reporting system which helps identify and prevent fraud
from occurring in the first place.
We also offer services to our issuers and assist them in
proactively identifying and stopping fraud.
I would now like to discuss the CardSystems situation.
Several months ago, MasterCard and a few of our issuers noticed
a small pattern of fraud. Working with our issuers, we traced
the pattern of fraud to the acquirer, Merrick Bank, and then on
to CardSystems, a third party processor the bank had hired.
Once notified of the situation, CardSystems identified a script
in its system designed to export cardholder data.
CardSystems then engaged a data security firm to conduct
forensic analysis of its networks. The forensic investigation
found that, first, CardSystems was storing transaction
information on its system in violation of our rules. This was
remedied in short order. Second, the investigation confirmed
the presence of a malicious computer script on CardSystems
systems, along with other serious security vulnerabilities.
And, third, there was evidence that some cardholder data had
been compromised.
Based on the findings, we believe approximately 68,000
different MasterCard accounts and well over 100,000 accounts of
other brands were exported from the CardSystems database. The
matter is under investigation by the FBI.
Upon learning this information, we demanded that we be
provided with the account numbers impacted as soon as possible,
and we received the file on June 16th. We notified the banks
that had issued the impacted accounts beginning the very next
day and are continuing to monitor the potentially affected
accounts with those banks.
Given the circumstances of this case, MasterCard made the
decision that a public disclosure of the event was warranted.
Thus, on June 17th, we issued a press release to notify the
public of the situation at CardSystems.
I would like to stress that we provided broad public
disclosure because it was the right thing to do, even though we
had no legal obligation to do so. We continue to closely
monitor CardSystems' efforts to cure their deficiencies and
have given them only until the end of August to do so.
Let me now turn to a brief discussion of possible
legislative measures to help address the issue. MasterCard
strongly supports the legislative efforts to enact uniform
national standards and believes it is critical that any
legislative solution: one, strengthen criminal penalties to be
in line with the severity of these crimes; two, provide
notification to consumers in appropriate circumstances; and,
three, establish strong data protection requirements for
entities not already covered by the Gramm-Leach-Bliley Act.
MasterCard looks forward to working with you as you tackle
these important issues, and I would be pleased to answer any
questions you may have.
[The prepared statement of Mr. Peirez can be found on page
98 of the appendix.]
Chairwoman Kelly. Thank you very much.
Mr. Ruwe?
STATEMENT OF STEVE RUWE, EXECUTIVE VICE PRESIDENT, OPERATIONS
AND RISK MANAGEMENT, VISA U.S.A. INC.
Mr. Ruwe. Chairwoman Kelly and members of the subcommittee,
my name is Steve Ruwe. I am the executive vice president of
Operations and Risk Management for Visa U.S.A., Incorporated.
Visa appreciates the opportunity to appear at today's hearing
on the issue of information security.
The Visa Payment System, of which Visa U.S.A. is a part, is
a leading consumer payment system and plays a pivotal role in
advancing new payment products and technologies, including
initiatives for protecting cardholder information and
preventing fraud.
Cardholder security is never an afterthought at Visa. For
Visa, it is about trust. Our goal is to protect consumers,
merchants and our members from fraud by preventing fraud from
occurring in the first place.
This commitment to protecting consumers from fraud includes
Visa's zero liability policy, which protects Visa cardholders
from any liability for fraudulent purposes.
Because the financial institutions that are Visa members do
not charge their cardholder customers for fraudulent
transactions, those members absorb most of the cost from
fraudulent transactions.
Visa has implemented a comprehensive and aggressive
security program known as the Cardholder Information Security
Program, CISP, which applies to all entities that store,
process, transmit, or hold Visa cardholder data. Visa also
provides sophisticated neural networks that flag unusual
spending patterns for fraud that enable our members to block
authorization transactions where fraud is suspected.
Only yesterday, Visa announced a new nationwide data
security education campaign that will involve both the payments
industry and merchants in the fight to protect cardholder
information. Visa believes that all parties who participate in
the payment system share responsibility to protect cardholder
data.
When cardholder information is compromised, Visa notifies
the issuing financial institution and puts the affected card
numbers on a special monitoring status. Visa also uses an array
of other security measures that are described in my written
statement to prevent particular fraudulent transactions. As a
result of these strong security measures, fraud within the Visa
system is at an all-time low of 5 cents for every $100 worth of
transactions.
Visa was recently informed by payment processor,
CardSystems Solutions, Incorporated, CSSI, about an
unauthorized intrusion into CSSI's computer system. Visa
immediately worked with the processor, law enforcement, and
affected member institutions to prevent card-related fraud and
respected law enforcement protocol to keep the information
about the investigation confidential.
Visa notified all of the potentially affected card issuing
institutions and provided them with the necessary information
so that they could monitor the accounts and, if necessary,
advise customers to check their statements or cancel or reissue
cards to their customers. The card-issuing institutions that
are members of the Visa system have the direct responsibility
and relationship with their customers, and because of Visa's
zero liability policy for cardholders, bear most of the
financial loss if fraud occurs. Visa institutions can best
determine the appropriate action for each customer that might
have been affected.
We have determined that about 22 million Visa card numbers
from the CSSI database were put at risk. In many of these
cases, CSSI, by its own admission, knowingly and improperly
retained magnetic stripe information, which was a clear
violation of the cardholder information security program.
Because of CSSI's failure to follow Visa's security
requirements, Visa is terminating CSSI's ability to act as a
processor for Visa members. Protecting our cardholders was, and
remains, Visa's primary goal in responding to this incident.
Significantly, the information retained by CSSI did not
include the cardholders' date of birth, address, Social
Security number, or driver's license number. Visa believes that
the information involved in this incident cannot be used to
commit identity theft--identity fraud against an individual in
which a criminal opens a new account in the individual's name.
Thank you for the opportunity to present this testimony
today. I would be happy to answer any questions.
[The prepared statement of Mr. Ruwe can be found on page
119 of the appendix.]
Chairwoman Kelly. Thank you very much.
I wanted to step into a bit of housekeeping. The two boxes
at the end of the table indicate green, yellow, and red lights.
The green light means you have 5 minutes, the yellow means you
have one minute to sum up, the red light means that it is time
to end your testimony.
I just simply wanted all of you, in case you have not
testified before Congress before, to understand how that system
works and if you wondered what those lights were doing.
Mr. Gorgol?
STATEMENT OF ZYG GORGOL, SENIOR VICE PRESIDENT, FRAUD RISK
MANAGEMENT, AMERICAN EXPRESS
Mr. Gorgol. Chairwoman Kelly, Ranking Member Gutierrez,
members of the subcommittee, my name is Zyg Gorgol, and I am a
senior vice president of Fraud Risk Management at American
Express.
My responsibility is to protect our customers by preventing
fraud or identifying and minimizing it as quickly as possible.
I appreciate the opportunity to testify today about the recent
data security breach at CardSystems Solutions and its impact on
American Express cardmembers.
We view this breach with great concern and have taken steps
to protect any cardmembers who may have been affected by it.
I would like to highlight a few key points today, so the
complete body of my comments has been submitted to the
committee.
First, I would like to discuss the Payment Card Industry
Data Security Standards. They provide an industry-wide approach
to safeguarding charge and credit card customer data. These PCI
standards were developed by a cross-industry working group that
included American Express and the other major card networks.
American Express fully endorses these standards as an
appropriate industry baseline for data security in the payments
industry.
Let me now specifically discuss CardSystems. As background,
CardSystems Solutions processes less than 1 percent of American
Express card transactions. Upon learning of the breach at
CardSystems, we began an investigation to determine any impacts
on American Express cardmembers. We also put additional
security and fraud prevention measures in place for all
American Express card accounts that were on their database. We
are continuing to closely monitor these accounts for any
suspicious activity on an ongoing basis.
Based upon our current analysis, we have determined the
following: 1.6 million American Express card accounts were
stored on the database; information relating to approximately
12,000 American Express card accounts appears to have been
acquired by unauthorized persons. Although the information
relating to these 12,000 accounts included the card account
number and expiration data, it did not include any personally
identifiable information, such as name, address or Social
Security number.
While we have been closely monitoring these accounts, we
have not detected any increased incidences of fraud on these
12,000 accounts, nor have we detected any increased incidence
of fraud across the total number of accounts that were on the
CardSystems database. We are continuing to monitor all of these
accounts for any suspicious activity every day, and we continue
to investigate where the criminals accessed any other American
Express card accounts.
It is important to know that American Express employs
sophisticated monitoring systems and controls to detect and
prevent fraudulent activity. Historically, this has been an
area of emphasis for American Express. Over the last several
years, we have invested tens of millions of dollars to enhance
our fraud prevention capability to better protect cardmembers.
If fraudulent charges are placed on an American Express
card account, we stand behind our cardmembers. American Express
cardmembers are not held liable for fraudulent charges.
Finally, we believe there are some tangible steps that can
be taken to better protect consumers. Most importantly, we
recommend that Congress extend Gramm-Leach-Bliley-like
safeguard standards to those companies involved in processing
card payments that are not currently subject to those
safeguards today.
Sensitive customer information should be consistently
protected as it passes throughout the payment card transaction
cycle.
In conclusion, I want to assure the subcommittee that
American Express is strongly committed to protecting the
security of our cardmembers' personal information. It is clear
that recent events have raised the public's concern regarding
security of their personal information. We share this concern
and are constantly working to protect the security of our
cardmembers' information so that when a customer makes a
transaction they have a confidence that it will occur in a safe
and secure manner.
We appreciate the opportunity to share our views on this
issue and look forward to working with you and members of the
Financial Services Committee.
This concludes my testimony. I would be happy to answer any
questions you may have.
[The prepared statement of Mr. Gorgol can be found on page
66 of the appendix.]
Chairwoman Kelly. Thank you very much.
Mr. Minetti?
STATEMENT OF CARLOS MINETTI, EXECUTIVE VICE PRESIDENT,
CARDMEMBER SERVICES, DISCOVER CARD
Mr. Minetti. Madam Chairwoman and members of the
subcommittee, thank you for inviting Discover Financial
Services to share our views on the issue of data security
breaches affecting credit card information.
My name is Carlos Minetti, and I am responsible for
operations and risk management at Discover. This includes
oversight of Discover's information security and antifraud
efforts. Discover works very hard every day to prevent customer
information from falling in the hands of individuals who would
hope to use it for criminal purposes, like account fraud or
identity theft.
Discover Bank, the issuer of Discover cards, is a financial
institution subject to Gramm-Leach-Bliley information security
standards and the interagency guidance on security breach
response programs. The FDIC examines Discover Bank for
compliance with those standards, and our data security program
is designed to perform with them.
At Discover, we have a number of different fraud and
identity theft prevention programs, which are described in my
written statement. In fact, in 2005, ``Identity Fraud Safety
Scorecard for Credit Card Issuers,'' conducted by Javelin
Strategy and Research, ranked Discover as number one in overall
card safety features.
Today, I will focus on our response initiatives. Because we
operate both a large merchant network and issue the Discover
Card, we are often able to learn about computer hacking and
other signs of data compromises when they first occur. In fact,
Discover was the first network to uncover evidence of data
compromises in many of the recently publicized security
breaches involving large merchants and payment processors.
Upon learning of a data security breach that may affect
Discover Cardmembers, such as the CardSystems Solutions
incident, we immediately commence an investigation. We first
ascertain the type of information involved to determine whether
the data could be used to commit identity theft or otherwise
harm the consumers.
We also identify the specific accounts that were affected,
monitor those accounts, and take further action if necessary,
such as contacting our customer or closing the accounts.
Where the breach occurs at merchants or processors, we must
rely on information from those companies. We work with them and
with their party of forensic investigators to validate the
breach and its impact on Discover Cardmembers. We also work
with other card networks when their account data is affected.
It is critically important for all these parties to cooperate
fully in the investigative process.
Discover carefully weighs all relevant facts and impacts on
our customers to determine the proper course of action. If we
determine that a breach is likely to harm our customers, we
notify them in accordance with the Interagency Guidelines and
the requirements of State laws. We also take further action as
may be necessary to prevent harm, such as further monitoring or
closing the accounts. We coordinate our efforts with the FDIC
and with law enforcement personnel who may be investigating the
incident.
As the subcommittee is aware, not every data breach
resulted in any theft of consumer exposure to substantial costs
and time-consuming efforts to remedy misuse of personal
information. As a result, it is often not necessary to
immediately notify consumers, close accounts, provide credit
report monitoring, or put fraud alerts in consumers' files.
Discover Cardmembers are not responsible for unauthorized
charges, and our 24-7 customer service allows them to quickly
remove the fraudulent charges from their account. Industry resistance
to across-the-board up-front notification, card reissuance, and
other requirements is not based on the cost involved.
Given the fact that potential fraud-related losses are
incurred by credit card issuers and not by the consumers and
can quickly eclipse the cost of notification and/or card
reissuance, the customer notification/reissuance is generally
not the driving factor for decisions about how best to react in
a given situation.
Our investigation of the CardSystems Solutions security
breach is ongoing. This breach is very troubling and should
never have occurred. Based on what we know today, it does not
appear that Discover Cardmembers were exposed to a risk of
identity theft, because the Discover data was limited to
purchase transaction information.
While the CardSystems breach did involve a loss of Discover
data that could be used to commit account fraud, Discover
Cardmembers will not experience financial loss as a result of
this incident.
As the committee considers the need for legislation,
addressing information security and identity theft, we hope you
will consider our recommendations. First, a single national
standard for responding to security breaches affecting personal
information is appropriate. Second, the Interagency Guidelines
coupled with onsite compliance examinations establish an
effective and proper regime for information held by the
national institutions. It also provides regulators with the
flexibility they need to adjust breach response standards.
Finally, when a data breach affecting credit card
information occurs, notification is best handled by the card
issuer, not the entity whose security was breached. An entity
whose security was compromised must cooperate fully in
investigating the incident and preventing further fraud, but it
should not be charged with contacting credit card customers who
may have been affected. A single notice is the best way to
protect credit card users, and card users are in the best
position to determine whether and when that notice is
appropriate.
We appreciate the opportunity to discuss information
security issues, and we would be pleased to provide further
information that would be useful to the subcommittee.
[The prepared statement of Mr. Minetti can be found on page
85 of the appendix.]
Chairwoman Kelly. Thank you.
Mr. Watson?
STATEMENT OF DAVID WATSON, CHAIRMAN, MERRICK BANK
Mr. Watson. Madam Chairwoman, ranking member, and members
of the subcommittee, thank you for inviting me to testify
today. My name is David Watson.
As a cardholder myself and as chairman of a card-issuing
bank, I commend this committee for its diligence and its
interest in formulating good public policy on credit and
security--a topic of importance to virtually every American.
Merrick Bank is a Utah financial institution, subject to
regulation and annual examination by the FDIC and the Utah
Department of Financial Institutions. We issue credit cards to
accountholders, and we make payments of processed credit card
transactions to merchants.
Credit card and account holder security is a fundamental
principle of our business; it has to be.
First, a little bit about the credit card payment process
and then Merrick's relationship with CardSystems.
To most consumers, the credit card system seems marvelously
simple and dependable but behind the scenes multiple players
and a sophisticated series of steps are triggered in each of
the millions of daily credit card transactions. Each step must
be performed with precision, for the integrity and security of
the process is only strong when the performance of each party
is strong.
The merchant initiates the transaction, the processor
authorizes the transaction and sends the notice for payment to
the cardholder's bank and then ensures that the merchant is
paid. The paying bank is then reimbursed by the card issuer's
bank through the Visa and MasterCard settlement networks. All
of this is conducted according to rules imposed by the
individual card associations.
Like many other banks, Merrick Bank makes payment to
merchants who use CardSystems for processing. Before September
2003, we did not have any significant business contacts with
CardSystems, although they were a known entity in the card
processing field.
Following 2003 discussions concerning the transfer of
certain Provident Bank merchant contracts to Merrick, we
advised CardSystems that we could not consider participating in
any processing unless and until CardSystems became compliant
with the Customer Identification Security Program, which you
have heard is the CISP Program, and the Visa Data Security
Accreditation Program.
CardSystems then engaged Cable & Wireless, an auditor from
the Visa group auditor list, to conduct the CISP assessment.
Cable & Wireless was selected by CardSystems, paid by
CardSystems, and the audit report that resulted was sent to
Visa. In June 2004, Visa informed CardSystems that it was just
approved, and CardSystems so notified Merrick Bank.
We then successfully took over most of Provident Bank's
merchant payment contracts effective September 30, 2004. From
that point to May 2005, Merrick's payments for the transactions
presented by CardSystems proceeded routinely.
After initial inquiries from MasterCard regarding potential
fraud activity, on May 22, 2005, CardSystems identified a
security breach in its operation and on May 23rd, contacted the
FBI. On May 25th, CardSystems contacted Merrick and advised us
of a possible intrusion and export of cardholder data at
CardSystems.
Merrick reviewed this information and notified Visa and
MasterCard of the potential security breach. On May 27, 2005,
with the approval of MasterCard and Visa, Merrick engaged
Ubizen, a well-known forensic IT audit firm, to thoroughly
investigate the breach at CardSystems, and Ubizen began an
onsite examination of CardSystems at its Tucson facility on May
31, 2005. We also sent our chief security officer and our
senior network engineer to the CardSystems site to investigate
the issue and see that immediate action was taken to prevent
any further breach.
The Ubizen audit identified two issues at CardSystems.
First, CardSystems had retained certain transaction data on
their system in violation of association procedures. Ubizen
reports this data retention practice had been followed by
CardSystems since 1998, even though it was inconsistent with
CISP standards.
This was not identified by the Cable & Wireless report in
the 2004 Visa certification process.
Second, Ubizen identified certain issues with CardSystems
servers and software, which were compromised by the intruding
party. Again, unfortunately, the Cable & Wireless report did
not make any mention of these vulnerabilities.
Merrick Bank, Ubizen, CardSystems, Visa, and MasterCard
have all been aggressively working together to see that the
issues permitting the breach are corrected and that
CardSystems' data environment is fully secured. Visa and
MasterCard have identified the cardholders whom they believe
may have been compromised and have sent notice to the issuing
banks of the potentially affected cardholders. This was
accomplished by June 17th.
Merrick is taking additional steps. We are preparing a
contingency plan to assure our merchants are serviced without
disruption in a secure environment. In addition, in
consultation with security and data experts, Merrick is
developing its own set of requirements to assure card processor
compliance with all applicable card association standards.
I want to conclude by reiterating our absolute commitment
to data security. We are very closely monitoring for unusual
activity the accounts of any affected cardholders. While we
deeply regret any impact that this breach has had on consumers,
we understand this presents all of us with an opportunity to
help our industry improve our systems and processes and thereby
better protect consumers' interests.
I want to again commend this committee for its hard work
and good work to formulate sound public policy that will assist
us in achieving this goal. Thank you.
[The prepared statement of Mr. Watson can be found on page
127 of the appendix.]
Chairwoman Kelly. Thank you.
Mr. Duncan?
STATEMENT OF MALLORY DUNCAN, GENERAL COUNSEL, NATIONAL RETAIL
FEDERATION
Mr. Duncan. Thank you, Madam Chairwoman. I am Mallory
Duncan, senior vice president and general counsel for the
National Retail Federation. The NRF is the world's largest
retail association with membership that comprises all retail
formats and channels of commerce. We appreciate the opportunity
to testify here today.
There has been a substantial increase in the reported
incidence of identity theft. Federal Trade Commission data
indicates that identity theft complaints increased 8-fold to
nearly 250,000 between 2000 and 2004. Recently, an FTC survey
estimated 10 million people experienced identity theft within
the past year. Even larger numbers have been published
elsewhere.
The reported numbers are rising, but we do not know how
much of that is a real increase as opposed to increased
awareness of those reporting; versus mischaracterization of the
problem.
As striking as these figures are, it is important to
recognize that the fraud that they reflect comprises a variety
of activities, not all of which are true identity theft.
I suggest we look at this issue broadly. We have to ask,
how do businesses know who we are? Relatively few of us reside
in communities with bankers and shopkeepers who have known us
since birth. Instead, proof of our identity has shifted from
being something others vouch for to something that is inferred:
from identifiers such as driver's license and Social Security
numbers, and quick recall of personally related facts, such as
date of birth, mother's maiden name, and office telephone
numbers.
True identity theft occurs when someone appropriates
identifying data for the purpose of secretly committing fraud.
The thief may attempt to open credit and checking accounts,
purchase a car, even buy a condominium using the victim's
excellent credit history. So long as the thief makes payments,
it might be years before anyone discovers the fraud. On the
other hand, the thieves may decide to stiff the creditors,
potentially ruining the victim's credit report. In that case,
it could take months or years for victims to recover their
good name. Worse, if not apprehended, there is the possibility
the thieves will strike again.
In contrast, much of what is commonly referred to as
identity theft is in fact credit card fraud. While it can be a
problem for those affected, credit card fraud is much closer to
a serious nuisance than it is the horror of identity theft.
Equally important, Congress long ago approved many of the tools
needed for its correction. Under the Fair Credit Billing Act,
the consumer may challenge charges and be held harmless for the
loss. Either the retailer or the card issuer bears the cost of
the loss.
With this distinction in mind, it is clear that the
incidence of identity theft is, fortunately, considerably
different than some of the numbers that have been cited. Even
if one accepts the 10 million estimate by the FTC, it turns out
that two-thirds of that is not truly identity theft.
Now, I go into this distinction because the remedies for
these two frauds are quite different. Credit card fraud is
usually a one-off event. Once discovered, credit card fraud
is relatively simple to stop by closing the account and
reopening a new account number--a pain, but it can be stopped.
On the other hand, when identity theft occurs, it is not a
simple matter to change an individual's Social Security number,
date of birth, or mother's maiden name. If society has limited
resources that it can devote to fighting crime, then we ought
to tilt toward using those resources to help consumers faced
with the more serious consequences.
Indeed, this committee recently established many new
protections for identity theft victims with the FACT Act. Now,
although identity theft grabbed the headlines, retailers have
devoted considerable attention to reducing the incidence of
credit card fraud as well.
Several retailers issue their own cards. They want to
protect the integrity of their cards and essentially treat all
cards with the same level of security. Currently, merchants are
coming online with the Visa and MasterCard new security
program. Initially developed for your Internet transactions,
the card associations are extending these to all channels of
commerce.
The FTC recently entered into a proposed settlement with
BJ's Wholesale Club as a result of system attacks in 2003.
Retailers are paying particularly close attention to the
requirements of that settlement. And when there are losses,
they are typically borne by the retailers, yet another
incentive for us to want to reduce the incidence of both types
of fraud.
In closing, identity theft is a fairly focused but
especially pernicious form of fraud. Proof of identity has
become a more elusive quality at the very moment that our
society is investing greater amounts of trust in its veracity.
Viewed from a distance, our credit system is marvelous.
Families receive a meal in exchange for a swipe of plastic.
Individuals secure home financing from bankers they have never
met. These benefits flow not from credit cards but from the
trust our society invests in the identities of persons seeking
credit. If we are to preserve these benefits, society must
crack down on those who would abuse that trust by appropriating
the core elements of identity.
With the passage of the FACT Act, Congress has begun to
provide tools to those who have been victimized. It should now
provide incentives to ferret out and prosecute those who make
use of those tools necessary.
Thank you for the opportunity to appear today. I will take
your questions.
[The prepared statement of Mr. Duncan can be found on page
54 of the appendix.]
Chairwoman Kelly. Thank you.
Mr. Perry?
STATEMENT OF JOHN M. PERRY, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, CARDSYSTEMS SOLUTIONS, INC.
Mr. Perry. Good morning, Madam Chairwoman and members of
the subcommittee. Thank you for inviting CardSystems to appear
before you today. We appreciate the opportunity to address the
issue of data security and more specifically the recent
security attacks perpetrated against us.
First and foremost, we truly regret this occurrence of data
theft. We have readily acknowledged our error and continue to
work non-stop to ensure that we do not become a target of
another breach.
I had planned to provide you with some prepared remarks
today discussing policy implications of the security incident
that occurred at our company, and I had an opportunity to
discuss that important issue with some of your staff yesterday.
But today, a small company with 115 employees, in Atlanta and
Tucson, is facing imminent extinction. That concerns me
greatly, not just because of how it will impact our company but
because how it will impact 110,000 merchants who rely on
CardSystems to process their transactions.
If CardSystems is forced to close its doors, many of these
merchants will be unable to process credit card transactions
for days or even weeks. Signing up with a new processor is not
merely as simple as changing from one phone company to another.
It can cause significant disruptions to a business' operation.
Moreover, I am concerned about the signal that our experience
sends to other payment card processors and businesses, one of
which undoubtedly faces a similar security incident in the
future.
We came forward in May to report this incident to law
enforcement officials and our sponsor bank. As a result of
coming forward with this important information, CardSystems is
being driven out of business. Our experience should send a
troubling message to policy makers. Other companies will have
less incentive to come forward in the future when similar
breaches will undoubtedly occur, knowing the potentially
catastrophic effect that they could have on their businesses as
well.
We are still learning from the ongoing investigation but we
do know this: That the attack on our system was very
sophisticated. Based on the forensic investigation, we know of
only one confirmed instance in which data was exported and that
is the May 22nd incident that has brought us here today. I am
relieved to report that this breach, to our knowledge, has not
resulted in identity theft. By design, information is
fragmented among different players in the payment card
industry. This means processors like CardSystems do not have
access to complete information, such as Social Security
numbers, which could greatly facilitate identity theft.
Additionally, this breach has not, to our knowledge,
resulted in credit card fraud. Make no mistake, exposure of
information about one card is too many. We will not be
satisfied until we are confident that everything that can be
done has been done to prevent this from ever happening again.
Turning to the issue of security compliance, all businesses
that handle cardholder data are directed by the payment card
networks to follow rigorous security standards. CardSystems was
audited and certified in the late fall of 2003 by a qualified
Visa security assessor. More recently, Visa and MasterCard have
developed the payment card industry, or PCI, data security
standard, which has been adopted by all the card networks. We
have hired an independent security auditor who has reviewed our
systems and has affirmed that we will be PCI compliant by the
end of the month.
We are also pleased to hear today that Visa has agreed this
morning to meet and discuss and, I am confident, to resolve our
differences. As MasterCard has just noted, I am sure that we
will complete the necessary work to satisfy all requirements
for continuing our work as processors by August 31st.
We appreciate the opportunity to participate in this
hearing, and we welcome the chance to address any questions
from the subcommittee. Thank you.
[The prepared statement of Mr. Perry can be found on page
105 of the appendix.]
Chairwoman Kelly. Thank you.
Mr. Hendricks?
STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, PRIVACY
TIMES
Mr. Hendricks. Thank you, Chairwoman Kelly, Ranking Member
Gutierrez.
This is my first time back since the 2003 FACT debates.
That year inspired me to write my book, ``Credit Scores and
Credit Reports,'' which spends a lot of time trying to explain
to consumers what to do in situations like this. It also has a
chapter dedicated to Congress' and this committee's work, which
was an exciting and productive year, I think, for all of us.
I think it is also worth pointing out that this committee,
your subcommittee, was the first one to hold a hearing on a
data breach involving a credit card processor, I think it was
April 2003. So you continue to be out in front of this issue,
and look at the response you get by shining the spotlight. I
think it is very commendable.
I think there are several lessons from this event. One is
that some companies will not have adequate security unless they
are forced to. They will continue to treat security as an
afterthought. I think you used to say that privacy is good for
consumers and good for business. I think we have elevated to
the point now where privacy and security is not only good, it
is essential, and that you see by blowing it on privacy and
security, that there are serious economic repercussions.
Here a company is faced with an enforcement action that
could close them down or seriously reduce them in size. It
would have been good to have considered not to keep personal
information that you were not supposed to keep in the first
place and if you were, to encrypt it so it would be rendered
useless with robust encryption. I hope other companies will
learn the lesson that in ignoring privacy and security, you do
so at your own risk.
I think the other thing that we have to remember is the
consumer. These incidents impose real costs and hardships on
consumers. I have already heard from a few who did not receive
any notice of this event, went into the retailer and found out
that their account had been flagged and were unable to make
purchases. Some were accompanied by friends or by business
associates.
Other people, consumers, have called to try and find out,
``Has my information been compromised?'' Some credit card
companies were fairly responsive. Others did not have a clue
what to tell people, and so this again contributes to the
anxiety. If we are going to have a system where notice is not
going to be required for every little event, then it is
incumbent upon organizations to have a mechanism in place to
inform people who are trying to find out what is going on.
The other lesson from this is some companies will not
notify consumers unless they have to. Some companies will make
the judgment that there is no real harm to people. And the
problem with that is that if you get a credit card number in
this sophisticated hack, the sophisticated hackers and identity
thieves can use a credit card number as leverage to get a
Social Security number through pretext and other means. We need
to stop treating the lowest priority as the consumer because
the consumer is the basis for this entire credit card system.
If we look at the breaches that we have had this year,
ChoicePoint, Bank of America, CitiFinancial, 3.9 million Social
Security numbers about to go out the door and what do they do,
they call UPS. They are not encrypted, and the information is
lost by UPS. And now with CardSystems and potentially 40
million, the number of Americans that are potentially exposed
to these security breaches equals the number of Americans that
originally signed up for the ``Do Not Call'' list. So it is
sort of an eerie mirror of the privacy issue.
The other thing that shows the inadequacy is what is not
known. I mean, there are more things that we do not know about
what happened with this data, how it went out, who it went to,
and, again, there is no transparency, there is no reporting to
the public.
The lack of encryption is very troubling. We want to
encourage encryption, but we also want to keep in mind that
encryption by itself is never going to solve the problem. It is
a multifaceted problem and encryption has to be robust and meet
certain standards. Just because you call it encrypted does not
mean that it is adequately protected in this day and age.
The biggest threat here, I think, is the one to our
society, is the lack of confidence that is going to entail from
all of these events. If you look at each event and then total
them up, as a consumer you do not think there is anyone out
there looking for your data and that lack of confidence could
have enormous implications, just as it is having for the
Cingular company. If there is falling confidence in our credit
card system, the numbers on that could be really scary.
And think what Congress did to build confidence in the
credit card system. Congress, you like to beat up on
yourselves, all the members like to joke about yourselves, but
give yourselves credit. You passed the Fair Credit Billing Act
a couple decades ago to make sure consumers were protected, to
put confidence in the system so that people were not going to
lose their finances if something went wrong with their credit
card. That is the kind of protection we need in terms of
people's data. That is how this has migrated.
Chairwoman Kelly. Mr. Hendricks, will you please sum up?
Mr. Hendricks. Yes. In closing, I would say this is a very
multifaceted problem. I urge the committee to be as
comprehensive as possible in addressing it and to look at the
key moment, the reason thieves steal identities is because the
credit report continues to be disclosed when the thief applies
for credit in your name.
Thank you, and I am sorry to have gone over.
[The prepared statement of Mr. Hendricks can be found on
page 78 of the appendix.]
Chairwoman Kelly. Thank you very much.
I would like to ask a question about a company that is not
represented here. I would like to ask Visa, Cable & Wireless
security was part of your approved auditor list and CardSystems
picked Cable & Wireless from that list.
I would like to know how Visa certified Cable & Wireless,
and I would like to know since Cable & Wireless has been bought
by an international company, now it is called the SAVVIS
Company apparently, I would like to know if that SAVVIS Company
has been tasked to do a better job than Cable & Wireless.
What can you tell me, Mr. Ruwe?
Mr. Ruwe. Yes. Cable & Wireless is one of a number of
vendors that are approved by Visa and/or MasterCard to perform
assessments in this environment. As you said, the processor in
this case selects from a list of those assessors and contracts
with them to conduct the assessment and provide the assessment
results to Visa or MasterCard or whoever it is going to.
In the case of Cable & Wireless, they are now, as you
mentioned, SAVVIS. Visa has asked SAVVIS to explain how there
could be such a discrepancy in the report of compliance between
what was reported to Visa in reality. We have temporarily
suspended SAVVIS from being able to do any more security
assessments, and we have asked them to revalidate the last
``X'' number of assessments they have conducted.
So the investigation as to what happened in terms of the
discrepancy that was very large of what was the case at CSSI
versus what was in the report provided to Visa on behalf of
CSSI is still under investigation.
Chairwoman Kelly. Mr. Ruwe, and I would ask you too, Mr.
Peirez, how do you set up the goals that you expect the
auditing companies to meet? What standards are you applying
before you put them on your list?
Mr. Peirez?
Mr. Peirez. Thank you, Madam Chairwoman.
Well, obviously at this point in time, a lot of this
information is new to us as well, in terms of what happened in
this particular instance, as we were not privy to this report.
That being said, we obviously are looking at the measures
in order to have auditors who are effective, who know what they
are doing, and who can give accurate reports. We look for
auditors who follow standard auditing practices and look for
them to issue reports that are within those guidelines. There
are many standards out there for best practices of auditors,
and that is what we look at.
Chairwoman Kelly. So you use whatever the standards are
that are in the industry but do not have separated standards of
your own.
Mr. Ruwe?
Mr. Ruwe. There are in the case of assessors that Visa
uses, and I believe this is true now of MasterCard, perhaps it
was not at that time, there is a set of documentation that the
assessor is given as a minimum that could be provided to the
committee if they would like to see it, a minimum of standards
that define and delineate and categorize the things that they
have to check within that environment. That is as a minimum.
Beyond that, as a processor, assessor in this space, these
companies have proven themselves to be viable and capable of
doing this work, otherwise they would not be on the list.
So there is an actual process that is defined that they
have to go through as a minimum for the PCI Program, and then
beyond that they have their own additional assessments that
they conduct.
Chairwoman Kelly. Mr. Gorgol, Mr. Minetti, I would like to
have you please chime in on this. Tell me what your standards
are.
Mr. Gorgol. At American Express--
Chairwoman Kelly. Mr. Gorgol, I am sorry--
Mr. Gorgol. Sorry.
Chairwoman Kelly. Thank you.
Mr. Gorgol. At American Express, we have the data standards
in our contract with companies like CardSystems, the
processors, and there are consequences to not meeting those
standards. And you can see recently that those consequences do
have teeth. But we also rely on the industry, and we would
expect processors to draw from the industry and bring in
professional help to make sure that they are meeting that
contractual obligation.
Chairwoman Kelly. Mr. Minetti?
Mr. Minetti. Our requirements are also outlined in our
contracts. In addition to that, when we select the vendors we
conduct an RFP, a request for proposal. I am not familiar with
the criteria in the RFP, but it was a competitive process and
we selected the top vendors of that list.
Chairwoman Kelly. Perhaps, Mr. Minetti, you could--
Mr. Minetti. I can provide it.
Chairwoman Kelly. --advise the committee in writing. It is
something of concern because if you all rely on auditors, then
it is important that reliance is a correct one.
Mr. Minetti. And I will be happy to provide you with a
written statement that outlines the criteria.
Chairwoman Kelly. Fine. Thank you very much. My time is up.
Mr. Gutierrez?
Mr. Gutierrez. Thank you.
Well, first, I want to commend Mr. Ruwe and Visa for being
a leader in the industry and initiating heightened security
which became the PCI standard for the industry, and I commend
the other companies for working to make this an industry
standard. I think it is a step in the right direction in terms
of securing data of the public, which Mr. Hendricks so clearly
elaborated we should be most focused on here at this hearing.
And I think, Madam Chairwoman, I think your questions about
the audits are excellent, and we should examine who performs
these audits and what standards are used and what the best
practices are for these audits that are used by Visa and
MasterCard and all of the other credit issuing companies,
because if you have a bad audit, they all have bad information
and our checks and balances, I think, are all out of whack.
So I think it is a great place. I am happy that you went in
that direction, and I am going to be asking Visa to put in
writing, if they would for me, just what happens at the audit,
what flaws they saw in the audit and what actions they took
with the auditor after they saw the vulnerabilities of the
audit.
I would like to say also that it seems to me that we have a
very, very serious problem here, because trying to set aside
the issues of the processor and the credit card issuing
companies, I mean, as I read these prepared statements and I
look back and they say that there were--and I would like to ask
Mr. Perry about this--your testimony has indicated that the
data relating to 239 accounts was transferred out of your system.
And this looks as though this number--239,000, thank you
very much--this looks as though this number can be tracked to
only one day of transfer activity since the hacker software was
on your system since September of 2004 through May of this year
and was designed to download data every 4 days. That is in your
testimony that he actually entered your system--he or she, they
actually entered your system in September.
So it just seems extremely unlikely that a hacker, a
sophisticated hacker would enter your system in, say,
September, October, November, December, January, February,
March, April and finally in May decide to download this
information. And Merrick Bank did an audit, a forensic audit
and their auditor suspects and found information that your
system was probably already vulnerable as early as April of
2004.
Do you have any other information, I mean, is it your
testimony that the only information that you have is of the
239,000 names downloaded that one day, that was the only
security breach at CardSystems?
Mr. Perry. Mr. Gutierrez, regarding that question, the only
export of data that has actually been confirmed where it is
possible to actually describe the number of accounts that were
exported from the system was the security incident that
occurred on May the 22nd, Sunday afternoon, I believe, when I
heard about it.
Mr. Gutierrez. Well, it just seems rather unlikely and
given the forensic information that Merrick Bank put together
in saying that your system was probably already hacked into and
that you were vulnerable much earlier than that, that a hacker
would just wait that long to download information on one
particular day, which only tells us that we need to be more
secure, because even in your testimony and other people's
testimony, you were vulnerable for months if not for over a
year before you found out that somebody actually downloaded
some information.
And, secondly, the information that you held, why did you
hold information that clearly was established in the contract,
at least with MasterCard, in the information I have received,
with MasterCard and Visa that you were not supposed to have in
your system?
Mr. Perry. Mr. Gutierrez, the data that was actually
exported on that day that we notified the FBI and Merrick about
was from a database that was used primarily for research
purposes.
Mr. Gutierrez. I guess my question is, why did you have the
data in your system if your contract with MasterCard and Visa,
I do not know about the other two companies, but at least with
those two companies they said, ``This is part of our contract.
We do not want you to have this information.''
Mr. Perry. Mr. Gutierrez, we have stated that we were in
error by keeping that data. That data was specifically designed
to provide customer service to the merchants that might have
had a transaction that did not properly execute, it did not
properly process, and the individuals in that case that managed
that database believed it enhanced customer service to provide
the merchants with the information they would need to conduct
their business.
Chairwoman Kelly. Thank you.
We turn to Mr. Garrett.
Mr. Garrett. Thank you.
I appreciate Mr. Watson's opening comments about the
simplicity of the system and how the average consumer just
deals with it in an easy manner. From a government point of
view, I can go to a local government agency, whatever it is,
try to transact some sort of action with the government, it may
take me some hours or days or even weeks to get some sort of
response from the government, but I can go across the country
or across the world and just open my wallet and bring out my
credit card and give it to them and literally within seconds or a
minute or 2 they know who I am and I can get into a hotel or,
as you say, have dinner or something like that.
So it is an amazing ability that we have developed or that
you all have developed, and I guess the track record has been
fairly good in the scheme of things, and unfortunately we come
to this point in time when it occurs as it does here, but I
think I want to commend that it has been able to move the
economy as it has in the system that we have had so far.
The concern we have is whether we need to be taking
additional actions right now or, as I see from one of the
charts that we have here, literally the litany of regulations
that applies to the various players, whether it is the issuing
banks, the merchants, the ISO's, the card services, and it goes
from the Federal banking laws, the FACT Act, the FTC safeguard
rules, the bank regulators acts and so on. So we have a lot on
the books already, and I know some of you who are before us are
involved in the regulatory side of the game.
Let me turn first to Mr. Perry then on that regard. Someone
else had made mention, I believe, earlier with regard to Gramm-
Leach-Bliley and how that applies here or it does not apply
here. Your understanding as to whether that applies to you or
not?
Mr. Perry. Mr. Garrett, we are currently conforming to the
regulations and rules of the card associations, including Visa and
MasterCard, who set before us the rules on how we process,
timeframes, etc.
Mr. Garrett. Okay. If anyone else would like to address the
question with regard to Gramm-Leach-Bliley, whether that should
be applying to them now or in the future.
Yes?
Mr. Hendricks. My understanding is that Gramm-Leach-Bliley
does not apply to the processors, and one of the reasons was
that they do not keep the information. So when they keep the
information, it really becomes problematic.
Mr. Garrett. Okay. Does anybody else have a comment on
that?
Mr. Gorgol. We would agree to have Gramm-Leach-Bliley apply
to the processors as well.
Mr. Garrett. That it should.
Mr. Gorgol. It should.
Mr. Garrett. Okay.
And, Mr. Hendricks, as long as you are answering the
question, in the situation that we have right now and the
descriptions that you have here and I guess in your book as
well, is there recourse for the consumer in some other avenue
other than through the regulatory scheme from civil action or
anything else on those matters to recourse?
Mr. Hendricks. That is why I like Visa taking action here.
The only enforcement action after all these breaches has been
Visa in this case. There have been several class action
lawsuits filed after various breaches, and those are going to
drag on forever, and the companies, the defendants are going to
say, ``The law does not apply to us,'' and they are going to
point out more holes in the law.
So there is no simple solution for consumers. It is just an
enormous burden on them to constantly be monitoring their
credit reports and their credit card statements because the
smart thieves are going to wait for the 30-, 60-, 90-day period
or even over a year before they use the information,
particularly if they get Social Security numbers.
Mr. Garrett. The other people that can be harmed to a
degree, not as much as the consumer can be, but that is the
issuing companies and the small, I guess they are called the
acquiring banks, the small merchant banks are involved here,
because they have to pay for the reissuance of the card.
Can some of you discuss that as far as how they are
reimbursed? I understand that sometimes it is in the contract,
and sometimes I understand that it is difficult for the smaller
players, the credit unions as well, that have to get in under
the line here to deal with those contracts. Can some of you
address that issue, how that is reimbursed and is made or is
not made?
Mr. Peirez. Thank you, Congressman. I would be happy to
address that in so far as the MasterCard system is involved.
First of all, we provide protection against issuers, large
and small, both for the cost of monitoring their accounts as
well as for the cost of reissuing accounts if that becomes
necessary as a result of a data compromise scenario.
There is no distinction between how those rules would apply
to a small or large institution. Indeed, our experience is that
smaller institutions tend to take us up on that more often. So
that is how it works with MasterCard.
Mr. Garrett. Okay.
Mr. Ruwe. In the Visa world, if there is fraud perpetrated
on an issuer, whether it is large or small, there is no
distinction as well. They have a system of being able to apply
for compensation for that through Visa. It is based on actual
fraud occurring subsequent to the event.
Mr. Garrett. My time is up, but thank you.
Chairwoman Kelly. The gentleman's time is up. Please answer
the question and then we have to go to another member.
Mr. Garrett. I do not know if any of the other gentlemen
from the other--
Mr. Gorgol. It does not really apply to American Express.
We are the only issuer and the only acquirer.
Mr. Garrett. Sure.
Chairwoman Kelly. Thank you very much.
Mr. Davis?
Mr. Davis of Alabama. Thank you, Madam Chairwoman.
Let me follow Mr. Garrett's lead and kind of ask you in the
time that I have to react to some of the legislative issues
that Congress will wrestle with in the next few months based on
distinctions from these various bills.
Let me ask you, obviously one of the differences in the
bills around the table is the question of preemption, the
question of whether or not State law will be set aside in favor
of a Federal standard. Let me ask you, do any of you believe
that general State tort laws or general State breach of
contract laws that are not specific to data security should be
preempted? Is there anybody on this panel who believes that a
State breach of contract law that is already in place or a
State tort law should be preempted by this bill?
Does anyone have an affirmative answer to support that?
Mr. Ruwe. Yes, Congressman. I think Visa would support a
national level approach.
Mr. Davis of Alabama. So you support a national approach
which would take a State breach of contract law that is in
place right now and say it cannot be applied even if it is not
specific to data security.
Mr. Ruwe. That is correct.
Mr. Davis of Alabama. What about Mr. Peirez, would you
support that kind of standard? Just give me a quick yes or no
because of the time.
Mr. Peirez. Congressman, I will have to follow up with you
and look at specifically what you have in mind in terms of the
laws in question.
Mr. Davis of Alabama. Well, I mean, the specific question
was, preexisting State tort law, preexisting State breach of
contract law, it is not specific to data security, you have no
position.
Mr. Gorgol, do you have a position?
Mr. Gorgol. I am a little bit out of my league. I would
have to get--
Mr. Davis of Alabama. Okay.
Mr. Minetti?
Mr. Minetti. Same here.
Mr. Davis of Alabama. You are out of your league or you do
not have a position?
Mr. Minetti. Both.
Mr. Davis of Alabama. All right.
Mr. Watson?
Mr. Watson. As I understand what you are saying, it is not
just a preemption of regulations but a preemption of remedies,
and I guess one needs to go hand in hand with the other.
Mr. Davis of Alabama. So your position would be if they go
hand in hand with the other, they should be preempted or not.
Mr. Watson. Yes.
Mr. Davis of Alabama. All right.
Mr. Duncan?
Mr. Duncan. I am not absolutely clear on the question.
Mr. Davis of Alabama. The question is, preexisting State
breach of contract law, not a data security law, but a general
breach of contract law that a litigant tries to enforce in
State court today, should it be preempted by Congress?
Mr. Duncan. Again, from a retailer perspective, I am not
sure what the cause of action would be.
Mr. Davis of Alabama. It would be--
Mr. Duncan. But if Congress is attempting to develop a
national standard, then retailers would like to see preemption
to the extent that data protection is covered.
Mr. Davis of Alabama. Mr. Hendricks, I am not quite sure I
have heard an answer to my question yet. Would you like to
briefly weigh in on it?
Mr. Hendricks. Yes. It would be a really bad idea because
contracts are between two parties, and I do not think we want
the Federal law jumping in between that kind of relationship.
Mr. Davis of Alabama. And let me turn to another scenario.
One of the issues or the differences is a question of when you
disclose a breach, and the bill that Ms. Bean and I have would,
if I can use the shorthand, probably create something of a
presumption in favor of disclosure. Some of the other bills
would frankly probably create a presumption in favor of
nondisclosure.
What if you had this scenario, and I will not, for the sake
of time, ask you all to react to it, but what if you had this
scenario: What if a company believed that its database was
compromised but in no specific instance could it identify a
specific breach for a particular consumer? Do any of you
believe that a company in that instance should not be required
to disclose under Federal law if we pass a standard? Anybody
want to weigh in on that?
Mr. Duncan. I guess I will start by saying I am not sure:
if you think there may have been a breach, but you cannot show
particular evidence of--
Mr. Davis of Alabama. No, no. Let's say that you know there
has been a compromise of your system but you cannot identify
the instance of a specific consumer that there has been a
breach. Should Congress mandate a company that believes its
system has been compromised to go ahead and notify the public
or should the company be able to say, ``We know we have been
compromised but we cannot tell them the specific instance.''
Mr. Duncan. I think you run the risk in that situation, if
you have notification, that unfortunately we run into with some
of the Gramm-Leach-Bliley notices. People receive privacy
notices by the boatload, and at some point they stop reading
them.
Mr. Davis of Alabama. And, Mr. Hendricks, I am going to ask
one last quick question and you can respond to the one you want
to on this one.
I am interested from hearing from Mr. Hendricks on how
other professions handle this. I used to be a lawyer, well,
still am a lawyer, just do not have to practice now. In my
profession, confidentiality is at the bedrock of what we do.
Doctors, confidentiality is at the bedrock of what they do;
same for hospitals.
What is the standard, Mr. Hendricks, as someone who is an
expert on privacy, for a lawyer who believes that his or her
files have been compromised? What are the ethical obligations
of that lawyer for notifying the client, and what are the
ethical obligations of a doctor or the medical world for
notifying the patient if their security or their identity or
their information, rather the confidentiality has been
compromised?
Mr. Hendricks. They basically would have to notify very
specifically each client and then take whatever remedial
actions were necessary depending on what kind of information
was breached. So it would be some heavy lifting, yes.
Mr. Davis of Alabama. So that is the current ethical
standard.
Chairwoman Kelly. The gentleman's time is up. Thank you
very much.
Mr. McHenry?
Mr. McHenry. Thank you, Madam Chairwoman. As votes are
approaching, I will try to not use up my full amount of time.
I want to start by saying thank you, first of all, to Visa
and to MasterCard and to the others for actually disclosing
that this occurred. That was not a motivation mandated by law
but it was the right thing to do for your customers, and I
certainly appreciate you all stepping forward and disclosing to
your cardholders and to the public at large that this occurred.
I know it was not easy but it was certainly the right thing to
do.
And that goes directly to my question for you all, and I
will leave this for the panel. Is there a marketplace
motivation, is there a market force for data security? We are
talking about possibly passing legislation to force you guys to
do certain things. My question is, is there a market force for
data protection and data security? Now, one at a time. Okay.
Slow down here.
Chairwoman Kelly. And please remember that we have been
called for a vote, and we need to have answers rapidly.
Mr. Peirez. Yes. There is a marketplace for data security.
Mr. McHenry. Great answer.
Next?
Mr. Watson. Congressman, I can tell you there is no
stronger marketplace call for data security than the potential
undermining of the consumers' confidence in this system. If the
consumer does not believe in this system, then we do not have a
system and we do not have a business. What could be a stronger
market force than that?
Mr. Gorgol. I would agree. Trust is the bedrock of our
business.
Mr. Ruwe. We agree.
Mr. Perry. We agree as well.
Mr. Minetti. We concur as well.
Mr. McHenry. The problem is it is kind of a negative market
force that would hit in after the fact, which is why I think we
need to get in front of the issue. Inside companies where they
have officers who push for security, they still run up against,
``Well, why do we really have to do this?'' So that is where
the public policy has a good role to play.
Mr. Duncan, do you want to chime in?
Mr. Duncan. To some extent, it depends on the kind of
breach. I spoke with a retailer yesterday who, because they
were seeing a fair amount of identity theft, had taken great
efforts to reduce that number. Marketplace forces work because
they eat those losses.
Mr. McHenry. Well, that sounds very encouraging. If there
is a marketplace for this to occur, then perhaps legislation is
not the right route for us to take. If the marketplace is going
to deal with this, let's watch it, let's monitor it, and let's
make sure that you all are doing your part to adhere to Gramm-
Leach-Bliley, to adhere to the standards we currently have on
the books. Let's make sure that is the right thing to do. And I
certainly appreciate in particular Visa and MasterCard stepping
up to the plate, disclosing fully and doing what was right in a
timely manner. That makes a big difference, and it makes a big
difference for this committee.
Chairwoman Kelly. Thank you, Mr. McHenry.
We have been called to a vote at the Capitol. I am going to
ask the committee to recess for approximately 15 minutes. We
will go, we will vote, it is 2 votes, and we will be back here
and reconvene in approximately 15 minutes.
[Recess]
Chairwoman Kelly. Let us continue. Thank you for your
forbearance.
We turn now to Mr. Price.
Mr. Price. Thank you, Madam Chairwoman, and I appreciate
you having a recess and allowing us to come back.
You are welcome to take as long as you want answering my
questions.
I want to thank you all again for coming, and I want to
commend you for the work that you do. I am constantly in awe of
the literally billions of transactions that occur without any
errors or without any violation at all. And so I want to
commend you for the work that you do.
And I understand, as I think Mr. Garrett said, it may have
been Mr. Renzi, that there are bad guys out there and they are
trying as hard as they can to break your systems, and I think
it is important for us to appreciate that we are all on the
same team, we are all interested in making certain that the
consumer has the confidence in the system and that it works as
easily, frankly, as it does now.
Mr. Ruwe, I heard Congressman Renzi say that he had spoken
with Visa and with CardSystems and that you all had agreed to
get together and work. I heard Mr. Perry say that, but I did
not hear you say that. Are you committed to working with
CardSystems and trying to work out a solution that is hopefully
more equitable to all involved?
Mr. Ruwe. I spoke with Congressman Renzi before the meeting
and said I would talk to CSSI. That is what I said. I would
meet with them.
Mr. Price. And help me understand a little bit about--
MasterCard is comfortable apparently right now with allowing
CardSystems to continue with the work that they are doing and
understanding and I heard a commitment from CardSystems that
they would have PCI standards in effect by the end of the
month, I believe. How is it that you all reached a different
conclusion about your relationship with CardSystems?
Mr. Ruwe. I think the crux of our problem is the
discrepancies in the audit that we were provided on behalf of
CSSI and reality, and there is a huge gap between that, and we
feel that CSSI bears responsibility for the accuracy of an
audit conducted on their premises.
Mr. Price. But CSSI is not the auditor, are they?
Mr. Ruwe. They are not the auditor, but they are
responsible for what is in the audit report.
Mr. Price. Mr. Perry, were you aware--Mr. Gutierrez talked
to you about the error being in error and holding that
information. Were you aware that you were in error? Was
CardSystems aware that they were in error?
Mr. Perry. Mr. Price, until the incident that took place in
May, I was not aware. When I joined the company in April of
2004, I did look at the CISP report prepared by Cable &
Wireless. It was an unqualified report, it was a very clean
report, and to be quite--I took that report and reviewed it
with management, and we were gratified to get the unqualified
certification from Visa.
Mr. Price. So you thought you were in complete compliance.
Mr. Perry. Yes, sir.
Mr. Price. And to Visa, isn't the culpability here
potentially with the auditor and not with CardSystems?
Mr. Ruwe. In our system, the culpability is with the party
who is being audited. Now, if there is a problem with the
audit--
Mr. Price. But they believe, however, that they are in
compliance because the auditor has told them they are in
compliance.
Mr. Ruwe. Then I think that if you look at the audit
finding versus what turned out to be reality in the
environment, the gap is quite large, and we do not understand
how there could be a gap of that size between what was true in
the environment and what was in the audited report. I do not
know what went on between the auditor and CSSI, but it is a
joint responsibility in our view.
Mr. Price. But you are willing to work with CardSystems and
see what that discrepancy was and see if you cannot work out a
relationship.
Mr. Ruwe. We said we would take a meeting on that. We have
asked for explanation on this gap previously and not received
satisfactory answers.
Mr. Price. Okay.
Mr. Hendricks, I would like you to comment, please, on the
sense that I believe is possible and that is a chilling effect
in the industry if in fact the individual who stands up and
says, ``Look, I am in error here, and I am working as hard as I
can to comply or correct the situation,'' what about that
chilling effect?
Mr. Hendricks. Well, yes, we always want people to have
full reporting, so we take the remedial measures and make sure
it does not happen again. I do like to focus on the fact that
there was a decision made by somebody to keep personally
identifiable information that was not allowed by contract. And
we have to find out why that happened, why that decision was
made, because that is what created the problem, what is exposed
here today.
And I think Visa deserves a lot of credit, because if they
know that there is a huge gap there and security is not being
protected, they have to take enforcement action; otherwise,
they become complicit in it and other processors will think,
``Well, they do not take this seriously either.''
Mr. Price. And I appreciate that. And nobody wants there to
be these violations or breaches, understanding that no loss
occurred as a result of this, is my understanding.
Mr. Hendricks. I mean, in terms of loss, I do not think we
really know how much the bad guys got and what they did with
it. The whole point that they are in the system for over a year
and we only have a record of the stuff going out the back door
one month, I look forward to the results of the investigation.
Mr. Price. Thanks.
My time is up, Madam Chairwoman, but I look forward to
being able to submit other questions.
Chairwoman Kelly. And, certainly, you may.
I would like to ask about the PCI standard. The PCI
standard, according to page 6 of CardSystems' testimony, is
based on Visa's CISP, and it was adopted by Visa, MasterCard,
Discover, American Express, Diner's, and JCB in December of
2004.
In theory, the PCI standard did not work here, if you look
at it. So are you still using the same standard or has the
standard been changed?
And let's start with you, Mr. Peirez.
Mr. Peirez. Thank you, Madam Chairwoman.
I think I would say that the standard is relatively new in
terms of being an industry standard and only having been
implemented at the end of last year, the compliance date for
everyone was June 30th of this year.
We, at MasterCard, have gone out with letters to the over
300 third party processors of whom we are aware, making them
crystal clear on those standards as well as requiring them to
provide us with a certification within 60 days that they are
not storing the type of sensitive data that led to this
particular breach event. So we think the standards are still
sound. We think they were not followed here.
Mr. Ruwe. I would like to, if I can, take an opportunity to
clarify one thing. The PCI standard became effective in
December of 2004, which was the result of the four large card
companies getting together and agreeing on a set of rules.
However, prior to that, the Visa standards were fully in play
and people were fully responsible to be compliant with them. So
in the timeframe that we are discussing here, prior to 2004,
the CISP standards would have been in place and Visa players
would have been responsible for being compliant with them.
As far as whether or not they work, I think that the CISP
standards do work if they are followed. And in this case, up to
this point, it appears to us they were not followed.
Chairwoman Kelly. Anyone else like to respond to that?
Mr. Gorgol?
Mr. Gorgol. I agree. I believe the standard is sound. I
believe it is an enforcement issue here.
Chairwoman Kelly. Mr. Minetti?
Mr. Minetti. I also believe the standard is sound. Again,
it is just not following the standard that created the problem.
Chairwoman Kelly. Okay.
Mr. Duncan. Madam, may I--
Chairwoman Kelly. Yes, by all means.
Mr. Duncan. One of the things from the retail perspective,
the standards are an excellent idea in terms of trying to work
out a coordinated approach, but they are extremely complicated,
and that may be part of the issue. Some retailers have
mentioned difficulties with the complications as well.
Chairwoman Kelly. Thank you. Thank you for that
observation.
That goes to a question I would like to ask of Mr. Gorgol.
In your testimony, on page 2, your explanation of the PCI
standard, I would like you to define those standards in light
of what Mr. Duncan just said, in terms of their impact on small
business customers. Do you impose the same security standards
on small businesses for the privilege of using your card that
you impose on large businesses?
Mr. Gorgol. Yes, to answer your question directly. I think
the standards to protect the data need to be the same for
everyone throughout the transaction chain. I think it is
incumbent upon us as an industry to make it easy as possible
for the small mom and pop stores to be able to meet those
standards.
Chairwoman Kelly. Mr. Duncan, you said you think they are a
bit complicated. I am concerned because, as I read Mr. Gorgol's
testimony outlining some of the expectation levels here, how a
mom and pop store, just a small business retail store on a
corner, can maintain the six elements of what Mr. Gorgol's
testimony--you probably have the testimony in front of you, I
can go through them if you do not remember what they are--but I
am concerned about its impact and the cost on small businesses.
Mr. Duncan. Ideally, there should be a risk-reward basis in
the standard, and I think there has been some effort to achieve
that; that is, that at the original CISP standards there were
more requirements for larger merchants than there were for
smaller merchants. And this makes a certain amount of sense
because if there is a breach, it is likely there is going to be
more data captured from a large merchant than a small merchant.
That said, I have heard a number of merchants complain
about complications in understanding the enforcement standards,
but they are making their best effort to do so.
Chairwoman Kelly. Well, I think we need to make sure that
the cards must be secure, that the standards of the industry
may not need to be all the same for every industry. It may be a
little more difficult for someone in the situation I described,
the business person in the situation I described, to, for
instance, keep a written notebook.
Looking at the standard, they were to build and maintain a
secure network. Obviously, that is possible. Protect cardholder
data. That is possible. Maintain a vulnerability management
program. I am not sure what that means. And I do not know how
complicated that is. Does that mean you have to have a
notebook, you have to have somebody outside coming in to audit?
How expensive is this protection?
You have to implement strong access and control measures.
That is totally possible for somebody in a small retail
business. Regularly monitor and test networks. That is
possible. Maintain an information security policy. What does
that say?
Those are some problems I see for small businesses, Mr.
Duncan. I would like you to answer them.
Mr. Duncan. Well, for a number of small businesses, it can
be a challenge. You think of a modest retailer that might have
6 or 10 stores in their chain. Chances are they are buying
their equipment, the point-of-sale equipment already in a
single package, and they really have to rely upon the software
and hardware provider to have it right. They probably do not
have the facility to do an in-depth study.
So there have to be some allowances for this, and, as I
said, it is a challenge.
Chairwoman Kelly. It is a challenge, but I think it is
important that we consider this, that the major credit card
companies consider this. Having been a retail merchant, a small
merchant, and accepting Visa, MasterCard, American Express in
my business, I know that I would have been surprised if
somebody walked in the door and said, ``How are you protecting
this information from someone from the credit card companies?
Do you take it on faith, do you go and inspect?'' What are the
standards that you are asking small businesses to do to protect
the information at that level?
It is a concern, it is a cost to small businesses, and it
is something I think that we need to think about in terms of
protection, both for the customer and the retail merchant as
well as the credit card issuer.
That being said, I want to go to the concern that I think
many small businesses--again, customers of Merrick Bank through
the credit card systems will lose their access to credit cards.
That could drive them out of business. Was the impact on small
business customers considered when the decisions were made from
Visa and MasterCard and so on?
What are you doing, Visa, in particular, to help the small
businesses stay in their card network?
Mr. Ruwe. When Visa selected October 31st as the
termination date, as has been stated, we took into
consideration how much time it would take for an acquirer to
move from one processor to another, and that was felt to be a
reasonable amount of time.
I believe the statements that have been made regarding the
small merchants' inability to move or inability to retain new
services or the situation where they would be out of touch or
unable to operate or transmit or conduct Visa transactions have
been overstated. We believe that they will be able to find new
processor accommodations within that timeframe, and that is
something we will work with our banks on, our acquirer banks.
I have not heard this complaint from my acquirer banks. I
have only heard it from CSSI. So if my banks tell me we need
more time, then we will take that into consideration. We are
not going to leave merchants hanging, but the statements that
have been made so far regarding merchants and being cut off and
being left in the cold have been overstated, in our view.
Chairwoman Kelly. But have you done any outreach on that
score to allay the fears of the merchants?
Mr. Ruwe. That would be done through the acquiring banks
who have the direct relationships with the merchants. That is
not done by Visa.
Chairwoman Kelly. All right. I understand that. I mean, I
appreciate your response.
When a merchant says to me, ``I am not going to accept
American Express, I will accept Visa,'' that is your brand.
What has happened here with CardSystems affects your brand. And
I understand your wanting to protect your brand, but I also
want to make sure that we set standards in such a way that the
industry can respond in a way that it is possible for them to.
A law is no good unless it can be followed.
So it is extremely important that outreach be made, I
believe, from your brand to the small businesses to help them
understand not to panic, because from what I understand you are
letting the banks take care of that, but, sir, are you sure
that the banks are actually in touch with their small
businesses and helping them understand and get through and find
access to what they need?
Mr. Ruwe. Madam Chairwoman, we have every intention of
working with the acquiring banks and to support them any way we
can in this space. My response was more of a factual one than
anything else. We do not have direct contact with merchants any
more than we have direct contact with cardholders, but we
certainly will support our acquirers in this transition.
Whatever we need to do to support them or make sure that the
merchants are comfortable and feel knowledgeable about what is
going on, we will support them in that regard, yes.
Chairwoman Kelly. I would be interested in Am Ex and
Discover's response to that, as well as MasterCard.
Mr. Gorgol. Well, American Express will be offering our
merchants a different choice for processing. They will have a
number of different options. We will work with them directly
over the next couple of months, including the option to come
directly to American Express and avoid using a processor all
together.
Mr. Minetti. From our perspective, we have not finalized a
decision. We wanted to be thoughtful and have all the
information before we reach a conclusion. We have been working
with CSSI all along, and we have a meeting scheduled to talk to
them next week.
Chairwoman Kelly. Thank you, Mr. Minetti.
Mr. Peirez?
Mr. Peirez. Madam Chairwoman, similar to Discover, we have
not shut off CSSI at this point. We expect them to be in full
compliance by the end of August, as they have told us they
can be. If it becomes necessary for something to happen that
would put their ability to process MasterCard transactions at
risk, we would certainly make sure that the small merchants
would not be impacted in any way. We would do the outreach
necessary to get to that point, but we are not there at this
time.
Chairwoman Kelly. Thank you.
Yes, Mr. Perry?
Mr. Perry. Madam Chairwoman, may I just add that I have
been in this industry for a long time with quite a few
different payment processors, and we have 110,000 small
businesses around the United States that are typically not 6-
location merchants but one-location merchants, one-location
restaurants, and some of those restaurants take up to 80
percent of their sales, or credit card sales, if not 100
percent.
It is my belief that it will not be possible to move a
portfolio or part of a portfolio of 110,000 mom and pop
merchants over the course of 3 months in an orderly fashion.
Changing your credit card processing is not similar to changing
your cell phone service, and some of us that have done that
also understand how difficult that can be.
There are a variety of different issues involved, including
underwriting, technology, changing bank accounts, scheduling,
as we all know is very difficult with a small business because
at the end of the day they are very focused on moving product
out the door, not necessarily the payment type that they take.
And this will be a huge inconvenience to the small business,
and we are very, very concerned how we continue to take care of
these small businesses.
Chairwoman Kelly. Thank you.
Mr. Cleaver, thank you for returning.
Mr. Cleaver. Thank you, Madam Chairwoman. I have 6,000
questions. I will reduce it to five.
One of the personal issues I have shared, and maybe Mr.
Hendricks can respond, about 4 weeks ago the host of one of the
``hate'' radio shows in my hometown went on the air and said
that he had my Social Security number, and he said on the air,
``And I plan to use it to find out everything about him.'' I
called the FBI. They said, ``Well, we do not get involved in
this.'' I called the Federal Communications Commission and they
said, ``Well, we do not get involved in this.'' I ended up
calling four or five different Federal agencies, and finally I
called the U.S. Marshals Office and they began to monitor the
radio show.
It seems to me that there ought to be something wrong with
somebody essentially promoting identity theft. And it was done
on radio, the record is there, the tape is there, the whole 9
yards, but there is apparently no law against that. I did not
think it was a good idea that people could promote the
commission of a crime, but apparently you can do it with
impunity on the public airwaves.
Is there anything or any way that you think that kind of
thing can be corrected?
Mr. Hendricks. Well, first of all, I am really sorry to
hear that. That is absolutely horrible, and I cannot imagine
someone can do that without being ashamed of themselves, but
obviously--
Mr. Cleaver. No, he is not ashamed.
Mr. Hendricks. Yes. Obviously, he did. We in the privacy
and consumer community would like to see a rollback of the
Social Security number. It is required for many things in our
society, but we need to start getting them out of courthouses,
we need to stop using them as insurance company identification
numbers if they are doing insurance. And there is legislation
pending to have better protections for Social Security numbers
so that he could not get it in the first place. That is the
first thing.
Obviously, using a Social Security number to harass
someone, yes, maybe that is not covered by statute now but that
is something that we should consider looking at.
And in terms of the other problem, where does the consumer
go for help, and I have to point out that in every other
Western country except the United States there is a national
office in charge of privacy issues, where people can go to get
answers to these sort of questions, and sometimes you can get
an investigation. It is called a privacy commissioner or data
protection commissioner, and I think as big as this issue is
getting, I think we should start revisiting that issue, because
I think we need one here for situations like this.
Mr. Cleaver. Thank you.
My other question--this will be the last, Madam
Chairwoman--I was the mayor in Kansas City and in an attempt to
confuse the crooks, we encrypted our system, communications
system, so that people who had the radio band sitting around
would not know what we were doing and when we were going to do
it. Is encryption an option for us that could possibly either
reduce or prevent identity theft, particularly with credit
cards?
Mr. Duncan. Congressman Gutierrez--excuse me, Cleaver--
Mr. Cleaver. He is shorter.
[Laughter.]
Mr. Duncan. What am I doing? Encryption can be a partial
solution, but there are tradeoffs with encryption. There is
highly detailed information on credit cards, but obviously we
do not want to have stores retain information that one could use
to make a clone card. But there is fairly basic information,
the original numbers, the name, the expiration date, that if
you encrypt it, you may save some problems, but you also may
create more problems on the other side. Let me give you an
example.
Many consumers go into a retail store where they have
bought something and they would like to return it but they do
not have their receipt. If the checkout clerk who is taking the
item back has to decrypt data in order to accomplish a return,
it makes it much more difficult or maybe impossible in many
situations. So there has to be a balancing as to how we achieve
that.
As to your first question, may I say that one of the points
we wanted to focus on in our testimony is the need for more
enforcement. Currently, if retailers find evidence of identity
theft and take that to the State attorneys general offices,
oftentimes they will not enforce unless they have $100,000
worth of damage. So we would like to see a situation where
Congress would encourage State officials to take a more active
role in going after those who are committing crimes.
Mr. Cleaver. Thank you.
Chairwoman Kelly. Thank you, Mr. Cleaver.
Mr. Price, you said you had another question. Feel free to
ask.
Mr. Price. I may?
Chairwoman Kelly. Yes.
Mr. Price. Thank you, Madam Chairwoman. I appreciate it.
I think this is an incredibly important topic, and I think
we can overreach in so many ways, but, again, I think it is
imperative that we make certain that folks have confidence in
the system.
Mr. Gorgol, if you would not mind, please, commenting on
the potential culpability of the auditor vis-a-vis CSSI review
and ultimate problems that they had.
Mr. Gorgol. We relied via our contract on CardSystems
meeting their contractual obligations to meet the data
standard. And they were the ones we worked with. We did not
work directly with the auditor, so I cannot comment on it.
Mr. Price. Mr. Duncan, there has been a discrepancy between
responses on the effect on merchants with the cessation of the
relationship between Visa and CardSystems. Would you comment on
what you believe that consequence would be or the effect on
merchants?
Mr. Duncan. We are not privy to all the details involved in
this dispute. Obviously, as in this whole issue, you do not
want to overreact in a credit card fraud situation as opposed
to, say, an identity theft situation. And this strikes me as
one where the risks are perhaps lower than a true identity
theft, and so maybe that same guidance should apply.
Mr. Price. Mr. Ruwe, I have affinity for Mr. Perry and
CardSystems, obviously. I also think, again, we are all on the
same team in this in trying to make certain that violations of
information do not occur. Do you believe that Visa's
relationship with CardSystems is fatally flawed?
Mr. Ruwe. Well, fatal is a very big word.
Mr. Price. Yes. That is what is going to happen to them.
Mr. Ruwe. It is certainly stressed. I think that Visa spent
a great deal of time trying to evaluate what position we were
going to take on this, and I believe we made several attempts
to get information that we needed and did not get it. And as we
said earlier, we will sit down with CSSI, but I think we are
going to have to have more information and more
forthcomingness, if you will, than we have had to date before I
would make any commitment on anything fatal or otherwise.
Mr. Price. I appreciate that. If I am able to facilitate
any of that, please let us help.
Mr. Perry, I would like you to comment, if you would, on
the discrepancy that Mr. Ruwe pointed out or stated existed
between the audit and the reality of the information that you
all held.
Mr. Perry. Yes, Mr. Price. We did receive some requests
from Visa for information regarding the discrepancy between the
CISP audit and what was subsequently found by the forensic
analyst. Unfortunately, I was able to provide to Mr. Ruwe and
Visa all of the data that I was able to find prior to my
arrival at CardSystems in April of 2004. We stated to Mr. Ruwe
and some of his associates at Visa that we were providing all
of the information possible.
We attempted to contact former employees, former auditors
from Cable & Wireless and other former vendors to be able to
fully answer Mr. Ruwe's questions. Unfortunately, it was very
difficult to track a lot of these people down who had left the
company sometime in 2003, early 2004. And, unfortunately,
because we were not able to provide all of that information, it
was deemed that it was not enough information.
Mr. Price. Help me with the audit. Was there an actual
question on the audit that said, ``Is CardSystems in full
compliance with the agreement with Visa?'' Is that the kind of
question that is on there?
Mr. Perry. There are several questions that you would see
in an audit that are fairly detailed as to very different
aspects of the audit having to do with network security and,
specifically, the error that we have owned up to, which is the
storing of this data that should have been masked. And that is
a specific block or question. That specific block had a
checkmark by the auditor without qualification or any
compensating controls in that area.
When I specifically reviewed--
Mr. Price. Checkmark saying?
Mr. Perry. We were compliant. When I reviewed that, I felt
pretty good and relied upon the audit and the auditor that we
were in compliance in that area.
Mr. Price. May I ask one more general question, Madam
Chairwoman?
I am interested from all the card companies as to whether
or not there is agreement or consensus in the industry about
the definition of a data breach and fraud. Is there consensus
among the companies about what that is?
Mr. Peirez. Congressman, I think there is general consensus
on what would constitute credit card fraud. In terms of your
question about breach, it is a very complicated question, and I
think we are in general agreement, but any specific case you
would have to look at the specifics and see whether we all
agree.
Mr. Price. Mr. Ruwe?
Mr. Ruwe. I would concur with that.
Mr. Minetti. Yes, I would agree as well.
Mr. Price. Is there a need to define those terms? Are they
defined legally as it relates to data breach?
Mr. Peirez. Congressman, I think that, first of all, the
terms that most often get confused and really do need to be
used carefully and accurately are the distinction between fraud
and identity theft or identity fraud. Those are the two things
that really need to be very, very clearly identified because
the consequences of either of those events are quite different
and can be handled in different ways effectively.
In terms of definition of breach, I think that depends on
what happens if there is a breach as so defined. So I would be
happy to work with your office if you are looking at something
specific, but as to the general question on breach, I really
cannot answer.
Mr. Price. Any other general comments about that?
Mr. Watson. I would say that the language is unclear, and
it is unclear with respect to impact and timing. For instance,
you could say the system was breached in April of 2004.
Accounts were compromised possibly at some other time and
certainly in May of 2005. But the definitions are not clear
with respect to time or effect, and I think in putting forth
any legislation they are going to need to be very clearly
defined.
Mr. Duncan. Congressman, there is one additional element,
and this goes back to the question that the chairwoman
mentioned, and that is for smaller retailers in particular, if
they are buying off-the-shelf equipment, they want to make
certain that if they bought something from IBM or NCR or
something else, that they are not deemed to be in breach
because of something they innocently purchased. And that is a
distinction that has to be maintained.
Mr. Hendricks. The California State law does a pretty good
job of defining a breach by saying it is personal information
or account numbers/Social Security numbers that can be used to
commit fraud. And as to the distinction, there is a distinction
between identity theft takeover and credit card fraud, but
under the Identity Theft Deterrence Act and under FACTA,
Congress has defined some forms of credit card fraud as
identity theft, as it should, because we need to maximize
protection for consumers, and you see this reflected in FTC
regulations.
So I agree with industry that we need to look very
carefully and draw these distinctions so we have appropriate
responses to each one, but I want industry to respond that some
forms of credit card fraud are also identity theft.
Chairwoman Kelly. Thank you.
Mr. Price. Thank you, Madam Chairwoman.
Chairwoman Kelly. Thank you, Mr. Price.
Mr. Cleaver, you said you had another question or two.
Mr. Cleaver. Admittedly, this is personal for me, but I am
curious as to whether other Western countries, Mr. Hendricks,
have strong laws with regard to identity theft. When I say
strong laws, I mean when there is a data breach it could result
in someone being just wiped out.
So do you know of any other country where someone could do
something and actually regret it?
Mr. Hendricks. Do something in terms of using personal
information?
Mr. Cleaver. Yes.
Mr. Hendricks. Well, a lot of the European countries and
others do not have the biggest problem with identity theft as
we do because they do not rely on the Social Security number
the same way that we do. So they do not have specific laws on
identity theft.
Mr. Cleaver. What do they rely on?
Mr. Hendricks. Well, they have their own usually national
identification number or another set of identifiers. We need a
country-by-country report. It is a very long question and
answer. But they had old-fashioned comprehensive laws which are
based on what we know as fair information principles, and that
ends up covering a lot of these sorts of events.
So they are constantly trying to upgrade them and oversee
and implement them, but it becomes more of a compliance issue
because they have a general framework which covers most
personal information, creates rights for individuals, duties on
organizations.
Mr. Cleaver. I do not know if you collect data that would
provide information about how long it would take after a breach
before the fraudulent act begins. And is there any data that
would allow us information to know the time between the breach
and the time of the commission of a fraud?
Mr. Hendricks. There is no real research on that which has been
made public, but it ranges from immediate to long term. The
methamphetamine users that hit mailboxes they try and use
something right away, that is just their nature. The very
sophisticated criminal rings will sit on information and use it
down the road.
Mr. Cleaver. So my radio host is sitting on it.
Mr. Hendricks. Yes, but I think maybe someone should sit on
him. I think he deserves some more attention.
Mr. Cleaver. Thank you.
Chairwoman Kelly. Thanks, Mr. Cleaver.
Mr. Gorgol, you raised a very important issue in your
testimony and we have not talked about it, and that concerns
phishers with a ``ph.'' I think you mentioned that you were
concerned that phishers might take advantage of the breach and
other publicized incidents to look around to see what they can
find from card customers.
I would like this panel to describe whether or not you have
seen a reaction like that in this case, and I would also like
to know whether small businesses are likely to be contacted by
fraudsters that are claiming to represent interested parties in
this case?
And with the terminations and so on that are imminent,
apparently, I am wanting to know what you are doing to reach
out to small businesses to keep them secure from phishers who
are likely to call them and say, ``We are checking on this
information,'' and so forth. They do not know who is at the
other end of the phone. I want to know what you are doing to
protect these people from a fraudulent inquiry and a fraudulent
solicitation during the changeover period.
Mr. Gorgol. Well, first, I mean, phishing is a serious
problem and I think it is something to consider if we think
about legislation that requires notification. If we overnotify
people, that will provide, I think, a vehicle for phishers,
sort of weeds that they could hide in if we overnotify. It is
one of the dangers of overnotification.
But I think the most powerful tool we have, to answer your
question directly of what we can do and how we can help small
businesses, is education and just raise their awareness that
phishers are out there and just be very careful in how they
share their information.
Chairwoman Kelly. How do they know if someone calls and
says, ``I represent such and such, and I want this
information''?
Mr. Gorgol. There are basic rules. They are not to share
personal identifiable information over the phone unsolicited or
you are not sure who you are sharing it with.
Chairwoman Kelly. Well, if they are solicited, they are
going to share it because they do not know the difference. My
concern is that there be some sort of an interception there,
direction, education, however you do it, so that the small
businesses during the changeover will not become a victim of
phishing.
Mr. Gorgol. Well, during this specific changeover, they
would be working directly with American Express employees, so
we will be able to contact them directly.
Chairwoman Kelly. Anybody else?
Mr. Ruwe?
Mr. Ruwe. I think that would add to the education, and part
of the education is making sure they understand that if they
get one of these calls, that they should say, ``Thank you very
much.'' And they have been trained to say, ``Give me a number
where I can call you back, please,'' and then they can verify
with their true business relationship. That is one of the
things that we have tried to reemphasize over and over again in
our educational materials.
But, typically, the phishers do not necessarily target
small businesses. They may be affected by this, but they really
go for the big broadcast over the Internet. That is why it is
called phishing. They go out and really attack the masses is
usually their MO.
Chairwoman Kelly. In the 1970's and 1980's, a number of
banks spun off the card processing units and now some of the
banks are bringing them back in-house. There are pros and cons
on this, and we have not heard from any of you about that.
Mr. Watson, you may be the first one to answer that
question. What are the pros and cons?
Mr. Watson. I actually have worked for data processors in
the past prior to my career at Merrick Bank. I think data
processing for both card holder and merchant business is very,
very much a scale issue, and in-house processing is really only
affordable by the very, very largest issuers and the very, very
largest merchant banks.
Without the access to high quality, secure third party
processors, the credit card business, both the issuing side and
the merchant banking side, would be in the hands of a very,
very small number of banks because they would be the only ones
who could afford it.
Chairwoman Kelly. Okay. So you think that unless a large
bank like Bank of America, Citi, Chase made the decision to
bring it back in-house, no one else is likely to because it is
expensive; is that correct?
Mr. Watson. Yes.
Chairwoman Kelly. Okay. Thank you.
My last and final question to you, Mr. Perry, there was a
3-day time lag between the time you discovered that there was a
problem in the system and the notification that went out, you
called the FBI, but it was not until the next day, it was
basically a 3-day time lag. You found out on the 22nd and on
the 25th Merrick Bank found out and the card people found out.
What caused that time lag?
Mr. Perry. Madam Chairwoman, the time lag was we found out
of a suspicious production issue on Sunday, late afternoon,
Sunday, May the 22nd. On Monday, May the 23rd, we contacted the
Phoenix office of the FBI and on actually Tuesday, May the
24th, we had not heard back from the Phoenix FBI and then
contacted the Atlanta FBI because we were very concerned that
this might be a situation that law enforcement needed to be
aware of immediately.
Once we heard back from the FBI on the 25th that they had
assigned a case officer and we had disclosed everything to
them, we also asked if it was okay under the investigation to
contact the bank and notify the bank so they could go through
their proper notification procedures, and they said, yes.
Unfortunately, there were 2 days of lag where we missed
speaking to the FBI from Atlanta or Phoenix to receive proper
instructions.
Chairwoman Kelly. So the time lag, if I understand you
correctly, was caused by the FBI not getting back to you in a
timely manner. In the meantime, the 44 million people whose
information had been perhaps compromised were still out there
with their information compromised and nobody knew it.
Mr. Perry. At that time, all that we were aware of was the
export of the 239,000 discrete cards that we found out about later.
I do not want to say that the FBI did not react, but we did
contact the Phoenix office on Monday, and when we did not hear
back from them on Tuesday we contacted the Atlanta office. At
that point, both offices coordinated and once they got back to
us, we also asked them if we could move to the next step of
notification, which we saw as critical, which is contacting our
sponsor bank, Merrick Bank.
Chairwoman Kelly. I am just curious because under a
contractual agreement with the credit card companies, wouldn't
that have been in the contract that you had to notify them
immediately if you discovered any kind of a breach?
Mr. Perry. At that point, on May the 22nd and even on May
the 23rd, we were unclear as to the scope of the potential
compromise.
Chairwoman Kelly. But you knew you had been compromised.
Mr. Perry. We believed we had, yes.
Chairwoman Kelly. But it was just a matter of degree. So if
there was a contractual agreement for notification to the
credit card people--
Mr. Perry. Because we believed there had been a crime
perpetrated against the company and its merchants, we believed
it was incumbent upon us to contact law enforcement first and
make sure that they would help us and guide us through this
situation. This is a situation that we had not previously
experienced in the past, and we wanted to make sure that in no
way would we compromise any future investigation.
Chairwoman Kelly. Thank you.
I want to thank this panel for your patience. You have been
wonderful for staying with us, and I appreciate very much the
fact that you have given us so much of your time and your
expertise today.
The Chair notes that some members may have additional
questions for this panel, which they may wish to submit in
writing. So without objection, this hearing record will remain
open for 30 days for members to submit written questions to the
witnesses and place their responses in the record.
This hearing is adjourned.
[Whereupon, at 1:12 p.m., the subcommittee was adjourned.]
A P P E N D I X
July 21, 2005
[Appendix graphics T9461.001 through T9461.096 omitted in the source.]