[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
DO THE PAYMENT CARD INDUSTRY DATA STANDARDS REDUCE CYBERCRIME?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON EMERGING
THREATS, CYBERSECURITY,
AND SCIENCE AND TECHNOLOGY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
MARCH 31, 2009
__________
Serial No. 111-14
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
52-239 PDF WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California Peter T. King, New York
Jane Harman, California Lamar Smith, Texas
Peter A. DeFazio, Oregon Mark E. Souder, Indiana
Eleanor Holmes Norton, District of Daniel E. Lungren, California
Columbia Mike Rogers, Alabama
Zoe Lofgren, California Michael T. McCaul, Texas
Sheila Jackson Lee, Texas Charles W. Dent, Pennsylvania
Henry Cuellar, Texas Gus M. Bilirakis, Florida
Christopher P. Carney, Pennsylvania Paul C. Broun, Georgia
Yvette D. Clarke, New York Candice S. Miller, Michigan
Laura Richardson, California Pete Olson, Texas
Ann Kirkpatrick, Arizona Anh ``Joseph'' Cao, Louisiana
Ben Ray Lujan, New Mexico Steve Austria, Ohio
Bill Pascrell, Jr., New Jersey
Emanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
Vacancy
I. Lanier Avant, Staff Director
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
------
SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND
TECHNOLOGY
Yvette D. Clarke, New York, Chairwoman
Loretta Sanchez, California Daniel E. Lungren, California
Laura Richardson, California Paul C. Broun, Georgia
Ben Ray Lujan, New Mexico Steve Austria, Ohio
Mary Jo Kilroy, Ohio Peter T. King, New York (Ex
Bennie G. Thompson, Mississippi (Ex Officio)
Officio)
Jacob Olcott, Staff Director
Dr. Chris Beck, Senior Advisor for Science and Technology
Carla Zamudio-Dolan, Clerk
Coley O'Brien, Minority Subcommittee Lead
C O N T E N T S
----------
Page
Statements
The Honorable Yvette D. Clark, a Representative in Congress From
the State of New York, and Chairwoman, Subcommittee on Emerging
Threats, Cybersecurity, and Science and Technology............. 1
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Ranking Member, Subcommittee
on Emerging Threats, Cybersecurity, and Science and Technology. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security.............................................. 6
Witnesses
Ms. Rita M. Glavin, Acting Assistant Attorney General, Criminal
Division, Department of Justice:
Oral Statement................................................. 7
Prepared Statement............................................. 9
Mr. Robert Russo, Director, Payment Card Industry Data Security
Standards Council:
Oral Statement................................................. 24
Prepared Statement............................................. 26
Mr. W. Joseph Majka, Head of Fraud Control and Investigations,
Global Enterprise Risk, Visa, Inc.:
Oral Statement................................................. 30
Prepared Statement............................................. 32
Mr. Michael Jones, Senior Vice President and Chief Information
Officer, Michaels Stores, Inc.:
Oral Statement................................................. 35
Prepared Statement............................................. 37
Mr. David Hogan, Senior Vice President, Retail Operations, and
Chief Information Officer, National Retail Federation:
Oral Statement................................................. 40
Prepared Statement............................................. 42
For The Record
Submitted for the Record by Chairwoman Yvette D. Clarke:
Statement of Andrew R. Cochran, Founder and Co-editor, The
Counterterrorism Blog........................................ 18
Statement of Kirsten Trusko, on Behalf of the Network Branded
Prepaid Card Association..................................... 20
Appendix
Questions Submitted by Chairwoman Yvette D. Clarke............... 51
DO THE PAYMENT CARD INDUSTRY DATA STANDARDS REDUCE CYBERCRIME?
----------
Tuesday, March 31, 2009
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Emerging Threats, Cybersecurity, and
Science and Technology,
Washington, DC.
The subcommittee met, pursuant to call, at 2:11 p.m., in
Room 311, Cannon House Office Building, Hon. Yvette D. Clarke
[Chairwoman of the subcommittee], presiding.
Present: Representatives Clarke, Richardson, Lujan,
Thompson [ex officio], and Lungren.
Ms. Clarke. The subcommittee will come to order. The
subcommittee is meeting today to receive testimony on whether
the payment card industry data standards reduce cybercrime.
Good afternoon. In recent years, a number of well-known
companies have experienced massive data breaches in their
internal computer networks, resulting in the compromise of
sensitive customer data. The criminals who perpetrated these
intrusions targeted the credit and debit card account
information held by merchants or third-party data processors as
the result of retail transactions.
With a thriving black market that rapidly packages and
sells stolen cardholder data, the information compromised
during these breaches may ultimately aid a number of criminal
organizations. We know that some percentage of the fraudulent
charges and illicit businesses from these activities is used to
fund terrorist activity throughout the world.
In his 2002 autobiography, the Bali nightclub bomber
specifically referred to on-line credit card fraud and carding
as a means to fund terrorist activities and encouraged his
followers to use this method to obtain financing.
More recently, a British case involving three jihadis,
alleged that the men used stolen credit card numbers obtained
through fishing scams and Trojan horses to make more than 3.5
million in fraudulent charges. The jihadis reportedly used the
numbers at hundreds of on-line stores to purchase equipment and
other items, including prepaid cell phones and airline tickets,
in order to aid jihadi groups in the field.
The subcommittee is holding this hearing today to voice our
concern about the growing number of data breaches and to
understand what is being done to curb this activity and to
suggest that both merchants and the pay card industry have
significant work ahead to meet our expectations. The payment
card industry--Visa, MasterCard, Discover, American Express,
and JCB--requires every business that stores, processes, or
transmits computer data to comply with specific data security
standards. The intent of these standards is to reduce the
likelihood of successful data security breaches. On an annual
basis, these merchants must certify that they are compliant
with the payment card industry data security standards known as
PCI standards.
The PCI standards contain a number of security controls
that businesses must implement. The PCI standards allow smaller
businesses to self-certify compliance, while larger merchants
must be validated by a qualified security assessor. Enforcement
comes through the card companies themselves who can levy fines
and/or prohibit noncompliant merchants from using their
services.
To be clear, the PCI standards are not Government
regulations and are not enforced by the Government. This
committee supports industry-created and -managed security
standards as long as they are strong and effective.
In light of the rising number of publicly reported data
breaches, Chairman Thompson launched an investigation to
determine whether the PCI standards have been effective in
reducing cybercrime. The results of this investigation suggest
that the PCI standards are of questionable strength and
effectiveness.
The effort to become PCI-compliant is a daunting challenge
for merchants whose core competency is the selling of
merchandise rather than expertise in security. The cost for the
largest merchants can be as high as $18 million a year. Many
believe that if they complete this arduous task, they will be
rewarded with a secure system. But the committee's
investigation confirms what many analysts have known for years.
In the words of one credit card company, full compliance with
the PCI standard does not guarantee that the merchant or vendor
will not be the victim of a data breach.
Take last year's data breach of Hannaford Brothers Company,
for example. Hackers installed malicious code on servers to
every one of the grocery stores in the Hannaford chain. The
malware intercepted the data stored on the magnetic stripe of
payment cards as customers used them at the checkout counter.
Hannaford received certification that they were PCI-compliant
on February 28, 2008. But on February 27, 2008, according to
the documents obtained by the committee, Hannaford was notified
that a number of the credit card numbers from its network were
stolen and being used on the black market. In other words,
Hannaford was being certified as PCI-compliant while an illegal
intrusion into its network was in progress.
I do not believe that PCI standards are worthless. In the
absence of other requirements they do serve some purpose, but I
do want to dispel the myth, once and for all, that PCI
compliance is enough to keep a company secure. It is not. The
credit card companies acknowledge that.
The bottom line is that if we care about keeping money out
of the hands of terrorists and organized criminals, we have to
do more, and we have to do it now. Specifically, we must
improve our policies and our technology.
First, the standards have to be better because they are
inadequate to protect against the methods being used by modern
hackers and attackers. Despite what the credit card companies
say, for millions of small and large businesses out there, the
PCI standards are the ceiling and not the floor. The bar must
be raised. In this dynamic threat environment, attackers are
constantly ahead of defenders, and yet the PCI standards are
updated only by unanimous consent every 2 years.
But part of the problem is that the standards do not
require more frequent penetration testing. The only way to
reduce breaches is by continuously testing and attacking a
system through penetration testing and timely mitigation.
Second, the payment card industry and issuing banks need to
commit to investing in infrastructure upgrades here in the
United States. In a response to the committee's investigation,
one breached company noted that the effectiveness of data
security standards is inherently limited by the technology base
of U.S. credit and signature debit card processing networks.
Credit and signature debit transactions are not protected by
encrypted PINs. Implementation of encrypted PINs for all debit
and credit transactions could be useful.
Countries in Europe and Asia are deploying new technologies
like Chip and PIN to fight fraud that could lead to organized
crime and terrorism and it is working. According to the U.K.
Payments Association, 3 years after beginning the migration to
chip-card technology, losses on transactions had reduced by 67
percent, from 219 million pounds in 2004 to 73 million pounds
in 2007. However, despite card fraud dropping 32 percent
domestically between 2006 and 2007, overall counterfeit card
fraud affecting U.K. customers was up 46 percent.
Why? The cards were being used by malicious actors in
countries that had not yet implemented the technology. The
United States is being blown away by security investments
overseas and our 1950s-era system is making us a weak link in
the security chain.
Magnetic stripe-based technology is outmoded and inherently
less secure when compared to smart cards or other developing
technologies. While I am deeply concerned about our security,
the payment card industry and issuing banks should be ashamed
about the current state of play and doing everything possible
to immediately institute improvements in infrastructure.
I know that our witnesses care about keeping financial
information out of the hands of terrorists and other organized
crime elements and I know that the payment card industry cares.
I know that the merchant community cares. But the time for
waiting is over. The time for shifting risk is over. Today, the
responsibility is yours to make this situation better.
This is the first step in the committee's review of the
payment card industry's efforts, a review that I believe the
Chairman plans to continue. We look forward to hearing about
your plans to improve America's cybersecurity posture and
working with you in all the weeks and months ahead.
The Chairwoman now recognizes the Ranking Member of the
subcommittee, the gentleman from California, Mr. Lungren, for
an opening statement.
Mr. Lungren. Thank you very much, Madam Chairwoman. I want
to compliment you for scheduling this important data security
hearing. It is an issue that most people are aware of, but few
seem to understand the full extent of this threat or the
remedies required to eliminate it as much as possible.
The new Information Age created by computers, the internet,
and instant communication offers many benefits to the Nation,
particularly our economy. Transacting business on the internet
is one of the key benefits of the Information Age.
Utilizing, obviously, credit cards today is the way people
normally transact business. It is the new currency of our age.
A lot of people don't even carry cash around anymore. In fact,
sometimes you try to pay with cash and people look at you,
trying figure out what scam you have going on.
I was at one place where I actually had a 50-cent piece
that I was trying to utilize and the woman would not recognize
it as an American currency. I was trying to explain to her the
image on the surface, and she just evidently missed that
history lesson about that President.
The internet has acted as a powerful economic engine for
the U.S. economy. Unfortunately, these new business
opportunities carried via the internet have also transformed
the landscape for the criminal, making available a wider array
of new methods that identity thieves can use to access and
exploit the personal and financial information of others.
Today's skilled computer hackers are capable of
perpetrating large-scale data breaches that leave tens of
millions of individuals at risk of identity theft. I recall my
wife and I were at dinner one night, I gave the card to the
waiter. After 5 minutes, the waiter came back kind of
embarrassed and said, well, Mr. Lungren, this card doesn't seem
to be working. So I turned to my wife and said, Why don't you
give them the card? She gave them the card with the same
account. They came back later and said it is not working.
Luckily my wife had another card.
If I had been in Chicago, changing planes, and needed to
stay overnight there, I would have been up the creek without a
paddle, as we say. I went home that night, called in to the
credit card company and they informed us there had been a
credit card compromise. Our account had been compromised. They
would tell us nothing more than that. My wife went on-line to
see what our account was at that point in time. There was no
such account. It was as if it had vanished.
The point I am making is we were never notified by the
credit card company. We have a number of automatic payments
that are made against the card and we tried to track every one
of them, and missed one of them and got a notice that we had
not paid that month for something.
So we are putting a tremendous obligation on the entire
industry in this case. One is to try and secure things. The
other one is when there is a breach, what is your requirement
to notify people? Under what circumstances do you notify
people? If you are not giving that information to those of us
who are the consumer, is that information being given to law
enforcement to follow up in all circumstances? Those are just
some of the questions.
The key to this internet economic engine running smoothly
is data security. There is no doubt about it. If we are unable
to secure our on-line financial transactions from financial
criminals, even those not involved in terrorism, then our
economic growth will be jeopardized, and actually we have
fulfilled the terrorist dreams of pulling down our country
through an economic attack. Customers will reject on-line
purchases if they can't be assured that their payment card
transactions are protected. Without consumer or customer
confidence in the safety of the payment card transaction,
internet commerce would dry up and we could have problems with
people just using the card when they are actually at brick-and-
mortar stores.
We know it was a huge problem in the early days of the
internet when it was an unknown frontier. Unchecked criminal
activity will bring back those wild west days, undermine
customer confidence, and cripple internet commerce. I applaud
the payment card industry for investing their resources and
personnel to develop and promote a universal data security
standard. As was mentioned, it is voluntary. We understand
that. A lot of work has gone into it. We understand that there
is always the challenge. It is easy for those of us in
Government to say we can do a better job. Thank God we haven't
had any security breaches on the part--excuse me--I guess we
have had a couple of them here and there. All that points out
is it is a real challenge to stay ahead of the bad guys.
I mean, you have got mischievous hackers, you have got
individual criminal hackers, you have got criminal enterprise
hackers, you have got transnational organization hackers, you
have got nation-state hackers and, frankly, you have got to try
to protect against all of that.
The PCI Security Standards Council that includes all of the
major card brands has at least understood that there is a need
for a set of comprehensive requirements for enhancing payment
account security. One of the questions I would ask: Is there
any place for the retailers to be involved in discussion of
those standards and part of that? Another question I would ask
is: I know you have some flexibility within the standards as
they exist now. But is it still too much of one size fits all?
In other words, I know you have a demarcation between mom-and-
pop stores and the big retailer, but in between does it make
sense? Are the standards flexible enough to be effective on the
one hand and at the same time allow for different business
models to operate in a reasonable fashion for them?
So I realize that the first standard was developed in 2006
to improve the standard security in the payment card industry.
It has improved the situation. More needs to be done. We are
trying to identify those areas that need to be done. We have
trying to make sure all the parties are brought to bear on the
question. We are looking to see if Government regulation is
needed.
The last thing I would say is this. The challenge for us in
Government is to try to ensure that we don't interfere with the
ingenuity of the private sector in being able to put the fixes
into the security system that are necessary. If you can help us
in that regard, not only will you benefit, we will benefit as
well. Thank you very much, Madam Chairwoman.
Ms. Clarke. The Chairwoman now recognizes the Chairman of
the full committee on Homeland Security, the gentleman from
Mississippi, Mr. Thompson, for an opening statement.
Mr. Thompson. Good afternoon. Thank you, Madam Chair, for
holding this very critical hearing on the effectiveness of the
PCI standards.
From our personal computers to Government networks to our
critical infrastructure, the United States is under attack in
cyberspace. This adversary ranges in skill from unsophisticated
to highly capable, from loan hackers to organized crime and
nation-states. Their intent ranges from nuisance and disruption
to theft, espionage, and warfare. Their successes are varied.
From every hacker that we have caught and prosecuted,
thousands continue to work unabated. In December 2008, the
Center for Strategic and International Studies concluded that
the battle for cyberspace is one that we are not winning.
Willy Sutton was rumored to have said he robbed banks
because that is where the money is. In today's world of payment
card transactions, the money is now located on computer
networks. On any given day, billions of dollars float back and
forth between merchants and payment card networks which process
credit card numbers for transactions in an area that is ripe
for hackers to exploit, and they are taking advantage of
weaknesses in the system.
We are here today to learn about the private sector's
efforts to combat data breaches and cybercrime and to assess
the quality of the payment card industry data security
standards. The standards have been around for several years,
but massive on-going data breaches at some of America's largest
merchants suggest that the standards are inadequate to prevent
breaches.
The essential flaw with the PCI standards is that it allows
companies to check boxes, but not necessarily be secure.
Checking boxes makes it easier to assess compliance with the
standard, but compliance does not equal security. We have to
get beyond check-box security. It provides a false sense of
security for everyone involved, and it is ineffective in
reducing the real threats. Companies need to understand that
even if 100 percent compliance with PCI standards is achieved,
hackers will continue to develop techniques to exploit the
computer systems of companies holding cardholder data. You are
not safe unless you continually test your systems.
Today we are calling for change. I call on the payment card
industry, and the thousands of merchants and vendors who have
to comply with the standards, to rededicate themselves to the
goal of securing their networks. For the payment card industry
and the issuing banks, this is going to mean significant
investment in the infrastructure upgrades. As the Chairwoman
has pointed out, these investments are already on-going
overseas.
I am puzzled and disappointed that we are not seeing
similar upgrades here domestically, and I hope our witnesses
can explain why the card industry appears not to be moving
quickly to address these issues. I am also deeply troubled by
the testimony that suggests credit card companies are less
interested in substantially improving their product and
procedures than they are in reallocating their fraud costs. The
payment card industry's efforts to shift risk appears to have
contributed to our current state of insecurity, and I am
concerned that as long as the card industry is writing the
standards, we will never see a more secure system.
We in Congress must seriously consider whether we can
continue to rely on industry-created and -enforced standards,
particularly if they are inadequate to address the on-going
threats.
I look forward to working with my colleagues on both sides
of the aisle and across committee lines to further explore
whether Government action is necessary to protect against these
threats. One thing is certain: The current system is not
working.
Madam Chairwoman, I thank you for your work in this area,
and I look forward to the testimony of both panels.
Ms. Clarke. Thank you very much, Mr. Chairman. Other
Members of the subcommittee are reminded that under the
committee rules, opening statements may be submitted for the
record.
We are going to take a break right now for votes. They have
come up and we are scheduled for three votes, which puts us at
about 25 minutes. Well, now it is less than 25 minutes, maybe
about 15. So please excuse us as we go and recess for votes.
[Recess.]
Ms. Clarke. I welcome our only panelist on the Federal
panel, Ms. Rita Glavin, Acting Assistant Attorney General,
Criminal Division, Department of Justice. In June 2008, Ms.
Glavin joined the Criminal Division as the Acting Principal
Deputy Assistant Attorney General. Ms. Glavin began her service
to the Department in 1998 through the Department's honors
program as a trial attorney in the public integrity section
where she worked until 2003. Since 2003, Ms. Glavin has been an
assistant U.S. attorney with the United States Attorneys Office
for the Southern District of New York.
Without objection, this witness' full statement will be
inserted into the record. I now ask you to introduce yourself
and summarize your testimony for 5 minutes.
STATEMENT OF RITA M. GLAVIN, ACTING ASSISTANT ATTORNEY GENERAL,
CRIMINAL DIVISION, DEPARTMENT OF JUSTICE
Ms. Glavin. Good afternoon, Chairwoman Clarke, and thank
you for the invitation to address the subcommittee. As you
know, identity theft is not a new problem. However, in recent
years, identity thieves have begun to capitalize on a variety
of new methods to access and exploit the personal information
of others. Skilled hackers are now capable of perpetrating
large-scale data breaches that leave hundreds of thousands of
individuals and, in some cases, millions of individuals at risk
of identity theft.
The Department of Justice, along with our law enforcement
partners, has been aggressively investigating and prosecuting
these data breaches and other criminal activity associated with
them. We are committed to continuing our efforts. We have
historically had tremendous success in identifying,
investigating, and prosecuting the perpetrators of these acts.
But as always, we can and we will do more.
To that end, the continued and improving coordination with
our partners in the international community and in the private
sector will be critical to ensuring our success. We are glad to
have this opportunity to discuss these issues with your
subcommittee.
The Department has responsibility for the investigation and
prosecution of a wide range of cybercrime cases. But large-
scale breaches are of significant concern to us because their
effects can be amplified exponentially when criminals use the
internet to quickly and widely distribute vast quantities of
information stolen during these breaches.
The threat we face is wide and it is varied, ranging from
very sophisticated individual hackers to international criminal
organizations. The resulting losses, as you know, can be
devastating and the criminals perpetrating these acts may be
motivated by any number of factors, including personal
financial gain and the desire to use this illegal activity to
fund and facilitate other dangerous crimes.
The Department's benchmark prosecutions of large-scale data
breaches and the criminal activity that results from such
breaches highlight the range of our efforts that we have been
using to address the growing problem. I want to give you a
couple of examples. Most recently, the FBI announced the
results of a 2-year undercover operation that targeted members
of the on-line carding forum known as Dark Market. At its peak,
the Dark Market Web site had over 2,500 registered members
around the world. This operation has resulted in 60 arrests
worldwide and it has prevented what we estimate to be
approximately $70 million in economic loss.
In another example, in August 2008, the Department
announced the largest hacking and identity theft case ever
prosecuted, in which charges were brought against 11 members of
an international hacking ring. Now, these various defendants
who were from the United States, Estonia, the Ukraine, Peoples
Republic of China, Belarus, were charged with, among other
things, the theft and sale of more than 40 million credit and
debit card numbers obtained from various retailers.
Another example, in 2004 the U.S. Secret Service and
several components of the Justice Department coordinated the
search and arrest of more than 28 members of the Shadow Crew, a
criminal organization located in eight States in the United
States and six foreign countries. Members of the group were
later charged in a 62-count indictment with trafficking in at
least 1.5 million stolen credit and bank card numbers that
resulted in losses in excess of $4 million. The Shadow Crew Web
site was disabled, which we believe prevented hundreds of
millions of dollars in additional losses to the credit card
industry. This was known as Operation Firewall, and this early
effort paved the way for our more recent successes in this
area.
Now, while investigation and prosecution are important,
prevention and detection are key elements in the fight against
this criminal activity. Keeping credit, debit, and other
financial account information out of the hands of criminals in
the first place is an essential step in reducing the frequency
and minimizing the impact of large-scale data compromises. We
suggest that all entities that store, process, or transmit
credit, debit, and other financial account information should
take steps, including complying with the payment card industry
data security standards, to improve the security of their
computer systems and to decrease the vulnerability of the
information they handle.
Of course, even 100 percent compliance with the PCI DSS, if
that were achieved, it is likely that hackers will continue to
develop techniques to exploit the computer system of companies
holding cardholder data. For instance, in those instances where
the hackers have succeeded, efforts by the Department and
efforts by investigative agencies to look into and prosecute
and punish those hackers and carders have been critical to
deterring future criminals.
For us to have continued success on this front, it is
imperative that, No. 1, victim companies embrace new measures
to swiftly detect data breaches and system compromises. No. 2,
that the victim companies immediately and consistently report
detected data breaches to law enforcement. Finally, that the
United States builds on its existing relationships with our
international partners to strengthen law enforcement
cooperation channels internationally. Thank you.
Ms. Chairwoman, I am prepared to answer your questions.
Ms. Clarke. I thank you for your testimony.
[The statement of Ms. Glavin follows:]
Prepared Statement of Rita M. Glavin
March 31, 2009
Good morning, Chairwoman Clarke and Ranking Member Lungren. Thank
you for your invitation to address the committee. The Department of
Justice welcomes this opportunity to testify about our commitment to
combating large-scale data breaches and the payment card fraud that
results from such breaches.
As you know, identity theft is not a new problem. However, in
recent years, the information age has transformed the landscape in
which criminals operate, making available a wide array of new methods
that identity thieves can use to access and exploit the personal
information of others. Criminals have capitalized on these new and far-
ranging opportunities. Skilled hackers are now capable of perpetrating
large-scale data breaches that leave hundreds of thousands--and in many
cases, tens of millions--of individuals at risk of identity theft.
Today's criminals now have the opportunity to remotely access the
computer systems of Government agencies, universities, merchants,
financial institutions, credit card companies, and data processors, to
steal large volumes of personal information, including individuals'
financial information, made available simply by virtue of everyday acts
like making credit and debit card retail transactions. Reflecting this
trend, there are currently over 2,000 active cases related to identity
theft pending in the U.S. Attorney's Offices (USAOs), and there has
been a 138.2% increase in identity theft convictions by USAOs between
fiscal year 2004 and fiscal year 2008. The Department of Justice,
through its Criminal Division, the Federal Bureau of Investigation
(FBI), the USAOs, and other components, along with our partners at the
U.S. Secret Service (USSS) and the U.S. Postal Inspection Service, has
been aggressively investigating and prosecuting these data breaches and
other criminal activity associated with them, and we are committed to
continuing our efforts. Historically, the Department has had tremendous
success in identifying, investigating, and prosecuting the perpetrators
of these acts. But as always, we can and will do more. To that end, the
continued and improved coordination with our partners in the
international community and the private sector will be critical to
ensuring our success, and we are glad to have this opportunity to
discuss these issues in particular with you.
the ``carder'' threat
The Department has responsibility for the investigation and
prosecution of a wide range of cyber crime cases, but large-scale
breaches are of significant concern to us because their fallout can be
amplified exponentially when criminals harness the power of the
internet to quickly and widely distribute for future fraudulent use the
vast quantities of information stolen during these breaches. For
example, international organized crime is currently one of the fastest-
growing threats in the computer intrusion arena, and these groups--who
are continuing to expand and become more sophisticated--along with
hosts of other cyber criminals, have made large-scale data breaches one
powerful part of their profile.
Through activity known as ``carding,'' large volumes of data are
stolen, resold, and ultimately used by criminals to commit fraud. In
recent years, the problem of ``carding'' has grown. ``Carding'' means
not only the unauthorized use of credit and debit card account
information to fraudulently purchase goods and services, but also a
growing assortment of related activities including computer hacking,
phishing, cashing out stolen account numbers, re-shipping schemes, and
internet auction fraud. I will describe some of these schemes in more
detail in a moment.
The internet provides a unique venue in which ``carders'' can
advertise and sell stolen data to the highest bidder and self-organize
to facilitate their activities. For example, carders often become
members of Web site forums designed to provide an active marketplace
for the sale of, among other contraband, stolen credit and debit card
numbers; compromised personally-identifiable information, including an
individual's address, phone number, social security number, personal
identification numbers (PINs), credit history report, and mother's
maiden name; and false identification documents.
Once stolen identity information is sold, the purchasers frequently
engage in fraudulent activity including, among other things, the use of
stolen credit card information to make purchases on-line and in person,
and ``cashing,'' which refers to the act of obtaining money--rather
than retail goods and services--with the unauthorized use of stolen
financial information. In recent years, criminal carding organizations
engaged in what is known as ``PIN cashing'' have developed
sophisticated ``cash-out networks'' in which stolen financial
information is immediately disseminated to designated groups of
criminals who withdraw money from ATMs all over the world within a
short time period. In one example, PIN cashers made 9,000 withdrawals
worldwide totaling $5 million in less than 48 hours from four
compromised prepaid debit card accounts.
the link between carding and other crimes
In addition to the financial fraud perpetrated by carders, the
Department focuses on criminals who engage in carding activities with a
motivation other than personal financial gain. We know, for example,
that drug traffickers engage in identity theft for the purpose of
financing their activities.
Similarly, there is a well-documented connection between identity
theft--in particular as it relates to obtaining fraudulent
identification documents, but also as it may relate to credit card
fraud--and terrorism. As one example, a convicted terrorist in
Indonesia, Imam Samudra, wrote about the use of credit card fraud and
carding as a means to fund terrorist activities in his 280-page
autobiography. Samudra sought to fund the 2002 Bali nightclub bombings,
of which he was convicted, in part through on-line credit card fraud.
Also illustrative of the connection between terrorism and credit
card fraud, three British men were convicted in 2007 of inciting
terrorist murder via the internet under the United Kingdom's Terrorism
Act of 2000. Younes Tsouli, Waseem Mughal, and Tariq Al-Daour were
participants in a network of extremist Web sites and communication
forums through which al Qaeda statements were issued and which
disseminated videos of beheadings, suicide bombings in Iraq, and other
jihadi propaganda. The three men also pleaded guilty to conspiracy to
defraud banks and credit card companies. Tsouli was sentenced to 16
years in prison, Mughal was sentenced to 12 years in prison, and Al
Daour was sentenced to 10 years in prison. Al-Daour and his associates
used stolen credit card numbers obtained through phishing scams to make
more than $3.5 million in fraudulent charges in order to purchase
equipment, prepaid cell phones, airline tickets, and other items, to
support jihadi groups in the field. Tsouli and Mughal also used stolen
credit card numbers to set up and host jihadi Web sites. Significantly,
the investigation revealed that these individuals were members of
carding organizations.
the department's investigations and prosecutions
The Department of Justice plays a critical role in combating
payment card breaches and the fraud and other criminal activity that
results. United States Attorney's offices throughout the country
actively prosecute these cases. Within the Criminal Division, the
Computer Crime and Intellectual Property Section (CCIPS) also
investigates and prosecutes large-scale data breaches and coordinates
prosecutions that involve multiple USAOs and foreign countries. In
addition, the Fraud Section of the Criminal Division recently
established the Payments Fraud Working Group (PFWG), which it co-chairs
with the Board of Governors of the Federal Reserve System. The PFWG is
an inter-agency cooperative effort between law enforcement and the bank
regulatory agencies designed to examine issues related to various
payments systems and establish initiatives to protect payments systems
against fraud and other misuse. The Department also helped to lead the
Identity Theft Task Force, which also addressed many of these issues.
Finally, the Office of International Affairs in the Criminal Division
supports international cooperation efforts by implementing mutual legal
assistance treaties (MLATs) and international conventions that have
yielded significant evidence for use in U.S. and foreign prosecutions
and by marshaling efforts to extradite international fugitives.
The combined force of all of these efforts, along with the efforts
of the FBI and the Department's other law enforcement partners, has
resulted in a number of benchmark prosecutions that highlight the range
of the Department's efforts to address the growing problem of large-
scale data breaches and associated criminal activity.
Recent Successes
The Department, in coordination with its various USAOs, has worked
with investigative agencies including the USSS, the FBI, and the United
States Postal Inspection Service to combat carding and associated
crimes, with great success:
Dark Market carding forum.--Most recently, on October 16,
2008, the FBI announced the results of a 2-year undercover
operation, conducted in conjunction with CCIPS, targeting
members of the on-line carding forum known as Dark Market. At
its peak, the Dark Market Web site had over 2,500 registered
members around the world. This operation has resulted in 60
arrests worldwide and prevented an estimated $70 million in
economic loss.
International hacking ring.--In August 2008, the Department
announced the largest hacking and identity theft case ever
prosecuted, in which charges were brought by the USAOs in the
District of Massachusetts, the Southern District of California,
and the Eastern District of New York against 11 members of an
international hacking ring, including Maksik, discussed later.
The various defendants--who were from the United States,
Estonia, Ukraine, the People's Republic of China, and Belarus--
were charged with, among other things, the theft and sale of
more than 40 million credit and debit card numbers obtained
from various retailers including TJX Companies, BJ's Wholesale
Club, OfficeMax, Boston Market, Barnes & Noble, Sports
Authority, Forever 21, Dave & Buster's, and DSW.
Operation CardKeeper.--Operation CardKeeper, led by the FBI
and the USAO for the Eastern District of Virginia, resulted in
the arrests of 13 individuals in Poland and eight in the United
States. International cooperation was required to execute
search warrants in the United States and in Romania.
Significantly, Operation CardKeeper resulted in the U.S.
conviction of an individual known on-line as ``John
Dillinger.'' This defendant was sentenced in 2007 to 94 months
in Federal prison for his carding activity, including
aggravated identity theft, access device fraud, and conspiracy
to commit bank fraud. Computers seized from him revealed more
than 4,300 compromised account numbers and full identity
information for over 1,600 individual victims.
``Iceman''.--In late 2007, a major supplier of tens of
thousands of credit card accounts to carding forums was
indicted for wire fraud and identity fraud; he is currently
awaiting trial. Max Ray Butler, known on-line as ``Iceman,''
was the co-founder and administrator of the carding forum
Cardersmarket. This case is being prosecuted by the United
States Attorney's Office for the Western District of
Pennsylvania.
``Maksik'' and ``Lord Kaisersose''.--Maksym Yastremskiy,
known on-line as ``Maksik,'' believed to be one of the top
traffickers in stolen account information, was arrested for his
carding activity in Turkey in 2007. He was also indicted in
several U.S. districts as the result of the Department's
prosecution of the international hacking ring I discussed
earlier. Maksik allegedly sold hundreds of thousands of credit
and debit card numbers. One of his customers, an infamous
carder known on-line as ``Lord Kaisersose,'' was previously
searched and arrested in France as the result of a joint
investigation conducted by the USSS and the French National
Police. He is currently awaiting sentencing.
``Operation Firewall''
Much of this successful investigative work has its roots in some of
the Department's early efforts to dismantle highly-organized carding
enterprises. As just one example, in 2004, as part of an undercover
investigation known as Operation Firewall, the U.S. Secret Service
(USSS) and several components of the Department of Justice coordinated
the search and arrest of more than 28 members of the ``Shadowcrew''
criminal organization, located in eight States in the United States and
six foreign countries. Members of the group were later charged in a 62-
count indictment with trafficking in at least 1.5 million stolen credit
and bank card numbers that resulted in losses in excess of $4 million.
As part of this takedown, the USSS disabled the Shadowcrew Web site. We
believe that had the organization not been interrupted, the credit card
industry could have faced hundreds of millions of dollars in additional
losses. Instead, the Shadowcrew criminal organization's activity
stopped, and to date, with the exception of two fugitives, all of the
domestic Shadowcrew defendants have pleaded guilty and received
sentences of up to 90 months in prison. This prosecution was the first
of its kind--by prosecuting top-tier members of the organization for
conspiracy, it held individuals responsible for the criminal offenses
facilitated through the carding forum by virtue of their leadership
role in a criminal organization that operated solely on-line. Operation
Firewall enabled many of our more recent successes. In addition, the
investigation into the Shadowcrew organization also revealed that the
defendants were conspiring internationally to commit specific carding-
related crimes, including bank fraud, and enabled us to successfully
prosecute individuals for that conduct separately.
Operation Firewall, like many of the examples I have mentioned
today, also illustrates how we can effectively respond to the
increasingly global nature of carding organizations. With the
cooperation of law enforcement agencies in the United Kingdom, Canada,
Bulgaria, Belarus, Poland, Sweden, the Netherlands, and Ukraine,
foreign searches and arrests went smoothly, and foreign individuals
were successfully indicted in the United States. In addition, the
United Kingdom pursued a separate domestic prosecution of Shadowcrew
members, which has led to a number of guilty pleas.
prevention, detection, and response
Keeping credit, debit, and other financial account information out
of the hands of criminals in the first place is an essential first step
in reducing the frequency, and minimizing the impact, of large-scale
data compromises. Merchants and processors who hold individuals'
sensitive financial information are prime targets for hackers and
carders. To address this vulnerability, the credit card associations
developed a set of security standards, known as the Payment Card
Industry Data Security Standards (PCI DSS), for merchants and third-
party processors. We suggest that all entities that store, process, or
transmit credit, debit, and other financial account information should
ensure that they comply with all requirements of the PCI DSS in order
to improve the security of their computer systems.
As is well understood throughout the security community, however,
perfect security is impossible. Therefore, even if 100% compliance with
PCI DSS were achieved, it is likely that hackers will continue to
develop techniques to exploit the computer systems of companies holding
cardholder data. For instances in which those hackers succeed, efforts
by the Department and investigative agencies to investigate, prosecute,
and punish hackers and carders are critical to deterring future
carders, learning more about the nature of these crimes, and punishing
offenders. For continued success on these fronts, it is imperative
that: (1) Victim companies embrace measures to swiftly detect data
breaches and system compromises; (2) victim companies report data
breaches to law enforcement; and (3) the United States builds upon its
existing relationships with international partners to strengthen law
enforcement cooperation channels internationally.
Early Detection
Early detection plays two important roles in efforts to combat
carding activity. First, it can assist in mitigation of potential
damage. When victim companies are notified by law enforcement, credit
card companies, or other entities about a potential compromise to their
system, they should take all reasonable measures to determine whether a
compromise did indeed occur. Successful detection empowers victim
companies to take steps to address the vulnerability, fortify their
systems, and notify individual victims as necessary. But to date, it
has been our experience that following notification, victim companies
can not and do not always do enough to determine the scope and severity
of data breaches of their computer networks.
Moreover, law enforcement faces continued investigative challenges
as a result of delayed detection and response. Often, victim companies
detect compromises to their system weeks, months, or years after they
occur, and as a result, meaningful investigative leads may have
disappeared by the time the compromise is reported to law enforcement,
if it is reported at all. Private entities must have the capabilities
to identify compromises more quickly. To accomplish this, we recommend
that all entities that store, process, or transmit credit, debit, and
other financial account information implement security mechanisms
designed to detect system breaches, such as tracking and monitoring all
access to network resources and cardholder data.
Breach Reporting
Immediate reporting of incidents to law enforcement is also vital
to law enforcement's ability to investigate large-scale data breaches.
Immediate reporting necessarily relies upon each potential victim
company's capacity to promptly detect an incident, but we know from
experience that prompt detection will not itself result in a report
from the victim company. For a variety of reasons, data breaches are
significantly underreported, and as a result, law enforcement efforts
to bring criminals to justice are significantly hampered. If law
enforcement never learns of the incident, we will not investigate it;
if we hear about it too late, we may be unable to preserve critical
evidence or identify the perpetrators. On the other hand, several
recent successes in tracking down the perpetrators of high-profile data
breaches are the direct result of immediate information from victim
companies on how the hackers entered and exited their systems,
including the specific IP addresses used in the attack. For example, in
the Dave & Busters case, which was a part of the international hacking
ring prosecuted in 2008, when Dave & Busters became aware of
intrusions, they took measures to log access to their computers, block
the intruder's further attempts to collect credit and debit card data,
and identify for law enforcement the intruder's IP address.
While companies like VISA require by policy that all entities that
suspect or have confirmed that a security breach occurred must contact
Federal law enforcement, few laws require the victim company to notify
law enforcement. In its April 2007 Strategic Plan, the Identity Theft
Task Force recommended the establishment of a national standard
requiring entities that maintain sensitive data to provide timely
notice to law enforcement in the event of a breach. Because only a
handful of State laws currently require reporting to law enforcement
and because private sector rules are neither universal nor consistently
enforced across the various companies, we urge Congress to consider
requiring security breach reports to Federal law enforcement using a
mechanism that ensures that the USSS and FBI have access to the
reports.
International Law Enforcement Cooperation
As illustrated by the array of cases I have mentioned, carders
operating in carding forums on the internet reside in different
countries, collaborate freely across borders, and can immediately and
widely distribute stolen identity information around the globe. In
addition, on-line carding forums provide networking opportunities for
criminals interested in joining together to perpetrate other financial
fraud or criminal activity on a global scale. As a result, coordination
and cooperation from foreign law enforcement is vital to the success of
carding investigations and prosecutions. In this regard, the Identity
Theft Task Force's Strategic Plan also recommended that the Department
of Justice and other departments and agencies take specific steps to
improve coordination and evidence sharing with foreign law enforcement
agencies.
We believe that on this front, the United States should continue to
press other nations to accede to the Convention on Cybercrime (2001),
which will improve cooperation between law enforcement agencies. The
Convention, which the United States ratified in 2006, assures that
other countries enact suitable domestic legislation criminalizing
identity theft, in part to facilitate information-sharing under MLATs
and the extradition of criminal defendants. In addition, the United
States should continue to work closely with multilateral organizations
to urge other countries to review their criminal codes and criminalize
identity-related criminal activities where appropriate. This has
historically proven effective. Last month, for example, the G-8 Roma/
Lyon Group approved for further dissemination a paper that examines the
criminal misuse of identification information and identification
documents within the G-8 States and proposes ``essential elements'' of
criminal legislation to address identity-related crime. The Identity
Theft Task Force's Strategic Plan also directs the U.S. Government to
identify countries that are safe havens for identity thieves and to use
appropriate diplomatic and enforcement mechanisms to encourage those
countries to change their practices. The Department of Justice has
begun this process, gathering information from a range of law
enforcement authorities. Finally, only by assisting foreign authorities
can we expect them to reciprocate with critical evidence for our own
investigations. The United States can improve international
cooperation, in certain cases, by ensuring that our legislation
provides U.S. authorities with the tools to assist foreign
investigations effectively.
conclusion
As I have attempted to outline for the subcommittee, the Department
has been at the forefront of groundbreaking and historic efforts to
identify, prosecute, and punish the perpetrators of large-scale data
breaches and the associated identity theft and fraud following from
those breaches. In light of the growing sophistication and global scope
of the threat, we are committed to continuing and improving our efforts
to address this conduct. Thank you for the opportunity to provide the
subcommittee with a brief overview of the Department's role in
combating these crimes and the primary issues we must focus on as we
press ahead.
Madam Chairwoman, this concludes my remarks. I would be pleased to
answer any questions that you or other Members of the subcommittee may
have.
Ms. Clarke. I will remind each Member that he or she will
have 5 minutes to question the panel. I will now recognize
myself for questions.
Are we seeing more massive data breaches today, or is the
media simply reporting more?
Ms. Glavin. I think you have a little bit of both. The
media is reporting on it, but what we have seen over the last
several years and in some of the operations specifically I have
referred to in our testimony, including the Shadow Crew
organization, is hundreds of thousands, if not millions, of
personal financial information and identity thefts occurring.
The Operation Firewall, which was both the Shadow Crew
organization and the Carder Market Forum, should demonstrate
that for a number of years this type of data breach has been
happening and that there are hackers all over the world that
are looking to get into systems and slowly take the information
out. It can be over a course of months, if not over a course of
years.
So, yes, the data breaches are occurring and we know that
because of undercover operations we have done and because of
the publicly reported takedowns that we have done that I
mentioned in my testimony. Yes, the media is reporting on those
breaches.
Ms. Clarke. Ms. Glavin, to what extent does the fact that a
company is PCI-compliant help to mitigate criminal activity?
How effective are PCI standards in lowering the risk of being
breached?
Ms. Glavin. Having any security system and uniform
standards are going to help, all right? It is a floor, and it
is a way to begin the process of preventing breaches. That
said, what we look at in terms of those PCI set standards is
you have got to do continual monitoring and you have to do the
testing, because you may have adopted those standards, but
people may already be in your computer system by the time you
have adopted those standards. It is the monitoring and the
testing that is going to help companies see where they have
been breached. We know that hackers are always coming up with
new ways to get into your system. So it is going to be the
monitoring and the testing.
The second thing that the Department would suggest is that
there should be notification through Federal law enforcement
when breaches occur. I know is that something that has been
under subject of much discussion. But that would be an
effective way of dealing with the data breaches on a number of
levels, because we have a sense from our investigations and
prosecutions around the country as to the means that the
hackers used to do this. If we get early reporting, it helps us
get a sense of what is going on such that we can stop it. We
can stamp out, you know, Web sites that are doing this and help
get in front of the problem.
Ms. Clarke. Ms. Glavin, how successful do you think that
the Department of Justice's efforts to combat credit card fraud
will be in the long run if neither improved standards nor
technology and infrastructure changes are realized and there is
no reduction in the amount of cardholder data being lost or
stolen?
Ms. Glavin. This is going to have to be an on-going
partnership. Law enforcement has been there and we are always
going to be there. It is not just within the prosecution of the
Department of Justice. The FBI is always looking at this. The
Secret Service is always looking at this. We are working with
our international partners around the world to have an
international presence such that we are sharing information. We
can't do that alone, and having help from private industry when
they know there have been breaches and reporting that to us, it
is going to help everybody in the long run.
So we can do what we do in terms of watching the
technology, trying to stay on top of the hackers, continually
looking out for these Web sites and carding forums. But we
can't do everything alone. To the extent we get help from the
private sector to stay on top of that, that is important. I
think that the industry that has adopted the PCI DDS, that is a
laudable effort. The question is: Can they continue to evolve
from there?
Ms. Clarke. Just finally, can you please explain the roles
of the Secret Service, FBI, and ICE in investigating
cybercrime, and what are the distinctions between those
investigative units?
Ms. Glavin. Sure. The Secret Service has always been
involved in looking at financial crimes and hackers. What the
FBI brings to the table in addition to the Secret Service is
that they have your counter-intelligence databases, which the
Secret Service may not have. So they can be also checking, on a
much more international level, what is going on around the
world. They also have a presence through their legal attaches
in other countries. So the Secret Service and the FBI both play
critical roles and they both bring different tools to the law
enforcement effort.
Ms. Clarke. Well, thank you very much. I now recognize one
of our new Members on the committee, new Member to the
Congress, the gentleman from New Mexico, Mr. Lujan, for his
questions at this time.
Mr. Lujan. Thank you very much, Madam Chairwoman. Ms.
Glavin, thank you very much for being with us today.
Ms. Glavin. Thank you.
Mr. Lujan. In your testimony you highlight many instances
where there are projects or programs, recent success,
investigations that the Department of Justice has engaged in,
Dark Market carding forum, international hacking ring,
Operation Card Keeper, Iceman, Operation Firewall.
With that being said and with the level of concern that the
Department of Justice has with the level of crime that is
taking place, in this case cybercrime, what standards exist
today for keeping this data secure?
Ms. Glavin. In terms of private industry, the standards
that are out there are the PCI DSS, plus whatever State laws
there are. I mean, a number of States have consumer
notification laws that require financial entities to report
data breaches. Some have law enforcement notification laws.
In terms of Federal regulation, there is not a lot, other
than you are speaking to someone from the Criminal Division,
and I know we have the Title 18 criminal statutes that we use
to prosecute. But in terms of standards across the industry
Federally, such that people are required by law to comply with
a certain set of standards, that is not out there.
Mr. Lujan. So it sounds like what States have done, they
have a reporting mechanism that when there is a breach in
security and data is compromised, that they are required to
notify the consumer that may have been impacted. But with that
being said, in your opinion, are these standards working the
way they are being put together today?
Ms. Glavin. Which industries?
Mr. Lujan. The industry standards.
Ms. Glavin. In terms of whether or not they are working, we
know what reports we get when there has been data breaches and
when industry chooses to tell us; or sometimes we learn about
it from our own investigations and we choose to tell them.
Whether or not they are working, I think the industry
representatives are in the best position to tell you that.
What I can say from the Department's perspective is that if
we are going to do criminal investigations, there is going to
have to be some cooperation between us and private industry so
we can do those investigations, get a sense of the data
breaches and to have cooperation such that they let us know
what is going on.
We have a sense of how it happened, what is out there, and
who may be responsible. As for whether or not they are working,
I think they are a great bottom line to start with. But you
have to be constantly watching, testing them, checking them to
make sure they work, because the hackers are sophisticated
people and they try to stay one step ahead of the industry. The
industry tries to get one step ahead of them, and it is in
everyone's interest that you keep moving ahead.
Mr. Lujan. Ms. Glavin, did I hear you correctly? Did you
say that sometimes the Department of Justice will notify the
companies that there has been a breach, as opposed to the other
way?
Ms. Glavin. Yes. But sometimes that can happen--you know,
if we get information that they may not have, that we may have
access to through the course of our criminal investigations. It
could be a company that may be PCI-compliant, but there was
always something in the system before they got brought up to
compliance.
But, yes, there have been instances that I know of,
investigations where we have learned about information and that
we have informed the company about, that you may want to check
X, Y, and Z.
Mr. Lujan. Thank you very much, Ms. Glavin.
Madam Chairwoman, I know we had a lot of briefings and
discussions with the committee as a whole and the various
subcommittees on the importance and attention that is needed
when it comes to data breaches, especially with the attacks
that we know that are occurring on a regular basis, national
security, as well as financial institutions.
I think that in the same regard, when we are talking about
what the expectations are of the American public with feeling
secure about the data that could exploit them and expose them
to these types of crime, often times without them ever knowing,
is something that we have to take seriously.
So I thank you very much, Madam Chairwoman and Chairman
Thompson, for bringing this to the attention and allowing us to
have a hearing on this today.
Ms. Clarke. Thank you very much, my colleague. I just want
to correct the record, at least vocally, that my colleague's
name is Mr. Lujan.
Mr. Lujan. Thank you very much.
Ms. Clarke. Very well. Some of your responses to my
colleague's questions were a bit troubling to me. The fact that
it could take some time before there is communication around a
vulnerability that is existing within the system, and in that
amount of time transactions can take place that can lead to
financial support for criminal endeavors is something we should
always be concerned about. Time is of the essence, right? If
you are not getting the level of transparency, for whatever
reasons, from the private side--in other words, maybe someone
is ashamed that they met these PCI standards and now they have
found a vulnerability. As you said, it couldn't have been one
that existed there prior to them coming up to code. It is still
important for that information to be shared, notwithstanding
whatever reasons may inhibit someone from doing so. Because,
again, these transactions take place so quickly.
What would you say could expedite the transfers of
information? What do you think would open up private enterprise
to really working with law enforcement on a much more timely
basis, once something is detected, to address it? Do you think
that perhaps some introspection about the PCI standards would
help put them on a higher platform for detection?
Ms. Glavin. The PCI DSS standards--again, as I said before,
I think one of the key components of those standards is going
to be the regularly monitoring and testing. Sometimes these
breaches aren't readily apparent and are hard to detect.
As I have had it described to me, the breaches can
sometimes occur such that the best analogy could be that the
front door of your house gets open and you don't know it.
Slowly over a period of time, someone may take, piece by piece,
all of your house. It could happen over a course of months, and
an entity may not be aware of it.
So immediate notification could be hard in that type of
instance. But regularly monitoring and testing, we hope, would
be a way that they detect it sooner.
In terms of the information sharing, we support an effort
such that there be some type of notification to Federal law
enforcement. How that is done and what particular entity that
is reported to is something that we are happy to work with this
committee on, such that it can happen faster and it gets to the
law enforcement entities that have been in the forefront of
this, such as the FBI and the Secret Service. But it is
immediate notification when you see the data breach. Yes, that
is something that we would like. But sometimes it is not always
easy that you are going to find that data breach right away.
Ms. Clarke. Ms. Glavin, I want to thank you for sharing
with us your perspective on the PCI standards and the payment
card industry and its relationship to cybercrime. I want to
thank you for sharing your expertise with us. We look forward
to working with you further as we look for ways to strengthen
this part of our concern with regards to the threats that
exist, the vulnerabilities that may exist within the payment
card industry. Thank you very much.
Ms. Glavin. Chairwoman Clarke, thank you very much. We look
forward to working with you.
Ms. Clarke. Thank you. I would like to acknowledge the
work, Ms. Glavin, of your senior counsel, Kim----
Ms. Glavin. Kim Paretti.
Ms. Clarke [continuing]. Kim Paretti in this field, and I
would like to thank her and her colleagues for their service.
Ms. Glavin. They have done excellent work.
Ms. Clarke. We appreciate it.
The Members of the subcommittee may have additional
questions for the witness and we will ask you all to respond in
writing to those questions.
At this time, the first panel is dismissed and the
Chairwoman calls out the next panel.
I welcome the second panel of witnesses. Our first witness
is Robert Russo, Director of the Payment Card Industry Data
Security Standards Council. Welcome.
Our second witness is Joseph Majka, Head of Fraud Control
and Investigation, Global Enterprise Risk for Visa.
Our third witness is Michael Jones, Chief Information
Officer for Michaels Stores.
Our fourth witness is Dave Hogan, Senior Vice President and
Chief Information Officer for the National Retail Federation. I
thank you all for being here today.
Without objection, the witnesses' full statements of Andrew
Cochran, an expert on terrorism financing, and Kirsten Trusko
on behalf of the Network Branded Prepaid Card Association will
be inserted into the record. Hearing no objection, so ordered.
[The information follows:]
Statement for the Record Submitted by Andrew R. Cochran, Founder and
Co-editor, The Counterterrorism Blog
March 31, 2009
Chairwoman Clarke, Ranking Member Lungren, and Members of the
committee, I appreciate the opportunity to submit a written statement
on the subject of terrorists' use of credit cards for this important
hearing. I am the founder and co-editor of The Counterterrorism Blog,
the first multi-expert internet-based center dedicated solely to
reporting and analyzing terrorist attacks and counter-terrorism
policies. Now in its fifth year of operation, The Counterterrorism Blog
is a highly respected source of objective information and analysis in
the counter-terrorism community. Our Contributing Experts work in non-
governmental organizations and private businesses worldwide, and
include over 20 noted experts, including Evan Kohlmann, Douglas Farah,
Dennis Lornel, Walid Phares, Animesh Roul, Farhana Ali, and Matthew
Levitt. In addition to earning the plaudits of law enforcement,
intelligence officials, Members of Congress, and the news media, our
credibility is evidenced by the fact that al Qaeda attacked us by name
on Al-Ekhlaas, one of its central messaging forums, last April.\1\ You
can find us on the internet at http://counterterrorismblog.org/, and
you can e-mail me.
---------------------------------------------------------------------------
\1\ ``Al Qaeda Officially Hates The Counterterrorism Blog,'' April
16, 2008, at http://counterterrorismblog.org/2008/04/
al_qaeda_officially_hates_the.php.
---------------------------------------------------------------------------
Our Contributing Experts have reported often on terrorists' use of
stolen credit card information, and they speak often about the subject.
On February 29, 2008, I chaired a special panel, ``Meta-Terror:
Terrorism and the Virtual World,'' with two Contributing Experts (Evan
Kohlmann and Roderick Jones) and the senior vice president and chief
technology officer of VeriSign.\2\ During that event, our discussion
included how a senior al Qaeda operative financed operations through
the use of stolen credit card information. Dennis Lormel, who founded
and ran the Terrorist Financing Operations Section at the FBI and
investigated the financing of the
9/11 attacks, has several posts on terrorists' use of credit cards.\3\
Matthew Levitt and Contributing Expert Michael Jacobson cited the use
of credit card fraud to finance two deadly attacks in a New Republic
article this year.\4\ I invite the committee to review the cited works
in detail, and I will quote from and/or summarize their main points for
the committee's consideration as follows:
---------------------------------------------------------------------------
\2\ Complete transcript at http://counterterrorismblog.org/2008/03/
event_transcript_and_related_l.php.
\3\ ``Terrorists and Credit Card Fraud . . . a Quiet Epidemic,''
February 29, 2009, at http://counterterrorismblog.org/2008/02/
terrorists_and_credit_card_fra.php, and ``Credit Cards and
Terrorists,'' January 16, 2008, at http://counterterrorismblog.org/
2008/01/credit_cards_and_terrorists.php.
\4\ Summarized in ``Drug Wars,'' Michael Jacobson, January 27,
2009, at http://counterterrorismblog.org/2009/01/drug_wars.php.
---------------------------------------------------------------------------
1. Credit cards are extremely vulnerable to fraud and are used
extensively by terrorists. The internet not only serves as a
learning tool for terrorists but also functions as a mechanism
to steal credit card information through hacking, phishing, and
other means. In many instances, when terrorist operatives are
apprehended, they have multiple identifications and credit
cards in a variety of names in their possession.
2. The terrorists who executed the devastating 2004 Madrid train
bombings, which killed almost 200 people, and who carried out
the deadly July 7, 2005, attacks on the transportation system
in London were self-financed, in part through credit card
fraud.
3. Imam Samudra was a key operative of the al Qaeda-linked
terrorist group Jamaah Islamiah in Indonesia, and was the
mastermind behind the Bali nightclub bombings in 2002 which
killed over 200 people. While in prison in 2004, he wrote a
jailhouse manifesto, with a chapter, entitled ``Hacking, Why
Not.'' In it, he urged fellow Muslim radicals to take holy war
into cyberspace by attacking U.S. computers. Samudra described
America's computer network as being vulnerable to hacking,
credit card fraud, and money laundering. Samudra discussed the
process of scanning for Web sites vulnerable to hacking and
then discussed the basics of on-line credit card fraud and
money laundering. Interestingly, in 2004, Indonesian police
asserted that Indonesia had more on-line credit card fraud than
any country in the world.
4. Younes Tsouli, aka ``Terrorist 007,'' and his two associates,
Waseem Mughal and Tariq al-Daour, used computer viruses and
stolen credit card accounts to set up a network of
communication forums and Web sites that hosted everything from
tutorials on computer hacking and bomb making to videos of
beheadings and suicide bombing attacks in Iraq. They raised
funds through credit card information theft and fraud, which
were used to support the communications, propaganda, and
recruitment for terrorists worldwide, as well as to purchase
equipment for Jihadists in the field. One expert described
their activities as ``operating an on-line dating service for
al Qaeda.'' The three men pled guilty to inciting terrorist
murder via the internet.
Set forth below is a snapshot of the extent of credit card
information theft and fraud they were responsible for:
Stolen credit card numbers and identities were used to buy
Web hosting services. At least 72 stolen credit card accounts
were used to register more than 180 Web site domains at 95
different Web hosting companies in the United States and
Europe.
On one computer seized from al-Daour's apartment, some
37,000 stolen credit card numbers were found. Alongside each
credit card record was other information on the identity theft
victims, such as the account holder's address, date of birth,
credit balances, and limits.
More than $3.5 million in fraudulent charges were made using
credit card accounts stolen via on-line phishing scams and the
distribution of ``Trojan horses.''
The men purchased sophisticated equipment needed by
jihadists in the field and other operational resources,
including hundreds of prepaid cell phones, and more than 250
airline tickets using 110 different credit cards at 46 airlines
and travel agencies.
They laundered money through on-line gambling sites, using
accounts set up with stolen credit card numbers and victims'
identities. The trio conducted 350 transactions at 43 different
on-line wagering sites, using more than 130 compromised credit
card accounts.
The terrorists apparently obtained some stolen data through
contacts with Russian-based criminal gangs, and they traded this
information with criminal syndicates. In the 1990's, al Qaeda would
steal a handbag to get one credit card to raise funds. Now they will
just buy this data on-line and get thousands of credit card details.
Once credit card information winds up in the hands of criminal
syndicates, it can be easily transmitted to terrorists.
5. The Liberation Tigers of Tamil Eelam (LTTE), a.k.a. the ``Tamil
Tigers,'' use credit card fraud as an international means of
financing terrorist activities. Four men, believed to be
associated with the Tigers, were arrested this year in Toronto
on charges of debit and credit card fraud for possessing
numerous gift cards containing bank account and debit
information from individuals in the United Kingdom. Further
investigation found laptop computers and memory sticks
containing bank information for thousands of U.K. bank
customers. A massive credit and debit card fraud case in the
United Kingdom, involving up to 200 British gasoline stations,
is apparently another Tamil Tigers operation. The alleged
subjects obtained credit and debit card information at gasoline
pumps through the use of skimming machines, with the loss was
estimated to be as much as $72,000,000.
I look forward to reviewing the committee's review into the
effectiveness of the PCI standards to reduce data breaches, identity
theft, and the potential funding of terrorism, and I stand ready to
assist the committee in that mission.
______
Statement for the Record Submitted by Kirsten Trusko, on Behalf of the
Network Branded Prepaid Card Association
March 31, 2009
Chairwoman Clarke and Members of the subcommittee, I am Kirsten
Trusko, President and Executive Director of the Network Branded Prepaid
Card Association (``NBPCA'' or Association''). We are a non-profit
trade organization, which seeks to serve consumers, businesses, and
Government through unique applications of network branded prepaid
cards, and in doing so supports the growth and success of network
branded prepaid cards. We represent the common interests of the many
players in this new and rapidly growing payment category. The NBPCA's
members include banks and financial institutions, the major card
networks, processors, program managers, marketing and incentive
companies, card distributors and law firms. For additional information
about our organization, may we suggest you visit our Web site,
www.NBPCA.com. I am delighted to submit factual information that we
hope will help to address your questions on a topic that is of utmost
importance to our members: accurately understanding and mitigating the
potential risks posed by network branded prepaid cards.
This document is designed to outline the following topics, at a
high level. Should you have follow-up questions, please let us know.
1. What is a network branded prepaid card and how does it differ
from other cards?
2. Why is this card type growing and popular (including quotes from
the Federal Reserve and Office of the Comptroller)?
3. What are the facts to correct misperceptions about network
branded prepaid cards?
4. How are NBPCA's members working with legislators, regulators,
and law enforcement to mitigate the potential for misuse of the
cards?
i. what are ``network branded prepaid cards''?
We hope to clarify some misconceptions by being clear about the
facts.
First, there are many types of plastic, magnetic-striped
cards that are all called ``prepaid.'' That is, before one uses
the card to make a purchase, one must pre-pay the funds, which
are held by a bank. The cardholder uses the cards to gain
access to the funds. You cannot spend a $50 gift card, for
example, until the $50 has been paid in advance.
However, not all prepaid cards are ``network branded.''
Network branded cards (sometimes referred to as ``open loop''
or ``open system'' cards) are issued by regulated financial
institutions, carry the brand of a major card network (such as
American Express, Discover, MasterCard or Visa) on the front of
the card, and are generally \1\ usable anywhere that brand is
accepted. Some network branded prepaid cards are also usable at
ATMs to obtain cash for limited daily amounts.
---------------------------------------------------------------------------
\1\ We say ``generally'' because some network branded prepaid cards
have specialized usage which creates some limitations. For example,
``teen cards'' are designed so that they cannot be used in liquor
stores, and health cards may have restrictions to health-only merchants
and/or purchases.
---------------------------------------------------------------------------
Although many network branded prepaid cards display the word
``DEBIT'' on the front of the card, they are not ``debit
cards'' in the classic sense of the word. That is, network
branded prepaid cards are not linked to an individual's
personal checking, savings, or other bank account. Instead, the
funds are held in pooled bank accounts with data that links
each card to the cardholder's funds. This distinction enables
the under-banked population to use these cards to receive child
support, unemployment, and other funds that are essential to
daily life, transaction that are very difficult to administer
on a cash-only basis.
Network branded prepaid cards are also separate and distinct
from ``retailer gift cards'' (sometimes referred to as ``closed
loop'' cards). Retailer gift cards are not issued by a
financial institution and can only be used at one location (or
at one chain of affiliated locations). Retailer gift cards are
issued by a restaurant, store, hotel, or other retail service
provider solely for use to purchase goods or services at the
issuing retailer's establishment.
Attached to this testimony are pictures of some popular
network branded prepaid cards issued by our members.*
---------------------------------------------------------------------------
* The information referred to has been retained in committee files.
---------------------------------------------------------------------------
ii. why have network branded prepaid cards become so popular?
Network branded prepaid cards are a relatively new and growing
product, largely developed in response to market needs not being met by
other card types. They enable electronification of payments and the
supporting data trail, to capture what was previously transacted with
check or cash. They support specific applications by customer need
(e.g. the under-banked consumer as mentioned earlier) and help to
reduce costs and provide a better accounting/data trail for businesses
and Government than when using cash or checks.
The popularity of network branded prepaid cards is attributable to
their unique ability to address cardholder needs in a variety of
situations including health care, disaster relief operations, payroll,
Government benefit payments, and gifting.
The benefits that network branded prepaid cards provide was noted
in an article published by the Philadelphia Federal Reserve Bank's
Payment Card Center:
``The benefits that open-system prepaid cards offer for consumers,
providers, and issuing banks contribute to the increased adoption of
these payment applications. Consumers use these cards to pay bills,
make purchases, and access cash from ATM networks. Prepaid cards can
also be used to secure car rentals and to make hotel and air travel
reservations. At the same time, holders of prepaid cards need not
secure a traditional banking relationship nor gain approval for a
deposit account or revolving credit. Prepaid card providers may be
nonbank third parties, such as employers and payroll processing
companies, that can use prepaid cards as a means to convert paper
disbursements, such as payroll checks, benefit claims forms, travel
checks, gift certificates, and government checks, to less costly
electronic payments. Finally, bank card issuers have an opportunity to
serve a broader set of consumers. By offering prepaid cards, issuing
banks may meet the financial needs of consumers who may not otherwise
qualify for more traditional banking products, and these banks may do
so with a card-based electronic payment application that essentially
eliminates credit risk for the bank. (Cheney and Rhine, Prepaid Cards:
An Important Innovation in Financial Services, Philadelphia Federal
Reserve Bank Payment Center (Originally published in conjunction with
the American Council on Consumer Interests (ACCI) (July 2006)).''
Additionally, the Office of the Comptroller of the Currency, in a
July 2005 report, (http://www.occ.treas.gov/cdd/payrollcards.pdf)
compared the cost of network branded prepaid payroll cards versus the
alternatives available to the under-banked, noting the following
benefits:
Benefits to Employers
Reduced bank processing fees and check handling fees;
Reduced check printing costs;
Reduced likelihood of check fraud;
Reduced check reconciliation costs;
Increased employee productivity (e.g., not needing time off
during work to cash or deposit paycheck);
Reduced lost/stolen check replacement costs.
Benefits to Employees
Reduces or eliminates check cashing fees;
Offers ability to make purchases using credit card networks;
Offers 24-hour access to funds via ATMs; no need to wait in
lines;
Reduces the need to carry a lot of cash;
Makes money transfers more easily available to families;
Provides a pseudo-bank account--funds do not need to be
withdrawn entirely as with using a check casher;
Please refer to Table 5 in the OCC report as it documents
their comparison of consumer costs across Payroll card, Check
Casher, and Basic Bank account, reflecting Payroll card as the
option least costly to the consumer.
iii. misunderstandings/myths about network branded prepaid cards.
Despite the many benefits of network branded prepaid cards, aspects
of these products are misunderstood. This may be because organizations
not typically associated with financial products are sometimes involved
in the creation and distribution of network branded prepaid cards. For
example, some network branded prepaid cards are available through non-
traditional distribution channels such as supermarkets and drug stores.
Misconceptions about network branded prepaid cards, which have gained
currency through repetition, have the potential to affect the industry
negatively--particularly with respect to issues relating to money
laundering risks. My testimony today addresses several major
misconceptions by providing factual information that supports a fair
and accurate assessment of money laundering risks associated with
network branded prepaid cards. Here are some misunderstandings about
network branded prepaid cards:
Myth No. 1: Prepaid cards are unregulated or loosely regulated.--
Every network branded prepaid card (i.e., those carrying the logo of
American Express, Discover, MasterCard, or Visa) is issued by a highly
regulated financial institution or other regulated organization. As
such, network branded prepaid cards are subject to exam, review, and
oversight. For example, the FFIEC BSA/AML Bank Examination Manual (July
2006) sets forth specific requirements for examining banks regarding
their ``electronic cash'' products (which encompasses ``stored value'')
including OFAC screening, transaction testing, and monitoring for
suspicious activity. In addition, many prepaid card program managers,
distributors, and organizations that perform specific functions
relating to processing or distributing network branded prepaid cards,
are regulated by State banking departments as money transmitters or
check sellers. As such, they also are subject to exam, review, and
oversight. State regulators are increasingly requiring money
transmitters to:
(1) Register as Mobs with FinCEN,
(2) Have AML policies that address customer due diligence, OFAC
screenings, and suspicious activity monitoring, and
(3) Have independent reviews of their AML policies.
Altogether, there are over 50 laws/regulations that apply to
network branded prepaid cards. The applicability of these laws/
regulations depends on a number of factors including the charter of the
financial institution issuer.
Myth No. 2: Prepaid cards are ``ideal'' for money laundering.--
Network branded prepaid cards are actually less useful for money
laundering than many other payment products for the following reasons:
The value associated with network branded prepaid cards
issued in the United States consists of funds held in a bank
account in the United States. These funds can--at any time--be
frozen by the card issuer and/or forfeited entirely. Unlike
``bearer instruments'' or chip-based cards, where whoever holds
the product also holds the value, network branded prepaid cards
keep the value separate, making the products less attractive to
criminals.
All network branded prepaid cards are processed through an
on-line system that requires electronic authorization from the
payment network prior to completing a purchase transaction at
the point of sale or obtaining cash from an ATM.
The system enables card issuers to decline an authorization
and/or to cancel the ability to use a prepaid card. The ability
of the card issuer to terminate a card's usefulness, without
requiring possession of the card, is critical--and is a feature
not shared by most traditional payment products. The on-line
system tracks and records every use of every network branded
prepaid card. Unlike paper payment products (such as checks,
travelers checks, money orders, and cash), network branded
prepaid cards leave a traceable trail of use including place,
time, date, amount, and often the nature of the transaction.
This trail has already assisted law enforcement in tracking
illicit activity through use of prepaid cards.
If a network branded prepaid card issuer identifies unusual
or suspicious activity, the card can be blocked from further
use. Card programs routinely monitor card activity and, as
appropriate, file suspicious activity reports (SARs) or notify
law enforcement.
Myth No. 3: Network branded prepaid cards can be both anonymous and
permit ATM access, with liberal load limits or no limits on the amount
of cash that can be accessed.--Today, ``anonymous'' (meaning that no
identifying information is obtained from the purchaser and verified)
network branded prepaid cards are limited to the gift or reward card
category (although many network branded gift/reward cardholders are
identified and verified as well). Such anonymous gift/reward cards have
significant restrictions that minimize risk of misuse such as a
relatively low maximum dollar value, no ability to access cash through
ATMs, and no ability to load additional funds after the initial funds
are depleted. In addition, some issuers restrict usage of anonymous
cards to the United States.
Myth No. 4: Prepaid card issuers do not require Customer
Identification Programs (CIP) nor OFAC screening for individual prepaid
cardholders.--Reloadable, cash-accessible network branded prepaid cards
are not available anonymously. Issuers routinely subject individuals
purchasing such cards to CIP and OFAC screening, to the same extent as
is required for financial institutions opening ``accounts'' under the
Bank Secrecy Act. These verification and screening procedures are
identical to those conducted when any on-line bank account is opened.
Myth No. 5: A consumer can use cash to purchase a high-value,
reloadable network branded prepaid card from a j-hook and use it
anonymously.--When a consumer purchases a reloadable network branded
prepaid card from a j-hook in a retail location, a process called
``activation'' is typically required before the cardholder may use the
card for a purchase or to access cash. In other words, although the
consumer may purchase the card without identity verification, he/she
may not use the card until the identity verification process is
complete. The activation process typically involves the cardholder
telephoning the card issuing financial institution (or a specialized
organization with which the issuer has contracted) and providing
personal identification information. The financial institution then
verifies various elements of customer information including name,
address, Social Security Number, and/or date of birth using a third-
party authentication system such as Experian, Lexis-Nexis, or Equifax--
just as they would a bank account. The issuer also screens customers
against the OFAC Specially Designated Nationals list. If the cardholder
does not ``pass'' this process, the card is either not usable or not
reloadable.
iv. the nbpca's anti-money laundering recommended practices
In February 2008, the NBPCA released its ``Recommended Practices
for Anti-Money Laundering Compliance for U.S.-based Prepaid Card
Programs.'' The document provides recommendations for all network
branded prepaid card industry participants to support compliance with
the U.S. Bank Secrecy Act (BSA) anti-money laundering (AML) program
requirements. It recommends how to implement internal controls, monitor
and manage third parties involved with prepaid card processes and
mitigate risks associated with money laundering.
To ensure the document addresses the questions and concerns of law
enforcement and Government agencies, the NBPCA has and will continue to
maintain an open dialogue with Federal, State, and local regulatory
agencies as well as law enforcement officials. The document address
risks identified through information sharing between the industry and
critical agencies that monitor financial crime. ``Recommended Practices
for Anti-Money Laundering Compliance for U.S.-based Prepaid Card
Programs'' is a practical guide to setting up, implementing, and
auditing a compliance program. It covers the following areas:
1. How to conduct a risk assessment.
2. How to establish a set of internal controls to achieve
compliance with AML program requirements of the BSA.
3. Federal reporting requirements and red flags to look for with
respect to suspicious activity.
4. Adopting and implementing programs to comply with know your
customer requirements.
5. Reducing risk when working with non-financial institutions,
third-party agents, and processors.
6. How to implement independent compliance testing.
7. Training program guidelines for key personnel.
The NBPCA has made ``Recommended Practices for Anti-Money
Laundering Compliance for U.S.-based Prepaid Card Programs'' available
to anyone in the prepaid card industry. The report, which can be
downloaded from the NBPCA Web site at www.nbpca.com, has been widely
praised and was well-received both by Government and private entities.
v. the nbpca's role on the bank secrecy act advisory group (bsaag)
In 2008 the NBPCA was selected for membership in the Bank Secrecy
Act Advisory Group (BSAAG), a group made up of industry
representatives, regulators, and law enforcement, implemented by an act
of Congress. BSAAG's role is to advise the Department of Treasury's
Financial Crimes Enforcement Network (FinCEN) on matters related to
anti-money laundering risks and Bank Secrecy Act compliance. In
addition to its role on BSAAG, the NBPCA co-chairs the Stored Value
Subcommittee, a subcommittee focused on the potential risks presented
by prepaid cards and the ways to mitigate those risks.
vi. risks presented by data security breaches
Data security breaches and the misuse of consumer account
information by criminals and money launderers is an increasing problem
for the U.S. payment system. Because network branded prepaid cards use
the same card payment infrastructure as credit cards, prepaid
cardholders can be victims of such data security breaches. However,
because prepaid cards are not connected to an individual's bank account
or credit card accounts, the risks posed by such data breaches tend to
be far less for prepaid card issuers than they are for credit and debit
card holders. This is one of the reasons consumers who also use credit
and debit cards, are attracted to prepaid card use as any breach of the
card limits access to only the balance available on the card. And of
course, like credit and debit cardholders, most network branded prepaid
card holders are protected against losses from unauthorized use, thanks
to the card brands' ``zero liability'' policies which are incorporated
into the payment network operating regulations governing issuers.
vii. conclusion
Network branded prepaid cards are a new and valuable payment
product for consumers, businesses, and Government. As with any payment
product, network branded prepaid cards can be misused by the criminal
element. Nevertheless, the NBPCA has long encouraged practices that
reduce the opportunities for prepaid cards to be used in illicit
activities. Prepaid cards are vital and important products which serve
a substantial number of people, including those that are under-banked
and would have no other connection to the banking infrastructure so
critical to daily life in the United States. The NBPCA continues to
support national and international efforts to combat money laundering,
terrorist financing, and financial crime. We are also committed to
ensuring that our products are available to help consumers and
businesses maintain access to the payment system, have secure and
protected payment products, and reduce costs and inefficiencies for
consumers, businesses, and government.
Ms. Clarke. I now ask each witness to introduce yourself
and summarize your statement for 5 minutes beginning with Mr.
Russo.
STATEMENT OF ROBERT RUSSO, DIRECTOR, PAYMENT CARD INDUSTRY DATA
SECURITY STANDARDS COUNCIL
Mr. Russo. Thank you, Chairwoman Clarke. Thank you for the
opportunity to testify on the critical issue of payment card
data security. Payment card fraud concerns every American and,
in a global economy, every consumer worldwide. The payment card
system is one that manages billions of transactions
representing trillions of dollars moving across a global
network. Reducing payment card fraud and constantly innovating
to stay ahead of it is a critical challenge.
The PCI Security Standards Council was formed in 2006 just
for that purpose. Our mission is to protect cardholder data
from criminal elements who constantly manufacture new and
inventive ways to compromise security systems.
At the center of our efforts to do this are three
standards. Let me tell you about each.
First, the PCI Data Security Standard, or the DSS, is a set
of 12 security practices based on six core principles. The DSS
covers everything from securing applications, to networks, to
their perimeters, to maintaining an incident response plan.
Second, our payment application data security systems is
designed to ensure that payment applications, which are found
in many retailers, are not storing sensitive payment card data.
Third, the PIN security requirements ensure that the PIN
entry devices, devices that you may see at a checkout line to
enter your PIN number, have been designed to properly encrypt
the customer's PIN and are tamper-proof.
But new threats continue to emerge. That is why development
and review of the PCI standards is a critical process and why
the PCI Security Standards Council takes it seriously. We
engage our community of participating organizations, more than
500 merchants, processors, financial institutions, technology
companies, Government, academia, and trade associations
worldwide to ensure our standards meet the latest threats, and
when new threats emerge we have mechanisms to take swift
action.
These include regular updates to our testing procedures,
monthly Webinars with both assessors and merchants; flash
bulletins on emerging threats; as well as on-going updates to
the standards themselves.
Our goal is simple: To have every organization that stores,
processes or transmits cardholder data do so in accordance with
the PCI standards. I have no doubt that compliance with the PCI
standards is an entity's best line of defense against payment
card data compromise. In fact, we have never found a breached
entity to have been in full compliance with the PCI standards
at the time of a breach.
But we also recognize that the dynamic nature of any
organization can render a validated system noncompliant almost
immediately after a satisfactory compliance report has been
issued. Effective security is not a one-time snapshot, but
really a full-length feature film where the organization is
compliant at each and every frame.
No standard is perfect. But the PCI security standards have
proven to be the most effective means of preventing data
breaches and protecting consumers.
One final point. In order to assist organizations with
maintaining and achieving compliance with our standards, the
Council provides a wide range of resources. For example, the
on-going training, approval and quality assurance of qualified
security assessors; a worldwide network of professionals that
conduct on-site compliance assessment; the validation of a
worldwide network of approved scanning vendors who do remote
scanning of networks, secure them against network threats; and
finally, an education program that includes printed materials,
on-line resources, Webinars and face-to-face training sessions.
Payment card fraud is a serious concern demanding a
serious, continuous and vigorous response. The PCI Security
Standards Council has made its sole mission the securing of
cardholder data.
Thank you and I look forward to answering your questions.
Ms. Clarke. Thank you for your testimony.
[The statement of Mr. Russo follows:]
Prepared Statement of Robert Russo
March 31, 2009
introduction
Chairwoman Clarke, Ranking Member Lungren, Members of the
subcommittee, thank you for the opportunity to testify on the important
issue of payment card data security.
My name is Bob Russo and I am the general manager of the PCI
(Payment Card Industry) Security Standards Council. The Council is an
industry standards body responsible for developing security standards
that merchants (such as retailers, transportation companies, hotels,
etc.) and payment card transaction processors use to protect customers'
payment card data as it is stored, processed, or transmitted from the
point of sale to the card issuer for authorization and subsequent
processing.
Payment card fraud is something that concerns all of us, both
businesses and consumers alike--from the pizza shop down my street to
the country's largest retailers; from a single parent who manages the
household finances to the businesswoman who conducts trade globally.
For the consumer, having one's card data stolen can be an inconvenient
and stressful experience, even though here in the United States the
consumer normally bears no liability for any ensuing fraudulent
transactions. It is also very costly for financial institutions that
have to mitigate the damage associated with a payment card compromise,
and for businesses that can lose customer confidence and suffer damage
to their reputations. Data theft impacts everyone in the payment
stream.
The PCI Security Standards Council was formed with the intent of
providing tools and resources to protect payment card data from all
threats, regardless of motivation. In the less than 3 years since our
formation, we have made tremendous strides toward this goal--and our
efforts continue. We welcome the subcommittee's interest in the topic
of payment card data protection, and appreciate the Government's on-
going commitment to understanding and exploring the initiatives
underway to contain and reduce fraud for consumers and businesses
globally. We look forward to working with the subcommittee to continue
to reduce payment card data compromise and invite the subcommittee to
use the Council as a resource as it develops policies to combat
cybercrime.
My testimony today will cover the background and history of the
Council, how we came about, what we seek to do and with whom we work to
develop and maintain the standards in a dynamic security environment. I
will also detail some of the tools and resources we have made available
to the market to enable businesses to secure payment card data wherever
it is processed, stored, or transmitted.
about the pci security standards council
The PCI Security Standards Council, LLC is a global forum for the
on-going development, enhancement, dissemination, and implementation of
security standards for payment card data protection.
The Council was founded in September 2006 by the five major payment
card brands: American Express, Discover, JCB, MasterCard, and Visa.
Together, these five brands represent the vast majority of payment card
transactions both Nation-wide and globally. In coming together, these
organizations agreed to work together to develop and recognize one set
of data security standards to protect payment card data that is stored,
processed, or transmitted.
Prior to the formation of the Council, each of the payment card
brands developed their own set of requirements to ensure that the data
of those carrying their respective cards was maintained in a secure
fashion. Consequently, retailers and other merchants expressed
frustration at the challenges of securing payment card data in a way
that was not universally recognized by all the payment card brands with
which they did business. Organizations involved in the payment process
also highlighted their desire for a mechanism to contribute to the
payment card data security agenda and to provide input and gain insight
into the security standards they would be using. It is for this reason
that broad participation and transparency are core tenets of the
Council's operating principles.
The Council is but one example of the hundreds of private sector-
based entities that have been formed to develop voluntary consensus
standards across virtually all branches of industry to serve new needs
as they arise, thereby helping to ensure that businesses can conduct
their operations responsibly at home, and competitively around the
globe. This private sector role in standards development was mandated
by Congress in 1995 by its enactment of the National Technology
Transfer and Advancement Act (Pub. L. 104-113) (``the Act''). The Act
requires Government agencies to dramatically decrease the creation and
use of ``Government-unique'' specifications in their procurement
activities, and instead rely on voluntary consensus and private sector
standards whenever possible, as well as to report, via the National
Institute of Standards and Technology, their compliance with this
directive. In 1998, the Office of Management and Budget (OMB) updated
Circular A-119 to provide additional guidance to the Federal agencies
on implementing the Act. Under the Act, Government agencies are
requested to participate in developing voluntary consensus private
sector standards to the extent that their resources allow. Consistent
with this mandate, several governmental entities participate in the PCI
Security Standards development process.
the council's mission
The mission of the PCI Security Standards Council is to enhance
payment card data security by developing and maintaining appropriate
security standards and related tools, and driving education and
awareness of the critical importance of data security. Even though the
Council is a business-focused organization, this mission has at its
heart the protection of consumers. The Council works to provide the
necessary tools and resources that organizations should use to protect
their customers' payment card data successfully.
As discussed below, the Council achieves this end by enabling a
sophisticated, global security infrastructure based upon five highly
specialized and important mechanisms:
1. Standards for implementation by both those that store, process,
and transmit payment card data, as well as those that sell the
devices and other equipment that access and transmit such data.
2. Approval, training, and on-going quality assurance of a
worldwide network of ``Qualified Security Assessors'' (QSAs)
that conduct on-site assessments to determine whether those
with access to payment card data are in compliance with
applicable Council standards.
3. Approval, training, and on-going quality assurance of a
worldwide network of ``Approved Scanning Vendors'' (ASVs) that
conduct remote scanning of networks to determine whether those
networks are secure against most network-based attacks.
4. Training and approval of laboratories that can in turn approve
certain products to be in adherence with applicable Council
standards.
5. Training and education of payment process participants through
classroom sessions, collateral material and webinars, so they
are aware of the importance of protecting payment card data
from emerging threats and can actively participate in
protecting themselves and their customers from attacks.
how the council differs from other parties in the payment chain
As a standards body, the Council is responsible for developing and
maintaining the security standards and other tools necessary to protect
payment card data within the payment process. The Council publishes
these standards for anyone to access but specifically for the payment
card industry's use in security and compliance programs. It is
important to distinguish between this role as standards custodian and
industry body from those organizations that may validate compliance or
enforce compliance through rules, rewards, or actions against parties
not yet compliant with applicable security standards.
The Council does not validate the compliance of any entity or
vendor with its core standard, the PCI Data Security Standard (``PCI
DSS''). Indeed, like any other organization that develops voluntary
consensus standards, it does not have the authority or mechanisms to
enforce compliance to its standards. Consequently, the Council does not
run standards compliance programs. Instead, each payment card brand
maintains its own compliance programs based upon the Council's
standards, adding their own stipulations and requirements for
demonstrating compliance for those businesses that must comply.
Therefore, the Council has no direct business relationships with those
entities that store, process, or transmit payment card data, and does
not have the responsibility or contractual right to validate
compliance, enforce, or levy fines for non-compliance with the security
standards that it publishes. Each of these roles is performed by the
payment card brands.
the council's stakeholders
In order to be certain that the Council's standards are as clear
and comprehensive as possible, we seek input from a wide range of
stakeholders as part of the standards development process. For
instance, the Council's Participating Organization program is open to
any organization involved in the payment chain--merchants, banks,
processors, Government, and academia. To date, more than 500 leading
national, regional, and global players are part of this effort.
Participating Organizations provide the Council with real world
insight and experience in deploying security standards in the field,
and have deep understanding of the challenges and threat vectors that
security standards must address. Together, these Participating
Organizations represent the people who are responsible for securely
handling and defending consumers' payment card data against attack on a
daily basis, and therefore provide a valuable resource in feeding
front-line threat information into the Council.
From among the Participating Organizations, a smaller group of 21
representatives are seated as the Council's Board of Advisors every 2
years through an open election and appointment process. Two-thirds of
the Board of Advisors are elected, with the remainder appointed to
ensure adequate geographical and industry representation. These
organizations act as spokespersons for their respective industries and
regions and ensure that the Council is able to partner with industry at
a very detailed and actionable level in the standards-setting process.
The Board of Advisors is a critical enabler in our mission to secure
businesses' payment processes and consumers' payment card data
globally.
Our current Board of Advisors is composed of leaders in their
respective industries such as Wal-Mart Stores, Inc., Microsoft, PayPal,
First Data Corporation, and British Airways. The Board has worked
tirelessly with the Council over the past 2 years to highlight areas of
need in the market, and to devise educational resources that are of
immediate benefit to organizations looking to improve their security.
I want to recognize here for the record the hard work of our
Participating Organizations and Board of Advisors, all of whom
contribute to the Council's security standards in an entirely voluntary
capacity.
In addition to our Participating Organizations, the Council's QSA
and ASV communities, together numbering more than 250 companies
worldwide, provide valuable insight from the front lines of examining
merchants and processors systems. QSAs and ASVs are able to provide
feedback on where the implementation challenges lay and when common
security vulnerabilities appear. The Council is in constant two-way
communication with this group through webinars, newsletters, and, of
course, the Council's annual QSA and ASV retraining and examination
processes.
the pci security standards
The Council's security standards--the tools it makes available for
use by public and private sector entities to secure payment card data--
are designed to protect specific parts of the payments process. The
Council is constantly looking for new ways to secure the payment
process and maintains a dialogue with its Board of Advisors and other
industry stakeholders to bring new resources to the market to further
protect consumer's payment card data. As a result, since its inception
in 2006, the Council has assumed management responsibility for several
payment security standards in addition to the more-well known PCI DSS,
with the mission of increasing payment card data security. I'd like to
give a brief overview of the standards the Council currently manages
and updates:
PCI Data Security Standard
The PCI Data Security Standard is a set of 12 detailed requirements
designed around six principles fundamental to securing payment card
data. At the heart of this standard is the requirement that
organizations do not store sensitive payment cardholder information
typically contained in the magnetic stripe on the back of the payment
card. This is the information that criminals want to steal to create
counterfeit cards. The fundamental principle of the PCI DSS is that
organizations must not store sensitive data. Where information such as
the Primary Account Number (PAN) or expiration date is stored, it must
be rendered unreadable. This generally means that it must be truncated,
hashed, or encrypted, so that unauthorized access to such data will be
of limited use to a criminal.
Along with these fundamentals, the very detailed requirements of
the PCI DSS cover areas ranging from securing applications, networks,
and perimeters to maintaining up-to-date security patches and anti-
virus software, to things like developing and maintaining an incident
response plan and processes for an organization to follow in the event
of a breach.
The Payment Application Data Security Standard (PA-DSS)
The Council developed this standard after feedback from our
Participating Organizations and member brands indicated that software
applications represented a point of weakness in the payment chain.
These payment applications range from touchscreen applications you
might see used in a restaurant, to point-of-sale software used in
ticketing kiosks in museums and theme parks. Unless otherwise required
by the customer demanding PA-DSS compliance, some of these payment
applications may be designed to store sensitive payment card data
thereby undermining an organization's efforts to comply with the PCI
DSS. The Council introduced a process that enables payment applications
to be tested in laboratories to determine whether they are secure, not
storing payment card data, and whether they are capable of helping,
rather than hindering, an organization's efforts to comply with the PCI
DSS. The Council maintains a list on our Web site of validated payment
applications that have been tested in and approved by laboratories for
merchants to use in assessing their own applications and making
informed purchasing decisions.
The PIN Entry Device Security Requirements
The PIN Entry Device security requirements have the same underlying
principle as the PA-DSS. They are designed to enable organizations to
protect consumer's payment card data and ensure that PIN Entry Devices
have been designed not to store payment card information, thus
jeopardizing organizations' PCI DSS compliance efforts. As a PIN Entry
Device is a physical object, these requirements cover not just ensuring
that a device does not store sensitive data, but also that it is
tamperproof, and that, should the device be compromised, its contents
will self-destruct.
The Council maintains a list at its Web site of approved devices
that have been successfully tested in Council-approved laboratories for
merchants to cross-reference against their own devices and to assist
them in making informed purchasing decisions. The Council is currently
working to expand the scope of this program to include a broader array
of device types, including unattended payment terminals such as ticket
kiosks and self-service machines.
Development and review of the PCI standards is a continuous
process. In the case of the PCI DSS, the Council follows a defined 24-
month life-cycle process that incorporates a feedback period from
stakeholders and allows for periods of review by the Council's Board of
Advisors, Participating Organizations, QSAs, and ASVs.
While a planned life-cycle process is important, it is equally
important that the Council be responsive to emerging threats. As a
result, we have several mechanisms for on-going communications with
assessors (QSAs and ASVs), merchants and other stakeholders to provide
guidance as new threats emerge. These include:
Errata to the DSS itself;
Flash bulletins on emerging threats;
A monthly newsletter to the Assessor community with the
latest threat information & corresponding changes required to
the assessment process;
Regular updates to the ASV test scanning environment to
reflect new threats emerging ``in the wild'';
Monthly Webinars with both assessors and merchants;
Updates to the Council's on-line searchable FAQ and training
materials to ensure they include the latest information on the
threat landscape.
the nature of the compliance challenge and process
Validation of compliance with the PCI Data Security Standard can
only represent a snapshot in time that coincides with information
shared with and interpreted by a QSA during the assessment period.
Unfortunately, the dynamic nature of any organization's systems and
network environments can result in a wide variety of actions or
inactions that can render a validated system noncompliant almost
immediately after a satisfactory compliance report has been issued. As
a result, effective compliance is a full-length feature film where the
organization is ``compliant'' at each and every frame of that film. For
that reason, the Council believes achieving and maintaining compliance
with PCI DSS and continuous vigilance regarding other security
practices is an on-going process that must systematically be integrated
into every organization's development and operational practices and
policies in order to serve as the best line of defense against a data
breach.
The evidence of data breaches demonstrates that criminal elements
continue to manufacture new and inventive ways to compromise security
systems, and we can assume that this will continue to be true. The
Council, its members and others are working diligently to secure
payment card data against increasingly experienced and organized
criminals. In spite of the severity of this continually dynamic threat
landscape, the Council believes achieving and maintaining compliance
with the PCI DSS is the best line of defense against data breaches.
It is important to note that the members of the Council report that
they have never found an entity that has been subject to a data breach
that was also in full compliance with the PCI DSS at the time of the
breach. Nonetheless, there is no such thing as perfect security. An
organization could very well be compliant on the day its QSA wrote its
assessment report, but noncompliant thereafter, at the time of a data
breach. Many things can cause the protection to break down--logging
rules not being followed, delaying installation of software patches,
installing untested software, etc. Any of these examples (and many
more) may cause a previously validated company to no longer be
compliant, and therefore vulnerable to attack. Organizations must not
take solely a checklist approach to security, or rely on periodic
validation on a specific day as their security goal, but must instead
exercise continuous vigilance and maintain a strict security program
that ensures constant and ongoing PCI DSS compliance.
the future of the council's efforts and payment security
To succeed in the fight against cybercriminals who target our
payment systems will require the continued vigilance and work of all
parties involved in the payment chain. No system is perfect, and while
breaches can be expected to continue to occur, through our efforts and
the pervasive adoption of the Council's standards and the best
practices it advocates, the work of these thieves will remain as
difficult as possible.
When breaches do occur, the Council works with its member brands,
forensics investigators and, at times, through direct outreach to seek
information from breached entities, to determine the root causes of the
breach. If a need to strengthen the Standards or the Council's
Assessment programs is identified, we have mechanisms in place for
taking swift action.
conclusion
Once again, I want to thank Chairwoman Clarke, Ranking Member
Lungren and the subcommittee Members for their oversight of this issue
and for providing me the opportunity to testify on the important issue
of payment card data security. We hope that those entities that handle
payment card data take from this hearing the understanding of their
responsibilities to consumers, shareholders, and society at large to
increase focus on their payment security efforts. Using the PCI
Security Standards should act as a baseline for their doing so. We also
hope that many more of them will join us as Participating
Organizations, willing to help shape the future of payment security
standards based on their own experience of defending payment data
against attack on a daily basis.
Ms. Clarke. I now recognize Mr. Majka to summarize his
statement for 5 minutes.
STATEMENT OF W. JOSEPH MAJKA, HEAD OF FRAUD CONTROL AND
INVESTIGATIONS, GLOBAL ENTERPRISE RISK, VISA, INC.
Mr. Majka. Chairwoman Clarke and Members of the committee,
my name is Joe Majka. I am head of Fraud Control and
Investigations for Visa, Inc. I have been with Visa for over 12
years, and I have over 28 years of experience in corporate
security investigations and law enforcement, specializing in
the area of financial crimes.
I want to thank the committee for this opportunity to
appear at today's hearing and to explain who Visa is in our
role as a leader in global data security. It is important to
note that Visa's fundamental role is to facilitate transactions
between millions of consumers and businesses. Visa is not a
bank and we do not issue payment cards. Visa is a network that
connects 1.6 billion global payment cards, 29 million worldwide
merchants, and over 16,000 financial institutions in 170
countries.
Through electronic payment networks like Visa, the entire
economy benefits from a more transparent, cost effective, and
secure commercial activity.
I am pleased to be here to talk with you about data
security and about the payment card industry data security
standard in particular. In our view, the best way to secure
payments is by applying two core principles.
First, security must be a shared responsibility among all
relative parties--law enforcement, payment companies,
regulatory agencies, retailers, and others. Only together can
we protect all parts of our shared system.
Second, we must collectively apply multiple layers of
security to protect the system. That includes measures applied
at the card level such as card verification values or
transaction alerts, and includes measures applied at the point
of sale, such as standards for secure devices and best
practices for data storage, and it includes measures applied at
the network level, including neural networks and fraud
monitoring.
One of the most effective layers we have collectively
applied to date is the PCI Data Security Standard. Visa
acquires all entities that store transmitter Visa card data to
comply with the standards. To our knowledge, no organization
that is fully implemented and maintained compliance with the
standard has been a victim of a data compromise event. We
believe full compliance with the standard is a valuable
component of a comprehensive security program and greatly
reduces the risk of data compromise.
While there have been a few instances where an entity that
previously validated compliance was a victim of a compromise,
in all cases our review concluded gaps in the compromised
entity's PCI DSS controls were major contributors to the
breach.
Approximately 90 percent of the U.S. merchants and 80
percent of third-party processors have validated PCI
compliance. These organizations, like Michaels, deserve credit
to enhancing their security practices to meet the minimum
industry standard and for validating their compliance on at
least an annual basis.
This month in Washington, DC, Visa held our third Global
Security Symposium, a symposium on payment security where Visa
called on system participants for continued industry
investment, collaboration, and innovation to keep the
electronic payment system secure for the future. At this summit
we heard from numerous individuals and organizations who
reaffirmed the importance of on-going compliance with the PCI
standards.
Visa has maintained a long-standing relationship with law
enforcement agencies over the years, supporting efforts to
investigate and prosecute criminals committing payment card
fraud. This relationship continues and is stronger than ever
today as Visa and law enforcement agencies work together to
combat cybercriminals in today's high-tech world.
Visa was a founding member of the U.S. Secret Service
Electronic Crimes Task Force in San Francisco and continues to
actively participate in U.S. Secret Service task force groups.
Visa also works closely with the FBI Cyber Division, U.S.
Postal Inspection Service, State attorneys general, and the
Department of Justice Computer Crime and Intellectual Property
Section.
In 2004, Visa provided investigative support to law
enforcement which resulted in the indictment and extradition of
Roman Vega, one of the most significant high-level
cybercriminals at the time. Visa continues to support high-
profile investigations, including the arrests of criminals
responsible for hacking into Dave and Busters and T.J. Maxx.
Visa values our partnership with law enforcement and is
committed to continuing to work closely with law enforcement to
bring cybercriminals to justice.
Protecting card holders is always a primary goal in
responding to data compromise incidents. After learning of a
data compromise, Visa immediately begins to work with the
compromised entity, law enforcement, and the affected client
financial institutions to prevent card-related fraud.
In closing, securing consumer data within the U.S. economy
is a shared responsibility, and every industry should deploy
focused resources to protect consumer information within its
care. We look forward to working with all participants to
continue to develop tools to minimize the risk and the impact
of data-compromise events.
Thank you for the opportunity to be here today. I would be
happy to answer any questions.
Ms. Clarke. Thank you for your testimony.
[The statement of Mr. Majka follows:]
Prepared Statement of W. Joseph Majka
March 31, 2009
introduction
My name is Joe Majka. I am the head of Fraud Control and
Investigations for Visa Inc. I have been with Visa for over 12 years
and have over 28 years of experience in corporate security,
investigations, and law enforcement, specializing in the area of
financial crimes. I want to thank the committee for this opportunity to
appear at today's hearing and explain who Visa is and our role as a
leader in global data security. Visa plays a unique role in the
financial system, facilitating commerce among millions of consumers and
businesses here and around the globe. It is important to note that
Visa's fundamental role is to facilitate transactions between consumers
and businesses. Visa is not a bank. We do not issue payment cards
(credit, debit, or prepaid), make loans to consumers, or set the
interest rates or fees associated with card usage or acceptance. Visa
is a network that serves as the connection point between 1.6 billion
global payments cards, 29 million worldwide merchants, and 16,600
financial institutions in 170 countries. In making these connections,
Visa helps create significant value for each of the participants in our
system. Consumers receive a more convenient, secure, and widely
accepted way to make payments. Retailers benefit from the speed,
efficiency, security, and reliability that only electronic payments can
provide. They also receive guaranteed payment and can avoid the need to
extend credit directly to their own customers. In fact, the entire
economy benefits from electronic payments through more transparent,
secure, and cost-effective commercial activity. The Visa Payment System
plays a pivotal role in advancing new payment products and
technologies, including initiatives for protecting cardholder
information and preventing fraud.
We're pleased to be here to talk with you about data security in
the payment card industry and about the Payment Card Industry Data
Security Standard in particular. But, I want to put this discussion in
the context of a multi-layered approach to security that includes fraud
control measures from the card, to the terminal, through to the Visa
network. Visa understands that we must protect each link within our
control and work with others to preserve the trust in every Visa
payment. Visa is keenly focused on ensuring that payment products are
not used to perpetrate identity theft or other criminal activity. Our
goal is to protect consumers, merchants, and our client financial
institutions from fraud by preventing fraud from occurring in the first
place. To that end, Visa employs multiple layers of security, of which
the PCI standard is an important one, but only one of many. We have
taken a leading role in promoting cardholder information security
within the payments industry. Visa and our participating financial
institutions also provide solutions to prevent fraud and protect
cardholders in the event of a data compromise. These include real-time
fraud monitoring, identity theft assistance, consumer alerts, and zero
liability for cardholders on fraudulent transactions. Visa provides
sophisticated neural networks that enable our client financial
institutions to block authorization transactions where fraud is
suspected. Thanks to massive investments and innovative solutions,
compromise events rarely result in actual fraud and fraud rates in the
payments industry remain near all-time lows.
The payment card industry, regulatory agencies, and law enforcement
have individually and collectively taken extensive measures to prevent
and mitigate the effects of consumer information compromises. In this
regard, Visa has required all entities that store, transmit, or process
Visa card data to comply with PCI DSS standards, has implemented
incentives to encourage payment participants to make the significant
investments needed to attain compliance, and has taken numerous steps
to minimize the amount of cardholder data stored by system
participants.
payment card industry data security standard
PCI DSS was the first security standard adopted by the PCI SSC, but
it has not been a static standard. The PCI Security Standards Council
is charged with reviewing and updating the standard to ensure that it
remains effective to protect card data, by incorporating input from
stakeholders as well as technological developments in the evolution of
the standard over time. Visa recognizes that no set of standards can
provide an absolute guarantee of security in a changing world, and PCI
DSS is not an exhaustive list of all the security practices that may be
effective to safeguard card data. To our knowledge, however, no
organization that has fully implemented and maintained compliance with
the PCI DSS has been the victim of a data compromise event. Therefore,
we believe that full compliance with the standard is a valuable
component of a comprehensive security program and greatly reduces the
risk of data compromise. We also believe that PCI DSS controls are
highly effective in mitigating the impact of data compromise events.
Validating PCI DSS is a major milestone, but achieving and
maintaining compliance requires companies to make an on-going
commitment to keeping consumers' data safe--24 hours a day, 7 days a
week, 365 days a year. While there have been a few instances where an
entity that previously validated compliance was the victim of a
compromise, in all compromise cases our review concluded that gaps in
the compromised entity's PCI DSS controls were major contributors to
the breach. As such, Visa continues to believe that standards
validation is a valuable process that drives organizations to undertake
the minimum steps necessary to protect cardholder data. While it is
easy to focus on the failures that some entities have had with on-going
compliance, we believe it is likely that many compromises have been
prevented as a result of the strenuous efforts of merchants and
processors to maintain compliance with PCI DSS.
visa security initiatives
Visa leads the payment industry in providing merchants and service
providers with incentives to validate and comply with PCI DSS in order
to ensure that they properly protect cardholder data. In particular,
Visa launched a Compliance Acceleration Program offering $20 million in
incentive payments to promote compliance among the largest U.S.
merchants that account for more than two-thirds of Visa annual
transactions. Visa's combination of incentive payments and potential
fines ultimately drove the vast majority of large U.S. merchants to
validate their initial compliance with PCI DSS and to revalidate
annually thereafter. At this time, approximately 90 percent of large
U.S. merchants have validated PCI DSS compliance. Visa also publishes a
list of service providers that have validated compliance with the PCI
DSS, which has been the principal incentive in driving 80 percent of
U.S. service providers to validate their compliance on an annual basis.
These organizations, like Michaels, deserve credit for enhancing their
security practices to meet the minimum industry standard and for
validating their compliance on at least an annual basis.
Visa has also made considerable strides toward eliminating the
storage by merchants and processors of authorization data, which
criminals covet to perpetrate fraud. This ``prohibited'' data includes
full magnetic stripe information, the CVV2 or ``Card Verification Value
2'' and PIN. Visa has executed a ``drop the data'' campaign over the
past 3 years to encourage merchants to discontinue storage of
prohibited data and reduce overall cardholder data storage.
Additionally, Visa developed security standards for payment application
vendors to support merchants in their security efforts by driving
vendors to reduce data storage and provide more secure payment
application products.
Visa has executed a robust data security educational campaign to
engage payment system participants in the fight to protect cardholder
information. This campaign includes training for financial
institutions, merchants, and service providers. Most large merchants,
including Michaels, have attended one of Visa's security training
seminars. Visa is also committed to educating system participants on
emerging security threats and publishes regular security alerts and
bulletins, and holds seminars focused on data security and fraud
mitigation. Visa has partnered with organizations like the National
Retail Federation to promote data security among its members and
commends the NRF and Michaels for their data security efforts. Visa
outreach also extends to participation in industry forums on data
security, media campaigns, and partnerships with other industry groups
made up of merchants, such as the U.S. Chamber of Commerce. This month
in Washington, DC, Visa held our third Global Security Summit, a
symposium on payment security where Visa called on system participants
for continued industry investment, collaboration, and innovation to
keep the electronic payment system secure for the future. The Global
Security Summit reaffirmed the importance of on-going compliance with
security standards and highlighted opportunities to actively engage
consumers in the process of fraud prevention through Visa's transaction
alerts and notifications service which can not only help consumers
track and manage their accounts, but also provide an early warning of
potentially fraudulent activity.
collaboration with law enforcement
Visa has maintained a long-standing relationship with law
enforcement agencies over the years, supporting efforts to investigate
and prosecute criminals committing payment card fraud. This
relationship continues and is stronger than ever today, as Visa and law
enforcement agencies work together to combat cyber criminals in today's
high-tech world. In 2002, Visa was a founding member of the U.S. Secret
Service San Francisco Electronic Crimes Task Force and continues to
actively participate in U.S. Secret Service task force groups in San
Francisco, New York, and Los Angeles. Visa also works closely with the
Federal Bureau of Investigation's Cyber Division, United States Postal
Inspection Service, State Attorneys General and the Department of
Justice Computer Crime and Intellectual Property Section.
In 2004, Visa provided investigative support to Federal law
enforcement, which resulted in the indictment and subsequent
extradition to the U.S. of Roman Vega, known on-line as ``Boa''. Roman
Vega was allegedly one of the most significant high-level criminals
specializing in the on-line sale of stolen payment card data at the
time. Visa has continued with our investigative support on other high-
profile investigations, including the Federal prosecution of Max Ray
Butler known on-line as the ``Iceman'', arrested by Federal agents in
2007 and the 2008 arrest of Albert Gonzales, Maksym Yastremskiy, and
Aleksandr Suvorov for their scheme in which they hacked into Dave &
Busters, Inc. restaurants. Visa also works closely with local law
enforcement agencies and local retailers in supporting their effort to
investigate and prosecute street level criminals using payment cards to
commit fraud. Visa values our partnership with law enforcement and is
committed to continuing to work closely with law enforcement to bring
cyber criminals to justice.
recent compromise events
After learning of data compromise events, Visa immediately begins
working with the compromised entity, law enforcement, and affected
client financial institutions to prevent card-related fraud. Visa
notifies all potentially affected card-issuing institutions and
provides them with the necessary information so that they can monitor
the accounts and, if necessary, advise customers to check closely all
charges on their statements or cancel or reissue cards to their
customers. Visa card-issuing institutions have the direct
responsibility and relationship with cardholders, and because of Visa's
zero liability policy for cardholders, bear most of the financial loss
if fraud occurs. Visa financial institutions can best determine the
appropriate action for each customer that might have been affected.
Based on Visa's findings following recent compromise events at
Heartland Payment Systems and RBS WorldPay, we have taken the necessary
step of removing both companies from our on-line list of PCI DSS-
compliant service providers. In addition, we are activating our account
data compromise recovery programs, which are in place to protect our
system and help issuers recoup some of their losses from compromise
events. Visa is committed to working with these processors so they can
be reinstated to this list upon successfully revalidating their
compliance and Visa is not penalizing merchants that continue to
utilize these processors. Protecting our cardholders was, and remains,
Visa's primary goal in responding to this incident.
conclusion
In closing, securing consumer data within the U.S. economy is a
shared responsibility, and every industry should deploy focused
resources to protect consumer information within its care. In this
regard, the payment card industry has done more than any other to
provide stakeholders with the tools and guidance that they need to
properly secure the data they are trusted to protect. Visa has led the
industry in protecting cardholder data and stands ready to continue to
support industry participants in our collective fight against the
criminals that perpetrate card fraud. We look forward to working with
all participants to continue to develop tools to minimize and
eventually eliminate the risk of data compromise in our economy. Thank
you for the opportunity to present this testimony today. I would be
happy to answer any questions.
Ms. Clarke. I now recognize Mr. Jones to summarize his
statement for 5 minutes.
STATEMENT OF MICHAEL JONES, SENIOR VICE PRESIDENT AND CHIEF
INFORMATION OFFICER, MICHAELS STORES, INC.
Mr. Jones. Good afternoon, Madam Chairwoman, Members of the
committee.
I have been in retail for 30 years, 20 in retail IT, the
last 4 with Michaels, a $4 billion merchant. I wish I could say
that attempting to follow the PCI mandates made me confident
that credit card data is completely safe, but unfortunately
that is not the case. This is because the mandates have been
developed from the perspective of the card companies rather
than from those who are expected to follow them.
The PCI data and security standards are an extraordinarily
complex set of requirements; they are very expensive to
implement, confusing to comply with, and ultimately subjective
both in their interpretation and in their enforcement. The
program is rife with ambiguity and complexity. As an example,
must every company associate acknowledge the security policy of
a company? All 40,000 of our associates, or just those involved
with credit transactions? This one PCI mandate has been imposed
by compliance vendors differently at retailers all across the
country.
We have been questioned by customers, legislators, and even
the credit card companies themselves, why do you keep credit
card information at all? One reason we keep the information is
related to another credit card company procedure designed to
protect their banks from loss. It is called a chargeback. It
can be initiated by a bank on its own, or it can be initiated
at the request of the bank's customer.
For example, if a customer spots a charge on their credit
statement that they don't recognize, they can initiate a
chargeback by contacting the issuing bank. The retailer is then
charged with retrieving sales media by card number. If the
retailer is unable to produce that sales media, or something on
that sales media does not match, the retail sale is reversed,
and the cost of the transaction is charged back against the
retailer. This is true even if the transaction may have
actually been made. This could have been fairly easily solved
using a unique approval ID for each transaction, thus
eliminating the need for credit card number storage by the
retailer.
PCI states that all credit card data must be encrypted.
There is an exception to this requirement, however; PCI states
that data traveling over a private network need not be
encrypted. While a private network is more secure, I still
would not choose to send credit card numbers through this
number unencrypted. Why? Because it adds unnecessary risk.
However, the credit card companies' financial institutions do
not accept encrypted transactions.
We at Michaels have asked, for the past 3 years, for the
ability to send encrypted information to the bank. To date,
this has not happened. Why is this an issue? One might ask the
consumers affected by the Heartland Payment Systems data
breach, or TJX Corporation, for that matter. It has been
suggested that methods used in those breaches capitalized on
this flaw.
What can be done to improve this situation? First, many of
the PCI requirements are covered by the Sarbanes-Oxley audits.
This causes a lot of duplicative work around proof of
compliance and is, arguably, unnecessary.
Second, the requirements are one-sided against the
merchants. The very financial institutions that impose them are
not subject to the mandates themselves.
Third, the PCI Data Security Standards Council was
allegedly spun off from the credit card companies and set up as
an independent governing body of credit card company, bank, and
merchant representatives. In fact, the council is set up so
that credit card companies and banks retain all power over the
ultimate mandates, fines, and anything else connected to PCI.
It is not an industry standards body.
When a breach occurs, and card data is stolen, clearly the
consumer potentially suffers the most inconvenience.
Fortunately, the law provides that promptly reporting consumers
must be held financially harmless. However, the largest
financial impact is on the retailer, especially if the credit
card company's data--which, by and large, we do not want--is
seized from a retail location. The retailer is in the press,
the retailer is demonized, the retailer is threatened with
damages and sanctions. The retailer pays the cost of the
fraudulent transactions. All of this arises from rules that
initially grew from a card monopolist that we have no choice
but to do business with or risk the loss of a large portion of
our business.
We do not need more laws. The existing, sometimes
misguided, enforcement and the proliferation of State
regulations around these issues have created a difficult, if
not impossible, environment for retailers.
In conclusion, I am proud to report that Michaels has never
had evidence of a breach of consumer data. Regardless of the
outcome here, we will continue to do what is necessary to keep
card data safe, but in the future we would be more secure, and
the risks to us all far lower, were the card companies to take
greater responsibility for the inadequate system of payment
they have created and asked us to use.
Thank you. I am happy to answer any questions.
[The statement of Mr. Jones follows:]
Prepared Statement of Michael Jones
March 31, 2009
Good afternoon, Madam Chairwoman, fellow committee Members, and
distinguished panel members. I am Michael Jones; I serve as the senior
vice president and chief information officer (CIO) for Michaels Stores,
Inc. reporting to the chief executive officer. Thank you for inviting
me to discuss the security aspects of credit cards as they impact
consumers at retail locations and especially at Michaels.
Michaels Stores, Inc. is the largest specialty retailer of arts and
crafts. With more than 1,000 stores in the United States and Canada,
the company carries a wide selection of arts and crafts merchandise.
Michaels also operates specialty stores under different brand names,
including Aaron Brothers and Artistree manufacturing facility. We have
annual revenues approaching $4 billion.
I have been with Michaels Stores in my current role for 4\1/2\
years. I held the CIO position at Hollywood Video prior to Michaels for
over 3 years. Prior to that I spent over 12 years at Kmart, and Kmart-
related companies, in various leadership positions in retail
technology. I have been in the retail and restaurant industry since
graduate school, and indeed, since my sixteenth birthday.
I appreciate the committee's invitation to provide a retailer's
view of the state of credit card security. In addition to my own
experience I often communicate about this issue with my peers at
retailers, restaurants, and other establishments that take credit cards
from consumers as a form of payment. My comments today are informed by
those discussions as well.
At Michaels the customer is at the center of everything we do. Her
loyalty and patronage of our stores is something we can not afford to
lose for any reason. We always want her to feel safe and secure when
she is in our stores, with the products we sell, and with the payment
mechanism she chooses: Whether that be cash, checks, debit cards, gift
cards, travelers checks, or credit cards. For many years we have
implemented security standards and processes to protect our customers
and their important financial information, with our preference always
being to keep the least amount necessary to satisfy the payment
process. Losing the trust of our customers because we can not safeguard
their information is a risk we would not take, regardless of what
mandates are imposed on us by an outside organization.
Michaels Stores, Inc. is a PCI-certified organization and has been
almost since the initial imposition of the standard (i.e., prior to the
date where fines were threatened for non-compliance).
I wish I could say that attempting to follow the PCI mandates made
me confident that one could say customers' credit card data is
completely safe, but unfortunately that is not the case. That is
because the mandates seem to have been developed from the perspective
of the card companies, rather than from that of those who are expected
to follow them.
The PCI Data Security Standards are an extraordinarily complex set
of requirements. They are very expensive to implement, confusing to
comply with, and ultimately subjective, both in their interpretation
and in their enforcement. It is often stated that there are only twelve
``requirements'' for PCI compliance. In fact there are over 220 sub-
requirements; some of which can place an incredible burden on a
retailer and many of which are subject to interpretation.
For example, one of the requirements is that all company associates
must annually acknowledge the company security policy. Michaels has an
average of 40,000 associates at any given time. In any one week we
could have more then 1,000 changes in associates. Well, as you might
expect, many of our associates are getting trained on the range of our
merchandise, the operation of the registers, fire safety protocols, and
other important procedures to assist our customers and protect our
operations. So do we also need to get every associate to learn and sign
a written statement of our understanding of the credit card companies'
security policy? Or do we just need to get associates that may deal
with credit cards to sign? This one little PCI mandate has been imposed
by compliance vendors differently at retailers across the country both
because of its subjective interpretation, and the inability for any
large merchant to meet the standard in its most literal form.
We have often been questioned by customers, legislators, and even
the credit card companies themselves: ``Why do you keep credit card
information at all?'' It would seem with the risk of a breach from the
outside or from within, we would be better served not to keep the data
at all. We agree completely. As a retail CIO, I would like nothing
better than to not store a single credit card number anywhere in our
network of systems.
The reason we must still keep credit card information is related to
the results of another credit card company procedure designed to
protect their banks from loss. It is called a chargeback. It can occur
in a number of different ways. It can be initiated by a bank on its
own, or it can be initiated at the request of a bank's customer. For
example, if a customer spots a charge on his bill that he does not
recognize he might initiate a chargeback by contacting his card issuing
bank. The card-issuing bank asks the merchant's bank to retrieve
documentation proving that the purchase took place. The merchant's bank
then requires the retailer to produce the underlying documentation for
the sale--typically sales media showing the customer's credit card
number, signature, and date of purchase. The merchant's bank forwards
the information back to the card-issuing bank. Often, once the customer
sees the underlying documents he remembers the purchase and the matter
is closed. (Confusion might occur, for example, if the formal name of
the business on the customer's monthly statement--e.g. the XYZ Medical
Complex--is different from the name of the business where the customer
received services--The Offices of Dr. MDA.)
However, if the retailer is unable to produce the sales media, the
sale is reversed and the cost of the transaction is ``charged back''
against the retailer. This is true even if the transaction were
actually made. As I mentioned, banks can also initiate retrieval
requests for documentation on their own--it does not have to be
triggered by a customer. If the retailer cannot produce the underlying
data, the cost of the purchase is taken from the retailer and credited
back to the card-issuing bank.
We have a department in Michaels dedicated to handling chargebacks.
Chargebacks may be for a single transaction or an entire block of
transactions. Card-issuing banks file retrieval requests that come to
us. We must first look up the charge on our systems to match the
transaction and identify the store location where the transaction took
place (this is what we need the credit card number for). We then
initiate a request to the store to ``pull'' the receipt for that
transaction. Since we do not have an electronic signature system we
have to get the paper receipt. We then submit that back to the bank
along with the original request. If the bank/credit card company
determines that the charge was not made by the customer (this is pretty
much at their discretion and we have little effective recourse), then
we are charged back the amount of the transaction, plus a processing
fee.
Thankfully at Michaels, chargebacks are not a very large problem,
but my brethren at big ticket companies are not so lucky, as I know
from my previous work experience. We could choose to take the hit and
just accept the chargebacks as a cost of doing business so we would not
need the credit card number stored but, over time, as word of our
vulnerability spreads among the unscrupulous, this would likely cause
an increase in chargebacks to the point where we could no longer
sustain the losses.
This could have been fairly easily solved and saved retailers
hundreds of millions of dollars by having the credit card companies
send retailers a unique approval ID back for each approval transaction.
We could store that ID and a signature, and if there were a question on
the transaction the unique approval ID would indicate how we locate the
transaction. This would eliminate the need for us to store the credit
card number, but still enable us to respond to retrieval requests. This
method would have required changes for retailers, credit card
companies, and the banks, but the overall expenditure would have been
much less and the consumer data would be much safer.
PCI states that all credit card data must be encrypted. This is a
very important component of any data security standard, and one we use
for sensitive data all across our organization. There is an exception
to this requirement, however. PCI says that data traveling over a
``private network'' need not be encrypted. It does not state that it
can't be, just that it need not be. I have been told that in theory a
private network is ``more secure'' than one that is not private. Well,
there is no question about that. A land-line data communication
connection that is direct between two organizations is certainly more
secure then one that traverses the internet or a wireless network.
Michaels has a private network between our stores and corporate
headquarters. This network is also isolated from our other networks in
the headquarters and the internet. Access is extremely limited. It is
private and secure, and we continually look for ways to make it more
secure; after all this is the network millions of our customers' credit
card numbers traverse every year. The security of this network is
paramount and probably at least two-thirds of the PCI requirements deal
with this very subject.
Yet I would still not choose to send my customers' credit card
numbers through this network unencrypted. Why? They are encrypted at
the pin pad or register by mandate of the standard. It only makes sense
that we would keep this information encrypted through our entire
network.
Unfortunately this is where the system breaks down. The credit card
companies' financial institutions, the very organizations that have
created and are mandating this rigorous and highly complex standard, do
not accept encrypted transactions. We must decrypt the credit card
number at our corporate headquarters prior to sending to the merchant
bank for approval!
The transaction is then returned to us un-encrypted and we then re-
encrypt it to send back to the store. We, at Michaels, have asked for
the past 3 years for the ability to send encrypted information to the
bank. To date, this has not happened. We have heard various ancillary
responses to the request such as, ``It is too expensive to implement'';
``If you (i.e. the retailer) are willing to pay the costs (i.e. the
credit card banks' cost) to implement it we will consider it''; to ``It
would be too difficult to implement a standard encryption routine in
the industry.''
Why is this the case? One might ask all the consumers affected by
the Heartland Payment systems data breach, or TJX Corporation for that
matter. It has been suggested that methods used in those breaches
capitalized on that flaw. The criminals used a ``Trojan Horse'' that
read the credit card data ``in flight.'' This is not the stored data I
spoke of earlier, but rather the numbers that were flowing through the
communication channel for approval. One reason thieves could capture
this data is because it was not encrypted. Had it been encrypted they
would most likely not have been able to read the data.
Now there are several requirements in the PCI standards for
``scanning'' systems that look for these types of Trojan Horses. But
this is not an ordinary virus that is written and sent to millions of
PCs via e-mail. These are incredible technical programs often designed
by organized crime syndicates with technical resources that dwarf those
of the average company. And with just one inside source in a company
they can be made virtually invisible. So why take the chance?
So, are the PCI standards bad? No, however there are some major
issues with both the program and the way in which it is implemented.
First, many of the requirements of PCI are already covered in many
companies' Sarbanes-Oxley audits. This causes a lot of duplicative work
around proof of compliance, and is arguably unnecessary.
Second, the requirements are one-sided against the merchants. The
very financial institutions that impose them are not subject to all the
mandates themselves. The idea that these organizations don't ``need''
to be audited because they are already held to an audited examination
standard is inconsistent with the arguments they make to us (i.e.,
Sarbanes-Oxley).
Third, The PCI Data Security Standards Council was allegedly spun
off from the credit card companies and set up as an independent
governing body of credit card company, bank, and merchant
representatives. In fact, the council is set up so that the credit card
companies and banks retain all power over the ultimate mandates, fines,
and anything else connected to PCI. Because of this, the mandates do
not represent what is the ``best'' security, but rather what is best
for the credit card companies and their financial institution partners.
When a breach occurs and card data is stolen, clearly the consumer
potentially suffers the most inconvenience. Fortunately, the law
provides that promptly reporting consumers must be held financially
harmless.
However, the largest financial impact is on the retailer,
especially if the credit card companies' data (which by and large we
don't want) is seized from a retail location. We are the ones in the
press; we are the ones who are demonized; we are the ones States'
attorneys general and others threaten with damages and sanctions.
Consumers may make decisions not to shop at a breached retailer not
realizing that it was the card company processes that caused the data
to be placed at risk.
The retailers pay the costs of the fraudulent transactions, either
through chargebacks or credit card company-imposed fees and penalties.
All of this arises from rules that initially grew from a card
monopolist that we have no choice but to do business with, or risk the
loss of a large portion of our business. It would be impossible for a
retailer like Michaels to survive without taking Visa. So we, like
other retailers, swallow the tens of millions we have spent to become
PCI-compliant, in many cases unnecessarily spent, which both reduces
profitability and increases the costs of everything we, the merchant,
sells.
Is credit card data any safer now than it was before PCI was put in
place? Yes. Would it be had PCI not been put in place? Probably. Could
the consumers' data be safer then it is right now? Most definitely!
But we do not need more laws. The existing (sometimes) misguided
enforcement and the proliferation of State regulations around these
issues have created a difficult, if not impossible, environment for
retailers to effectively meet the legal requirements imposed on them
should a breach of information occur.
Madam Chairwoman, committee Members, and distinguished panel and
guests, if I can leave you with but one message, it is that the
precepts underlying the massive dissemination of credit card data need
to be rethought. As a CIO, I was informed by one of the top security
officers of a major credit card company that based on their analysis
our company credit card data had been breached. Although I thought this
unlikely, they told me that they had never been wrong. After an
agonizing week of internal research, twice daily ``all hands on deck''
calls, many, many dollars and hours spent, the voice at the other end
of the line went dead. The next day a breach of over 40 million credit
card numbers was announced at a bank processor. Our ``incident''
apparently showed that the card company's analysis at that time had not
counted on breaches of such magnitude, since we were later told that
the data which had triggered all of our activity was more likely a
subset of ``another issue'' they were dealing with.
I am proud to report that Michaels has never had evidence of a
breach of consumer data. Regardless of the outcome here we will
continue to do whatever is necessary and prudent to keep the loyalty of
our customers for, without that, we cease to exist. But the future
would be more secure and the risks to us all far lower were the card
companies to take greater responsibility for the inadequate system of
payment they have created and asked us to use.
Thank you. I am happy to answer any questions you may have.
Ms. Clarke. Thank you for your testimony.
I now recognize Mr. Hogan to summarize his statement for 5
minutes.
STATEMENT OF DAVID HOGAN, SENIOR VICE PRESIDENT, RETAIL
OPERATIONS, AND CHIEF INFORMATION OFFICER, NATIONAL RETAIL
FEDERATION
Mr. Hogan. Thank you, Chairwoman Clarke and Members of the
committee, for this opportunity to appear on behalf of National
Retail Federation, the world's largest retail association. I
have been with the NRF for almost 7 years and have spent my
entire 25-plus-year career in retail information technology.
Whether it be by cash, check, or plastic, the payment
mechanism is really just a means of accomplishing business.
Retailers accept credit cards for payment, in part because they
have been assured by the credit card companies that if they
follow a limited number of steps, they will be given a
guarantee of payment. Most retailers are not in the payment-
acceptance business any more than their customers are in the
payment-delivery business.
There have been two big developments in the last decade or
so that have changed the playing field. The first has been the
rapid proliferation of general purpose credit cards. With over
80 percent of the market share, Visa and MasterCard are two
primary examples, these cards issued broadly by banks in the
hope that each card will generate income for them.
The second change has been society's increased
computerization. Globally there have been numerous instances of
hackers from outside of our borders accessing computer systems,
stealing credit card information, and then using this data to
commit fraud. In several cases these have targeted companies
that process or store credit card data.
As with the growth of on-line shopping fraud, these
developments presented the card industry with a challenge. In
response, they introduced what they call the Payment Card
Industry Data Security Standard, also called PCI.
PCI is an attempt to prevent large stockpiles of credit
card data from getting into the wrong hands. However, the PCI
guidelines are onerous, confusing, and constantly changing.
Indeed, PCI is little more than an elaborate patch.
The premise behind PCI, that millions of retail
establishments will systemically keep pace with ever-evolving
sophistication of today's professional hacker, is just not
realistic. Our industry has spent billions on compliance
programs related to data security. PCI protocols have required
many merchants to scrap good existing data security programs
and replace them with different security programs that meet PCI
rules that aren't necessarily any better. Even companies that
have been certified as PCI-compliant have been compromised.
Unfortunately, the economic incentives for the card
companies to remedy these flaws in their system have been
diminished. It appears to our industry that the credit card
companies are somewhat less interested in improving their
product and procedures than they are in reallocating their
fraud costs. In our view, if you peel back the layers around
PCI, you will see it for what it really is, a tool to shift
risk off the banks and credit cards' balance sheets and place
it on others. It is their payment card system, and retailers,
like consumers, are just users of their system. What is really
ironic here is that merchants are forced to store and protect
credit card data that many don't want to keep anyway. The
credit card companies' own rules around retrieval requests
essentially require merchants to keep credit card data for
extended periods of time.
As I mentioned, all of us, merchants, banks, credit card
companies and our customers, want to eliminate credit card
fraud, but if the goal is to make credit card data less
vulnerable, the ultimate solution is to stop requiring
merchants to store credit card data in the first place. In
fact, we proposed such changes to the PCI Security Standards
Council back in 2007. The card industry dismissed our proposal
without addressing its merits.
There have been numerous suggestions made over the years
that would significantly reduce the chances of major data
breaches, but none of them have been adopted yet. Here are just
a few.
First, go on record and stop requiring merchants to store
credit card data and eliminate any penalties they impose for
not doing so.
Another, change the system and allow consumers to enter in
a pin or personal identification number for credit card
transactions, just like you do with debit card transactions.
Third, quickly develop and roll out the next generation of
credit card and give merchants the hardware and software
necessary to handle these new products.
In conclusion, once the payment system itself becomes a
burden, commerce inevitably suffers. We believe any one of
these recommendations will significantly reduce credit card
fraud.
Thank you for the opportunity for appearing in front of
this committee. I will be happy to answer any of your
questions.
[The statement of Mr. Hogan follows:]
Prepared Statement of David Hogan
March 31, 2009
Thank you Chairwoman Clarke, Members of the committee. My name is
Dave Hogan. I am senior vice president, chief information officer for
the National Retail Federation.
By way of background, the National Retail Federation (NRF) is the
world's largest retail trade association, with membership that
comprises all retail formats and channels of distribution including
department, specialty, discount, catalog, internet, independent stores,
chain restaurants, drug stores, and grocery stores as well as the
industry's key trading partners of retail goods and services. NRF
represents an industry with more than 1.6 million U.S. retail
establishments, more than 24 million employees--about one in five
American workers--and 2008 sales of $4.6 trillion. As the industry
umbrella group, NRF also represents more than 100 State, national, and
international retail associations.
I have been with NRF for almost 7 years and have spent my entire
career in retail information technology. Prior to joining NRF I was a
business unit CIO for The Limited and most recently CIO for
international retailer, Duty Free Americas. During that time I became
familiar with the broad array of issues confronting retail CIOs,
including matters related to data security. Both in my prior positions,
as well as during my time at NRF I have helped design and upgrade the
systems that protect my companies' core records.
Currently, I also work with the NRF's CIO Council. The Council is
made up of more than 50 well-known retailers who meet regularly to
study, share, and discuss best practices and challenges inherent in
ever more sophisticated retail technology programs. As a result of that
work I have become familiar with many of the issues involved with the
Payment Card Industry Data Security Standards.
Credit card security is not, however, a new issue for retail. For
years many retailers managed their own in-house credit programs.
Companies such as Sears and JCPenney offered proprietary retail credit
through cards issued in all 50 States. They were known as proprietary
programs because for most of their history, the cards were owned by the
retailer and used exclusively for the purchase of a retailer's
merchandise. Beyond credit programs, many companies maintain
information about their most valuable customers, often gleaned through
loyalty programs. Those programs are used to encourage our customers to
shop and to serve them better when they do. All of this information was
valuable and proprietary.
For this reason retailers developed programs to secure their data.
Each retailer's program was commensurate with the sensitivity of the
data it sought to keep. Certainly, as to their cards, for example, no
retailer wanted its credit card programs to be appropriated by thieves.
Therefore, we retailers developed systems designed to minimize losses
to us and inconvenience to our customers.
There have been two big developments in the last dozen or so years
that have scrambled the playing field. The first has been the rapid
proliferation of what are known in the industry as third-party, general
purpose credit cards. Visa and MasterCard are two examples. These cards
are not issued by retailers, but rather are issued by independent banks
under a particular card brand's name. Thus you might have a Citibank
MasterCard or a Chase Visa or a Citibank Visa. Consistent with their
internal standards, the banks issue the cards as broadly as possible,
in hopes that each card will generate income for the bank.
The other big change has been increasing computerization and the
related growth of the internet. As you all know computers are now
ubiquitous. And many of our governmental, commercial, and personal
activities are greatly dependent upon access to the Web. Unfortunately,
the same processes that give us access also are available to the
unscrupulous. Scams that would have been difficult to accomplish, or
been limited in scope if they were attempted on a face-to-face,
individual-by-individual basis, such as eliciting banking account
information from individuals, can be much more efficiently accomplished
on-line by ``phishing,'' for example, among those who engage in banking
from their home computers.
In a brick-and-mortar environment, retailers accept a variety of
forms of payment: Cash, checks, credit cards, gift certificates, and
other script. Retailers accepted credit cards for payment, in part,
because they had been assured by the card companies that if the
merchant followed a limited number of steps (e.g., confirming the
card's presence; checking the signature; obtaining an approval; and
keeping a copy of the completed charge media) they would be given a
guarantee of payment. Whether it be by cash, check, or otherwise, the
payment mechanism is really just a means of accomplishing business.
Most retailers are not in the payment acceptance business any more than
their customers are in the payment delivery business. The form of
payment simply facilitates the underlying business to be done. (The
consumer is searching for something to wear; the merchant is seeking to
find and display attractive merchandise that customers desire wearing.)
A few years back, outside of the brick-and-mortar environment, in
the then newly developing world of internet shopping, it soon became
apparent to the credit card companies that they should take additional
steps to minimize losses from the use of their card products for on-
line purchases. Through a combination of rules and new security
requirements the card companies were largely able to achieve that goal.
They adopted special security requirements for on-line merchants
(Visa's program was called CISP: Customer Information Security
Program). They also declared that the then-growing number of internet
merchants who accepted a credit card for payment on-line would be 100%
liable for any losses if charges were challenged, either by the
cardholder or by the bank. As a practical matter, for on-line
merchants, there was little or no payment guarantee.
Over time, however, the card companies realized that the number of
fraudulent purchases was continuing to rise. And this was true not just
on-line. Thieves and others learned that if they could obtain the data
on the credit card companies' cards, they could accomplish a few fake
transactions (on-line) or even create fake cards and accomplish many
fraudulent transactions in a wide variety of brick-and-mortar
locations.
The growth of computerization facilitated these breaches. Globally,
there have been numerous instances of hackers accessing computer
systems, stealing credit card information, and using this data to
commit fraud. It has been reported that many of these hackers are
operating out of Eastern Europe and some of the former Soviet states.
In several cases they have targeted retailers' computer systems that
process or store credit card data. But the thieves are really looking
for the data anywhere they can find it.
As with the growth of on-line shopping fraud, these developments
presented the card industry with a challenge. In response, they
introduced what they call the Payment Card Industry Data Security
Standards, commonly called PCI. Since its inception, PCI has been
plagued by poor execution by Visa, MasterCard and the other credit card
overseers of the program. The PCI guidelines are onerous, confusing,
and are constantly changing. Many retailers say that basic compliance
is like trying to hit a rapidly moving target.
As I mentioned, retailers take data security very seriously.
Indeed, merchants, banks, the major card brands and the vendor
community that supplies our industry with hardware and software all
want to reduce the incidence of credit card fraud. PCI is an attempt to
prevent large stockpiles of credit card data from getting into the
wrong hands. But the premise of PCI, that hundreds of thousands or even
millions of merchants will systematically keep pace with the ever-
evolving sophistication of professional hackers, is unrealistic.
PCI is little more than an elaborate patch. While PCI can reduce
some fraud, at extraordinary cost, it is not nearly as effective as a
redesign of the card processes themselves. Since its inception, our
industry has spent billions on compliance programs and related data
security systems. PCI protocols have required many merchants to scrap
good, existing data security programs and replace them with different
security programs that meet PCI rules but aren't necessarily any
better. Retailers have been required to take extraordinary steps to
ensure that somewhere, somehow, data is not inadvertently being
retained by software. However, what is ironic in this scenario is that
the credit card companies' rules require merchants to store, for
extended periods, credit card data that many retailers do not want to
keep.
To many NRF members, it appears that the credit card companies are
less interested in substantially improving their product and procedures
than they are with reallocating their fraud costs. In our view, if you
peel off all the layers around PCI Data Security Standards, you will
see it for what it is--in significant part, a tool to shift risk off
the banks' and credit card companies' balance sheets and place it on
others. It is their payment card system and retailers--like consumers--
are just users of their system.
As I mentioned, all of us--merchants, banks, credit card companies,
and our customers--want to eliminate credit card fraud. But if the goal
is to make credit card data less vulnerable, the ultimate solution is
to stop requiring merchants to store card data in the first place.
For example, rather than requiring that merchants keep reams of
data--currently required under card company rules in order to satisfy
card company retrieval requests--credit card companies and their banks
should provide merchants with the option of keeping nothing more than
the authorization code provided at the time of sale and a truncated
receipt. The authorization code would provide proof that a valid
transaction had taken place and been approved by the credit card
company, and the signed sales receipt would provide validation for
returns or poof of purchase. Neither would contain the full account
number, and would therefore be of no value to a potential thief. Any
inquiries about a credit transaction would be between the cardholder
and the card-issuing bank.
If all merchants took advantage of this option, credit card
companies and their member banks would be the only ones with large
caches of data on hand, and could keep and protect their card numbers
in whatever manner they wished. The bottom line is that it makes more
sense for credit card companies to protect their data from thieves by
keeping it in a relatively few secure locations than to expect millions
of merchants scattered across the Nation to lock up their data for
them.
In fact, we proposed such changes to the PCI Security Standards
Council in 2007. The card industry dismissed our proposal without
addressing its merits but have yet to offer a viable alternative.
Once the payment system itself becomes a burden, commerce
inevitably suffers. The NRF, with direction from our CIO Council, has
engaged the PCI Security Standards Council directly and highlighted
flaws with the existing ``standard'' and ``governance'' of the PCI
Security Standards Council. There have been numerous suggestions made
over the years that would significantly reduce the chances of major
data breaches, but none have been adopted.
In conclusion, we believe any of our suggestions would be more
effective and efficient approaches to protecting credit card data and
preventing a continuation of the data breaches that have been seen in
recent years.
Thank you for the opportunity to appear before the committee today,
I would be happy to answer any questions.
Ms. Clarke. I thank the witnesses for their testimony.
I will remind each Member that he or she will have 5
minutes to question the panel. I will now recognize myself for
questions.
My first question goes to both Mr. Russo and Mr. Majka.
Since the PCI standards have become mandatory, there has been
no shortage of massive data breaches. Is there any hard
evidence to suggest that the standards have reduced the number
of data breaches or the amount of credit card fraud? What
metrics are in place to judge the effectiveness of these
standards?
Mr. Russo. Chairwoman Clarke, let me answer first.
The council's purview does not include keeping statistics
on breaches, on who is compliant, as we do not have that
relationship with the merchants. I can tell you, as I stated
earlier, that based on what we have seen in forensics and what
we have seen our information has given us by reaching out to
these breached entities, that they were, in fact, not compliant
at the time of the breach. Very similar to Ms. Glavin, who
mentioned locking your doors, you don't lock your doors on
Monday, Wednesday, and Friday and not on Tuesday, Thursday,
Saturday, and Sunday. So it is constant vigilance that must be
there when it comes to protecting this data. It is everyone's
responsibility, including the merchant, including the consumer,
to be looking after their own data.
Mr. Majka. Madam Chairwoman, I would like to say that entry
into these data systems, while the criminal is very complex, we
found that the entry methods have been very simple, and they
would have been addressed by the PCI data security standard in
all cases. Even those entities where they have had validated
compliance, our review of those incidents found that either
they hadn't maintained compliance, and there were significant
gaps that allowed the breach to occur.
I would also like to say that the standard itself has been
improved over the years. One of the success stories of the
standard is the removal of prohibitive data from merchants'
servers. This has led to incidents where we no longer have a
breached entity who has been storing data for 3, 4, or 5 years
that the criminals can access 5 years' worth of data. So those
are things that the standard itself has addressed and has
helped.
I would also like to say that I think that we don't know
how many breaches have been prevented by those entities that
have, in fact, gone as far as implementing and maintaining the
standard properly.
Ms. Clarke. I think that is really at the core of the issue
here is that we can't get some tangible evidence of how
effective this is in actually eliminating the breaches. It is
clear that if people aren't following the protocols, that opens
them up in terms of more vulnerability. But it would seem to me
that as a part of the build-out of the floor of the PCI
standards, that we would develop some sort of metric that gives
us an ability to objectively judge the effectiveness of these
standards. Are you saying that those don't exist right now?
Mr. Russo. No, Madam Chairwoman. They do exist in various
entities, those entities being the acquiring banks, as an
example, which own the relationships with the merchants. They
require PCI compliance, they track PCI compliance, they have
those numbers. Again, the council does not have any input into
that or any view into that because we do not have the
relationships with the merchants. The banks, the acquirers have
the relationship with the merchants. But there are tens of
thousands, hundreds of thousands that are going through
programs every day and validating their compliance on a regular
basis.
Ms. Clarke. Mr. Russo, do you have a relationship with the
banks?
Mr. Russo. The council does not have a relationship with
the banks other than to put its standard out there and make
sure that they are creating awareness among their constituents
that they need to be compliant with the standard.
Ms. Clarke. Thank you.
The next question then is both to you, Mr. Russo, and Mr.
Majka. The PCI standards include requirements for encrypting
data at rest and data that travels over the internet. But the
Heartland breach, for instance, involved data in transit
between terminals and hosts on nonpublic networks.
As Mr. Jones notes in his testimony, there are no PCI
standards for this. Is this a fundamental weakness in the
standards? Why doesn't PCI require end-to-end encryption,
including internal encryption? How are you going to address
this?
Mr. Russo. There are provisions within the standard now
that address this data and address the inside network that
should, in fact, either stop this from happening, or at least
give you a warning that something is happening so that you can
immediately stop it and cut the breach off. We do go out to, as
I mentioned, all of our participating organizations--one of
whom is sitting at the table with me today, the NRF--and we do
ask them for their feedback on the standard and what needs to
be done.
One of the things that we are in the process of doing right
now is that we have issued a proposal to a number of technology
companies to give us an independent study on what we are
calling emerging technologies, one of which is end-to-end
encryption, another of which is tokenization, another of which
is chip and PIN. So we are looking at these technologies and
how they make the standard more robust. But it is important to
the say that there really is no silver bullet here.
Ms. Clarke. I am a bit over my time, but I would like to
get Mr. Jones' and Mr. Hogan's response to this end-to-end
encryption dilemma.
Mr. Jones. First, I think on encrypted, I am not sure I
would call it an emerging technology; it has been around for
some time. Obviously, since it is a requirement for anything
traveling outside the private network, I think that not having
it as part of something that travels on your internal network
was something originally to reduce some of the costs involved
with implementing the standards, because it costs money to
implement encryption end-to-end, and that would have involved a
lot of cost to merchant banks all across the country, as well
as retailers. Every retailer would have had to implement
encryption on their side. But we have already had to do it
from--and most retailers do transact across the internet in one
way or another, so we have had to do that.
So I would separate that out from a chip and PIN discussion
as far as what we should be looking at going forward. As far as
whether it should be in the standard or not, I feel that it
should have been in the standard long ago as part of something
simply because there are things that may have caught the
Heartland Payment thing. But when we talk about very
sophisticated thieves, the Heartland Payment software that was
used was so sophisticated that it was virtually impossible for
highly technical, highly sophisticated people to pick up. Most
of the existing scanning technologies would not have even
picked it up, but had it been encrypted, it wouldn't have
mattered. I think that is the way of looking. So why not lock
your front door? Why leave it open?
Ms. Clarke. Mr. Hogan, do you concur?
Mr. Hogan. Yes, I do concur. I think it is very interesting
that the merchants, universities, doctors' offices, anybody who
accepts credit cards and processes credit card data has to go
through extraordinary hoops to adhere to a PCI standard;
however, when it is convenient, the information is sent open in
the free and clear, when it is transmitted to the banks, so on
and so forth.
So I think you have a double standard going on here where
in one case you have to adhere to a standard, and spend a lot
of time, effort, and money to do it, and then all of a sudden
you send it back out wide open that anybody could potentially
read unencrypted downstream.
Ms. Clarke. Thank you. My time is expired.
Let me now acknowledge the gentleman from New Mexico, Mr.
Lujan.
Mr. Lujan. Thank you, Madam Chairwoman. I know we have some
votes we have to get to, if I am not mistaken, so I will try to
keep this brief.
Mr. Russo, what recommendations of standards have been made
that have not been implemented by those that follow your
standards?
Mr. Russo. Congressman, we have a feedback process in
place, which Chairwoman Clarke mentioned a little earlier--
actually, I am a little perplexed because Mr. Hogan earlier
said that this is constantly changing, yet Chairwoman Clarke
indicated it was a 2-year process that we go through. We go
through two feedback periods where we get feedback from all of
those participating organizations, again, one of which is the
NRF, and we then discuss all of this information at two
community meetings that we have on a yearly basis, one in North
America and one in Europe. That information is then taken back
from what we are getting again at that community meeting and
gone through another feedback period before a new standard is
released.
I might also mention that the difference between the
initial standard that we came out with in 2006 and the 1.2
version, which we came out with in October, was not that
different. There were clarifications, there were documentation
changes, more guidance information was put in to make it easier
to understand the intent and, in fact, comply with it. These
were all recommendations from these participating
organizations, from our board of advisors. There are things
that we put out on a regular basis based on their input. We do
not create this standard in a vacuum. This is something that
the entire group of participating organizations and the
assessment community and our board of advisors advise us on.
Mr. Lujan. Let me narrow the question a little bit.
Mr. Russo, there was some discussion about end-to-end
encryption for its databases. Isn't that a recommendation that
was made by the Heartland Payment Systems CEO?
Mr. Russo. After the breach it absolutely was, after the
breach. We agree that encryption is a good thing--again, not a
silver bullet. Encryption is a good thing. As the gentleman
from Michaels mentioned, encryption is an expensive
proposition. If we make this mandatory in the standard, there
will be a number of merchants who will not be able to afford
this immediately. There are provisions within the standard that
actually affect what happens there. So the need for end-to-end
encryption within the internal network is really not there. If
you are following the standard religiously, the need is not
there. Why put these people through the expense?
That being said, we are now investigating it from an
independent third party, and we will present that information
in the form of feedback to our entire community and get their
feeling on whether or not they actually want this to be part of
the standard.
Mr. Lujan. Mr. Russo, you said something earlier that I
found interesting, that you have never found PCI not to be in
compliance at a time of breach, meaning that at a time of
breach, there may have been some break in compliance. But with
the system that we have today, who is responsible for
monitoring compliance?
Mr. Russo. The merchant himself. Basically what we do is we
take a snapshot--let me give you a brief example, if I have a
minute or so. If you need fire insurance on your house, and you
come to me and ask me as the insurance company to give you fire
insurance, I send an inspector out, and you have everything in
place--smoke detectors that work, fire extinguishers,
sprinklers, and such. Three months later, your house burns
down. I send an inspector out again, only to find out that
there was no pressure on the sprinklers at that time, all of
the batteries weren't working in your smoke detectors, and so
on. This is the responsibility not only of the council to make
sure that you are compliant, but it is your responsibility as a
merchant, your responsibility to the consumers to make sure
that you are doing this on a regular basis.
Mr. Lujan. Mr. Russo, if I could interrupt, I think that
that example is a perfect illustration, because I would ask
that the regulator that was responsible for monitoring the fire
suppressant system, if you come back after there was a fire,
and you found out that my fire suppressant system wasn't
adequate to be able to protect my home or my place of business,
then the regulator wasn't doing their job. But in this case,
there is no one overseeing this. It is, here is a set of rules;
if you want to be able to utilize our product, please follow
them. In the case if there is a breach, we depend on the
Department of Justice to step in, often times informing a group
of people that maybe there was a breach.
Madam Chairwoman, I know that my time is expired, but this
is really interesting to see, when we talk about a set of
standards, to truly see how we can work together to look to see
where the weak points are. But also from a compliance
perspective, I know that there aren't compliance efforts moving
forward to truly work with the retailers if it is their
responsibility to be held in compliance. But it seems to me
that the system that we have today, I think we all agree, from
different sides, that it is not working.
Ms. Clarke. Thank you very much for your observations, Mr.
Lujan. Thank you for your responses.
We are in the process of votes right now, but I would like
to get in one final question for this panel, and this question
is for the entire panel actually.
A large part of the data theft problem is the amount of
valuable data stored in the system. Mr. Hogan and Mr. Jones
testified that the credit card companies are actually requiring
merchants to keep more data than they would otherwise prefer.
Can the panel please explain what requirements exist for
merchants to store credit card data in their systems, and why
did the credit card companies dismiss the suggestion from NRF
that these requirements be changed?
Mr. Majka. Madam Chairwoman, if I may start by answering
that question. Visa does not require merchants to retain card
holder data. We embarked on a campaign about 3 years ago to
educate merchants on what data they absolutely need to
maintain, and the campaign was called Drop the Data. In those
cases, they are not required to retain the account number.
We have found that some merchants do, in fact, retain the
account number, customer name, maybe the expiration date, and
in those cases, should a merchant choose to maintain that data,
they do have to secure it properly. But all merchants have the
ability to work with their acquiring merchant bank to not store
that data, and use whether it is an authorization code or
transaction ID as a reference number to then research a
transaction that may be in question. So from a Visa
perspective, we do not require storage of that data.
Ms. Clarke. Mr. Hogan.
Mr. Hogan. That statement is quite interesting, because we
hear from numerous, numerous merchants, restaurants, hotels
that if they don't keep some credit card data for a period of
time to handle the retrieval or chargeback request process,
they will be fined and penalized. So I would love to have
somebody go on record here from Visa or so on and so forth that
would basically make a statement that, again, retailers and
merchants do not need to store any credit card data at all,
just keep an authorization code, and they will not be penalized
at all in context of the chargeback or retrieval request
process. Maybe that could be a question you could pose back.
Ms. Clarke. I find this discrepancy to be very troubling,
very troubling.
Mr. Jones.
Mr. Jones. I think we have to look at two entities, too. As
the question was being answered, there was Visa does not
require. Then the second part was, we recommend they work with
their acquiring merchant bank to understand what data they need
to keep or don't need to keep.
Visa is not the person that we work with on a day-to-day
basis. We work with our merchant bank. If your merchant bank
cannot provide you back the information for you to look up
among your thousands, tens of thousands, hundreds of thousands,
or millions of transactions which we deal with on a basis to
pull that transaction--and we have to physically pull a receipt
again; we go from the point of we get a piece of paper with a
card number on it, and we have to get to a point where we pull
a receipt within a certain time period, otherwise we lose that
transaction. So it is not a requirement. We could not do that.
We could say that is a cost of doing business. By doing that,
then, we would just automatically lose those dollars.
My brethren in places like Best Buy or Big Ticket, it would
cost them a fortune. Places like Marriott, or a hotel or a car
reservation where you hold a reservation with a credit card
number, or they put a $400 charge on your credit card where it
is being held but not charged yet, they do have to keep that;
otherwise they have no way to charge you after.
So I think we are dealing with which organization is
requiring versus PCI doesn't require you, they are not a credit
card organization. Visa just transports it; the merchant bank
is something else. The retailer is left holding the bag and has
no input or say, but yet is paying the transaction fee, is the
one who pays for the transaction when the customer says that
they are not responsible for it and has no say in it.
There is a solution out there, but there has been no
interaction, there has been no partnership to really develop
that solution, I think.
Ms. Clarke. Well, let me just close by saying that this is
something that we have to fix. Mr. Majka, I look forward to
speaking with you further about this.
To all of you, thank you very much for your testimony
today. This has been very interesting, very enlightening. I
think we have got a lot of work to do, as I said in my opening
statement. Certainly I think some things have come to light
here today that should concern all of us and that we should be
working together as a team to make sure that we address.
I thank the witnesses for their valuable testimony and the
Members for their questions. The Members of the subcommittee
may have additional questions for the witnesses, and we will
ask you to respond expeditiously in writing to those questions.
Hearing no further business, the subcommittee stands
adjourned.
[Whereupon, at 3:15 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairwoman Yvette D. Clarke of New York for Rita M.
Glavin, Acting Assistant Attorney General, Criminal Division,
Department of Justice
Question 1. How do you prosecute criminals in cyberspace when it is
virtually impossible to identify and attribute attacks to specific
individuals?
Answer. Response was not received at the time of publication.
Question 2. What attraction does card fraud have for criminals and
terrorists?
Answer. Response was not received at the time of publication.
Question 3. Would you say that card fraud is the financing method
of choice for terrorists?
Answer. Response was not received at the time of publication.
Question 4. How many people and man-hours are devoted to
investigations and prosecutions related to card fraud, including both
data breaches and the criminal activity card fraud underwrites?
Answer. Response was not received at the time of publication.
Question 5. You testified that by disabling Shadow Crew's Web site,
the Department of Justice believed they ``prevented hundreds of
millions of dollars in additional losses to the credit card industry.''
Is it the Department's understanding that the fraudulent charges that
are the result of a data breach are a financial liability to the card
brands, issuing banks, or acquiring banks?
Answer. Response was not received at the time of publication.
Questions From Chairwoman Yvette D. Clarke of New York for Robert
Russo, Director, Payment Card Industry Data Security Standards Council
Question 1. Why aren't penetration tests required on a quarterly
basis? Why don't they conform to NIST standards?
Answer. The PCI DSS requirement for penetration testing is not
based exclusively on time intervals. Tests are also required after any
significant changes to a data system environment that has been
validated as compliant with the PCI DSS--as frequently as that may
occur, which may be more frequently than quarterly. The Council's
information supplement regarding penetration tests is attached as
Exhibit A.* This is in addition to the annual validation of static
controls. It is also important to note that penetration tests are only
a small part of the comprehensive set of controls and layers of
security identified in the PCI DSS.
---------------------------------------------------------------------------
* Attachments referred to have been retained in committee files.
---------------------------------------------------------------------------
Vulnerability assessments, which share many of the characteristics
of penetration tests by identifying the same threats, are required, at
a minimum, quarterly. Penetration tests are additive to, rather than
substitutes for, the standards promulgated by the National Institute of
Standards and Technology (NIST), which are also a critical part of the
process that our Approved Scanning Vendors (ASVs) utilize to identify
vulnerabilities in networks. Indeed, all ASVs rely on the NIST National
Vulnerability Database (http://nvd.nist.gov/), a U.S. Government
repository of standards-based vulnerability management data and each
entity must receive a passing score quarterly to be considered
compliant with the PCI DSS.
Question 2. Given the prevalence of insider attacks (both physical
and virtual), which have grown by 55% according to the intelligence
community, why has two-factor authentication not been required of all
users who access payment data within networks as well as all system
administrators' who have privileged rights?
Answer. The PCI DSS requires two-factor authentication (Requirement
8.3) as a mechanism for external access (internet/remote) into
cardholder data environments. The primary focus of PCI DSS Requirement
8.3 is to prevent unauthorized access from the outside, focusing on
protecting from external intrusion, not internal access.
For internal threats with respect to unauthorized authentication
attempts, the PCI DSS provides a layered security approach that
requires numerous other controls to minimize risks within the internal
network. Two-factor authentication is one method for meeting this
layered approach. Other approaches that address the internal risk of
user account takeover include prohibiting the use of risky protocols
that expose user names and passwords (Telnet and FTP) and requiring
passwords to be encrypted/hashed during transmission and storage within
the internal network. There are also numerous user account management
and password controls (Requirement 8), along with logging and
monitoring requirements (Requirement 10) that address internal controls
to help mitigate internal risks including two-factor authentication.
Question 3. How are Qualified Security Assessors trained?
Answer. Because the quality of PCI DSS validation assessments can
have a tremendous impact on the consistent and proper application of
security measures and controls, the Council's QSA qualification
requirements are exacting and detailed, involving both the security
companies themselves as well as the individual employees involved in
assessments.
In broad terms, prospective QSA companies must:
Apply for qualification in the program;
Provide documentation adhering to the Validation
Requirements for Qualified Security Assessors v. 1.1, a copy of
which is attached as Exhibit B;*
---------------------------------------------------------------------------
* Attachments referred to have been retained in committee files.
---------------------------------------------------------------------------
Qualify individual employees to perform the assessments,
which requires annual training and testing of those employees,
and;
Execute an agreement with the Council governing performance
of validation assessments.
In turn, each individual QSA employee who will be performing and/or
managing on-site PCI DSS assessments:
Must attend annual PCI DSS training provided by the Council,
which includes training in Scoping a PCI DSS Assessment, PCI
DSS v1.2 Requirements, and Compensating Controls;
Must pass all examinations conducted as part of training;
Has access to face-to-face feedback sessions with the
Council every 6 months;
Has access to the numerous fact sheets, information
supplements, frequently asked questions, and webinars that the
Council makes publicly available at its Web site at
www.pcisecuritystandards.org/education.
Our management of QSAs does not end with training. In 2008, the
Council launched a Quality Assurance program to promote consistency of
both services and results provided by the security assessment
community. This program specifies eight guiding principles QSAs must
commit to and outlines a number of criteria QSAs must adhere to in
order to provide a more uniform experience for merchants and other
customers. The criteria include evaluating QSAs based on consistency of
the opinions rendered, competency of the professionals, credibility of
the organizations, and business ethics. To staff this program, the
Council has also invested in a dedicated team responsible for assessor
performance monitoring.
Each assessor is required to use the template report associated
with the PCI DSS (attached as Exhibit C*) as the framework for
reporting validation to the standard. Each requirement contains one or
more testing procedures that must be evaluated by the assessor and
appropriately documented to demonstrate that the control has been
tested by the QSA and is operating correctly. The quality assurance
team reviews these reports to confirm that all testing procedures in
the framework are completed and documented, indicating consistency of
practice in the assessor community.
The Council's quality assurance team evaluates trends among Report
of Compliance documents in an effort to identify common inconsistencies
and reports findings to the Council in order to consider and implement
appropriate curative actions. Any such actions are communicated to the
assessors via training, newsletters, and webinars. This information is
also shared with the Council's Technical Working Group for future
consideration and possible adjustment of the PCI DSS.
Question 4. Mr. Jones of Michaels Stores stated that ``Many of the
PCI requirements are covered by the Sarbanes-Oxley audits.'' Could you
report to the committee on the redundancies between the Sarbanes-Oxley
audits and the PCI Council's own requirements?
Answer. The Sarbanes-Oxley Act of 2002 (``Sarbanes-Oxley'') applies
exclusively to publicly traded companies in the United States,
addresses a host of concerns and is not primarily concerned with data
security. Sarbanes-Oxley instead focuses primarily on addressing
accounting standards and practices. The provisions of Sarbanes-Oxley
are not intended, nor would they be adequate, to enable the marketplace
to achieve and maintain data security, particularly with respect to
payment card data. The Council does not believe there is extensive
overlap between Sarbanes-Oxley and PCI Standards.
The PCI Standards are specifically designed to protect payment card
data. They apply to both public and private companies of all sizes,
both inside and outside the United States. Further, they are far more
detailed and specific in the way they address data security issues: for
example, the PCI DSS has over 225 requirements and 525 testing criteria
specific to data security.
Given the specific nature of the PCI DSS and the absence of similar
specific controls in Sarbanes-Oxley, we are unclear about precisely
what redundancies Mr. Jones is referring to.
Question 5. You testified that the PCI council does not develop or
use metrics to evaluate the effectiveness of the council's standards.
How then does the council weigh proposals to the PCI standards if they
cannot measure the costs and benefits of past and future additions to
the standards?
Answer. There are a number of readily available industry metrics
that the Council uses to track the effectiveness of the standard. For
example, the Nilson Report is a widely used industry publication with
extensive metrics on payment card fraud and a wide range of other data
security issues.
Moreover, the payment card brands regularly receive and assess
forensic information regarding the cause of payment card data breach
incidents. This type of data provides critical information regarding
where the PCI Standards may need to be strengthened or modified. This
guidance is provided by the payment card brands as members of the
Council's technical working group.
Proposed changes to the PCI Standards are shared with our
Participating Organizations, which represent over 500 companies, all of
which have first-hand experience in implementing standards and
protecting payment card data on a daily basis. A formal feedback
process enables the Council to receive robust feedback from this group.
This feedback ensures additions and changes to the PCI Standards are
weighed by those with a front-line perspective on what measures are
most beneficial to protect payment card data.
One example of how this broad industry feedback has directly
resulted in changes to the PCI Standard is in the case of wireless
security. In 2007, forensic investigators indicated that insecure
wireless implementations were at the core of a number of breaches. As a
result of that, the Council started investigating wireless security
with its stakeholder community--making it a key agenda item for
discussion at our first Community Meeting. Feedback from that
discussion led to changes in version 1.2 of the PCI DSS. Finally, in
order to help organizations meet the new requirements, our stakeholders
suggested creating a Wireless Special Interest Group--comprised of
representatives from dozens of our Participating Organizations--to
examine implementation issues. That group is expected to release an
implementation guide on meeting the new wireless requirements in the
coming weeks.
It is broad participation such as this--coupled with the knowledge
that the payment brands bring to the table--that gives us confidence in
our ability to measure the cost and benefits of future additions to the
standard.
Question 6. You stated in your testimony that ``no standard is
perfect. But the PCI security standards have proven to be the most
effective means of preventing data breaches and protecting consumers.''
Given that the Council has not developed or applied any metrics to
measure the effectiveness of the PCI standards or to compare their
resulting security to other payment technologies, how have the PCI
security standards proven to be effective at all?
Answer. Necessarily, evidence demonstrating that a particular
standard is effective in preventing a particular outcome must be
inferential. However, it is noteworthy that with more than 10,000
payment card transactions per second worldwide (Source: American
Bankers Association, March 2009) and the usage of payment cards
steadily increasing, payment card fraud rates are at historic lows. The
Council believes that the PCI Standards have been an integral driver of
this trend, and industry data supports that conclusion.
Question 7. You stated that the council does not have a
relationship with banks ``other than to put the standard out there and
make sure that they are creating awareness among their constituents.''
Since it is the banks which, according to you, monitor compliance and
the effectiveness of the standards, should not they be central to the
drafting process?
Answer. My statement pertained to lack of a direct contractual
business relationship between the Council and the banks. It was not
intended to suggest that banks are not intimately involved in data
security standards. Any suggestion to the contrary was inadvertent.
Banks are a pivotal part of our organization. Over 40 financial
institutions worldwide--including such leading U.S. banks as Bank of
America, Capitol One, and Wells Fargo--have joined the Council as
Participating Organizations. These organizations receive draft copies
of the PCI Standards for comment prior to publication and have the
opportunity to contribute feedback during the drafting process.
Financial institutions also comprise nearly one-quarter of the
Council's elected Board of Advisors.
Question 8. Merchants who have experienced data breaches also face
significant class action lawsuits. What liability exists for the
payment card industry and the assessors if a PCI-compliant company is
breached?
Answer. The PCI Standards do not assign liability to any party in
the event there is a data breach. Any liability from a data breach
would arise from agreements between participants in a network and/or
applicable law.
Consistent with its role as a standards development organization,
as discussed above, the Council does not impose any liability
allocation requirements between assessors and merchants, nor does it
have knowledge of the contractual terms entered into between individual
payment card brands (who are competitors of each other) and their
industry partners. Consequently, the Council does not have special
insight into how any liability for payment card breaches is allocated.
Question 9. In response to the committee, JCB said that they expect
the PCI standards will continue to ``become even more stringent in
future iterations.'' Is this also your expectation? What changes will
the next iteration likely have?
Answer. At this point in our standards lifecycle process, we are
not in a position to predict what specific changes will be included in
the next major iteration of the PCI Standards--our open comment period
for the most recent release starts in July. This comment period is a
pivotal part of a rigorous, end-to-end review undertaken within a 2-
year lifecycle process that includes input and feedback periods for our
Participating Organizations. Any changes introduced to meet new and
evolving threats will be debated with all of our stakeholders before
release.
In order to address interim threats, as previously noted in my
written testimony, the Council maintains on-going two-way
communications with its assessors, merchants, and other stakeholders,
and has the ability to issue errata to the PCI DSS, flash bulletins on
emerging threats, monthly newsletters to the Assessor community,
regular updates to the ASV test scanning environment, monthly webinars
with both assessors and merchants, and updates to the Council's on-line
searchable FAQ and training materials.
Question 10. Currently, requirements of notification of breaches
vary from State to State. Given that the Department of Justice stressed
the importance of notification, both of law enforcement and consumers,
has or will the Council consider mandating notification as part of its
standards? How would or could that be enforced?
Answer. As a standards body, the Council has no direct contractual
power that would enable it to mandate or enforce such notification by
retailers or processors when they suffer a breach. Although we do not
have the power to require notification, each of our members feels
strongly that notification of law enforcement and affected consumers is
an important component in a security breach response plan.
In fact, PCI DSS Requirement 12.9.1(b), which addresses Incident
Response, requires entities to have a communication and contact
strategy in the event of data compromise as well as an analysis of
legal requirements for reporting compromises.
Question 11. You stated in your testimony that ``in fact, we have
never found a breached entity to have been in full compliance with the
PCI standards at the time of a breach.'' Can you please explain the
discrepancy between that statement and the statement of Ellen Richey,
Chief Enterprise Risk Officer at Visa, Inc., that Heartland had
validated PCI compliance ``but it was a lack of ongoing compliance and
ongoing vigilance in maintaining security that left them vulnerable to
attack''. Can you please explain exactly how Heartland was not in full
compliance with the PCI standards?
Answer. These two statements are consistent. As noted in my written
testimony, validation of compliance with the PCI DSS only represents a
snapshot in time that coincides with information shared with and
interpreted by a QSA during the assessment period. No entity that has
custody of customer data can afford to gear up for an assessment, and
then relax its vigilance thereafter. While assessment is a useful tool
to uncover vulnerabilities, stakeholders across the payment chain must
realize that data security, and not passing assessments, is the goal of
an effective compliance program. The 2009 Data Breach Investigations
Report from Verizon Business (attached as Exhibit D*) found that
effective tracking and monitoring of network access was not in place at
95% of breached entities at the time of compromise. This provides a
good example, because the tracking and monitoring requirement is a
security practice that requires on-going compliance to be effective.
Its value is severely limited if it is in place only during validation
of compliance to the PCI DSS.
---------------------------------------------------------------------------
* Attachments referred to have been retained in committee files.
---------------------------------------------------------------------------
Unfortunately, the dynamic nature of any organization's complex
information technology systems and network environments, as well as
turnover of human resources, can require the taking of a wide variety
of actions that, absent appropriate steps to restore system integrity
can render a validated system noncompliant quickly after a satisfactory
compliance report has been issued. To use an analogy, effective
compliance should be viewed as equivalent to a full-length feature film
where an organization must be ``compliant'' at each and every frame of
that film. In contrast, validation of compliance is determined by a QSA
only in a single, specific frame of that film.
Question 12. Mr. Majka of Visa stated in his testimony that
``security must be a shared responsibility among all relative parties--
law enforcement, payment companies, regulatory agencies, retailers and
others.'' How is the financial risk and liability shared between these
parties?
Answer. The Council is not involved in the allocation of risk
within a particular network. This question is better directed to
participants in the respective networks, including the networks
themselves.
Question 13. Mr. Majka of Visa stated that ``we must collectively
apply multiple layers of security to protect the system. That includes
measures applied at the card level such as card verification values.''
It is the committee's understanding that not all issuing banks are
required to support CVVs and not all transactions are required to
include CVVs. Can you explain how the Council develops and enforces
standards for the card brands and issuing and acquiring banks?
Answer. It is important to recall, as noted above, that the Council
manages and develops--but does not enforce--the PCI Standards, nor does
it enforce operational regulations imposed by the payment brands.
Instead, it makes standards available to the market as tools to be used
in order to protect the payment card data of any entity that stores,
transmits, or processes payment card data. Members of the payment chain
then individually decide which industry partners must comply with the
PCI Standards, define required compliance validation mechanisms, and
manage any enforcement programs that may exist.
Requirements that exist between individual card brands and their
issuing and acquiring banks are not within the Council's purview.
Question 14. According to Mr. Jones' testimony, PCI states that all
credit card data must be encrypted, with the exception that it need not
if the data travels over a private network. Nonetheless, Mr. Jones says
in spite of that his company does not send this information over their
own private network unencrypted. Surprisingly, he notes, ``The credit
card companies' financial institutions, the very organizations that
have created and are mandating this rigorous and highly complex
standard, do not accept encrypted transactions. We must decrypt the
credit card number at our corporate headquarters prior to sending to
the merchant bank for approval!'' And Mr. Jones' company has to re-
encrypt this data when it is sent back to its stores. As a result of
his company's strong objection to this policy, it has asked for the
past 3 years for the ability to send encrypted information to the banks
but nothing has happened. One reason given is that it is too expensive
to implement. Mr. Jones has been told if the retailers ``are willing to
pay the costs (i.e., the credit card banks' cost) to implement it, we
will consider it.''
How important is the cost to the credit card banks in your
analysis?
Answer. Cost to all stakeholders, including merchants is one of
many factors that are taken into account in considering changes to the
PCI Standards. Effective data security must be affordable to the
millions of participants in the payment chain that must invest in it or
they cannot be expected to act quickly and effectively enough to meet
on-going threats. Any effective security stance must therefore
realistically take cost into account. For example, our Participating
Organizations, and particularly our merchant Participating
Organizations, have told us that internal encryption would be
extremely--even prohibitively--expensive, and have urged us to pursue
more affordable, alternative ways to make further security advances in
this area.
Question 15. Can you explain your process for evaluating Mr. Jones'
3-year effort to be able to encrypt information to the banks? Also, who
has opposed this suggestion?
Answer. Until our introduction at the hearing, Michaels Stores,
Inc. (``Michaels'') had not presented its opinions regarding this issue
to the Council. Moreover, Michaels is not a Participating Organization
and so to date has not attended any of our community meetings or
feedback sessions in the almost 3 years since the Council's inception.
The Council had therefore not had any prior opportunity to evaluate the
Michaels suggestion, nor is it aware of who may or may not be
supportive of this suggestion. The Council would welcome Michaels as a
Participating Organization so that its views could be heard and debated
among our stakeholder community.
Question 16. A large part of the data theft problem is the amount
of valuable data stored in the system. What requirements exist for
merchants to store credit card data in their systems? Please explain
how the chargeback/retrieval process affects what kinds of data can or
should be stored on a merchant's system.
Answer. The Council is not involved in the assessment of the
chargeback and retrieval process. Those processes are dictated by
participants in the payment network and those participants are
therefore in a better position to respond to the question, and speak to
the necessity of various kinds of data in connection with the
chargeback/retrieval process.
To more broadly answer the question of what data merchants are
required or permitted to retain, the fundamental premise of PCI DSS is
``if you don't need it, don't store it.'' That is why requirement 3.1
of the PCI Data Security Standard stipulates that organizations should
only retain data that is required for business, legal and/or regulatory
purposes. In other words, the PCI DSS does not itself mandate that
merchants retain any specific kind of data. To the extent card data
must be stored for legitimate purpose, it must be stored in a secure
manner.
Question 17. Why do card brands require merchants to retain
cardholder data for the purpose of chargebacks? Since this is such
vulnerability for merchants and cardholders, why not mandate that no
cardholder data be retained and provide transaction IDs for the purpose
of chargebacks?
Answer. As noted above, the Council is not involved in the
chargeback process.
Question 18. Why does the PCI Council not mandate PINs for credit
card transactions?
Answer. What data is presented in a transaction is part of the
authorization format used by the payment systems. Since the Council is
a security standards body, we are focused on providing standards to
secure payment data within the current payment system. The Council has
nothing to do with authorization format requirements or the
authentication of a transaction at the point of sale. The Council does
not run a payment network, nor do we have influence over vendors'
product platforms.
If the system evolves to mandate PINs for all transactions, the
Council will then address the issue of how to best provide the market
with any necessary standards to secure this process. For example, the
Council already maintains a comprehensive standard for PIN Entry
Devices. This standard lists requirements that address physical and
logical requirements for devices that process PIN transactions and
would likely be an integral part of securing PINs if they were to be
used more broadly in authentication.
Question 19. The basic design and security model of credit cards
has not changed since the 1950s. What major investments would be
required for a large scale migration to a different payment technology?
Who would make those investments? For example, if we were move to a
chip and PIN system?
Answer. The design and security model of payment cards has changed
extensively since the 1950s. Advances have included advanced hologram
technologies, on-line authorizations, Card Verification Codes, 3-D
Secure, address verification, real-time heuristic fraud detection
solutions, on-line PIN and off-line chip & PIN. This is just a sample.
However, any migration decisions are driven by the underlying value
proposition, which may differ from market to market and vary by payment
brand. The Council in its role as a standards body does not have
insight into these elements.
Question 20. Your responses to the committee concerning adopting
technological changes to the PCI standards, such as the end-to-end
encryption embraced by other witnesses, seems to be: (1) We have
addressed this issue [``there are provisions within the standard now
that address this data, address the inside network that should, in
fact, . . . stop this from happening . . . '']; or (2) it's unnecessary
to address this issue [``so the need for end-to-end encryption within
the internal network is really not there.'']; or (3) we are considering
addressing this issue [``we have issued a proposal to a number of
technology companies to give us an independent study on what we are
calling emerging technologies, one of which is end-to-end
encryption.'']. Given the skepticism toward Visa and the PCI Security
Standards Council expressed by the other members of the panel, can you
point to specific actions you are taking that will reassure this
committee that you are approaching the adoption of end-to-end
encryption and other security-enhancing solutions with the degree of
urgency and level of seriousness warranted by the current threat?
Answer. The introduction of any new technology--whether it is end-
to-end encryption or other security enhancing solutions such as
virtualization and tokenization--is a matter of utmost importance to
the Council and is treated as a high priority. We are constantly
evaluating the potential uses of new technologies to improve the
security of payment card data. As noted in your question, we have
issued a proposal to a number of technology companies to research and
submit to us an independent study of emerging technologies, one of
which is end-to-end encryption. As discussed further in the response to
Question 21 below, we expect to commission that study in the coming
weeks. The issuing of this technology study demonstrates the Council's
commitment to examining the relevance on an on-going basis of
technologies such as encryption to the PCI Standards.
It is important to note, however, that the message from our
stakeholders regarding end-to-end encryption has been mixed. During the
last feedback period in 2007, we received input from more than 350
organizations. It is noteworthy that not a single organization
requested that end-to-end encryption be mandated or even examined. Our
Board of Advisors has similarly not requested an examination of end-to-
end encryption.
Question 21. What technology companies are providing these
``independent'' studies of emerging technologies? Mr. Jones testified
that end-to-end encryption is not an ``emerging'' technology. If that
is correct, what do these companies need to study with regard to end-
to-end encryption?
Answer. The Council conducted an RFP process for selecting a vendor
to assist in the technology study. We are currently in the negotiation
process with the finalist--one of the major public accounting firms.
Our RFP asked vendors to examine the impact that emerging
technologies--including end-to-end encryption as well as technologies
such as virtualization and tokenization--might have on the PCI
Standards, and how broad adoption of these technologies might serve to
simplify the process of securing payment card data.
To Mr. Jones' point, while encryption itself is not a new
technology, no standard currently exists on how to apply end-to-end
encryption in a comprehensive data security framework.
Question 22. Visa asserts that consumers bear zero legal liability
for fraudulent use of credit cards. How is this policy financed?
Answer. Council members understandably avoid discussing any matters
that might in any way relate to the pricing and financing models of the
individual payment brands, and the Council accordingly does not address
such areas. This question is best directed to Visa, but we do note,
that U.S. Pub. Law 93-495 (commonly referred to as ``Reg E'') protects
a consumer against fraud in excess of $50.
Again, I appreciate the opportunity to assist the committee in this
matter, and support its goal of reducing the number and impact of data
security breaches. The Council remains available to provide the
committee with information to more fully understand and address
cybersecurity concerns as they relate to the PCI DSS and other payment
chain-related standards for which the Council has responsibility.
Questions From Chairwoman Yvette D. Clarke of New York for W. Joseph
Majka, Head of Fraud Control and Investigations, Global Enterprise
Risk, Visa, Inc.
Question 1. The PCI requirements are directed solely at merchants
and retailers. Why shouldn't there be a prescriptive security mandate
for Visa or other payment card brands to secure your own networks?
Answer. The PCI Data Security Standard (PCI DSS) applies to all
entities that store, process, or transmit payment cardholder data,
including financial institutions, processors, third party service
providers, and merchants. Visa, Inc. has validated and maintained on-
going PCI DSS compliance on an annual basis using an independent
qualified security assessor (QSA) since the creation of the PCI DSS in
2006. In addition, Visa, Inc. adheres to more rigorous security
measures to protect the overall Visa payment system. Visa is subject to
oversight by U.S. regulatory bodies under the auspices of the Federal
Financial Institution Examination Council (FFIEC) and undergoes regular
reviews by the FFIEC.
Question 2. Given the central role the card brands play in the
American economy, what responsibilities do you believe they have to
consumers and to the Nation?
Answer. Securing consumer data within the U.S. economy is a shared
responsibility, and every industry should deploy focused resources to
protect consumer information within its care. In this regard, the
payment card industry has done more than any other to provide
stakeholders with the tools and guidance needed to properly secure the
data they are trusted to protect. Visa has led the industry in
protecting cardholder data and stands ready to continue to support
industry participants in our collective fight against the criminals
that perpetrate card fraud. Thanks to massive investments and
innovative solutions, compromise events rarely result in actual fraud
and fraud rates in the payments industry remain near all-time lows.
Question 3. Is a breached company (whether compliant with the PCI
Standards or not) subject to increases in interchange rates?
Answer. Visa does not increase or modify the interchange rate
structure that applies to an entity that is breached. In fact, since
October 1, 2007, to encourage and provide incentives for stronger
protection against data breaches, acquiring financial institutions have
been able to qualify transactions for lower interchange rates under the
``tiered'' interchange rate system by, among other best practices and
volume requirements, ensuring that their merchant customers comply with
the PCI DSS. Acquirers of merchants that have been compromised and are
found not to have been in compliance with the PCI DSS may therefore
lose the benefit of these incentive-based ``tiered'' interchange rates,
until they demonstrate that they have come into compliance.
Question 4. In responses to the committee's investigation, you
stated that ``while there have been a few instances where an entity
with previously validated PCI DSS compliance was the victim of a
compromise, in all compromise cases our review concluded that gaps in
the compromised entity's PCI DSS controls were major contributors to
the breach.'' What gaps are normally found in a victim's security
controls after they have been certified PCI compliant, but later found
to be out of compliance?
Answer. In all compromised cases within Visa's purview, third-party
investigations concluded that gaps in the compromised entity's PCI DSS
controls were major contributors to the breach. Gaps commonly include
failures to secure and monitor non-payment-related systems that are
connected to the payment environment, which are then targeted to gain
access to the network. Corporate Web sites are an example of non-
payment-related systems commonly targeted by criminals through
Structured Query Language (SQL) injection attacks. Another common gap
is insufficient monitoring of logs for firewalls, anti-virus, intrusion
detection systems, as well as monitoring of privileged user accounts.
The PCI DSS requires that not only should there be mechanisms in place
to monitor for intrusions, but also that the organization regularly
monitors the logs generated to identify and investigate anomalous
activity.
Visa works with its acquiring financial institutions, through its
compliance programs to ensure merchants and their service providers
achieve and maintain PCI DSS compliance. It is the responsibility of
the acquiring financial institution, which deals directly with their
merchants and their service providers, to ensure these entities
continue to eliminate unnecessary risk to the overall payment system.
To determine overall success of these measures, Visa actively requests
frequent reporting from its acquiring financial institutions on the
status of the PCI DSS compliance of their merchants and service
providers. In support of these compliance programs, Visa has actively
communicated, since 2006, common vulnerabilities and corresponding
mitigation measures that merchants and service providers mistakenly
leave susceptible to attack on their systems. In addition, Visa
provides other data security alerts, bulletins and webinars to payment
system participants, all publicly available at www.visa.com/cisp.
Validating PCI DSS is a major milestone, but achieving and
maintaining compliance requires companies to make an on-going
commitment to keeping all consumers' data safe, including cardholder
data--24 hours a day, 7 days a week, 365 days a year. For any standard
to be effective, however, organizations must rigorously ensure that
they comply with each of its requirements on an on-going basis. Verizon
Business' 2009 Data Breach Investigations Report affirms similar
findings, ``The majority of breaches still occur because basic controls
were not in place or because those that were present were not
consistently implemented across the organization.'' Further, the report
specifically attributes non-compliance to PCI DSS requirements as major
factors contributing to breaches. Verizon cites PCI DSS Requirements 3
(protect stored cardholder data), 6 (develop and maintain secure
systems and applications), and 10 (track and monitor access to network
resources and cardholder data) as the least compliant across their
caseload, saying, ``This trio of deficiencies factored heavily into
many of the largest breaches investigated by our team over the past
five years.''
Question 5. Mr. Russo of the PCI Council stated in his testimony
that ``in fact, we have never found a breached entity to have been in
full compliance with the PCI standards at the time of a breach.'' Can
you please explain the discrepancy between that statement and the
statement of Ellen Richey, Chief Enterprise Risk Officer at Visa, that
Heartland had validated PCI compliance ``but it was a lack of on-going
compliance and on-going vigilance in maintaining security that left
them vulnerable to attack''. Can you please explain exactly how
Heartland was not in full compliance with the PCI standards?
Answer. In all compromise cases within Visa's purview and as stated
by Mr. Russo, despite any validation that may have been completed by a
QSA, the breached entity was not found to have been in full compliance
at the time of the breach. Based on compromise event findings, Visa
removed Heartland from its list of PCI DSS compliant service providers.
Information related to Heartland's PCI DSS compliance status was
provided to Visa under the obligations of a confidentiality agreement.
As such, Visa suggests contacting Heartland directly for specifics.
Question 6. You stated in your testimony that Visa looks forward to
``working with all participants to continue to develop tools to
minimize the risk and the impact of data-compromise events.'' Does Visa
understand the committee's concern about a fraud prevention strategy
that minimizes fraudulent charges only to the extent that card brands
and issuing banks remain solvent when fraudulent charges finance
criminal activities?
Answer. Visa's goal is to prevent both card data compromises and
the subsequent potential for fraudulent transactions. Visa has been
executing a multi-layered security strategy working with all payment
system participants to prevent data compromises around the world as
well as the fraud that may result there from. Visa invests substantial
resources and leads innovation in the industry with measures to stay
ahead of criminals and prevent them from obtaining financing through
the payment system. This includes, for card-based solutions (e.g., EMV-
chip, contactless), data-based measures (e.g., PCI DSS), and network-
based technologies (e.g., Advanced Authorization, neural networks,
Address Verification Service). In addition, participants in the Visa
system should strictly adhere to the EFT Act and Reg. E, the Truth in
Lending Act and Reg. Z, as well as numerous other Federal regulations
that protect consumers from the consequences of data breaches and
fraud. Additionally, Visa is currently working to empower cardholders
to play a more active role in protecting their information through
innovations such as transaction alerts. Armed with this kind of
information, cardholders can help monitor usage on their accounts and
identify potential fraud. All of these measures are designed to prevent
criminals from obtaining card data, and to prevent them from using it
to commit fraud.
Question 7. Merchants who have experienced data breaches also face
significant class action lawsuits. What liability exists for the
payment card industry and the assessors if a PCI-compliant company is
breached?
Answer. Parties that experience data breaches may be subject to the
liabilities determined through the court system. Visa is aware of a
number of class action lawsuits related to major data breaches in the
United States. However, Visa cannot speculate about facts and outcomes
in potential or pending class action lawsuits. To our knowledge, no
organization that has fully implemented and maintained compliance with
the PCI DSS has been the victim of a data compromise event. These
breaches damage consumer trust in the overall electronic payment
system, including Visa and its brand.
Question 8. In response to the committee, JCB said that they expect
the PCI standards will continue to ``become even more stringent in
future iterations of the PCI standards.'' Is this also your
expectation? What changes will the next iteration likely have?
Answer. The PCI SSC is charged with reviewing and updating the PCI
DSS to ensure that it remains effective to protect card data, by
incorporating input from stakeholders as well as technological
developments in the evolution of the standard over time. Since its
creation, the PCI DSS has been formally updated three times, with
considerable input from over 500 participating organizations, including
merchants, banks, and service providers from around the world, in order
to meet the evolving threats to the system, changing technologies and
the increased sophistication of hackers. The updates introduced in
version 1.1 and 1.2 of the PCI DSS have been relatively minor changes,
most of which served as clarifications to help entities better
understand the intent of a requirement. We expect the standard will
continue to evolve to address new threats as they materialize and add
further specificity where participating organizations, including many
global merchants, provide feedback.
Question 9. Currently, requirements of notification of breaches
vary from State to State. Given that the Department of Justice stressed
the importance of notification, both of law enforcement and consumers,
has or will the Council consider mandating notification as part of its
standards? How would or could that be enforced?
Answer. PCI DSS Requirement 12.9.1 addresses incident response and
requires entities to have a communication and contact strategy in the
event of data compromise. Additionally, in the event of a compromise
Visa advises entities to follow all State and Federal disclosure
requirements. Visa also works closely with the Federal Bureau of
Investigation's Cyber Division, United States Secret Service, United
States Postal Inspection Service, State attorneys general and the
Department of Justice Cybercrime and Intellectual Properties Unit in
criminal cases of data compromises.
Question 10. You stated that ``security must be a shared
responsibility among all relative parties--law enforcement, payment
companies, regulatory agencies, retailers and others.'' How is the
financial risk and liability shared between these parties?
Answer. Financial institutions have the direct responsibility and
relationship with cardholders, and because of Federal law and Visa's
zero liability policy for cardholders, bear most of the financial loss
if fraud occurs. Visa's Account Data Compromise Recovery program allows
issuing financial institutions to receive reimbursement for counterfeit
fraud losses and a portion of their operating expenses incurred as a
result of data compromise events from the financial institution
responsible for the compromised entity in the Visa system.
Question 11. Mr. Jones of Michaels Stores stated in his testimony
that ``credit card companies' financial institutions do not accept
encrypted transaction.'' The committee is concerned that the PCI
Council is not applying the same standards to its members that it
applies to merchants and processors. Is Visa planning to move forward
with securing the communications channel between merchants and
financial institutions?
Answer. Visa accepts encrypted data transmissions from its
processing endpoints and many processors also accept encrypted data
transmissions for merchant transaction submissions. Visa is also
mandating use of stronger encryption for protection of PINs at every
point of sale globally, specifying use of Triple Data Encryption
Standard (TDES) for PIN accepting entities. While the PCI DSS requires
encryption over public networks including the internet, it does not
require the use of encryption over private networks, such as a
merchant's internal network or a private connection between a merchant
and processor. Encrypting cardholder data in-transit over private
networks is encouraged. It should be noted, however, that while
encryption can add an additional layer of security, the data is still
at risk if transactions must be decrypted at any point within the
private network--for example, for transaction processing--and must
still be properly protected. As such, many organizations have
determined that the costs and number of system and software
modifications needed outweigh any incremental security benefit. The
requirements outlined currently in the PCI DSS, when implemented
properly, should effectively prevent a criminal from obtaining access
to a business' private network and detect any unauthorized access.
Question 12. The basic design and security model of credit cards
has not changed since the 1950s. What major investments would be
required for a large-scale migration to a different payment technology?
Who would make those investments? For example, if we were move to a
chip and PIN system?
Answer. In the 50 years since the beginning of the card industry,
Visa has evolved from credit card roots to become one of the world's
leading global retail electronic payments networks. Today, the Visa
network connects cardholders, merchants, and financial institutions
around the world with products and services that are designed to make
payments faster, more convenient, more reliable, and more secure. At
the heart of Visa's business is VisaNet, our centralized processing
platform and one of the world's largest transaction and information
processing networks. Nearly 92 billion authorization, clearing, and
settlement transactions were processed through VisaNet in calendar year
2008. On this platform, Visa has been able to build capabilities that
provide secure, reliable, and scalable processing, including
innovations such as Advanced Authorization to risk-score transactions
in real time. Other examples of technological improvements include the
introduction of magnetic stripe technology, CVV2 (three-digit code on
the back of a Visa card), address verification service and contactless
cards with dynamic data technology. There have also been anti-
counterfeit measures such as holograms, ultra-violet marks, and micro
text, to name a few. Fraud rates today are at historic lows, much lower
than they were decades ago when we did not fully benefit from the power
of the Visa network to be able to analyze and authorize transactions in
real time.
Visa supports chip technologies around the world, including in the
United States where we are beginning to see adoption in mobile and
contactless payments. Chip technology--both contact and contactless--
can add an important security layer, introducing dynamic data into
transactions which can reduce the incidence of fraud. However, we
recognize that there are different needs, threats, and infrastructures
in different parts of the world, and there is no one-size-fits-all chip
solution. In some other countries around the world, the market has
driven the adoption of chip technology based on these factors. To the
extent chip adoption can meet the needs of the payments industry in the
United States, Visa is ready to support migration as it has in other
markets. Where chip technology has been implemented broadly in a
market, it should be noted that migration takes time. The costs have
been shared by all parties--payment networks, financial institutions,
and merchants. Generally, the card brands make investments in the
network upgrades and consistent standards and financial institutions
and merchants typically bear the increased cost of card technology and
the upgraded payment terminals.
Question 13. A large part of the data theft problem is the amount
of valuable data stored in the system. What requirements exist for
merchants to store credit card data in their systems? Please explain
how the chargeback/retrieval process affects what kinds of data can or
should be stored on a merchant's system.
Answer. Visa does not require merchants to store complete card
numbers. To the contrary, Visa encourages merchants to limit retention
to truncated account numbers and has executed a ``drop the data''
educational campaign in partnership with the U.S. Chamber of Commerce
over the past 3 years to encourage merchants to reduce data storage
(www.dropthedata.com). A merchant may work with their acquiring
financial institution to implement the necessary chargeback processes
that do not rely upon the merchant's storage of the account number. For
example, a signed point-of-sale terminal receipt with a truncated
account number and the accompanying authorization log is valid
fulfillment and will remedy a fraud chargeback. As such, a merchant may
mitigate their risk by storing only truncated account numbers. In many
cases, merchants decide to store cardholder data for marketing, loyalty
programs, or customer service purposes. In those instances, Visa
requires that stored data is protected in accordance with the PCI DSS.
Question 14. In responses to the committee, Discover stated that it
is currently making changes to processes to provide merchants with the
option of receiving masked data for disputes (like retrievals and
chargebacks) as well as settlement reports. Is Visa doing something
similar? Would this cut back on the amount of data stored that could be
subject to breach?
Answer. Visa does not require merchants to store complete card
numbers. Visa continues to work with those financial institution
clients that may be requesting card numbers for dispute resolution to
eliminate this practice and adopt the use of truncated account numbers.
While Visa strives to eliminate any practices that may lead to the
storage of cardholder data, there are likely many other reasons
merchants have made a business decision to store this data, including
processing returns and loyalty programs. In addition to our efforts to
limit retention of complete account numbers, Visa has made considerable
strides toward eliminating the storage by merchants and processors of
authorization data, which criminals covet to perpetrate fraud. This
``prohibited'' data includes full magnetic stripe data, the CVV2 or
``Card Verification Value 2'' and PIN.
Question 15. Visa asserts that consumers bear zero legal liability
for fraudulent use of credit cards. How is this policy financed?
Answer. Visa card-issuing financial institutions are responsible
for complying with Federal law and honoring Visa's zero liability
policy for cardholders and, as a result, bear most of the financial
loss if fraud occurs.
In closing, Visa is acutely focused on ensuring that payment
products are not used to perpetrate criminal activity and has taken a
leading role in promoting cardholder information security and
innovation within the payments industry. I appreciate the opportunity
to assist the committee in this matter.
Questions From Chairwoman Yvette D. Clarke of New York for Michael
Jones, Senior Vice President and Chief Information Officer, Michaels
Stores, Inc.
Question 1. How much does it cost you to comply with the PCI
standards, and are they effective in keeping out intruders?
Answer. Response was not received at the time of publication.
Question 2. Are retailers bearing a disproportionate burden of
costs in data security?
Answer. Response was not received at the time of publication.
Question 3. Do you agree that the effectiveness of data security
standards is inherently limited by the technology base of U.S. credit
and signature debit card processing networks? How could this technology
base be improved, and what obstacles exist that would prevent this from
happening?
Answer. Response was not received at the time of publication.
Question 4. Have you ever notified the Council of assessors trying
to sell their own products or services?
Answer. Response was not received at the time of publication.
Question 5. The basic design and security model of credit cards has
not changed since the 1950s. What major investments would be required
for a large-scale migration to a different payment technology? Who
would make those investments? For example, if we were move to a chip
and PIN system?
Answer. Response was not received at the time of publication.
Question 6. A large part of the data theft problem is the amount of
valuable data stored in the system. What requirements exist for
merchants to store credit card data in their systems? Please explain
how the chargeback/retrieval process affects what kinds of data can or
should be stored on a merchant's system.
Answer. Response was not received at the time of publication.
Question 7. Visa asserts that consumers bear zero legal liability
for fraudulent use of credit cards. How is this policy financed?
Answer. Response was not received at the time of publication.
Questions From Chairwoman Yvette D. Clarke of New York for David Hogan,
Senior Vice President, Retail Operations, and Chief Information
Officer, National Retail Federation
Question 1. Are retailers bearing a disproportionate burden of
costs in data security?
Answer. Response was not received at the time of publication.
Question 2. Do you agree that the effectiveness of data security
standards is inherently limited by the technology base of U.S. credit
and signature debit card processing networks? How could this technology
base be improved, and what obstacles exist that would prevent this from
happening?
Answer. Response was not received at the time of publication.
Question 3. Have you ever notified the Council of assessors trying
to sell their own products or services?
Answer. Response was not received at the time of publication.
Question 4. The basic design and security model of credit cards has
not changed since the 1950s. What major investments would be required
for a large-scale migration to a different payment technology? Who
would make those investments? For example, if we were move to a chip
and PIN system?
Answer. Response was not received at the time of publication.
Question 5. A large part of the data theft problem is the amount of
valuable data stored in the system. What requirements exist for
merchants to store credit card data in their systems? Please explain
how the chargeback/retrieval process affects what kinds of data can or
should be stored on a merchant's system.
Answer. Response was not received at the time of publication.
Question 6. Visa asserts that consumers bear zero legal liability
for fraudulent use of credit cards. How is this policy financed?
Answer. Response was not received at the time of publication.
�