[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]

CREDIT CARD DATA PROCESSING: HOW SECURE IS IT?
=======================================================================

HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED NINTH CONGRESS
FIRST SESSION

JULY 21, 2005

Printed for the use of the Committee on Financial Services

Serial No. 109-48

U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2006
29-461 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov   Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250   Mail: Stop SSOP, Washington, DC 20402-0001

HOUSE COMMITTEE ON FINANCIAL SERVICES

MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa
RICHARD H. BAKER, Louisiana
DEBORAH PRYCE, Ohio
SPENCER BACHUS, Alabama
MICHAEL N. CASTLE, Delaware
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
ROBERT W. NEY, Ohio
SUE W. KELLY, New York, Vice Chair
RON PAUL, Texas
PAUL E. GILLMOR, Ohio
JIM RYUN, Kansas
STEVEN C. LaTOURETTE, Ohio
DONALD A. MANZULLO, Illinois
WALTER B. JONES, Jr., North Carolina
JUDY BIGGERT, Illinois
CHRISTOPHER SHAYS, Connecticut
VITO FOSSELLA, New York
GARY G. MILLER, California
PATRICK J. TIBERI, Ohio
MARK R. KENNEDY, Minnesota
TOM FEENEY, Florida
JEB HENSARLING, Texas
SCOTT GARRETT, New Jersey
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
KATHERINE HARRIS, Florida
RICK RENZI, Arizona
JIM GERLACH, Pennsylvania
STEVAN PEARCE, New Mexico
RANDY NEUGEBAUER, Texas
TOM PRICE, Georgia
MICHAEL G. FITZPATRICK, Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina
CAMPBELL, JOHN, California

BARNEY FRANK, Massachusetts
PAUL E. KANJORSKI, Pennsylvania
MAXINE WATERS, California
CAROLYN B. MALONEY, New York
LUIS V. GUTIERREZ, Illinois
NYDIA M. VELAZQUEZ, New York
MELVIN L. WATT, North Carolina
GARY L. ACKERMAN, New York
DARLENE HOOLEY, Oregon
JULIA CARSON, Indiana
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
BARBARA LEE, California
DENNIS MOORE, Kansas
MICHAEL E. CAPUANO, Massachusetts
HAROLD E. FORD, Jr., Tennessee
RUBEN HINOJOSA, Texas
JOSEPH CROWLEY, New York
WM. LACY CLAY, Missouri
STEVE ISRAEL, New York
CAROLYN McCARTHY, New York
JOE BACA, California
JIM MATHESON, Utah
STEPHEN F. LYNCH, Massachusetts
BRAD MILLER, North Carolina
DAVID SCOTT, Georgia
ARTUR DAVIS, Alabama
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
MELISSA L. BEAN, Illinois
DEBBIE WASSERMAN SCHULTZ, Florida
GWEN MOORE, Wisconsin
BERNARD SANDERS, Vermont

Robert U. Foster, III, Staff Director

Subcommittee on Oversight and Investigations

SUE W. KELLY, New York, Chair

RON PAUL, Texas, Vice Chairman
EDWARD R. ROYCE, California
STEVEN C. LaTOURETTE, Ohio
MARK R. KENNEDY, Minnesota
SCOTT GARRETT, New Jersey
J. GRESHAM BARRETT, South Carolina
TOM PRICE, Georgia
MICHAEL G. FITZPATRICK, Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina
MICHAEL G. OXLEY, Ohio

LUIS V. GUTIERREZ, Illinois
DENNIS MOORE, Kansas
CAROLYN B. MALONEY, New York
STEPHEN F. LYNCH, Massachusetts
ARTUR DAVIS, Alabama
EMANUEL CLEAVER, Missouri
DAVID SCOTT, Georgia
DEBBIE WASSERMAN SCHULTZ, Florida
GWEN MOORE, Wisconsin
BARNEY FRANK, Massachusetts

C O N T E N T S
----------

Hearing held on: July 21, 2005
Appendix: July 21, 2005

WITNESSES

Thursday, July 21, 2005

Duncan, Mallory, General Counsel, National Retail Federation
Gorgol, Zyg, Senior Vice President, Fraud Risk Management, American Express
Hendricks, Evan, Editor and Publisher, Privacy Times
Minetti, Carlos, Executive Vice President, Cardmember Services, Discover Card
Peirez, Joshua L., Senior Vice President & Associate General Counsel, Law Department, Mastercard International
Perry, John M., President and Chief Executive Officer, CardSystems Solutions, Inc.
Ruwe, Steve, Executive Vice President, Operations & Risk Management, Visa U.S.A. Inc.
Watson, David B., Chairman, Merrick Bank

APPENDIX

Prepared statements:
Castle, Hon. Michael N.
LaTourette, Hon. Steven C.
Duncan, Mallory
Gorgol, Zyg
Hendricks, Evan
Minetti, Carlos
Peirez, Joshua L.
Perry, John M.
Ruwe, Steve
Watson, David B.

Additional Material Submitted for the Record

LaTourette, Hon. Steven C.:
ARMA International statement
Cardholder Transaction Process chart

CREDIT CARD DATA PROCESSING: HOW SECURE IS IT?
----------

Thursday, July 21, 2005

U.S. House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Financial Services,
Washington, D.C.

The subcommittee met, pursuant to notice, at 10:13 a.m., in room 2128, Rayburn House Office Building, Hon. Sue Kelly [chairwoman of the subcommittee] presiding.
Present: Representatives Kelly, Pryce, Bachus, Castle, Kennedy, Garrett, Renzi, Price, McHenry, Gutierrez, Maloney, Hooley, Moore of Kansas, Matheson, Scott, Davis of Alabama, and Cleaver.

Chairwoman Kelly. I call this hearing on the Subcommittee on Oversight and Investigations to order.

Over the last few months, disturbing information has come to light about breaches in data security across the financial services industry. Millions of consumers have found out that their personal information may have been compromised. Millions more are now worried about personal data protection with the attention given these breaches.

This is an issue that personally affects all of us. In cities and towns across my congressional district in New York and all across our country, we rely on credit cards day in and day out. We expect nothing less than a safe and secure system of processing them.

These breaches harm the network of financial transactions that gives the United States the most productive economy in the world. These breaches cause consumers to lose confidence in the payment systems that drive sales growth. They impose new risks and costs on merchants and threaten some with the loss of customers and their livelihood. We need to do everything possible to ensure that our personal information remains privileged and protected when we make any financial transaction.

Today's hearing will deal specifically with the recent data breach at CardSystems where more than 40 million credit card accounts of 4 major credit card brands may have been exposed. At least 200,000 accounts were definitely stolen, and evidence exists that a routine may have been in place to allow the culling of credit card information on a regular basis. In response to these breaches, Visa and American Express are terminating their relationship with CardSystems, while the company itself is putting in new measures to ensure data security.
Yesterday, in testimony to the Financial Services Committee, Federal Reserve Chairman Greenspan noted that increased regulations may have the consequence of killing the electronic innovation and productivity that have kept our economy and our markets growing. He also noted that in a free market economy all companies that hold personal data have a huge financial incentive to keep it as secure as possible. Unfortunately, in this case and others, those incentives either failed or were overcome by the financial incentives of fees.

What we need to learn today from the witnesses in this case is, what happened, what was supposed to happen, and what can be done to prevent this from happening again. I welcome the witnesses, and I yield now to the gentleman from Illinois.

Mr. Gutierrez. Good morning. I want to thank Chairwoman Kelly for calling this hearing entitled, ``Credit Card Data Processing: How Secure Is It?'' I think the answer to many people reading the news lately is, not secure enough.

Data security is very important to many of us here on this committee, and I am pleased that we will be joined later on by some of our colleagues who will ask to participate. This issue is also personally important to me. I am proud to have served as a conferee on the FACT Act, which dealt with similar issues. In March, I coauthored a bill with Congresswoman Melissa Bean on this issue, and I am proud to be an original cosponsor of the recent bill introduced by Representatives Bean and Artur Davis. There are many other worthy bills on this topic, and I suspect we are going to be working together to craft a solution before the end of the year.

We need to understand what happened here and where the gaps in the law are so they can be fixed. We also need to determine the proper way to notify and protect consumers and inform the credit rating agencies when consumer data compromise can lead to identity theft.
We need to make sure that consumer notification takes place in language the consumer can understand. I look forward to hearing from the witnesses so that we can learn from the problems they experience and minimize similar occurrences.

At the proper time, I will inquire about the audit processes or credit processes and how CardSystems could have been certified while maintaining an adequate software and retaining customer data in violation of its Visa contract. Additional checks and balances may be necessary in the system of certification. The largest banks, I am told, have supervision in the form of professional examiners from their regulator onsite every day of the year. It might make sense to employ a similar process when we are talking about security of large amounts of data in an entity that is not a bank but is performing functions of a bank. It would also be helpful to determine the actual scope of the compromised data and the degree of fraudulent activity that may be related to this incident.

I am pleased to welcome all of the witnesses, and I especially want to welcome Evan Hendricks whose quarter century of expertise proved invaluable during consideration of the FACT Act issues, and I am certain he will be helpful today. I understand that he has a plane to catch early this afternoon, but we are especially grateful that he could make the time to be with us today. Thank you so much, Mr. Hendricks, for being here.

We have been joined by Mr. Matheson, and I ask unanimous consent that he be permitted to make an opening statement.

Chairwoman Kelly. So moved. We have been joined by a number of members who are not on this particular subcommittee but that are on the Financial Services Committee as a whole. We are honored by their presence. We have Mr. Kennedy, Mr. Castle, and Mr. Bachus with us this morning, and I ask unanimous consent that they too may be able to make an opening statement. So moved.
So without objection, all members' opening statements will be made part of the record. I turn now to Mr. Garrett.

Mr. Garrett. Thank you, Madam Chairwoman, for holding today's hearing on data security and credit card systems in light of recent headlines. I think it is both timely and necessary that we have these hearings, not only so that we can learn more about the apparent data breach at CardSystems affecting the four major credit card companies, but also we can learn how this committee may be able to respond in an appropriate manner.

The data breaches that were recently disclosed by financial institutions have generally, in the past, involved lost data tapes or similar mishaps which do not necessarily suggest criminal intent. However, in this circumstance it appears that someone was able to compromise their database system to obtain information for malicious purposes. So while the other types of data breaches are obviously cause for concern, it is especially troubling when we learn that sensitive information has fallen into the hands of apparent criminals. Therefore, I am particularly interested in learning about how consumers are protected against credit card fraud or other problems resulting from this breach.

I think we also need to examine how the breach at CardSystems could have been avoided. Is there a shortfall in the law? Do we need new laws? Or do companies simply need to be more responsible in complying with existing laws and any of their contractual obligations? My hunch is that CardSystems' apparent lack of an adequate data security regime may simply be that they were running crosswise with existing laws or contractual obligations. So we simply need to learn now how the existing lay of the land has been applied in this situation before we move on and consider making more laws.
I think we also may want to use this as an opportunity to at least explore and understand a little bit what potential impact the decisions that may affect CardSystems' future may also have indirectly on any of their vendors or other players in the system.

I would also like to say for the record that I appreciate MasterCard's efforts to bring the situation at CardSystems to light, as they were under really no direct obligation to do so, but I think that they did so in thinking what was most responsible for getting the information out in the interest of their cardholders. And for that reason, I believe that they should be commended for their actions.

Thank you again, Madam Chairwoman, for holding this hearing, and I yield back the balance of my time.

Chairwoman Kelly. Thank you. Ms. Maloney?

Mrs. Maloney. Thank you very much, Madam Chairwoman, for having this hearing today that continues to address the really very pressing issue of data security and identity theft through this series of hearings.

This hearing focuses on a particularly terrible example of a breach of data security: The exposure of 40 million credit and debit card accounts at a data processing company handling Visa, MasterCard and American Express. Based on an FBI investigation it appears that the data processor, CardSystems, blatantly violated the contractual data security restrictions imposed by each of the credit card companies. But this would not have come to light had it not been for a huge breach and resultant fraudulent transactions.

I expect that each of the credit card companies here today will explain to us that they spend a great deal of time, money and resources preventing credit card fraud and protecting consumers from the effects of credit card fraud through zero liability policies and card reissuance.
This is all very laudable but the issue before the committee today is not just credit card fraud: the issue before us is the much more complex issue of identity theft, because it does not simply involve a fraudulent charge on a card, it is typically the opening of a new account in the name of the victim. Identity theft is harder to find, harder to assess, and harder to combat, but it is the main issue we need to address.

For example, we may have a good idea now of all the credit card fraud that is likely to result from the CardSystems breach, but that does not mean that we know the extent of the identity theft risk. Similarly, the credit card companies often identify credit card fraud right away, but in this case they appear to have been absolutely clueless for months while personal data was removed from the database.

At present, the main protections against identity theft are contractual agreements between credit card companies and the banks and data processors that handle the information. The CardSystems incident is a spectacular failure of this private sector protection and suggests that more regulation, more enforcement and more penalties are necessary in this area. For example, until yesterday, it appeared that the credit card companies would continue to do business with CardSystems even though CardSystems had not complied with the data security requirements.

Moreover, there is a huge regulatory gap under Gramm-Leach-Bliley. The respective financial regulators are responsible for making sure that financial institutions who contract out data processing functions ensure their contractor's compliance. And the FTC rules require data processors to preserve the confidentiality of personal financial data. But in this case, the regulators appear to have played ``toss the hot potato'' with this whole incident. So far, all the consequences of data security breaches could be viewed by a data processor as the cost of doing business.
Yesterday, perhaps bowing to the pressure of this important hearing, Visa and American Express terminated their business with CardSystems, but MasterCard still has its data processing handled by them. This situation is not acceptable, and we need to provide the legal structure to fix it.

I am a proud cosponsor and original sponsor of this legislation that has been introduced by my colleague, Representative Bean from Illinois, and it is a good first step in this area. I look forward, as always, to hearing the witnesses' views and some of the alternatives and ideas that they may have, and I hope that we can benefit as we move forward with this bill, and I thank all of you for being here. It is extremely important.

I must say that one of the biggest credit card theft rings is in the district that I represent in New York, in Queens, and it is just a terrible problem once it happens, and so our efforts to prevent it are very important. Thank you.

Chairwoman Kelly. Thank you, Ms. Maloney. Mr. Kennedy? Mr. Price?

Mr. Price. Thank you, Madam Chairwoman. I appreciate the opportunity to participate in this hearing, and I want to thank all of the witnesses for being here. I want to especially welcome Mr. John Perry of CardSystems, who has a portion of his business in my district.

I am sorry I am late but I want to echo the comments of others who have talked about the importance of having security within the credit card system. I am somewhat astounded by some of the comments that I just heard, however, in view of the fact that CardSystems, itself, discovered the breach, notified the companies of the breach, and is working aggressively and actively to correct the challenges that they and the industry have.

Greater regulation and greater penalties I am not certain--which is oftentimes the knee-jerk reaction to a challenge that we have in any area--I am not certain that is indeed the answer at all. So I look forward to the testimony before us today.
I look forward to increasing my knowledge of this area, and I also hope that individuals will lower the rhetoric, calm down, and work toward solutions in this area as opposed to bomb-throwing. And I yield back.

Chairwoman Kelly. Mr. Moore?

Mr. Moore of Kansas. Thank you, Madam Chairwoman. I would like to thank you for holding today's hearing and thank the witnesses for appearing today to share their information with us.

The focus of this morning's hearing is data security within the credit card payment system, specifically the recently publicized data breach at CardSystems Solutions that could have affected approximately 40 million credit and debit card accounts. I look forward to Mr. Perry's testimony this morning. I appreciate your being here, sir, to discuss what steps CardSystems is taking to secure deficiencies in the system.

The CardSystems breach, among many others of businesses as diverse as data brokers, retailers, and banks, begs the question of what Congress should be doing to protect consumers from identity theft. As we have all seen over the last few months, States across our country have been enacting or considering data security notification laws to deal with the problem of data breaches. The proliferation of State activity in the area of data security and notification, though, is now creating a confusing patchwork of conflicting laws that is adding to the cost of doing business nationwide.

I think it is time for Congress to act to protect consumers from data breaches and create a uniform national standard that seeks to create a level of certainty for consumers and national businesses. Representatives Deborah Pryce, Mike Castle, and I have been working on data security legislation that would, for the first time under Federal law, require companies to notify consumers when their sensitive personal information has been accessed in a way that could lead to identity theft.
There should be a few guiding principles behind any data security bill that Congress considers. Number one, companies should be required to safeguard their data. Number two, breached businesses should be required to notify consumers, law enforcement, regulators, and relevant third parties when sensitive personal information is compromised. Number three, breached entities need to ensure that consumers are protected after their data is compromised through credit file monitoring and other such actions. And, number four, Federal preemption, we believe, is necessary to create a meaningful uniform national standard. Our legislation embodies each of these guiding principles, and we will be introducing our bill today.

Additionally, I know you will not believe this but sometimes when Congress sees a problem they overreact, and I hope that--what are you laughing about?

[Laughter.]

I hope that is not the case here, because we do need to address and correct this problem but at the same time not overreact. We have one of the best credit systems in the whole world right here in this country, and it is a benefit to consumers that they can get a quick answer to a credit check. What we do not need, though, is to go too far and hurt the industry which has set up this wonderful credit system. As Congress considers data security legislation, we need to again correct this problem without overreacting.

As this process moves forward, I look forward to continuing to work with Members on both sides of the aisle to pass the best bill we possibly can. This should not be about Republicans and Democrats, it should not be partisan at all. We need to address this in a bipartisan fashion, and I am confident we can do that here. I am very proud of our committee, because we have worked well together in other areas in the past, and I believe we can do that here. Thank you again, Chairwoman Kelly. I look forward to hearing from our witnesses.

Chairwoman Kelly. Thank you very much. Mr. McHenry?

Mr. McHenry. Thank you, Madam Chairwoman. Thank you so much for having this hearing today, and I appreciate your leadership on this issue. I will make this brief because I know we have a lot of testimony to hear. The last time I saw this many witnesses lined up at a table before a hearing we had baseball players in. So, Mr. Sosa, Mr. McGwire, thank you all for being here today.

But in all seriousness, data security should be a top concern of all financial institutions and all financial service industry related folks. And what I would like to examine is what is being done now. I would also like to examine whether or not there are market forces that would influence how you protect data. I do not think that the government should step in when the market can actually dictate, and I think there are repercussions for companies that do not protect data. I think there are repercussions financially on their bottom line for companies that do not do what is appropriate and right and do not secure data appropriately. Customers will leave, merchants will refuse to deal with you, and the market will deal with it.

Now, does the government need to intervene if the marketplace is going to deal with companies on these issues? That is what we need to understand as a committee, and we need to see where we need to go. If there is a marketplace that is going to determine data security, government intervention may hurt in this regard and actually may have an adverse effect on data security rather than the true spirit of what we would attempt to do as a government.

So I welcome the testimony today. I look forward to hearing from all of you and look forward to hearing what has happened and actually what is occurring currently and what you view as the best way to secure data going forward. Thanks so much.

Chairwoman Kelly. Thank you. Mr. Davis?

Mr. Davis of Alabama. Thank you, Madam Chairwoman, for calling this hearing, and I am going to try to follow Mr. McHenry's lead and be somewhat brief, given the fact there are so many of you and a lot of us who are here to question you.

Let me just make a few general observations. The first one, one of the happy things, I suppose, about this kind of climate is that the industry, frankly, has as much of an incentive to have this institution act in a responsible way as the consumer does. I think all of you who are here as industrial representatives and corporate representatives understand that your ability to provide a service to your consumers, your ability to attract consumers is in peril if they do not have confidence in how their information is being handled. That is the bottom line. So you have the same incentive, and I think that is why Mr. Moore and some of us can confidently say that this should not be a left-right kind of issue, it should not be a business-consumer kind of issue because you are in the same place in terms of wanting to promote consumer confidence.

The second observation that I will make--this is something that I see routinely on this committee--is that the world of financial service transactions now, the world of financial service in general is so numbingly complex that a lot of people that you serve every day and that we serve every day frankly just want to throw up their hands and say, ``We do not understand this.'' And they feel so detached from their own ability to go out and make purchases and all of a sudden you have this information about security breaches and I am willing to bet that probably makes them feel even more detached. And then, worst-case scenario, they will learn weeks later that there may have been a breach that they did not even know about.

I think we have to speak to that consumer anxiety. I think we have to speak to people who feel that somewhere out there things may be happening that are adverse to their interests that could involve a fraud or a theft and they did not even know for several weeks.
We have to speak to that anxiety.

The final point that I will make, Ms. Bean, Mr. Frank, and I are the lead sponsors on a bill that I think all of you are aware of. It is referred to by some in the press as the Democratic bill. I hope that this is the beginning of a conversation that can draw the best instincts from my side of the aisle and the best instincts of our partners on the other side of the aisle. And this committee has done it before. We did it very recently in the context of GSE's, an enormously complex issue. Most people did not think, given the acrimony of last year's hearings, that we would get to a middle ground on GSE's. We got there. I wish the U.S. Senate would respect the fact that we got there, but we got there. We got there on the question, because of my colleague from Alabama, Mr. Bachus' leadership, on the extension of the Fair Credit Reporting Act several years ago. Nobody expected us to build a consensus that helps protect the best credit system in the world. So I drew inspiration from those things.

Again, I thank the chairwoman for having this hearing and look forward to working with all of you.

Chairwoman Kelly. Thank you. We turn now to Mr. Bachus. And I would like to say that for the ex officio members, because we have a lot of people here, many opening statements, I am going to ask the people who are ex officio, and we welcome them here, but I am going to ask them to keep their statements to 3 minutes each. Mr. Bachus?

Mr. Bachus. I appreciate that, Chairwoman. As with any legislation that comes before the subcommittee on which I am chairman, it obviously is something of great concern to me, and I commend you for having this hearing and for your leadership over the past several years, not only on this issue but identity theft and credit card fraud.

Credit card fraud, identity theft, and data security breaches are really three different things, and we sometimes have a tendency to mix and match them.
But as we go about this hearing, we should bear that in mind.

And I appreciate the remarks of the gentleman from Alabama. The gentleman from Alabama has introduced a bill along with the ranking member, Ms. Bean, and Chairman Pryce and Chairman Castle and Mr. Moore have introduced this morning a bipartisan piece of legislation. And, further, we have had two other members, Mr. LaTourette and Ms. Hooley, who have introduced a third bill.

Mr. Garrett questioned whether existing law is sufficient or do we need new laws? Can we just enforce those laws on the books? A great deal of this is going to be, yes, we just need to enforce what is there. Law enforcement has a role in this. This was a criminal violation; somebody hacked in. This was a criminal act not by the victim but by a criminal. But I will answer the question, yes, we do need to address this, and I think that the Members' bills, as we go through this, we just need to do, as Mr. Price said, we need to show caution, and I associate myself with his remarks and Mr. Garrett's remarks.

With that, I do want to say two other things, if I could. One, CardSystems Solutions was a victim of a criminal act by a hacker, and they did report this to MasterCard. They voluntarily reported it, and they should be commended for that. That is my understanding.

And, furthermore, I would like to note that we learned of the situation at CardSystems Solutions through a public announcement by MasterCard International. This announcement was not required by the law; rather, MasterCard played the role of a good citizen, good corporate citizen in notifying the public of the situation, even though MasterCard itself was not the subject of the breach. And I commend MasterCard for their efforts. So in the aftermath of this hacking incident, I think the system worked well, and these companies responded in an appropriate way.
But I do believe that really the solution to this is that we first in this Congress pass a law, and I know Chairman Castle and Chairman Pryce and others are working on it with Mr. Moore and others and Mr. Davis, on establishing a national uniform standard protecting all Americans. And with that, I yield back any time I have.

Chairwoman Kelly. Thank you, Mr. Bachus. Mr. Cleaver has indicated he has no opening statement, so we will turn to Mr. Scott.

Mr. Scott. Thank you very much, Chairwoman Kelly, and I want to thank you and Ranking Member Gutierrez for holding this very important hearing on credit card fraud and identity theft. I certainly also want to take this opportunity to welcome Mr. John Perry, who is president and CEO of CardSystems from Atlanta, Georgia, my hometown.

Of course we all know that recent news continues to affirm the viewpoint by many consumers that their personal credit is constantly at risk for fraud or abuse. It is a major, major problem facing this country. Tens of millions of consumers have been exposed to credit fraud or theft, and these data attacks and frauds have hit major credit card issuers and banks, many of whom already have high standards for data protection. And in my hometown of Atlanta, some of the major events and incidents have occurred at ChoicePoint and at CardSystems. But it is important to note that ChoicePoint is recovering from its security breaches, and CardSystems has responded to this and they are working their way through the fallout, and I certainly commend you in the steps that you are taking and wish you speedy success.

It is also important to note that the incidence of theft has gained national attention. From my own constituents, for example, we have had many discussions with privacy issues. Many of them are asking what they can do to protect themselves and what Congress can do to punish the credit thieves. Credit theft and identity fraud can be devastating to a family.
Their credit can be ruined, it can take countless hours and resources to repair their good name, and I believe that Congress should provide additional protections that are substantive and not merely reactionary. I look forward to learning more in this hearing and hearing this distinguished panel. Thank you.

Chairwoman Kelly. Thank you, Mr. Scott. Chairman Castle?

Mr. Castle. Thank you, Chairwoman Kelly. Thank you for allowing me to speak in my 3 minutes, so I will jump right to it, and I will jump out of what I was going to say formally and just talk a little bit about our legislation that has been referenced by several people that Chairwoman Pryce and Dennis Moore and I introduced today. I believe very strongly that we do need a national solution, and we need it fairly rapidly. There is a lot happening in the States. Maybe there are certain State-relevant things that need to exist, but I think we need to speak to this sooner rather than later. I am delighted we are doing it on a bipartisan basis. Actually, we have bi-legislative basis right now. We have two bills out there, maybe others before we are done, but we are moving forward. I would like to have compliance. I am not particularly interested in enforcement, but obviously you need the enforcement behind it to get the compliance. But our hope is that once we share information and we have a clear standard, which is something else I want in our legislation, I want everybody to be able to clearly understand what it is that we are doing. I agree with Chairman Bachus, there is a lot out there now, there are a lot of enforcement mechanisms which are out there now, but we need to make sure that everybody understands what they are dealing with in this particular area.
We need to expand this to entities not under financial regulation now, Gramm-Leach-Bliley and those who regulate under Gramm-Leach-Bliley, because a lot of the breaches that have happened have happened from entities away from that, and that is also significant. And I think there is an issue of consumer angst here. I was one who received a notice. I did not have much idea of what to do. Eventually, I figured it out. And my concern is who is going to really open that envelope, who is really going to know when you will be mailing it out, the whole business of not over-involving the consumer but making sure the consumer is absolutely protected when the consumer has to be. Those are at least some of our goals in drafting this. I hope that some day we have this legislation before us and we do it unanimously, quite frankly. I have no interest in having something that is divided in this committee with respect to where we are going. So we appreciate you being here today. We appreciate your contributions to this information. It is simple to say what I have just said, but it is a little hard to write it, as we have learned. So we know it is complicated, and we are going to need a lot of help to do it, but I think we have a very strong determination, and it is one of those issues that should move forward and it is one of those issues that really should not get hung up on politics but should be able to be resolved fairly rapidly. And with that, I yield back, Madam Chairwoman.

Chairwoman Kelly. Thank you. Ms. Wasserman Schultz?

Ms. Wasserman Schultz. Thank you, Chairwoman Kelly and Ranking Member Gutierrez, for convening today's important hearing. I particularly want to welcome Zyg Gorgol from American Express, which is one of the largest employers in my district, in South Florida. What I am hoping to hear from our guests' testimony today will focus on lessons learned from recent events and how to best move forward to ensure that America's consumers are protected.
We have a steady drumbeat of high profile data security breaches in the last 6 months, and that has given many Americans, I would say most Americans, cause for concern. My constituents are no different. Since I was first elected and came to Congress in January of this year, my office has received dozens of calls, letters and e-mails on this matter. In fact, it is probably the thing that has gotten the most attention and volume in my office. One woman in Hollywood, Florida, wrote to me and said, ``I am outraged that private companies can hold information about me without any national standards for whether or how they protect that information.'' From another one of my constituents in Fort Lauderdale, she said, ``It is time for Congress to give Americans meaningful identity theft protection, insist on strong security standards for information brokers with real penalties if they fail to keep my personal information secure.'' The apparent ubiquity of these cases has clearly caused a great deal of alarm and also caused some confusion. What I would like to hear from the credit card company representatives today is for you to help clarify the difference between identity theft and credit card fraud, because there is clearly a difference. Both are very serious matters, but the credit card companies have developed effective consumer fraud protections to combat fraud and I think it is important to make that distinction. Part of our challenge here is that many of the industry's guidelines and best practices that have been developed to protect consumer information have not been adopted by third party vendors and retailers; in other words, those in the payment stream. And I have always believed in personal responsibility, and this standard certainly applies to vendor and third party processors. Any company touching consumer data must be responsible and accountable for the way in which that data is managed. 
Two of the largest security breaches announced this spring involved merchants that had maintained unnecessary credit card magnetic strip information, including card verification and replacement codes in violation of industry security rules. It has become quite clear to me that we need effective and consistent national standards for both how consumer data is managed and when consumers are notified about potential breaches. We also have to make sure that we do not set fire alarms off for no reason. If there has been data that has been compromised but it is not necessarily a danger to the consumer, telling them absolutely everything that they think they need to know is not necessarily wise. Existing regulations are simply not sufficient, though, and I encourage my colleagues on both sides of the aisle, as Chairman Castle has, to build upon the industry's existing best practices and ensure that our consumers are protected. Thank you. I yield back the balance of my time.

Chairwoman Kelly. Thank you. Chairwoman Pryce?

Ms. Pryce. Thank you, Madam Chairwoman. I appreciate the invitation to be here today. The effects of data breach can be staggering to the American public. It is a problem that has to be addressed sooner or later. I just want to thank you for your interest in it, for you holding this hearing and commend Mr. Castle and Mr. Moore and Ms. Hooley and Mr. LaTourette for working together on a bipartisan basis to address this, and I look forward to moving legislation, as Mike said, sooner rather than later, because it is a problem of national significance, and I think the consumer confidence issues will begin to affect the economy if we do not do something soon. So thank you so much for holding the hearing, Madam Chairwoman.

Chairwoman Kelly. Thank you very much. Ms. Hooley?

Ms. Hooley. Thank you again for holding this hearing and for allowing me the opportunity to speak.
The topic of identity theft is one I have been working on for over 8 years, and the wave of data security breaches over the last few months has been one of the most troubling developments I have witnessed in that time. Identity theft represents a fundamental threat to our e-commerce, to our overall economy and to our homeland security. No longer are we facing just ``hobby hackers'' looking to create a nuisance. Increasingly, these attacks are driven by skilled criminals. ID theft is huge business in this country. Today, with Congressman LaTourette, we have introduced legislation that requires universal and timely notification to consumers when their personal, sensitive financial information is put at risk, as well as one free year of credit monitoring service when a breach places consumers at risk of identity theft. I look forward to working with all of my colleagues on this committee and Ms. Pryce and Mr. Castle and Mr. Moore to pass the best possible legislation. I am particularly concerned about the breach that occurred with CardSystems this May. The behavior of CardSystems was in direct violation of agreements with MasterCard, Visa, and American Express. CardSystems placed 40 million consumers' financial accounts at risk. Now, while I recognize only 200,000 accounts were actually compromised--that is still a lot--in this case, I am not certain that consumer notification is enough. Valuable financial information that was not rightfully owned or stored by CardSystems is what is at question here. I would like to applaud Visa and American Express for no longer doing business with CardSystems until they are sure that the problem has been resolved. And I am looking forward to seeing what CardSystems has done in the last few months. Again, I thank you, and I look forward to this hearing and testimony from the panel. Thank you.

Chairwoman Kelly. Thank you. Mr. Renzi?

Mr. Renzi. I thank the chairwoman for allowing me to be on the dais today and to participate.
I am a member of the Intelligence Committee and every morning have a chance to look and see the threat against the United States. There is no cybersystem security system available in the commercial marketplace that cannot be hacked. There are few systems that the government has that have not been hacked to date, but they necessarily are not in the commercial world. I say that to you in order to make the point that there is no perfect system. I had a chance earlier this morning to meet with both the representatives from CardSystems and Visa. I am thankful that you both have expressed a good faith to meet privately and expeditiously within the next few days to see if you can work through the real facts, not those that just appeared in the paper that were just quoted, but work through some of the real facts and see if you can come up with solutions. I think that needs to happen. We have over 100 Arizonans who work for CardSystems, whose jobs will be immediately lost, but a death knell will be put to CardSystems. Now, that has a chilling effect on those in the industry who have come forward and worked with investigators to show the truth and say, ``Hey, look, this is what happened,'' rather than hide it. So while some may applaud Visa and MasterCard for their actions, think about unintended consequences that may also occur. So let me come back and say thank you to Visa and to CardSystems for giving me their word that they will meet in an expeditious manner, in a good faith manner to work through the facts that hopefully may work and lead to compromise. Either way, I am hopeful that there could be a solution that will be found that will protect both American consumers as well as those people who are an integral part of the credit card system here in America. I thank the gentlelady for yielding me the time.

Chairwoman Kelly. Thank you. Mr. Matheson?

Mr. Matheson. Thank you, Madam Chairwoman. And thank you, Ranking Member Gutierrez.
I am pleased the Oversight Subcommittee has scheduled this hearing regarding data security, and I am also pleased to be here this morning to welcome David Watson, who is chairman of Merrick Bank, based in my home State of Utah. I appreciate Mr. Watson taking the time and effort to travel to Washington to participate in this hearing regarding data security. I know that Merrick Bank and its employees have a good reputation with their clients and customers, and I appreciate their commitment to working with us on the credit card data issue. The issue of data security is incredibly important to all of our constituents. Many people are concerned about the potential for credit card fraud and identity theft. I look forward to hearing the testimony of Merrick and all the other witnesses on the panel so we can learn more from their experiences and understand whether there are more reasonable steps, and I want to emphasize reasonable steps, that we can take to increase data security so that we can prevent theft of data and identity. And with that, I will yield back my time to Madam Chairwoman.

Chairwoman Kelly. Thank you very much. I am turning now to the panel. We have a very distinguished panel with us: Mr. Joshua Peirez, who is the senior vice president and associate general counsel of the Legal Department of MasterCard; Mr. Steve Ruwe, executive vice president, Operations and Risk Management, Visa; Mr. Zyg Gorgol, senior vice president, Fraud Risk Management, American Express; Mr. Carlos Minetti, executive vice president, Cardmember Services, Discover Card; Mr. David B. Watson, chairman of the Merrick Bank; Mr. Mallory Duncan, general counsel of the National Retail Federation; Mr. John M. Perry, president and chief executive officer, CardSystems Solutions, Incorporated--and I have to say, sir, I am delighted to have you here, and I admire your courage for being here--and Mr. Evan Hendricks, editor and publisher of Privacy Times. Mr. Peirez, we begin with you.
STATEMENT OF JOSHUA PEIREZ, SENIOR VICE PRESIDENT AND ASSOCIATE GENERAL COUNSEL, LAW DEPARTMENT, MASTERCARD INTERNATIONAL

Mr. Peirez. Good morning, Chairwoman Kelly, Ranking Member Gutierrez and members of the subcommittee. My name is Joshua Peirez, and I am a senior vice president and associate general counsel at MasterCard International, located in Purchase, New York. It is my pleasure to discuss the important topic of fighting fraud and safeguarding financial information, and I commend the subcommittee for holding this important hearing. MasterCard takes its obligation to safeguard financial information and protect consumers extremely seriously. This issue is a top priority at MasterCard where we have a team of experts devoted to working with law enforcement and maintaining the integrity and security of our payment systems. Our great success in protecting consumers and preventing fraud is due in part to the constant efforts we undertake to keep our networks secure. This is why our overall fraud rates are at an historic low, well below one-tenth of 1 percent of our volume. MasterCard's information security program is comprehensive and we continually update it to ensure that it provides strong protection. MasterCard requires each of our customers and merchants and any third party acting on their behalf to safeguard cardholder information. In addition, MasterCard has a variety of consumer protection and antifraud tools. Importantly, MasterCard has voluntarily implemented a zero liability rule. Under this rule, consumers will generally not be liable for any unauthorized use of their cards. In addition, MasterCard is focused on preventing unauthorized use in the first place through enhanced security features on the card, the MasterCard address verification service and our proprietary fraud reporting system which helps identify and prevent fraud from occurring in the first place.
We also offer services to our issuers and assist them in proactively identifying and stopping fraud. I would now like to discuss the CardSystems situation. Several months ago, MasterCard and a few of our issuers noticed a small pattern of fraud. Working with our issuers, we traced the pattern of fraud to the acquirer, Merrick Bank, and then on to CardSystems, a third party processor the bank had hired. Once notified of the situation, CardSystems identified a script in its system designed to export cardholder data. CardSystems then engaged a data security firm to conduct forensic analysis of its networks. The forensic investigation found that, first, CardSystems was storing transaction information on its system in violation of our rules. This was remedied in short order. Second, the investigation confirmed the presence of a malicious computer script on CardSystems systems, along with other serious security vulnerabilities. And, third, there was evidence that some cardholder data had been compromised. Based on the findings, we believe approximately 68,000 different MasterCard accounts and well over 100,000 accounts of other brands were exported from the CardSystems database. The matter is under investigation by the FBI. Upon learning this information, we demanded that we be provided with the account numbers impacted as soon as possible, and we received the file on June 16th. We notified the banks that had issued the impacted accounts beginning the very next day and are continuing to monitor the potentially affected accounts with those banks. Given the circumstances of this case, MasterCard made the decision that a public disclosure of the event was warranted. Thus, on June 17th, we issued a press release to notify the public of the situation at CardSystems. I would like to stress that we provided broad public disclosure because it was the right thing to do, even though we had no legal obligation to do so. 
We continue to closely monitor CardSystems' efforts to cure their deficiencies and have given them only until the end of August to do so. Let me now turn to a brief discussion of possible legislative measures to help address the issue. MasterCard strongly supports the legislative efforts to enact uniform national standards and believes it is critical that any legislative solution: one, strengthen criminal penalties to be in line with the severity of these crimes; two, provide notification to consumers in appropriate circumstances; and, three, establish strong data protection requirements for entities not already covered by the Gramm-Leach-Bliley Act. MasterCard looks forward to working with you as you tackle these important issues, and I would be pleased to answer any questions you may have.

[The prepared statement of Mr. Peirez can be found on page 98 of the appendix.]

Chairwoman Kelly. Thank you very much. Mr. Ruwe?

STATEMENT OF STEVE RUWE, EXECUTIVE VICE PRESIDENT, OPERATIONS AND RISK MANAGEMENT, VISA U.S.A. INC.

Mr. Ruwe. Chairwoman Kelly and members of the subcommittee, my name is Steve Ruwe. I am the executive vice president of Operations and Risk Management for Visa U.S.A., Incorporated. Visa appreciates the opportunity to appear at today's hearing on the issue of information security. The Visa Payment System, of which Visa U.S.A. is a part, is a leading consumer payment system and plays a pivotal role in advancing new payment products and technologies, including initiatives for protecting cardholder information and preventing fraud. Cardholder security is never an afterthought at Visa. For Visa, it is about trust. Our goal is to protect consumers, merchants and our members from fraud by preventing fraud from occurring in the first place. This commitment to protecting consumers from fraud includes Visa's zero liability policy, which protects Visa cardholders from any liability for fraudulent purposes.
Because the financial institutions that are Visa members do not charge their cardholder customers for fraudulent transactions, those members absorb most of the cost from fraudulent transactions. Visa has implemented a comprehensive and aggressive security program known as the Cardholder Information Security Program, CISP, which applies to all entities that store, process, transmit, or hold Visa cardholder data. Visa also provides sophisticated neural networks that flag unusual spending patterns for fraud that enable our members to block authorization transactions where fraud is suspected. Only yesterday, Visa announced a new nationwide data security education campaign that will involve both the payments industry and merchants in the fight to protect cardholder information. Visa believes that all parties who participate in the payment system share responsibility to protect cardholder data. When cardholder information is compromised, Visa notifies the issuing financial institution and puts the affected card numbers on a special monitoring status. Visa also uses an array of other security measures that are described in my written statement to prevent particular fraudulent transactions. As a result of these strong security measures, fraud within the Visa system is at an all-time low of 5 cents for every $100 worth of transactions. Visa was recently informed by payment processor, CardSystems Solutions, Incorporated, CSSI, about an unauthorized intrusion into CSSI's computer system. Visa immediately worked with the processor, law enforcement, and affected member institutions to prevent card-related fraud and respected law enforcement protocol to keep the information about the investigation confidential. Visa notified all of the potentially affected card issuing institutions and provided them with the necessary information so that they could monitor the accounts and, if necessary, advise customers to check their statements or cancel or reissue cards to their customers. 
The card-issuing institutions that are members of the Visa system have the direct responsibility and relationship with their customers, and because of Visa's zero liability policy for cardholders, bear most of the financial loss if fraud occurs. Visa institutions can best determine the appropriate action for each customer that might have been affected. We have determined that about 22 million Visa card numbers from the CSSI database were put at risk. In many of these cases, CSSI, by its own admission, knowingly and improperly retained magnetic stripe information, which was a clear violation of the cardholder information security program. Because of CSSI's failure to follow Visa's security requirements, Visa is terminating CSSI's ability to act as a processor for Visa members. Protecting our cardholders was, and remains, Visa's primary goal in responding to this incident. Significantly, the information retained by CSSI did not include the cardholders' date of birth, address, Social Security number, or driver's license number. Visa believes that the information involved in this incident cannot be used to commit identity theft--identity fraud against an individual in which a criminal opens a new account in the individual's name. Thank you for the opportunity to present this testimony today. I would be happy to answer any questions.

[The prepared statement of Mr. Ruwe can be found on page 119 of the appendix.]

Chairwoman Kelly. Thank you very much. I wanted to step into a bit of housekeeping. The two boxes at the end of the table indicate green, yellow, and red lights. The green light means you have 5 minutes, the yellow means you have one minute to sum up, the red light means that it is time to end your testimony. I just simply wanted all of you, in case you have not testified before Congress before, to understand how that system works and if you wondered what those lights were doing. Mr. Gorgol?
STATEMENT OF ZYG GORGOL, SENIOR VICE PRESIDENT, FRAUD RISK MANAGEMENT, AMERICAN EXPRESS

Mr. Gorgol. Chairwoman Kelly, Ranking Member Gutierrez, members of the subcommittee, my name is Zyg Gorgol, and I am a senior vice president of Fraud Risk Management at American Express. My responsibility is to protect our customers by preventing fraud or identifying and minimizing it as quickly as possible. I appreciate the opportunity to testify today about the recent data security breach at CardSystems Solutions and its impact on American Express cardmembers. We view this breach with great concern and have taken steps to protect any cardmembers who may have been affected by it. I would like to highlight a few key points today, so the complete body of my comments has been submitted to the committee. First, I would like to discuss the Payment Card Industry Data Security Standards. They provide an industry-wide approach to safeguarding charge and credit card customer data. These PCI standards were developed by a cross-industry working group that included American Express and the other major card networks. American Express fully endorses these standards as an appropriate industry baseline for data security in the payments industry. Let me now specifically discuss CardSystems. As background, CardSystems Solutions processes less than 1 percent of American Express card transactions. Upon learning of the breach at CardSystems, we began an investigation to determine any impacts on American Express cardmembers. We also put additional security and fraud prevention measures in place for all American Express card accounts that were on their database. We are continuing to closely monitor these accounts for any suspicious activity on an ongoing basis.
Based upon our current analysis, we have determined the following: 1.6 million American Express card accounts were stored on the database; information relating to approximately 12,000 American Express card accounts appears to have been acquired by unauthorized persons. Although the information relating to these 12,000 accounts included the card account number and expiration data, it did not include any personally identifiable information, such as name, address or Social Security number. While we have been closely monitoring these accounts, we have not detected any increased incidences of fraud on these 12,000 accounts, nor have we detected any increased incidence of fraud across the total number of accounts that were on the CardSystems database. We are continuing to monitor all of these accounts for any suspicious activity every day, and we continue to investigate where the criminals accessed any other American Express card accounts. It is important to know that American Express employs sophisticated monitoring systems and controls to detect and prevent fraudulent activity. Historically, this has been an area of emphasis for American Express. Over the last several years, we have invested tens of millions of dollars to enhance our fraud prevention capability to better protect cardmembers. If fraudulent charges are placed on an American Express card account, we stand behind our cardmembers. American Express cardmembers are not held liable for fraudulent charges. Finally, we believe there are some tangible steps that can be taken to better protect consumers. Most importantly, we recommend that Congress extend Gramm-Leach-Bliley-like safeguard standards to those companies involved in processing card payments that are not currently subject to those safeguards today. Sensitive customer information should be consistently protected as it passes throughout the payment card transaction cycle. 
In conclusion, I want to assure the subcommittee that American Express is strongly committed to protecting the security of our cardmembers' personal information. It is clear that recent events have raised the public's concern regarding security of their personal information. We share this concern and are constantly working to protect the security of our cardmembers' information so that when a customer makes a transaction they have a confidence that it will occur in a safe and secure manner. We appreciate the opportunity to share our views on this issue and look forward to working with you and members of the Financial Services Committee. This concludes my testimony. I would be happy to answer any questions you may have.

[The prepared statement of Mr. Gorgol can be found on page 66 of the appendix.]

Chairwoman Kelly. Thank you very much. Mr. Minetti?

STATEMENT OF CARLOS MINETTI, EXECUTIVE VICE PRESIDENT, CARDMEMBER SERVICES, DISCOVER CARD

Mr. Minetti. Madam Chairwoman and members of the subcommittee, thank you for inviting Discover Financial Services to share our views on the issue of data security breaches affecting credit card information. My name is Carlos Minetti, and I am responsible for operations and risk management at Discover. This includes oversight of Discover's information security and antifraud efforts. Discover works very hard every day to prevent customer information from falling in the hands of individuals who would hope to use it for criminal purposes, like account fraud or identity theft. Discover Bank, the issuer of Discover cards, is a financial institution subject to Gramm-Leach-Bliley information security standards and the interagency guidance on security breach response programs. The FDIC examines Discover Bank for compliance with those standards, and our data security program is designed to perform with them. At Discover, we have a number of different fraud and identity theft prevention programs, which are described in my written statement.
In fact, in 2005, ``Identity Fraud Safety Scorecard for Credit Card Issuers,'' conducted by Javelin Strategy and Research, ranked Discover as number one in overall card safety features. Today, I will focus on our response initiatives. Because we operate both a large merchant network and issue the Discover Card, we are often able to learn about computer hacking and other signs of data compromises when they first occur. In fact, Discover was the first network to uncover evidence of data compromises in many of the recently publicized security breaches involving large merchants and payment processors. Upon learning of a data security breach that may affect Discover Cardmembers, such as the CardSystems Solutions incident, we immediately commence an investigation. We first ascertain the type of information involved to determine whether the data could be used to commit identity theft or otherwise harm the consumers. We also identify the specific accounts that were affected, monitor those accounts, and take further action if necessary, such as contacting our customer or closing the accounts. Where the breach occurs at merchants or processors, we must rely on information from those companies. We work with them and with their party of forensic investigators to validate the breach and its impact on Discover Cardmembers. We also work with other card networks when their account data is affected. It is critically important for all these parties to cooperate fully in the investigative process. Discover carefully weighs all relevant facts and impacts on our customers to determine the proper course of action. If we determine that a breach is likely to harm our customers, we notify them in accordance with the Interagency Guidelines and the requirements of State laws. We also take further action as may be necessary to prevent harm, such as further monitoring or closing the accounts. 
We coordinate our efforts with the FDIC and with law enforcement personnel who may be investigating the incident. As the subcommittee is aware, not every data breach resulted in any theft of consumer exposure to substantial costs and time-consuming efforts to remedy misuse of personal information. As a result, it is often not necessary to immediately notify consumers, close accounts, provide credit report monitoring, or put fraud alerts in consumers' files. Discover Cardmembers are not responsible for unauthorized charges, and our 24-7 customer service allows them to quickly remove the fraudulent charges from their account. Industry resistance to across-the-board up-front notification, card reissuance, and other requirements is not based on the cost involved. Given the fact that potential fraud-related losses are incurred by credit card issuers and not by the consumers and can quickly eclipse the cost of notification and/or card reissuance, the customer notification/reissuance is generally not the driving factor for decisions about how best to react in a given situation. Our investigation of the CardSystems Solutions security breach is ongoing. This breach is very troubling and should never have occurred. Based on what we know today, it does not appear that Discover Cardmembers were exposed to a risk of identity theft, because the Discover data was limited to purchase transaction information. While the CardSystems breach did involve a loss of Discover data that could be used to commit account fraud, Discover Cardmembers will not experience financial loss as a result of this incident. As the committee considers the need for legislation, addressing information security and identity theft, we hope you will consider our recommendations. First, a single national standard for responding to security breaches affecting personal information is appropriate.
Second, the Interagency Guidelines coupled with onsite compliance examinations establish an effective and proper regime for information held by the national institutions. It also provides regulators with the flexibility they need to adjust breach response standards. Finally, when a data breach affecting credit card information occurs, notification is best handled by the card issuer, not the entity whose security was breached. An entity whose security was compromised must cooperate fully in investigating the incident and preventing further fraud, but it should not be charged with contacting credit card customers who may have been affected. A single notice is the best way to protect credit card users, and card users are in the best position to determine whether and when that notice is appropriate. We appreciate the opportunity to discuss information security issues, and we would be pleased to provide further information that would be useful to the subcommittee. [The prepared statement of Mr. Minetti can be found on page 85 of the appendix.] Chairwoman Kelly. Thank you. Mr. Watson? STATEMENT OF DAVID WATSON, CHAIRMAN, MERRICK BANK Mr. Watson. Madam Chairwoman, ranking member, and members of the subcommittee, thank you for inviting me to testify today. My name is David Watson. As a cardholder myself and as chairman of a card-issuing bank, I commend this committee for its diligence and its interest in formulating good public policy on credit and security--a topic of importance to virtually every American. Merrick Bank is a Utah financial institution, subject to regulation and annual examination by the FDIC and the Utah Department of Financial Institutions. We issue credit cards to accountholders, and we make payments of processed credit card transactions to merchants. Credit card and account holder security is a fundamental principle of our business; it has to be.
First, a little bit about the credit card payment process and then Merrick's relationship with CardSystems. To most consumers, the credit card system seems marvelously simple and dependable but behind the scenes multiple players and a sophisticated series of steps are triggered in each of the millions of daily credit card transactions. Each step must be performed with precision, for the integrity and security of the process is only strong when the performance of each party is strong. The merchant initiates the transaction, the processor authorizes the transaction and sends the notice for payment to the cardholder's bank and then ensures that the merchant is paid. The paying bank is then reimbursed by the card issuer's bank through the Visa and MasterCard settlement networks. All of this is conducted according to rules imposed by the individual card associations. Like many other banks, Merrick Bank makes payment to merchants who use CardSystems for processing. Before September 2003, we did not have any significant business contacts with CardSystems, although they were a known entity in the card processing field. Following 2003 discussions concerning the transfer of certain Provident Bank merchant contracts to Merrick, we advised CardSystems that we could not consider participating in any processing unless and until CardSystems became compliant with the Customer Identification Security Program, which you have heard is the CISP Program, and the Visa Data Security Accreditation Program. CardSystems then engaged Cable & Wireless, an auditor from the Visa group auditor list, to conduct the CISP assessment. Cable & Wireless was selected by CardSystems, paid by CardSystems, and the audit report that resulted was sent to Visa. In June 2004, Visa informed CardSystems that it was just approved, and CardSystems so notified Merrick Bank. We then successfully took over most of Provident Bank's merchant payment contracts effective September 30, 2004. 
From that point to May 2005, Merrick's payments for the transactions presented by CardSystems proceeded routinely. After initial inquiries from MasterCard regarding potential fraud activity, on May 22, 2005, CardSystems identified a security breach in its operation and on May 23rd, contacted the FBI. On May 25th, CardSystems contacted Merrick and advised us of a possible intrusion and export of cardholder data at CardSystems. Merrick reviewed this information and notified Visa and MasterCard of the potential security breach. On May 27, 2005, with the approval of MasterCard and Visa, Merrick engaged Ubizen, a well known forensic IT audit firm to thoroughly investigate the breach at CardSystems, and Ubizen began an onsite examination of CardSystems at its Tucson facility on May 31, 2005. We also sent our chief security officer and our senior network engineer to the CardSystems site to investigate the issue and see that immediate action was taken to prevent any further breach. The Ubizen audit identified two issues at CardSystems. First, CardSystems had retained certain transaction data on their system in violation of association procedures. Ubizen reports this data retention practice had been followed by CardSystems since 1998, even though it was inconsistent with CISP standards. This was not identified by the Cable & Wireless report in the 2004 Visa certification process. Second, Ubizen identified certain issues with CardSystems servers and software, which were compromised by the intruding party. Again, unfortunately, the Cable & Wireless report did not make any mention of these vulnerabilities. Merrick Bank, Ubizen, CardSystems, Visa, and MasterCard have all been aggressively working together to see that the issues permitting the breach are corrected and that CardSystems' data environment is fully secured. 
Visa and MasterCard have identified the cardholders whom they believe may have been compromised and have sent notice to the issuing banks of the potentially affected cardholders. This was accomplished by June 17th. Merrick is taking additional steps. We are preparing a contingency plan to assure our merchants are serviced without disruption in a secure environment. In addition, in consultation with security and data experts, Merrick is developing its own set of requirements to assure card processor compliance with all applicable card association standards. I want to conclude by reiterating our absolute commitment to data security. We are very closely monitoring for unusual activity the accounts of any affected cardholders. While we deeply regret any impact that this breach has had on consumers, we understand this presents all of us with an opportunity to help our industry improve our systems and processes and thereby better protect consumers' interests. I want to again commend this committee for its hard work and good work to formulate sound public policy that will assist us in achieving this goal. Thank you. [The prepared statement of Mr. Watson can be found on page 127 of the appendix.] Chairwoman Kelly. Thank you. Mr. Duncan? STATEMENT OF MALLORY DUNCAN, GENERAL COUNSEL, NATIONAL RETAIL FEDERATION Mr. Duncan. Thank you, Madam Chairwoman. I am Mallory Duncan, senior vice president and general counsel for the National Retail Federation. The NRF is the world's largest retail association with membership that comprises all retail formats and channels of commerce. We appreciate the opportunity to testify here today. There has been a substantial increase in the reported incidence of identity theft. Federal Trade Commission data indicates that identity theft complaints increased 8-fold to nearly 250,000 between 2000 and 2004. Recently, an FTC survey estimated 10 million people experienced identity theft within the past year. 
Even larger numbers have been published elsewhere. The reported numbers are rising, but we do not know how much of that is a real increase as opposed to increased awareness of those reporting, versus mischaracterization of the problem. As striking as these figures are, it is important to recognize that the fraud that they reflect comprises a variety of activities, not all of which are true identity theft. I suggest we look at this issue broadly. We have to ask, how do businesses know who we are? Relatively few of us reside in communities with bankers and shopkeepers who have known us since birth. Instead, proof of our identity has shifted from being something others vouch for to something that is inferred: from identifiers such as driver's license and Social Security numbers, and quick recall of personally related facts, such as date of birth, mother's maiden name, and office telephone numbers. True identity theft occurs when someone appropriates identifying data for the purpose of secretly committing fraud. The thief may attempt to open credit and checking accounts, purchase a car, even buy a condominium using the victim's excellent credit history. So long as the thief makes payments, it might be years before anyone discovers the fraud. On the other hand, the thieves may decide to stiff the creditors, potentially ruining the victim's credit report. In that case, it could take months or years for victims to recover their good name. Worse, if not apprehended, there is the possibility the thieves will strike again. In contrast, much of what is commonly referred to as identity theft is in fact credit card fraud. While it can be a problem for those affected, credit card fraud is much closer to a serious nuisance than it is the horror of identity theft. Equally important, Congress long ago approved many of the tools needed for its correction. Under the Fair Credit Billing Act, the consumer may challenge charges and be held harmless for the loss.
Either the retailer or the card issuer bears the cost of the loss. With this distinction in mind, it is clear that the incidence of identity theft is, fortunately, considerably different than some of the numbers that have been cited. Even if one accepts the 10 million estimate by the FTC, it turns out that two-thirds of that is not truly identity theft. Now, I go into this distinction because the remedies for these two frauds are quite different. Credit card fraud is usually an on-off event. Once discovered, credit card fraud is relatively simple to stop by closing the account and reopening a new account number--a pain, but it can be stopped. On the other hand, when identity theft occurs, it is not a simple matter to change an individual's Social Security number, date of birth, or mother's maiden name. If society has limited resources that it can devote to fighting crime, then we ought to tilt toward using those resources to help consumers faced with the more serious consequences. Indeed, this committee recently established many new protections for identity theft victims with the FACT Act. Now, although identity theft grabbed the headlines, retailers have devoted considerable attention to reducing the incidence of credit card fraud as well. Several retailers issue their own cards. They want to protect the integrity of their cards and essentially treat all cards with the same level of security. Currently, merchants are coming online with the Visa and MasterCard new security program. Initially developed for your Internet transactions, the card associations are extending these to all channels of commerce. The FTC recently entered into a proposed settlement with BJ's Wholesale Club as a result of system attacks in 2003. Retailers are paying particularly close attention to the requirements of that settlement. And when there are losses, they are typically borne by the retailers, yet another incentive for us to want to reduce the incidence of both types of fraud.
In closing, identity theft is a fairly focused but especially pernicious form of fraud. Proof of identity has become a more elusive quality at the very moment that our society is investing greater amounts of trust in its veracity. Viewed from a distance, our credit system is marvelous. Families receive a meal in exchange for a swipe of plastic. Individuals secure home financing from bankers they have never met. These benefits flow not from credit cards but from the trust our society invests in the identities of persons seeking credit. If we are to preserve these benefits, society must crack down on those who would abuse that trust by appropriating the core elements of identity. With the passage of the FACT Act, Congress has begun to provide tools to those who have been victimized. It should now provide incentives to ferret out and prosecute those who make use of those tools necessary. Thank you for the opportunity to appear today. I will take your questions. [The prepared statement of Mr. Duncan can be found on page 54 of the appendix.] Chairwoman Kelly. Thank you. Mr. Perry? STATEMENT OF JOHN M. PERRY, PRESIDENT AND CHIEF EXECUTIVE OFFICER, CARDSYSTEMS SOLUTIONS, INC. Mr. Perry. Good morning, Madam Chairwoman and members of the subcommittee. Thank you for inviting CardSystems to appear before you today. We appreciate the opportunity to address the issue of data security and more specifically the recent security attacks perpetrated against us. First and foremost, we truly regret this occurrence of data theft. We have readily acknowledged our error and continue to work non-stop to ensure that we do not become a target of another breach. I had planned to provide you with some prepared remarks today discussing policy implications of the security incident that occurred at our company, and I had an opportunity to discuss that important issue with some of your staff yesterday.
But today, a small company with 115 employees, in Atlanta and Tucson, is facing imminent extinction. That concerns me greatly, not just because of how it will impact our company but because how it will impact 110,000 merchants who rely on CardSystems to process their transactions. If CardSystems is forced to close its doors, many of these merchants will be unable to process credit card transactions for days or even weeks. Signing up with a new processor is not merely as simple as changing from one phone company to another. It can cause significant disruptions to a business' operation. Moreover, I am concerned about the signal that our experience sends to other payment card processors and businesses, one of which undoubtedly faces a similar security incident in the future. We came forward in May to report this incident to law enforcement officials and our sponsor bank. As a result of coming forward with this important information, CardSystems is being driven out of business. Our experience should send a troubling message to policy makers. Other companies will have less incentive to come forward in the future when similar breaches will undoubtedly occur, knowing the potentially catastrophic effect that they could have on their businesses as well. We are still learning from the ongoing investigation but we do know this: That the attack on our system was very sophisticated. Based on the forensic investigation, we know of only one confirmed instance of which data was exported and that is the May 22nd incident that has brought us here today. I am relieved to report that this breach, to our knowledge, has not resulted in identity theft. By design, information is fragmented among different players in the payment card industry. This means processors like CardSystems do not have access to complete information, such as Social Security numbers, which could greatly facilitate identity theft. Additionally, this breach has not, to our knowledge, resulted in credit card fraud. 
Make no mistake, exposure of information about one card is too many. We will not be satisfied until we are confident that everything that can be done has been done to prevent this from ever happening again. Turning to the issue of security compliance, all businesses that handle cardholder data are directed by the payment card networks to follow rigorous security standards. CardSystems was audited and certified in the late fall of 2003 by a qualified Visa security assessor. More recently, Visa and MasterCard have developed the payment card industry, or PCI, data security standard, which has been adopted by all the card networks. We have hired an independent security auditor who has reviewed our systems and has affirmed that we will be PCI compliant by the end of the month. We are also pleased to hear today that Visa has agreed this morning to meet and discuss and, I am confident, to resolve our differences. As MasterCard has just noted, I am sure that we will complete the necessary work to satisfy all requirements for continuing our work as processors by August 31st. We appreciate the opportunity to participate in this hearing, and we welcome the chance to address any questions from the subcommittee. Thank you. [The prepared statement of Mr. Perry can be found on page 105 of the appendix.] Chairwoman Kelly. Thank you. Mr. Hendricks? STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, PRIVACY TIMES Mr. Hendricks. Thank you, Chairwoman Kelly, Ranking Member Gutierrez. This is my first time back since the 2003 FACT debates. That year inspired me to write my book, ``Credit Scores and Credit Reports,'' which spends a lot of time trying to explain to consumers what to do in situations like this. It also has a chapter dedicated to Congress' and this committee's work, which was an exciting and productive year, I think, for all of us.
I think it is also worth pointing out that this committee, your subcommittee, was the first one to hold a hearing on a data breach involving a credit card processor, I think it was April 2003. So you continue to be out in front of this issue, and look at the response you get by shining the spotlight. I think it is very commendable. I think there are several lessons from this event. One is that some companies will not have adequate security unless they are forced to. They will continue to treat security as an afterthought. I think you used to say that privacy is good for consumers and good for business. I think we have elevated to the point now where privacy and security is not only good, it is essential, and that you see by blowing it on privacy and security, that there are serious economic repercussions. Here a company is faced with an enforcement action that could close them down or seriously reduce them in size. It would have been good to have considered not to keep personal information that you were not supposed to keep in the first place and if you were, to encrypt it so it would be rendered useless with robust encryption. I hope other companies will learn the lesson that in ignoring privacy and security, you do so at your own risk. I think the other thing that we have to remember is the consumer. These incidents impose real costs and hardships on consumers. I have already heard from a few who did not receive any notice of this event, went into the retailer and found out that their account had been flagged and were unable to make purchases. Some were accompanied by friends or by business associates. Other people, consumers, have called to try and find out, ``Has my information been compromised?'' Some credit card companies were fairly responsive. Others did not have a clue what to tell people, and so this again contributes to the anxiety. 
If we are going to have a system where notice is not going to be required for every little event, then it is incumbent upon organizations to have a mechanism in place to inform people who are trying to find out what is going on. The other lesson from this is some companies will not notify consumers unless they have to. Some companies will make the judgment that there is no real harm to people. And the problem with that is that if you get a credit card number in this sophisticated hack, the sophisticated hackers and identity thieves can use a credit card number as leverage to get a Social Security number through pretext and other means. We need to stop treating the lowest priority as the consumer because the consumer is the basis for this entire credit card system. If we look at the breaches that we have had this year, ChoicePoint, Bank of America, CitiFinancial, 3.9 million Social Security numbers about to go out the door and what do they do, they call UPS. They are not encrypted, and the information is lost by UPS. And now with CardSystems and potentially 40 million, the number of Americans that are potentially exposed to these security breaches equals the number of Americans that originally signed up for the ``Do Not Call'' list. So it is sort of an eerie mirror of the privacy issue. The other thing that shows the inadequacy is what is not known. I mean, there are more things that we do not know about what happened with this data, how it went out, who it went to, and, again, there is no transparency, there is no reporting to the public. The lack of encryption is very troubling. We want to encourage encryption, but we also want to keep in mind that encryption by itself is never going to solve the problem. It is a multifaceted problem and encryption has to be robust and meet certain standards. Just because you call it encrypted does not mean that it is adequately protected in this day and age. 
The biggest threat here, I think, is the one to our society, is the lack of confidence that is going to entail from all of these events. If you look at each event and then total them up, as a consumer you do not think there is anyone out there looking for your data and that lack of confidence could have enormous implications, just as it is having for the Cingular company. If there is falling confidence in our credit card system, the numbers on that could be really scary. And think what Congress did to build confidence in the credit card system. Congress, you like to beat up on yourselves, all the members like to joke about yourselves, but give yourselves credit. You passed the Fair Credit Billing Act a couple decades ago to make sure consumers were protected, to put confidence in the system so that people were not going to lose their finances if something went wrong with their credit card. That is the kind of protection we need in terms of people's data. That is how this has migrated. Chairwoman Kelly. Mr. Hendricks, will you please sum up? Mr. Hendricks. Yes. In closing, I would say this is a very multifaceted problem. I urge the committee to be as comprehensive as possible in addressing it and to look at the key moment, the reason thieves steal identities is because the credit report continues to be disclosed when the thief applies for credit in your name. Thank you, and I am sorry to have gone over. [The prepared statement of Mr. Hendricks can be found on page 78 of the appendix.] Chairwoman Kelly. Thank you very much. I would like to ask a question about a company that is not represented here. I would like to ask Visa, Cable & Wireless security was part of your approved auditor list and CardSystems picked Cable & Wireless from that list. 
I would like to know how Visa certified Cable & Wireless, and I would like to know since Cable & Wireless has been bought by an international company, now it is called the SAVVIS Company apparently, I would like to know if that SAVVIS Company has been tasked to do a better job than Cable & Wireless. What can you tell me, Mr. Ruwe? Mr. Ruwe. Yes. Cable & Wireless is one of a number of vendors that are approved by Visa and/or MasterCard to perform assessments in this environment. As you said, the processor in this case selects from a list of those assessors and contracts with them to conduct the assessment and provide the assessment results to Visa or MasterCard or whoever it is going to. In the case of Cable & Wireless, they are now, as you mentioned, SAVVIS. Visa has asked SAVVIS to explain how there could be such a discrepancy in the report of compliance between what was reported to Visa in reality. We have temporarily suspended SAVVIS from being able to do any more security assessments, and we have asked them to revalidate the last ``X'' number of assessments they have conducted. So the investigation as to what happened in terms of the discrepancy that was very large of what was the case at CSSI versus what was in the report provided to Visa on behalf of CSSI is still under investigation. Chairwoman Kelly. Mr. Ruwe, and I would ask you too, Mr. Peirez, how do you set up the goals that you expect the auditing companies to meet? What standards are you applying before you put them on your list? Mr. Peirez? Mr. Peirez. Thank you, Madam Chairwoman. Well, obviously at this point in time, a lot of this information is new to us as well, in terms of what happened in this particular instance, as we were not privy to this report. That being said, we obviously are looking at the measures in order to have auditors who are effective, who know what they are doing, and who can give accurate reports. 
We look for auditors who follow standard auditing practices and look for them to issue reports that are within those guidelines. There are many standards out there for best practices of auditors, and that is what we look at. Chairwoman Kelly. So you use whatever the standards are that are in the industry but do not have separated standards of your own. Mr. Ruwe? Mr. Ruwe. There are in the case of assessors that Visa uses, and I believe this is true now of MasterCard, perhaps it was not at that time, there is a set of documentation that the assessor is given as a minimum that could be provided to the committee if they would like to see it, a minimum of standards that define and delineate and categorize the things that they have to check within that environment. That is as a minimum. Beyond that, as a processor, assessor in this space, these companies have proven themselves to be viable and capable of doing this work, otherwise they would not be on the list. So there is an actual process that is defined that they have to go through as a minimum for the PCI Program, and then beyond that they have their own additional assessments that they conduct. Chairwoman Kelly. Mr. Gorgol, Mr. Minetti, I would like to have you please chime in on this. Tell me what your standards are. Mr. Gorgol. At American Express-- Chairwoman Kelly. Mr. Gorgol, I am sorry-- Mr. Gorgol. Sorry. Chairwoman Kelly. Thank you. Mr. Gorgol. At American Express, we have the data standards in our contract with companies like CardSystems, the processors, and there are consequences to not meeting those standards. And you can see recently that those consequences do have teeth. But we also rely on the industry, and we would expect processors to draw from the industry and bring in professional help to make sure that they are meeting that contractual obligation. Chairwoman Kelly. Mr. Minetti? Mr. Minetti. Our requirements are also outlined in our contracts. 
In addition to that, when we select the vendors we conduct an RFP, a request for proposal. I am not familiar with the criteria in the RFP, but it was a competitive process and we selected the top vendors of that list. Chairwoman Kelly. Perhaps, Mr. Minetti, you could-- Mr. Minetti. I can provide it. Chairwoman Kelly. --advise the committee in writing. It is something of concern because if you all rely on auditors, then it is important that reliance is a correct one. Mr. Minetti. And I will be happy to provide you with a written statement that outlines the criteria. Chairwoman Kelly. Fine. Thank you very much. My time is up. Mr. Gutierrez? Mr. Gutierrez. Thank you. Well, first, I want to commend Mr. Ruwe and Visa for being a leader in the industry and initiating heightened security which became the PCI standard for the industry, and I commend the other companies for working to make this an industry standard. I think it is a step in the right direction in terms of securing data of the public, which Mr. Hendricks so clearly elaborated we should be most focused on here at this hearing. And I think, Madam Chairwoman, I think your questions about the audits are excellent, and we should examine who performs these audits and what standards are used and what the best practices are for these audits that are used by Visa and MasterCard and all of the other credit issuing companies, because if you have a bad audit, they all have bad information and our checks and balances, I think, are all out of whack. So I think it is a great place. I am happy that you went in that direction, and I am going to be asking Visa to put in writing, if they would for me, just what happens at the audit, what flaws they saw in the audit and what actions they took with the auditor after they saw the vulnerabilities of the audit. 
I would like to say also that it seems to me that we have a very, very serious problem here, because trying to set aside the issues of the processor and the credit card issuing companies, I mean, as I read these prepared statements and I look back and they say that there were--and I would like to ask Mr. Perry about this--your testimony has indicated that the data relating to 239 accounts was transferred out of your system. And this looks as though this number--239,000, thank you very much--this looks as though this number can be tracked to only one day of transfer activity since the hacker software was on your system since September of 2004 through May of this year and was designed to download data every 4 days. That is in your testimony that he actually entered your system--he or she, they actually entered your system in September. So it just seems extremely unlikely that a hacker, a sophisticated hacker would enter your system in, say, September, October, November, December, January, February, March, April and finally in May decide to download this information. And Merrick Bank did an audit, a forensic audit and their auditor suspects and found information that your system was probably already vulnerable as early as April of 2004. Do you have any other information, I mean, is it your testimony that the only information that you have is of the 239,000 names downloaded that one day, that was the only security breach at CardSystems? Mr. Perry. Mr. Gutierrez, regarding that question, the only export of data that has actually been confirmed where it is possible to actually describe the number of accounts that were exported from the system was the security incident that occurred on May the 22nd, Sunday afternoon, I believe, when I heard about it. Mr. Gutierrez.
Well, it just seems rather unlikely and given the forensic information that Merrick Bank put together in saying that your system was probably already hacked into and that you were vulnerable much earlier than that, that a hacker would just wait that long to download information on one particular day, which only tells us that we need to be more secure, because even in your testimony and other people's testimony, you were vulnerable for months if not for over a year before you found out that somebody actually downloaded some information. And, secondly, the information that you held, why did you hold information that clearly was established in the contract, at least with MasterCard, in the information I have received, with MasterCard and Visa that you were not supposed to have in your system? Mr. Perry. Mr. Gutierrez, the data that was actually exported on that day that we notified the FBI and Merrick about was from a database that was used primarily for research purposes. Mr. Gutierrez. I guess my question is, why did you have the data in your system if your contract with MasterCard and Visa, I do not know about the other two companies, but at least with those two companies they said, ``This is part of our contract. We do not want you to have this information.'' Mr. Perry. Mr. Gutierrez, we have stated that we were in error by keeping that data. That data was specifically designed to provide customer service to the merchants that might have had a transaction that did not properly execute, it did not properly process, and the individuals in that case that managed that database believed it enhanced customer service to provide the merchants with the information they would need to conduct their business. Chairwoman Kelly. Thank you. We turn to Mr. Garrett. Mr. Garrett. Thank you. I appreciate Mr. Watson's opening comments about the simplicity of the system and how the average consumer just deals with it in an easy manner. 
From a government point of view, I can go to a local government agency, whatever it is, try to transact some sort of action with the government, it may take me some hours or days or even weeks to get some sort of response from the government, but I can go across the country or across the world and just open my wallet and bring out my credit card and given it them and literally within seconds or a minute or 2 they know who I am and I can get into a hotel or, as you say, have dinner or something like that. So it is an amazing ability that we have developed or that you all have developed, and I guess the track record has been fairly good in the scheme of things, and unfortunately we come to this point in time when it occurs as it does here, but I think I want to commend that it has been able to move the economy as it has in the system that we have had so far. The concern we have is whether we need to be taking additional actions right now or, as I see from one of the charts that we have here, literally the litany of regulations that applies to the various players, whether it is the issuing banks, the merchants, the ISO's, the card services, and it goes from the Federal banking laws, the FACT Act, the FTC safeguard rules, the bank regulators acts and so on. So we have a lot on the books already, and I know some of you who are before us are involved in the regulatory side of the game. Let me turn first to Mr. Perry then on that regard. Someone else had made mention, I believe, earlier with regard to Gramm- Leach-Bliley and how that applies here or it does not apply here. Your understanding as to whether that applies to you or not? Mr. Perry. Mr. Garrett, we are currently conformed to the regulations and rules of the card associations who set before us, including Visa and MasterCard, who set before us the rules on how we process timeframes, etc. Mr. Garrett. Okay. 
If anyone else would like to address the question with regard to Gramm-Leach-Bliley, whether that should be applying to them now or in the future. Yes? Mr. Hendricks. My understanding is that Gramm-Leach-Bliley does not apply to the processors, and one of the reasons was that they do not keep the information. So when they keep the information, it really becomes problematic. Mr. Garrett. Okay. Does anybody else have a comment on that? Mr. Gorgol. We would agree to have Gramm-Leach-Bliley apply to the processors as well. Mr. Garrett. That it should. Mr. Gorgol. It should. Mr. Garrett. Okay. And, Mr. Hendricks, as long as you are answering the question, in the situation that we have right now and the descriptions that you have here and I guess in your book as well, is there recourse for the consumer in some other avenue other than through the regulatory scheme from civil action or anything else on those matters to recourse? Mr. Hendricks. That is why I like Visa taking action here. The only enforcement action after all these breaches has been Visa in this case. There have been several class action lawsuits filed after various breaches, and those are going to drag on forever, and the companies, the defendants are going to say, ``The law does not apply to us,'' and they are going to point out more holes in the law. So there is no simple solution for consumers. It is just an enormous burden on them to constantly be monitoring their credit reports and their credit card statements because the smart thieves are going to wait for the 30-, 60-, 90-day period or even over a year before they use the information, particularly if they get Social Security numbers. Mr. Garrett. The other people that can be harmed to a degree, not as much as the consumer can be, but that is the issuing companies and the small, I guess they are called the acquiring banks, the small merchant banks are involved here, because they have to pay for the reissuance of the card. 
Can some of you discuss that as far as how they are reimbursed? I understand that sometimes it is in the contract, and sometimes I understand that it is difficult for the smaller players, the credit unions as well, that have to get in under the line here to deal with those contracts. Can some of you address that issue, how that is reimbursed and is made or is not made? Mr. Peirez. Thank you, Congressman. I would be happy to address that in so far as the MasterCard system is involved. First of all, we provide protection against issuers, large and small, both for the cost of monitoring their accounts as well as for the cost of reissuing accounts if that becomes necessary as a result of a data compromise scenario. There is no distinction between how those rules would apply to a small or large institution. Indeed, our experience is that smaller institutions tend to take us up on that more often. So that is how it works with MasterCard. Mr. Garrett. Okay. Mr. Ruwe. In the Visa world, if there is fraud perpetrated on an issuer, whether it is large or small, there is no distinction as well. They have a system of being able to apply for compensation for that through Visa. It is based on actual fraud occurring subsequent to the event. Mr. Garrett. My time is up, but thank you. Chairwoman Kelly. The gentleman's time is up. Please answer the question and then we have to go to another member. Mr. Garrett. I do not know if any of the other gentleman from the other-- Mr. Gorgol. It does not really apply to American Express. We are the only issuer and the only acquirer. Mr. Garrett. Sure. Chairwoman Kelly. Thank you very much. Mr. Davis? Mr. Davis of Alabama. Thank you, Madam Chairwoman. Let me follow Mr. Garrett's lead and kind of ask you in the time that I have to react to some of the legislative issues that Congress will wrestle with in the next few months based on distinctions from these various bills. 
Let me ask you, obviously one of the differences in the bills around the table is the question of preemption, the question of whether or not State law will be set aside in favor of a Federal standard. Let me ask you, do any of you believe that general State tort laws or general State breach of contract laws that are not specific to data security should be preempted? Is there anybody on this panel who believes that a State breach of contract law that is already in place or a State tort law should be preempted by this bill? Does anyone have an affirmative answer to support that? Mr. Ruwe. Yes, Congressman. I think Visa would support a national level approach. Mr. Davis of Alabama. So you support a national approach which would take a State breach of contract law that is in place right now and say it cannot be applied even if it is not specific to data security. Mr. Ruwe. That is correct. Mr. Davis of Alabama. What about Mr. Peirez, would you support that kind of standard? Just give me a quick yes or no because of the time. Mr. Peirez. Congressman, I will have to follow up with you and look at specifically what you have in mind in terms of the laws in question. Mr. Davis of Alabama. Well, I mean, the specific question was, preexisting State tort law, preexisting State breach of contract law, it is not specific to data security, you have no position. Mr. Gorgol, do you have a position? Mr. Gorgol. I am a little bit out of my league. I would have to get-- Mr. Davis of Alabama. Okay. Mr. Minetti? Mr. Minetti. Same here. Mr. Davis of Alabama. You are out of your league or you do not have a position? Mr. Minetti. Both. Mr. Davis of Alabama. All right. Mr. Watson? Mr. Watson. As I understand what you are saying, it is not just a preemption of regulations but a preemption of remedies, and I guess one needs to go hand in hand with the other. Mr. Davis of Alabama. So your position would be if they go hand in hand with the other, they should be preempted or not. Mr. Watson. 
Yes. Mr. Davis of Alabama. All right. Mr. Duncan? Mr. Duncan. I am not absolutely clear on the question. Mr. Davis of Alabama. The question is, preexisting State breach of contract law, not a data security law, but a general breach of contract law that a litigant tries to enforce in State court today, should it be preempted by Congress? Mr. Duncan. Again, from a retailer perspective, I am not sure what the cause of action would be. Mr. Davis of Alabama. It would be-- Mr. Duncan. But if Congress is attempting to develop a national standard, then retailers would like to see preemption to the extent that data protection is covered. Mr. Davis of Alabama. Mr. Hendricks, I am not quite sure I have heard an answer to my question yet. Would you like to briefly weigh in on it? Mr. Hendricks. Yes. It would be a really bad idea because contracts are between two parties, and I do not think we want the Federal law jumping in between that kind of relationship. Mr. Davis of Alabama. And let me turn to another scenario. One of the issues or the differences is a question of when you disclose a breach, and the bill that Ms. Bean and I have would, if I can use the shorthand, probably create something of a presumption in favor of disclosure. Some of the other bills would frankly probably create a presumption in favor of nondisclosure. What if you had this scenario, and I will not, for the sake of time, ask you all to react to it, but what if you had this scenario: What if a company believed that its database was compromised but in no specific instance could it identify a specific breach for a particular consumer? Do any of you believe that a company in that instance should not be required to disclose under Federal law if we pass a standard? Anybody want to weigh in on that? Mr. Duncan. I guess I will start by saying I am not sure: if you think there may have been a breach, but you cannot show particular evidence of-- Mr. Davis of Alabama. No, no. 
Let's say that you know there has been a compromise of your system but you cannot identify the instance of a specific consumer that there has been a breach. Should Congress mandate a company that believes its system has been compromised to go ahead and notify the public or should the company be able to say, ``We know we have been compromised but we cannot tell them the specific instance.'' Mr. Duncan. I think you run the risk in that situation, if you have notification, that unfortunately we run into with some of the Gramm-Leach-Bliley notices. People receive privacy notices by the boatload, and at some point they stop reading them. Mr. Davis of Alabama. And, Mr. Hendricks, I am going to ask one last quick question and you can respond to the one you want to on this one. I am interested from hearing from Mr. Hendricks on how other professions handle this. I used to be a lawyer, well, still am a lawyer, just do not have to practice now. In my profession, confidentiality is at the bedrock of what we do. Doctors, confidentiality is at the bedrock of what they do; same for hospitals. What is the standard, Mr. Hendricks, as someone who is an expert on privacy, for a lawyer who believes that his or her files have been compromised? What are the ethical obligations of that lawyer for notifying the client, and what are the ethical obligations of a doctor or the medical world for notifying the patient if their security or their identity or their information, rather the confidentiality has been compromised? Mr. Hendricks. They basically would have to notify very specifically each client and then take whatever remedial actions were necessary depending on what kind of information was breaches. So it would be some heavy lifting, yes. Mr. Davis of Alabama. So that is the current ethical standard. Chairwoman Kelly. The gentleman's time is up. Thank you very much. Mr. McHenry? Mr. McHenry. Thank you, Madam Chairwoman. 
As votes are approaching, I will try to not use up my full amount of time. I want to start by saying thank you, first of all, to Visa and to MasterCard and to the others for actually disclosing that this occurred. That was not a motivation mandated by law but it was the right thing to do for your customers, and I certainly appreciate you all stepping forward and disclosing to your cardholders and to the public at large that this occurred. I know it was not easy but it was certainly the right thing to do. And that goes directly to my question for you all, and I will leave this for the panel. Is there a marketplace motivation, is there a market force for data security? We are talking about possibly passing legislation to force you guys to do certain things. My question is, is there a market force for data protection and data security? Now, one at a time. Okay. Slow down here. Chairwoman Kelly. And please remember that we have been called for a vote, and we need to have answers rapidly. Mr. Peirez. Yes. There is a marketplace for data security. Mr. McHenry. Great answer. Next? Mr. Watson. Congressman, I can tell you there is no stronger marketplace call for data security than the potential undermining of the consumers' confidence in this system. If the consumer does not believe in this system, then we do not have a system and we do not have a business. What could be a stronger market force than that? Mr. Gorgol. I would agree. Trust is the bedrock of our business. Mr. Ruwe. We agree. Mr. Perry. We agree as well. Mr. Minetti. We concur as well. Mr. McHenry. The problem is it is kind of a negative market force that would hit in after the fact, which is why I think we need to get in front of the issue. Inside companies where they have officers who push for security, they still run up against, ``Well, why do we really have to do this?'' So that is where the public policy has a good role to play. Mr. Duncan, do you want to chime in? Mr. Duncan. 
To some extent, it depends on the kind of breach. I spoke with a retailer yesterday who, because they were seeing a fair amount of identity theft, had taken great efforts to reduce that number. Marketplace forces work because they eat those losses. Mr. McHenry. Well, that sounds very encouraging. If there is a marketplace for this to occur, then perhaps legislation is not the right route for us to take. If the marketplace is going to deal with this, let's watch it, let's monitor it, and let's make sure that you all are doing your part to adhere to Gramm- Leach-Bliley, to adhere to the standards we currently have on the books. Let's make sure that is the right thing to do. And I certainly appreciate in particular Visa and MasterCard stepping up to the plate, disclosing fully and doing what was right in a timely manner. That makes a big difference, and it makes a big difference for this committee. Chairwoman Kelly. Thank you, Mr. McHenry. We have been called to a vote at the Capitol. I am going to ask the committee to recess for approximately 15 minutes. We will go, we will vote, it is 2 votes, and we will be back here and reconvene in approximately 15 minutes. [Recess] Chairwoman Kelly. Let us continue. Thank you for your forbearance. We turn now to Mr. Price. Mr. Price. Thank you, Madam Chairwoman, and I appreciate you having a recess and allowing us to come back. You are welcome to take as long as you want answering my questions. I want to thank you all again for coming, and I want to commend you for the work that you do. I am constantly in awe of the literally billions of transactions that occur without any errors or without any violation at all. And so I want to commend you for the work that you do. And I understand, as I think Mr. Garrett said, it may have been Mr. 
Renzi, that there are bad guys out there and they are trying as hard as they can to break your systems, and I think it is important for us to appreciate that we are all on the same team, we are all interested in making certain that the consumer has the confidence in the system and that it works as easily, frankly, as it does now. Mr. Ruwe, I heard Congressman Renzi say that he had spoken with Visa and with CardSystems and that you all had agreed to get together and work. I heard Mr. Perry say that, but I did not hear you say that. Are you committed to working with CardSystems and trying to work out a solution that is hopefully more equitable to all involved? Mr. Ruwe. I spoke with Congressman Renzi before the meeting and said I would talk to CSSI. That is what I said. I would meet with them. Mr. Price. And help me understand a little bit about-- MasterCard is comfortable apparently right now with allowing CardSystems to continue with the work that they are doing and understanding and I heard a commitment from CardSystems that they would have PCI standards in effect by the end of the month, I believe. How is it that you all reached a different conclusion about your relationship with CardSystems? Mr. Ruwe. I think the crux of our problem is the discrepancies in the audit that we were provided on behalf of CSSI and reality, and there is a huge gap between that, and we feel that CSSI bears responsibility for the accuracy of an audit conducted on their premises. Mr. Price. But CSSI is not the auditor, are they? Mr. Ruwe. They are not the auditor, but they are responsible for what is in the audit report. Mr. Price. Mr. Perry, were you aware--Mr. Gutierrez talked to you about the error being in error and holding that information. Were you aware that you were in error? Was CardSystems aware that they were in error? Mr. Perry. Mr. Price, until the incident that took place in May, I was not aware. 
When I joined the company in April of 2004, I did look at the CISP report prepared by Cable & Wireless. It was an unqualified report, it was a very clean report, and to be quite--I took that report and reviewed it with management, and we were gratified to get the unqualified certification from Visa. Mr. Price. So you thought you were in complete compliance. Mr. Perry. Yes, sir. Mr. Price. And to Visa, isn't the culpability here potentially with the auditor and not with CardSystems? Mr. Ruwe. In our system, the culpability is with the party who is being audited. Now, if there is a problem with the audit-- Mr. Price. But they believe, however, that they are in compliance because the auditor has told them they are in compliance. Mr. Ruwe. Then I think that if you look at the audit finding versus what turned out to be reality in the environment, the gap is quite large, and we do not understand how there could be a gap of that size between what was true in the environment and what was in the audited report. I do not know what went on between the auditor and CSSI, but it is a joint responsibility in our view. Mr. Price. But you are willing to work with CardSystems and see what that discrepancy was and see if you cannot work out a relationship. Mr. Ruwe. We said we would take a meeting on that. We have asked for explanation on this gap previously and not received satisfactory answers. Mr. Price. Okay. Mr. Hendricks, I would like you to comment, please, on the sense that I believe is possible and that is a chilling effect in the industry if in fact the individual who stands up and says, ``Look, I am in error here, and I am working as hard as I can to comply or correct the situation,'' what about that chilling effect? Mr. Hendricks. Well, yes, we always want people to have full reporting, so we take the remedial measures and make sure it does not happen again. 
I do like to focus on the fact that there was a decision made by somebody to keep personally identifiable information that was not allowed by contract. And we have to find out why that happened, why that decision was made, because that is what created the problem, what is exposed here today. And I think Visa deserves a lot of credit, because if they know that there is a huge gap there and security is not being protected, they have to take enforcement action; otherwise, they become complicit in it and other processors will think, ``Well, they do not take this seriously either.'' Mr. Price. And I appreciate that. And nobody wants there to be these violations or breaches, understanding that no loss occurred as a result of this, is my understanding. Mr. Hendricks. I mean, in terms of loss, I do not think we really know how much the bad guys got and what they did with it. The whole point that they are in the system for over a year and we only have a record of the stuff going out the back door one month, I look forward to the results of the investigation. Mr. Price. Thanks. My time is up, Madam Chairwoman, but I look forward to being able to submit other questions. Chairwoman Kelly. And, certainly, you may. I would like to ask about the PCI standard. The PCI standard, according to page 6 of CardSystems' testimony, is based on Visa's CISP, and it was adopted by Visa, MasterCard, Discover, American Express, Diner's, and JCB in December of 2004. In theory, the PCI standard did not work here, if you look at it. So are you still using the same standard or has the standard been changed? And let's start with you, Mr. Peirez. Mr. Peirez. Thank you, Madam Chairwoman. I think I would say that the standard is relatively new in terms of being an industry standard and only having been implemented at the end of last year, the compliance date for everyone was June 30th of this year. 
We, at MasterCard, have gone out with letters to the over 300 third party processors of whom we are aware, making them crystal clear on those standards as well as requiring them to provide us with a certification within 60 days that they are not storing the type of sensitive data that led to this particular breach event. So we think the standards are still sound. We think they were not followed here. Mr. Ruwe. I would like to, if I can, take an opportunity to clarify one thing. The PCI standard became effective in December of 2004, which was the result of the four large card companies getting together and agreeing on a set of rules. However, prior to that, the Visa standards were fully in play and people were fully responsible to be compliant with them. So in the timeframe that we are discussing here, prior to 2004, the CISP standards would have been in place and Visa players would have been responsible for being compliant with them. As far as whether or not they work, I think that the CISP standards do work if they are followed. And in this case, up to this point, it appears to us they were not followed. Chairwoman Kelly. Anyone else like to respond to that? Mr. Gorgol? Mr. Gorgol. I agree. I believe the standard is sound. I believe it is an enforcement issue here. Chairwoman Kelly. Mr. Minetti? Mr. Minetti. I also believe the standard is sound. Again, it is just not following the standard that created the problem. Chairwoman Kelly. Okay. Mr. Duncan. Madam, may I-- Chairwoman Kelly. Yes, by all means. Mr. Duncan. One of the things from the retail perspective, the standards are an excellent idea in terms of trying to work out a coordinated approach, but they are extremely complicated, and that may be part of the issue. Some retailers have mentioned difficulties with the complications as well. Chairwoman Kelly. Thank you. Thank you for that observation. That goes to a question I would like to ask of Mr. Gorgol. 
In your testimony, on page 2, your explanation of the PCI standard, I would like you to define those standards in light of what Mr. Duncan just said, in terms of their impact on small business customers. Do you impose the same security standards on small businesses for the privilege of using your card that you impose on large businesses? Mr. Gorgol. Yes, to answer your question directly. I think the standards to protect the data need to be the same for everyone throughout the transaction chain. I think it is incumbent upon us as an industry to make it easy as possible for the small mom and pop stores to be able to meet those standards. Chairwoman Kelly. Mr. Duncan, you said you think they are a bit complicated. I am concerned because, as I read Mr. Gorgol's testimony outlining some of the expectation levels here, how a mom and pop store, just a small business retail store on a corner, can maintain the six elements of what Mr. Gorgol's testimony--you probably have the testimony in front of you, I can go through them if you do not remember what they are--but I am concerned about its impact and the cost on small businesses. Mr. Duncan. Ideally, there should be risk-reward basis in the standard, and I think there has been some effort to achieve that; that is, that at the original CISP standards there were more requirements for larger merchants than there were for smaller merchants. And this makes a certain amount of sense because if there is a breach, it is likely there is going to be more data captured from a large merchant than a small merchant. That said, I have heard a number of merchants complain about complications in understanding the enforcement standards, but they are making their best effort to do so. Chairwoman Kelly. Well, I think we need to make sure that the cards must be secure, that the standards of the industry may not need to be all the same for every industry. 
It may be a little more difficult for someone in the situation I described, the business person in the situation I described, to, for instance, to keep a written notebook. Looking at the standard, they were to build and maintain a secure network. Obviously, that is possible. Protect cardholder data. That is possible. Maintain a vulnerability management program. I am not sure what that means. And I do not know how complicated that is. Does that mean you have to have a notebook, you have to have somebody outside coming in to audit? How expensive is this protection? You have to implement strong access and control measures. That is totally possible for somebody in a small retail business. Regularly monitor and test networks. That is possible. Maintain an information security policy. What does that say? Those are some problems I see for small businesses, Mr. Duncan. I would like you to answer them. Mr. Duncan. Well, for a number of small businesses, it can be a challenge. You think of a modest retailer that might have 6 or 10 stores in their chain. Chances are they are buying their equipment, the point-of-sale equipment already in a single package, and they really have to rely upon the software and hardware provider to have it right. They probably do not have the facility to do an in-depth study. So there have to be some allowances for this, and, as I said, it is a challenge. Chairwoman Kelly. It is a challenge, but I think it is important that we consider this, that the major credit card companies consider this. Having been a retail merchant, a small merchant, and accepting Visa, MasterCard, American Express in my business, I know that I would have been surprised if somebody walked in the door and said, ``How are you protecting this information from someone from the credit card companies? Do you take it on faith, do you go and inspect?'' What are the standards that you are asking small businesses to do to protect the information at that level? 
It is a concern, it is a cost to small businesses, and it is something I think that we need to think about in terms of protection, both for the customer and the retail merchant as well as the credit card issuer. That being said, I want to go to the concern that I think many small businesses--again, customers of Merrick Bank through the credit card systems will lose their access to credit cards. That could drive them out of business. Was the impact on small business customers considered when the decisions were made from Visa and MasterCard and so on? What are you doing, Visa, in particular, to help the small businesses stay in their card network? Mr. Ruwe. When Visa selected October 31st as the termination date, as has been stated, we took into consideration how much time it would take for an acquirer to move from one processor to another, and that was felt to be a reasonable amount of time. I believe the statements that have been made regarding the small merchants' inability to move or inability to retain new services or the situation where they would be out of touch or unable to operate or transmit or conduct Visa transactions have been overstated. We believe that they will be able to find new processor accommodations within that timeframe, and that is something we will work with our banks on, our acquirer banks. I have not heard this complaint from my acquirer banks. I have only heard it from CSSI. So if my banks tell me we need more time, then we will take that into consideration. We are not going to leave merchants hanging, but the statements that have been made so far regarding merchants and being cut off and being left in the cold have been overstated, in our view. Chairwoman Kelly. But have you done any outreach on that score to allay the fears of the merchants? Mr. Ruwe. That would be done through the acquiring banks who have the direct relationships with the merchants. That is not done by Visa. Chairwoman Kelly. All right. I understand that. 
I mean, I appreciate your response. When a merchant says to me, ``I am not going to accept American Express, I will accept Visa,'' that is your brand. What has happened here with CardSystems affects your brand. And I understand your wanting to protect your brand, but I also want to make sure that we set standards in such a way that the industry can respond in a way that it is possible for them to. A law is no good unless it can be followed. So it is extremely important that outreach be made, I believe, from your brand to the small businesses to help them understand not to panic, because from what I understand you are letting the banks take care of that, but, sir, are you sure that the banks are actually in touch with their small businesses and helping them understand and get through and find access to what they need? Mr. Ruwe. Madam Chairwoman, we have every intention of working with the acquiring banks and to support them any way we can in this space. My response was more of a factual one than anything else. We do not have direct contact with merchants any more than we have direct contact with cardholders, but we certainly will support our acquirers in this transition. Whatever we need to do to support them or make sure that the merchants are comfortable and feel knowledgeable about what is going on, we will support them in that regard, yes. Chairwoman Kelly. I would be interested in Am Ex and Discover's response to that, as well as MasterCard. Mr. Gorgol. Well, American Express will be offering our merchants a different choice for processing. They will have a number of different options. We will work with them directly over the next couple of months, including the option to come directly to American Express and avoid using a processor all together. Mr. Minetti. From our perspective, we have not finalized a decision. We wanted to be thoughtful and have all the information before we reach a conclusion. 
We have been working with CSSI all along, and we have a meeting scheduled to talk to them next week.

Chairwoman Kelly. Thank you, Mr. Minetti. Mr. Peirez?

Mr. Peirez. Madam Chairwoman, similar to Discover, we have not shut off CSSI at this point. We expect them to be in full compliance by the end of August, as they have told us they can be. If it becomes necessary for something to happen that would put their ability to process MasterCard transactions at risk, we would certainly make sure that the small merchants would not be impacted in any way. We would do the outreach necessary to get to that point, but we are not there at this time.

Chairwoman Kelly. Thank you. Yes, Mr. Perry?

Mr. Perry. Madam Chairwoman, may I just add that I have been in this industry for a long time with quite a few different payment processors, and we have 110,000 small businesses around the United States that are typically not 6-location merchants but one-location merchants, one-location restaurants, and some of those restaurants take up to 80 percent of their sales, or credit card sales, if not 100 percent. It is my belief that it will not be possible to move a portfolio or part of a portfolio of 110,000 mom and pop merchants over the course of 3 months in an orderly fashion. Changing your credit card processing is not similar to changing your cell phone service, and some of us that have done that also understand how difficult that can be. There are a variety of different issues involved, including underwriting, technology, changing bank accounts, scheduling, as we all know is very difficult with a small business because at the end of the day they are very focused on moving product out the door, not necessarily the payment type that they take. And this will be a huge inconvenience to the small business, and we are very, very concerned how we continue to take care of these small businesses.

Chairwoman Kelly. Thank you. Mr. Cleaver, thank you for returning.

Mr. Cleaver. Thank you, Madam Chairwoman. I have 6,000 questions. I will reduce it to five. One of the personal issues I have shared, and maybe Mr. Hendricks can respond, about 4 weeks ago the host of one of the ``hate'' radio shows in my hometown went on the air and said that he had my Social Security number, and he said on the air, ``And I plan to use it to find out everything about him.'' I called the FBI. They said, ``Well, we do not get involved in this.'' I called the Federal Communications Commission and they said, ``Well, we do not get involved in this.'' I ended up calling four or five different Federal agencies, and finally I called the U.S. Marshals Office and they began to monitor the radio show. It seems to me that there ought to be something wrong with somebody essentially promoting identity theft. And it was done on radio, the record is there, the tape is there, the whole 9 yards, but there is apparently no law against that. I did not think it was a good idea that people could promote the commission of a crime, but apparently you can do it with impunity on the public airwaves. Is there anything or any way that you think that kind of thing can be corrected?

Mr. Hendricks. Well, first of all, I am really sorry to hear that. That is absolutely horrible, and I cannot imagine someone can do that without being ashamed of themselves, but obviously--

Mr. Cleaver. No, he is not ashamed.

Mr. Hendricks. Yes. Obviously, he did. We in the privacy and consumer community would like to see a rollback of the Social Security number. It is required for many things in our society, but we need to start getting them out of courthouses, we need to stop using them as insurance company identification numbers if they are doing insurance. And there is legislation pending to have better protections for Social Security numbers so that he could not get it in the first place. That is the first thing.
Obviously, using a Social Security number to harass someone, yes, maybe that is not covered by statute now but that is something that we should consider looking at. And in terms of the other problem, where does the consumer go for help, and I have to point out that in every other Western country except the United States there is a national office in charge of privacy issues, where people can go to get answers to these sort of questions, and sometimes you can get an investigation. It is called a privacy commissioner or data protection commissioner, and I think as big as this issue is getting, I think we should start revisiting that issue, because I think we need one here for situations like this.

Mr. Cleaver. Thank you. My other question--this will be the last, Madam Chairwoman--I was the mayor in Kansas City and in an attempt to confuse the crooks, we encrypted our system, communications system, so that people who had the radio band sitting around would not know what we were doing and when we were going to do it. Is encryption an option for us that could possibly either reduce or prevent identity theft, particularly with credit cards?

Mr. Duncan. Congressman Gutierrez--excuse me, Cleaver--

Mr. Cleaver. He is shorter. [Laughter.]

Mr. Duncan. What am I doing? Encryption can be a partial solution, but there are tradeoffs with encryption. There is highly detailed information on credit cards, but obviously we do not want to have stores retain information that one could use to make a clone card. But there is fairly basic information, the original numbers, the name, the expiration date, that if you encrypt it, you may save some problems, but you also may create more problems on the other side. Let me give you an example. Many consumers go into a retail store where they have bought something and they would like to return it but they do not have their receipt.
If the checkout clerk who is taking the item back has to decrypt data in order to accomplish a return, it makes it much more difficult or maybe impossible in many situations. So there has to be a balancing as to how we achieve that. As to your first question, may I say that one of the points we wanted to focus on in our testimony is the need for more enforcement. Currently, if retailers find evidence of identity theft and take that to the State attorneys general offices, oftentimes they will not enforce unless they have $100,000 worth of damage. So we would like to see a situation where Congress would encourage State officials to take a more active role in going after those who are committing crimes.

Mr. Cleaver. Thank you.

Chairwoman Kelly. Thank you, Mr. Cleaver. Mr. Price, you said you had another question. Feel free to ask.

Mr. Price. I may?

Chairwoman Kelly. Yes.

Mr. Price. Thank you, Madam Chairwoman. I appreciate it. I think this is an incredibly important topic, and I think we can overreach in so many ways, but, again, I think it is imperative that we make certain that folks have confidence in the system. Mr. Gorgol, if you would not mind, please, commenting on the potential culpability of the auditor vis-a-vis CSSI review and ultimate problems that they had.

Mr. Gorgol. We relied via our contract on CardSystems meeting their contractual obligations to meet the data standard. And they were the ones we worked with. We did not work directly with the auditor, so I cannot comment on it.

Mr. Price. Mr. Duncan, there has been a discrepancy between responses on the effect on merchants with the cessation of the relationship between Visa and CardSystems. Would you comment on what you believe that consequence would be or the effect on merchants?

Mr. Duncan. We are not privy to all the details involved in this dispute. Obviously, as in this whole issue, you do not want to overreact in a credit card fraud situation as opposed to, say, an identity theft situation.
And this strikes me as one where the risks are perhaps lower than a true identity theft, and so maybe that same guidance should apply.

Mr. Price. Mr. Ruwe, I have affinity for Mr. Perry and CardSystems, obviously. I also think, again, we are all on the same team in this in trying to make certain that violations of information do not occur. Do you believe that Visa's relationship with CardSystems is fatally flawed?

Mr. Ruwe. Well, fatal is a very big word.

Mr. Price. Yes. That is what is going to happen to them.

Mr. Ruwe. It is certainly stressed. I think that Visa spent a great deal of time trying to evaluate what position we were going to take on this, and I believe we made several attempts to get information that we needed and did not get it. And as we said earlier, we will sit down with CSSI, but I think we are going to have to have more information and more forthcomingness, if you will, than we have had to date before I would make any commitment on anything fatal or otherwise.

Mr. Price. I appreciate that. If I am able to facilitate any of that, please let us help. Mr. Perry, I would like you to comment, if you would, on the discrepancy that Mr. Ruwe pointed out or stated existed between the audit and the reality of the information that you all held.

Mr. Perry. Yes, Mr. Price. We did receive some requests from Visa for information regarding the discrepancy between the CISP audit and what was subsequently found by the forensic analyst. Unfortunately, I was able to provide to Mr. Ruwe and Visa all of the data that I was able to find prior to my arrival at CardSystems in April of 2004. We stated to Mr. Ruwe and some of his associates at Visa that we were providing all of the information possible. We attempted to contact former employees, former auditors from Cable & Wireless and other former vendors to be able to fully answer Mr. Ruwe's questions.
Unfortunately, it was very difficult to track a lot of these people down who had left the company sometime in 2003, early 2004. And, unfortunately, because we were not able to provide all of that information, it was deemed that it was not enough information.

Mr. Price. Help me with the audit. Was there an actual question on the audit that said, ``Is CardSystems in full compliance with the agreement with Visa?'' Is that the kind of question that is on there?

Mr. Perry. There are several questions that you would see in an audit that are fairly detailed as to very different aspects of the audit having to do with network security and, specifically, the error that we have owned up to, which is the storing of this data that should have been masked. And that is a specific block or question. That specific block had a checkmark by the auditor without qualification or any compensating controls in that area. When I specifically reviewed--

Mr. Price. Checkmark saying?

Mr. Perry. We were compliant. When I reviewed that, I felt pretty good and relied upon the audit and the auditor that we were in compliance in that area.

Mr. Price. May I ask one more general question, Madam Chairwoman? I am interested from all the card companies as to whether or not there is agreement or consensus in the industry about the definition of a data breach and fraud. Is there consensus among the companies about what that is?

Mr. Peirez. Congressman, I think there is general consensus on what would constitute credit card fraud. In terms of your question about breach, it is a very complicated question, and I think we are in general agreement, but any specific case you would have to look at the specifics and see whether we all agree.

Mr. Price. Mr. Ruwe?

Mr. Ruwe. I would concur with that.

Mr. Minetti. Yes, I would agree as well.

Mr. Price. Is there a need to define those terms? Are they defined legally as it relates to data breach?

Mr. Peirez. Congressman, I think that, first of all, the terms that most often get confused and really do need to be used carefully and accurately are the distinction between fraud and identity theft or identity fraud. Those are the two things that really need to be very, very clearly identified because the consequences of either of those events are quite different and can be handled in different ways effectively. In terms of definition of breach, I think that depends on what happens if there is a breach as so defined. So I would be happy to work with your office if you are looking at something specific, but as to the general question on breach, I really cannot answer.

Mr. Price. Any other general comments about that?

Mr. Watson. I would say that the language is unclear, and it is unclear with respect to impact and timing. For instance, you could say the system was breached in April of 2004. Accounts were compromised possibly at some other time and certainly in May of 2005. But the definitions are not clear with respect to time or effect, and I think in putting forth any legislation they are going to need to be very clearly defined.

Mr. Duncan. Congressman, there is one additional element, and this goes back to the question that the chairwoman mentioned, and that is for smaller retailers in particular, if they are buying off-the-shelf equipment, they want to make certain that if they bought something from IBM or NCR or something else, that they are not deemed to be in breach because of something they innocently purchased. And that is a distinction that has to be maintained.

Mr. Hendricks. The California State law does a pretty good job of defining a breach by saying it is personal information or account numbers/Social Security numbers that can be used to commit fraud.
And as to the distinction, there is a distinction between identity theft takeover and credit card fraud, but under the Identity Theft Deterrence Act and under FACTA, Congress has defined some forms of credit card fraud as identity theft, as it should, because we need to maximize protection for consumers, and you see this reflected in FTC regulations. So I agree with industry that we need to look very carefully and draw these distinctions so we have appropriate responses to each one, but I want industry to respond that some forms of credit card fraud are also identity theft.

Chairwoman Kelly. Thank you.

Mr. Price. Thank you, Madam Chairwoman.

Chairwoman Kelly. Thank you, Mr. Price. Mr. Cleaver, you said you had another question or two.

Mr. Cleaver. Admittedly, this is personal for me, but I am curious as to whether other Western countries, Mr. Hendricks, have strong laws with regard to identity theft. When I say strong laws, I mean when there is a data breach it could result in someone being just wiped out. So do you know of any other country where someone could do something and actually regret it?

Mr. Hendricks. Do something in terms of using personal information?

Mr. Cleaver. Yes.

Mr. Hendricks. Well, a lot of the European countries and others do not have the biggest problem with identity theft as we do because they do not rely on the Social Security number the same way that we do. So they do not have specific laws on identity theft.

Mr. Cleaver. What do they rely on?

Mr. Hendricks. Well, they have their own usually national identification number or another set of identifiers. We need a country-by-country report. It is a very long question and answer. But they had old-fashioned comprehensive laws which are based on what we know as fair information principles, and that ends up covering a lot of these sorts of events.
So they are constantly trying to upgrade them and oversee and implement them, but it becomes more of a compliance issue because they have a general framework which covers most personal information, creates rights for individuals, duties on organizations.

Mr. Cleaver. I do not know if you collect data that would provide information about how long it would take after a breach before the fraudulent act begins. And is there any data that would allow us information to know the time between the breach and the time of the commission of a fraud?

Mr. Hendricks. There is no real research on that which has been made public, but it ranges from immediate to long term. The methamphetamine users that hit mailboxes, they try and use something right away, that is just their nature. The very sophisticated criminal rings will sit on information and use it down the road.

Mr. Cleaver. So my radio host is sitting on it.

Mr. Hendricks. Yes, but I think maybe someone should sit on him. I think he deserves some more attention.

Mr. Cleaver. Thank you.

Chairwoman Kelly. Thanks, Mr. Cleaver. Mr. Gorgol, you raised a very important issue in your testimony and we have not talked about it, and that concerns phishers with a ``ph.'' I think you mentioned that you were concerned that phishers might take advantage of the breach and other publicized incidents to look around to see what they can find from card customers. I would like this panel to describe whether or not you have seen a reaction like that in this case, and I would also like to know whether small businesses are likely to be contacted by fraudsters that are claiming to represent interested parties in this case? And with the terminations and so on that are imminent, apparently, I am wanting to know what you are doing to reach out to small businesses to keep them secure from phishers who are likely to call them and say, ``We are checking on this information,'' and so forth. They do not know who is at the other end of the phone.
I want to know what you are doing to protect these people from a fraudulent inquiry and a fraudulent solicitation during the changeover period.

Mr. Gorgol. Well, first, I mean, phishing is a serious problem and I think it is something to consider if we think about legislation that requires notification. If we overnotify people, that will provide, I think, a vehicle for phishers, sort of weeds that they could hide in if we overnotify. It is one of the dangers of overnotification. But I think the most powerful tool we have, to answer your question directly of what we can do and how we can help small businesses, is education and just raise their awareness that phishers are out there and just be very careful in how they share their information.

Chairwoman Kelly. How do they know if someone calls and says, ``I represent such and such, and I want this information''?

Mr. Gorgol. There are basic rules. They are not to share personal identifiable information over the phone unsolicited or you are not sure who you are sharing it with.

Chairwoman Kelly. Well, if they are solicited, they are going to share it because they do not know the difference. My concern is that there be some sort of an interception there, direction, education, however you do it, so that the small businesses during the changeover will not become a victim of phishing.

Mr. Gorgol. Well, during this specific changeover, they would be working directly with American Express employees, so we will be able to contact them directly.

Chairwoman Kelly. Anybody else? Mr. Ruwe?

Mr. Ruwe. I think that would add to the education, and part of the education is making sure they understand that if they get one of these calls, that they should say, ``Thank you very much.'' And they have been trained to say, ``Give me a number where I can call you back, please,'' and then they can verify with their true business relationship.
That is one of the things that we have tried to reemphasize over and over again in our educational materials. But, typically, the phishers do not necessarily target small businesses. They may be affected by this, but they really go for the big broadcast over the Internet. That is why it is called phishing. They go out and really attack the masses is usually their MO.

Chairwoman Kelly. In the 1970's and 1980's, a number of banks spun off the card processing units and now some of the banks are bringing them back in-house. There are pros and cons on this, and we have not heard from any of you about that. Mr. Watson, you may be the first one to answer that question. What are the pros and cons?

Mr. Watson. I actually have worked for data processors in the past prior to my career at Merrick Bank. I think data processing for both card holder and merchant business is very, very much a scale issue, and in-house processing is really only affordable by the very, very largest issuers and the very, very largest merchant banks. Without the access to high quality, secure third party processors, the credit card business, both the issuing side and the merchant banking side, would be in the hands of a very, very small number of banks because they would be the only ones who could afford it.

Chairwoman Kelly. Okay. So you think that unless a large bank like Bank of America, Citi, Chase made the decision to bring it back in-house, no one else is likely to because it is expensive; is that correct?

Mr. Watson. Yes.

Chairwoman Kelly. Okay. Thank you. My last and final question to you, Mr. Perry, there was a 3-day time lag between the time you discovered that there was a problem in the system and the notification that went out, you called the FBI, but it was not until the next day, it was basically a 3-day time lag. You found out on the 22nd and on the 25th Merrick Bank found out and the card people found out. What caused that time lag?

Mr. Perry. Madam Chairwoman, the time lag was we found out about a suspicious production issue on Sunday, late afternoon, Sunday, May the 22nd. On Monday, May the 23rd, we contacted the Phoenix office of the FBI and on actually Tuesday, May the 24th, we had not heard back from the Phoenix FBI and then contacted the Atlanta FBI because we were very concerned that this might be a situation that law enforcement needed to be aware of immediately. Once we heard back from the FBI on the 25th that they had assigned a case officer and we had disclosed everything to them, we also asked if it was okay under the investigation to contact the bank and notify the bank so they could go through their proper notification procedures, and they said, yes. Unfortunately, there were 2 days of lag where we missed speaking to the FBI from Atlanta or Phoenix to receive proper instructions.

Chairwoman Kelly. So the time lag, if I understand you correctly, was caused by the FBI not getting back to you in a timely manner. In the meantime, the 44 million people whose information had been perhaps compromised were still out there with their information compromised and nobody knew it.

Mr. Perry. At that time, all that we were aware of was the export of the 239,000 discrete cards that we found out about later. I do not want to say that the FBI did not react, but we did contact the Phoenix office on Monday, and when we did not hear back from them on Tuesday we contacted the Atlanta office. At that point, both offices coordinated and once they got back to us, we also asked them if we could move to the next step of notification, which we saw as critical, which is contacting our sponsor bank, Merrick Bank.

Chairwoman Kelly. I am just curious because under a contractual agreement with the credit card companies, wouldn't that have been in the contract that you had to notify them immediately if you discovered any kind of a breach?

Mr. Perry. At that point, on May the 22nd and even on May the 23rd, we were unclear as to the scope of the potential compromise.

Chairwoman Kelly. But you knew you had been compromised.

Mr. Perry. We believed we had, yes.

Chairwoman Kelly. But it was just a matter of degree. So if there was a contractual agreement for notification to the credit card people--

Mr. Perry. Because we believed there had been a crime perpetrated against the company and its merchants, we believed it was incumbent upon us to contact law enforcement first and make sure that they would help us and guide us through this situation. This is a situation that we had not previously experienced in the past, and we wanted to make sure that in no way would we compromise any future investigation.

Chairwoman Kelly. Thank you. I want to thank this panel for your patience. You have been wonderful for staying with us, and I appreciate very much the fact that you have given us so much of your time and your expertise today. The Chair notes that some members may have additional questions for this panel, which they may wish to submit in writing. So without objection, this hearing record will remain open for 30 days for members to submit written questions to the witnesses and place their responses in the record. This hearing is adjourned.

[Whereupon, at 1:12 p.m., the subcommittee was adjourned.]
A P P E N D I X

July 21, 2005

[The appendix consists of graphics (TIFF images T9461.001 through T9461.096) that are omitted from the text version of this record.]