[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]




 
                  DATA SECURITY: EXAMINING EFFORTS TO
                PROTECT AMERICANS' FINANCIAL INFORMATION

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 5, 2014

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 113-68


                                 ______

                   U.S. GOVERNMENT PRINTING OFFICE 
88-530                     WASHINGTON : 2014
____________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

GARY G. MILLER, California, Vice     MAXINE WATERS, California, Ranking 
    Chairman                             Member
SPENCER BACHUS, Alabama, Chairman    CAROLYN B. MALONEY, New York
    Emeritus                         NYDIA M. VELAZQUEZ, New York
PETER T. KING, New York              BRAD SHERMAN, California
EDWARD R. ROYCE, California          GREGORY W. MEEKS, New York
FRANK D. LUCAS, Oklahoma             MICHAEL E. CAPUANO, Massachusetts
SHELLEY MOORE CAPITO, West Virginia  RUBEN HINOJOSA, Texas
SCOTT GARRETT, New Jersey            WM. LACY CLAY, Missouri
RANDY NEUGEBAUER, Texas              CAROLYN McCARTHY, New York
PATRICK T. McHENRY, North Carolina   STEPHEN F. LYNCH, Massachusetts
JOHN CAMPBELL, California            DAVID SCOTT, Georgia
MICHELE BACHMANN, Minnesota          AL GREEN, Texas
KEVIN McCARTHY, California           EMANUEL CLEAVER, Missouri
STEVAN PEARCE, New Mexico            GWEN MOORE, Wisconsin
BILL POSEY, Florida                  KEITH ELLISON, Minnesota
MICHAEL G. FITZPATRICK,              ED PERLMUTTER, Colorado
    Pennsylvania                     JAMES A. HIMES, Connecticut
LYNN A. WESTMORELAND, Georgia        GARY C. PETERS, Michigan
BLAINE LUETKEMEYER, Missouri         JOHN C. CARNEY, Jr., Delaware
BILL HUIZENGA, Michigan              TERRI A. SEWELL, Alabama
SEAN P. DUFFY, Wisconsin             BILL FOSTER, Illinois
ROBERT HURT, Virginia                DANIEL T. KILDEE, Michigan
MICHAEL G. GRIMM, New York           PATRICK MURPHY, Florida
STEVE STIVERS, Ohio                  JOHN K. DELANEY, Maryland
STEPHEN LEE FINCHER, Tennessee       KYRSTEN SINEMA, Arizona
MARLIN A. STUTZMAN, Indiana          JOYCE BEATTY, Ohio
MICK MULVANEY, South Carolina        DENNY HECK, Washington
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
TOM COTTON, Arkansas
KEITH J. ROTHFUS, Pennsylvania

                     Shannon McGahn, Staff Director
                    James H. Clinger, Chief Counsel
       Subcommittee on Financial Institutions and Consumer Credit

             SHELLEY MOORE CAPITO, West Virginia, Chairman

SEAN P. DUFFY, Wisconsin, Vice       GREGORY W. MEEKS, New York, 
    Chairman                             Ranking Member
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
GARY G. MILLER, California           RUBEN HINOJOSA, Texas
PATRICK T. McHENRY, North Carolina   CAROLYN McCARTHY, New York
JOHN CAMPBELL, California            DAVID SCOTT, Georgia
KEVIN McCARTHY, California           AL GREEN, Texas
STEVAN PEARCE, New Mexico            KEITH ELLISON, Minnesota
BILL POSEY, Florida                  NYDIA M. VELAZQUEZ, New York
MICHAEL G. FITZPATRICK,              STEPHEN F. LYNCH, Massachusetts
    Pennsylvania                     MICHAEL E. CAPUANO, Massachusetts
LYNN A. WESTMORELAND, Georgia        PATRICK MURPHY, Florida
BLAINE LUETKEMEYER, Missouri         JOHN K. DELANEY, Maryland
MARLIN A. STUTZMAN, Indiana          DENNY HECK, Washington
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
TOM COTTON, Arkansas


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    March 5, 2014................................................     1
Appendix:
    March 5, 2014................................................    51

                               WITNESSES
                        Wednesday, March 5, 2014

Fortney, David, Senior Vice President, Product Management and 
  Development, The Clearing House Payments Company...............    38
Garcia, Gregory T., Advisor, Financial Services Information 
  Sharing and Analysis Center (FS-ISAC)..........................    36
Leach, Troy, Chief Technology Officer, Payment Card Industry 
  (PCI) Security Standards Council (SSC).........................    34
Mierzwinski, Edmund, Consumer Program Director, U.S. PIRG........    39
Noonan, William, Deputy Special Agent in Charge, Criminal 
  Investigative Division, Cyber Operations Branch, United States 
  Secret Service.................................................     7
Zelvin, Larry, Director, National Cybersecurity and 
  Communications Integration Center (NCCIC), U.S. Department of 
  Homeland Security..............................................     9

                                APPENDIX

Prepared statements:
    Waters, Hon. Maxine..........................................    52
    Fortney, David...............................................    54
    Garcia, Gregory T............................................    57
    Leach, Troy..................................................    67
    Mierzwinski, Edmund..........................................    73
    Noonan, William..............................................    84
    Zelvin, Larry................................................    95

              Additional Material Submitted for the Record

Capito, Hon. Shelley Moore:
    Written statement of the American Bankers Association (ABA)..   101
    Written statement of the Credit Union National Association 
      (CUNA).....................................................   111
    Written statement of the Independent Community Bankers of 
      America (ICBA).............................................   116
    Written statement of the National Association of Federal 
      Credit Unions (NAFCU)......................................   118
    Written statement of the National Retail Federation (NRF)....   122
Heck, Hon. Denny:
    Letter to Financial Services Committee Chairman Jeb 
      Hensarling requesting a data security hearing, dated 
      January 10, 2014...........................................   136
Sinema, Hon. Kyrsten:
    Written responses to questions submitted to Larry Zelvin.....   138


                    DATA SECURITY: EXAMINING EFFORTS 
                         TO PROTECT AMERICANS' 
                         FINANCIAL INFORMATION

                              ----------                              


                        Wednesday, March 5, 2014

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:03 a.m., in 
room 2128, Rayburn House Office Building, Hon. Shelley Moore 
Capito [chairwoman of the subcommittee] presiding.
    Members present: Representatives Capito, Bachus, McHenry, 
Pearce, Posey, Fitzpatrick, Luetkemeyer, Stutzman, Pittenger, 
Barr, Cotton, Rothfus; Meeks, Maloney, Scott, Green, Lynch, 
Delaney, and Heck.
    Ex officio present: Representatives Hensarling and Waters.
    Also present: Representatives Royce and Sinema.
    Chairwoman Capito. The subcommittee will come to order. 
Without objection, the Chair is authorized to declare a recess 
of the subcommittee at any time.
    I now recognize myself for the purpose of making an opening 
statement.
    Over the last 6 months, we have learned about a series of 
breaches of American businesses' data--millions and millions 
have had their personal data compromised. We will not know the 
true extent of the impact on American consumers until 
investigators from Federal agencies and private entities are 
done with the investigation.
    These breaches raise, I believe, really legitimate 
questions about the storage and usage of personal data by 
private industry. The prosperous have long sought access to 
this type of information, but the recent breaches demonstrated 
an evolving sophistication of attacks that seek to exploit and 
confuse consumers.
    As we have learned in previous subcommittee hearings, these 
criminals often reside in nations that fail to cooperate with 
United States law enforcement agencies. In some cases, these 
nations not only protect these criminals from prosecution but 
they celebrate them as heros.
    The data these criminals steal is often sold on the black 
market and can potentially be used for fraudulent purposes. 
While possibilities for such fraudulent charges may be the 
source of stress and frustration for consumers, many payment 
networks have zero fraud policies to protect consumers from 
fraudulent transactions.
    Today, we will learn more about why these breaches are 
occurring, existing payment security standards, what happens 
during and after a breach, and new payment technologies 
authorized to help prevent future breaches.
    One area that is of critical importance is information-
sharing, both during and after a breach.
    We have representatives from the National Cybersecurity and 
Communications Integration Center (NCCIC) and the Financial 
Services Information Sharing and Analysis Center (FS-ISAC) who 
will testify about the existing information-sharing efforts 
between the private sector and government agencies. On February 
13th, members of the retail financial services communities 
publicly announced their efforts at information-sharing amongst 
all parties that are a part of the payment system. I applaud 
this effort instructing all parties to strive for a more 
efficient, thorough, and effective information-sharing system 
to prevent data breaches in the future.
    The final area that this hearing will cover is future 
payment systems that may provide consumers with a more secure 
method of transmitting their financial data. I have great 
interest in the progression and diversification of our payment 
system. In the past, we learned about developments in mobile 
payments. Today, we will learn about a cloud-based tokenization 
proposal which will transfer payments without the need to store 
significant amounts of consumer financial data.
    If sensitive payment data is not being stored 
unnecessarily, the payment systems could be much less 
attractive to future hackers. The high degree of innovation in 
the payment space is exciting for consumers, but we also need 
to ensure that the new payment systems that are developed 
increase the level of security and reduce the threat of future 
breaches.
    I would like to thank our witnesses for joining us this 
morning. Each of you plays a critical role in helping to 
prevent future data breaches.
    I now yield time to the ranking member of the subcommittee, 
Mr. Meeks, for an opening statement.
    Mr. Meeks. Thank you, Madam Chairwoman.
    In recent months, a number of banking and U.S. retailers 
including Target, Neiman Marcus, and Nike have announced data 
breaches which stole the payment card account and sensitive 
personal information of millions of Americans. Although 
forensic investigations of recent breaches are still ongoing, 
news reports and announcements by the retailers themselves 
indicate that these breaches may be the largest breaches ever 
in the history of our country as of today.
    On December 19, 2013, Target announced that 40 million 
credit and debit accounts had been compromised through its in-
store credit card magnetic strips, allowing hackers to access 
customer names, credit and debit card numbers, and security 
codes. Less than a month later, on January 10, 2014, Target 
announced that the breach was significantly larger and that the 
personal information of 70 million customers was also stolen.
    Americans need to have the security that when they shop at 
a retail store, or when they use their credit or their debit 
cards, their account and personal information will be 
protected. We must make sure that happens.
    It is further troubling that we see the line fall behind 
Europe and Canada in terms of technology and security 
standards. Some reports even indicate that we are behind 
certain countries in Latin America and Africa, who are using 
the latest mobile technology for processing payments, as a 
result of the fact that they started late in adopting such 
technology, and therefore immediately adopted the latest 
innovations.
    We have to improve our technology to make sure that we are 
more up-to-date. We need to take our security more seriously in 
this country. The security breaches at Target were only 
reminders of existing national security issues, and there are, 
indeed, a lot of issues which we will seek to clarify in our 
hearing. How is it that this could happen in the world's most 
advanced economy and financial market in the world?
    What have we learned, and how do we prevent these serious 
incidents from ever happening again? And what technologies and 
standards need to be adopted instead so that we can protect 
Americans and the Nation?
    I want to thank all of the witnesses who are here, and I 
look forward to your participation and to listening to your 
testimony.
    Chairwoman Capito. Thank you.
    I now recognize Mr. Fitzpatrick for 2 minutes for an 
opening statement.
    Mr. Fitzpatrick. Thank you, Madam Chairwoman, for calling 
this hearing, and I also thank the witnesses for their time 
today.
    I spend a considerable amount of time at home--as do my 
colleagues--visiting my discrict, visiting with businesses and 
financial instutions, and also talking to their customers. Most 
if not all of these groups, when asked, would identify 
cybersecurity, identity theft, and national safety as a 
concern.
    My staff and I spent some time looking into this and 
quickly learned that hackers and thieves are by and large not 
only attacking financial institutions directly and literally 
downloading customers' back accounts to either deceive people 
into giving up their security information or they are stealing 
outright from some other source. Those sources are many times 
unsuspecting businesses or financial institutions that are 
storing or transferring personal information in ways that are 
quite vulnerable to attack.
    That is not to say that the burden of data security lies 
disproportionately with any one group, but I think these facts 
speak to the importance of working in a collaborative manner on 
developing a system that protects personal financial data 
through the process--from the individual, to the business, to 
the processor, and then to the bank or credit union.
    There is a level of trust necessary for an economy to 
function in this new virtual era, where cash is becoming a 
preferred payment method for fewer and fewer people. I look 
forward to the testimony and hearing what these experts can 
share with us about how we can protect people from theft and 
maintain and possibly restore trust in our cybersecurity 
system.
    And I thank the Chair.
    Chairwoman Capito. Thank you.
    I now recognize Mrs. Maloney for 2 minutes for an opening 
statement.
    Mrs. Maloney. I want to thank you, Madam Chairlady, and 
Ranking Member Meeks, for holding this incredibly important 
hearing. I would say that most Americans have had their 
identity stolen, including myself, and it is very costly to law 
enforcement, and certainly to our stakeholders, our financial 
institutions, and individuals.
    And I am particularly interested in the second panel, the 
industry itself, and what they have to say on new technologies. 
Why can't we just protect the number and have transactions take 
place?
    This is something really, really important: When the data 
breach occurs, the party who is most exposed when you look at 
it is the consumer. It is typically the retailer that is in the 
best position to know about the breach, although it is often 
the bank who discovers the breach before the retailer because 
the bank notices a spike in fraudulent transactions and then 
traces it back to the retailer that was breached.
    In my opinion, this makes it all much more reasonable to 
make the banks and financial institutions liable for all the 
fraudulent transactions that occur after the breach. This would 
give the banks and financial institutions an incentive to 
invest publicly in fraud-detecting technologies, which are 
remarkably effective at identifying fraudulent activities on 
your credit or debit card.
    If retailers were liable for all fraudulent costs after a 
breach, then there would be probably like a legal Fort Knox. 
And if payment networks were liable, there would be more robust 
security systems, as well. The point is that sometimes 
assigning blame, and in this case, assigning liablitity, is, in 
fact, important, because it incentivizes different parties to 
invest or not invest in fraud-reducing technology to protect 
consumers and our overall economy and it makes it more 
difficult for criminals.
    So I really look forward to this hearing. I think it is 
incredibly important and I look forward to hearing of new 
innovations to protect identity and therefore, hopefully, our 
banking system.
    Thank you very much. I yield back.
    Chairwoman Capito. Thank you.
    I recognize Mr. Pittenger for 2 minutes for an opening 
statement.
    Mr. Pittenger. Thank you, Chairwoman Capito, for allowing 
me to properly make this opening statement.
    And thank you to each of the witnesses for coming today to 
testify.
    We are here today to listen to experts from Homeland 
Security and the Secret Service and representatives of industry 
to learn about the ongoing effort to protect our fellow 
citizens' private information. We have seen over the past 
several years advancements in technology when Americans shop to 
pay for goods.
    But with these new advancements certainly comes the 
responsibility of protecting the integrity of the system. As 
payment systems increasingly rely on electronic transmissions 
of personal financial data, Americans have a right and an 
expectation to know how that data is being protected, where it 
is stored, the extent to which the government has access to it, 
and the protocols that ought to be in place in private or 
public sector entities who mishandle, improperly disclose, or 
otherwise fail to ensure the security of personal financial 
information.
    Over the last 6 months, several American companies and 
universities have experienced significant data breaches--my 
wife and I had a breach just yesterday--and while the details 
of these breaches remain under investigation by Federal and 
State law enforcement authorities, these episodes have 
disclosed a serious threat to financial privacy and data 
security posed by individuals and criminal syndicates.
    We have to remain vigilant in our fight against these 
individuals and organizations. I know it is a difficult task to 
ask to be prepared to prevent 100 percent of the cyber attacks. 
But the consequences of not being equipped to handle the threat 
could ruin the lives and threaten the security of millions of 
Americans.
    Thank you again for coming before the committee, and I look 
forward to hearing your testimony.
    Chairwoman Capito. Thank you.
    I would like to recognize Mr. Scott for 2 minutes for an 
opening statement.
    Mr. Scott. Thank you very much, Madam Chairwoman. And this 
is indeed a very, very interesting and important hearing as 
more and more Americans shift to electronic payment systems and 
online shopping.
    One of my professors at graduate school in economics and 
finance was an economist, John Kenneth Galbraith, and he 
produced a book about 40 years ago called, ``The New Industrial 
State.'' I bring that up because he made a very interesting 
statement. He said, ``Very shortly we in our country, and 
perhaps around the world, will soon become the victims and 
servants of the very machine that was created to serve us.''
    I think we are at that point now. As payment systems 
increasingly rely on electronic transmission of personal 
financial data, Americans certainly have a right and an 
expectation to know how that data is protected. They need to 
know where it is stored, who has access to that data, and to 
what extent.
    Americans have a right and an expectation to know the 
protocols that are and ought to be in place when entities, 
whether public or private, mishandle or improperly disclose or 
otherwise fail to ensure the security of their personal 
information.
    We have the big picture here. We have to hold everybody 
accountable. Financial institutions must be held accountable to 
the same accountability as our retailers.
    We have had over 110 million Americans impacted by this 
situation. Earlier, I had a very interesting conversation with 
one of our panelists, Mr. Troy Leach, and I think he is on to 
something here with the Security Standards Council. Perhaps we 
are indeed working on this, giving too much information, making 
too much information available, and that maybe we can cut down 
on some of that information so we don't make it so easy for 
hackers to access it.
    I look forward to the hearing, Madam Chairwoman, and I 
yield back.
    Chairwoman Capito. Thank you.
    I now recognize the chairman emeritus of the full Financial 
Services Committee, Mr. Bachus, for 2 minutes for an opening 
statement.
    Mr. Bachus. Thank you, Madam Chairwoman.
    One of Yogi Berra's most famous quotes is, ``It is deja vu 
all over again.'' A little more than a decade ago, this 
committee investigated a series of data breaches involving New 
York City restaurants, cable companies, retail businesses of 
all kinds, banks, universities, and all branches of government 
from local to State to Federal. People's credit was being 
ruined, and their good names being used for criminal purposes. 
But identity theft suddenly became a national issue.
    I remember this because I was chairman of the Financial 
Institutions Subcommittee at the time. I am proud of this 
committee because at the time, we held numerous hearings like 
the one today, that resulted in the Fair and Accurate Credit 
Transactions (FACT) Act or (FACTA), which was bipartisan 
legislation passed almost unanimously by this committee and 
signed into law by President Bush in December 2003.
    The legislation created a number of protections, which I am 
convinced have helped prevent numerous cases of identity theft 
over the last 10 years. That is why your full credit card 
number is no longer on store or restaurant receipts, and you 
can place fraud alerts on your credit report. Very 
significantly, it is why consumers are entitled to be provided 
with free copies of their credit report from the three major 
reporting bureaus.
    But I am having deja vu again because the same arguments 
that were being used then are being used again today against 
the adoption of marked chip and PIN cards. It won't be a total 
solution, and it wouldn't have prevented the Target breach, but 
it would prevent that information from then being used in 
credit transactions.
    It wouldn't be a total solution. It wouldn't be easy. It 
would be complicated. It would be expensive. All of that is 
true. It was then, and it is now. But still, something needs to 
be done.
    Let me close by saying, Mr. Noonan, you mentioned the 
National Computer Forensic Institute, and I want to compliment 
the Secret Service. They joined with the Alabama district 
attorney's office in the State of Alabama, Shelby County, and 
responded with that, and it has really helped, and I want to 
commend the Secret Service for that.
    That building that it is housed in was donated by a county 
and a city in Birmingham--a modern facility at no cost to the 
taxpayers. And it is a way that we can inexpensively respond 
with innovative thinking. The people being trained there--it is 
in his testimony on page 8, and I commend you for mentioning 
that.
    Thank you.
    Chairwoman Capito. Thank you.
    With that, I ask unanimous consent to allow members of the 
full Financial Services Committee who are not members of this 
subcommittee to sit in on today's hearing. Without objection, 
it is so ordered.
    And with that, I would like to recognize Ms. Sinema for 1 
minute for an opening statement.
    Ms. Sinema. Thank you, Madam Chairwoman.
    And thank you, Ranking Member Meeks.
    I believe that it is critical for public and private sector 
leaders to continue to push for the development of a strong 
cybersecurity industry that can protect our economic and 
national security interests. The nature of cyber means that 
nongovernment institutions and private sector companies alike 
need tools and resources to protect Americans' personal 
information from cyber attacks.
    Several large companies such as Honeywell, Schwab, and 
America's Best have some or all of their security space in 
Arizona; and several smaller innovative companies like Bishop 
Fox and Securosis are among the significant and growing number 
of cybersecurity businesses in my home State.
    Arizona is a hub for innovation. We are ahead of the curve 
on tech growth, thanks to entrepreneurial programs at Arizona 
State University, the University of Advancing Technology, and 
America's community colleges.
    Thank you for the opportunity to highlight this critically 
important issue. Through your collaboration with government and 
innovative private institutions, I believe we can meet the 
cybersecurity challenges of today and tomorrow.
    Thank you, Madam Chairwoman.
    Chairwoman Capito. Thank you.
    Mr. Green, for 2 minutes.
    Mr. Green. Thank you, Madam Chairwoman. I will be pithy and 
concise. I would like to thank you for the hearing, and thank 
the ranking member, as well.
    And I would like to, if I may, indicate to the public that 
while a hearing is titled, ``Data Security: Examining Efforts 
to Protect Americans' Financial Information,'' the actual 
concern is much broader and much bigger. We are also concerned 
about medical information. We are also concerned about your 
travel history. We are concerned about the materials that you 
purchase--your reading materials.
    This has implications that are far-reaching, that can have 
an impact on privacy beyond which we can't imagine currently. I 
am excited about the hearing and I am interested to find out 
how we can prevent this kind of encroachment on privacy.
    I thank you, and I yield back.
    Chairwoman Capito. The gentleman yields back.
    All time has expired for opening statements, and I would 
like to welcome our first panel of distinguished witnesses. 
Each of you will be recognized for 5 minutes to give an oral 
presentation of your testimony. And without objection, each of 
your written statements will be made a part of the record.
    Our first witness is Mr. William Noonan, Deputy Special 
Agent in Charge, Criminal Investigative Division, Cyber 
Operations Branch, United States Secret Service.
    Welcome, Mr. Noonan.

 STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE, 
   CRIMINAL INVESTIGATIVE DIVISION, CYBER OPERATIONS BRANCH, 
                  UNITED STATES SECRET SERVICE

    Mr. Noonan. Good morning, Chairwoman Capito, Ranking Member 
Meeks, and distinguished members of the subcommittee. Thank you 
for the opportunity to testify on behalf of the Department of 
Homeland Security regarding the ongoing trend of criminals 
exploiting cyberspace to obtain sensitive financial and 
identity information as part of a complex criminal scheme to 
defraud our Nation's payment systems.
    Our modern financial system depends heavily on information 
technology for convenience and efficiency. Accordingly, 
criminals motivated by greed have adapted their methods and are 
increasingly using cyberspace to exploit our Nation's financial 
payment systems to engage in fraud and other illicit 
activities.
    The widely reported payment card data breaches of Target, 
Neiman Marcus, White Lodging, and other retailers are just 
recent examples of this trend. The Secret Service is 
investigating these recent data breaches and we are confident 
we will bring the criminals responsible to justice.
    However, data breaches like these recent events are part of 
a long trend. In 1984, Congress recognized the risk posed by 
increasing use of information technology and established 18 USC 
Sections 1029 and 1030 through the Comprehensive Crime Control 
Act. These statutes define access device fraud and misuse of 
computers as Federal crimes and explicitly assign the Secret 
Service authority to investigate these crimes.
    In support of the Department of Homeland Security's mission 
to safeguard cyberspace, the Secret Service has developed a 
unique record of success in investigating cyber crime through 
the efforts of our highly trained special agents and the work 
of our growing network of 35 electronic crimes task forces, 
which Congress assigned the mission of preventing, detecting, 
and investigating various forms of electronic crimes, including 
potential terrorist attacks against critical infrastructure and 
financial payment systems.
    As a result of our cyber crime investigations, over the 
past 4 years the Secret Service has arrested nearly 5,000 cyber 
criminals. In total, these criminals were responsible for over 
$1 billion in fraud losses, and we estimate our investigations 
prevented over $11 billion in fraud losses.
    Data breaches like the recently reported occurrences are 
just one part of a complex criminal scheme executed by 
organized cyber crime. These criminal groups are using 
increasingly sophisticated technology to conduct a criminal 
conspiracy consisting of five parts: one, gaining unauthorized 
access to computer systems carrying valuable, protected 
information; two, deploying specialized malware to capture and 
exfiltrate this data; three, distributing or selling this 
sensitive data to their criminal associates; four, engaging in 
sophisticated and distributed frauds using the sensitive 
information obtained; and five, laundering the proceeds of 
their illicit activity.
    All five of these activities are criminal violations in and 
of themselves, and when conducted by sophisticated, 
transnational networks of cyber criminals, this scheme has 
yielded hundreds of millions of dollars in illicit proceeds.
    The Secret Service is committed to protecting our Nation 
from this threat. We disrupt every step of their five-part 
criminal scheme through proactive criminal investigations and 
defeat these transnational cyber criminals through coordinated 
arrests and seizure of assets.
    Foundational to these efforts are our private industry 
partners as well as our close partnerships with State, local, 
Federal, and international law enforcement. As a result of 
these partnerships, we were able to prevent many cyber crimes, 
by sharing criminal intelligence regarding the plans of cyber 
criminals and by working with the victim companies and 
financial institutions to minimize financial losses.
    Through our Department's National Cybersecurity and 
Communications Integration Center, the NCCIC, the Secret 
Service also quickly shares technical cybersecurity information 
while protecting civil rights and civil liberties in order to 
enable other organizations to reduce their cyber risks by 
mitigating technical vulnerabilities.
    We also partner with the private sector and academia to 
research cyber threats and public information on cyber crime 
trends through reports like the Carnegie Mellon CERT Insider 
Threat Study, the Verizon Data Breach Investigations Report, 
and the Trustwave Global Security Report.
    The Secret Service has a long history of protecting our 
Nation's financial systems from threats. In 1865, the threat we 
were founded to address was that of counterfeit currency. As 
our financial payment system has evolved from paper, to 
plastic, and now digital information, so too has the 
investigative mission.
    The Secret Service is committed to continuing to protect 
our Nation's financial system even as criminals increasingly 
exploit it through cyberspace. Through the dedicated efforts of 
our special agents, our electronic crimes task forces, and by 
working in close partnership with the Department of Justice--in 
particular, the computer crimes and intellectual property 
section--and local U.S. attorneys' offices, the Secret Service 
will continue to bring cyber criminals who perpetrate major 
data breaches to justice.
    Thank you for the opportunity to testify on this important 
topic, and we look forward to your questions.
    [The prepared statement of Deputy Special Agent in Charge 
Noonan can be found on page 84 of the appendix.]
    Chairwoman Capito. Thank you.
    Mr. Zelvin, you are recognized for 5 minutes.

STATEMENT OF LARRY ZELVIN, DIRECTOR, NATIONAL CYBERSECURITY AND 
 COMMUNICATIONS INTEGRATION CENTER (NCCIC), U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Zelvin. Chairwoman Capito, Ranking Member Meeks, and 
distinguished members of the subcommittee, thank you for the 
opportunity to appear before you today. In my brief opening 
comments, I would like to highlight the DHS National 
Cybersecurity and Communications Integration Center (NCCIC's) 
role in preventing, responding to, and mitigating cyber 
incidents, and then discuss our activities during the recent 
point-of-sale compromises.
    As you well know, the Nation's economic vitality and 
national security depend on a secure cyberspace where 
reasonable risk decisions can be made on digital goods, 
transactions, and online interactions so that they can occur 
safely and reliably.
    In order to meet this objective, we must share the 
technical characteristics of malicious cyber activity in a 
timely fashion so cyber defenders can discover, address, and 
mitigate information technology threats and vulnerabilities. It 
is increasingly clear that no single country, agency, company, 
or individual can effectively respond to the ever-rising 
threats of malicious cyber activity alone.
    Effective responses require a whole-of-nation effort, 
including close coordination among entities like: DHS's NCCIC; 
the Secret Service; the Department of Justice, to include the 
Federal Bureau of Investigation; the intelligence community; 
sector-specific agencies, such as the Department of the 
Treasury; private sector entities, who are simply critical to 
these efforts; and State, local, tribal, territorial, and 
international governments. In carrying out our particular 
responsibilities, the NCCIC promotes and implements a unified 
approach to cybersecurity, which enables the efforts of 
bringing these diverse partners to quickly share cybersecurity 
information in a manner that ensures the protection of 
individuals' privacy, civil rights, and civil liberties.
    As you may already know, the NCCIC is a civilian 
organization that provides an around-the-clock center where key 
government, private sector, and international partners can work 
together in both physical and virtual environments. The NCCIC 
is composed of four branches: the United States Computer 
Emergency Readiness Team, or US-CERT; the Industrial Control 
Systems CERT; the National Coordination Center for 
Communications; and Ops and Integration.
    In response to the recent retailer compromises, the NCCIC 
specifically leveraged the resources and capabilities of US-
CERT, whose mission focuses specifically on computer network 
defense, including prevention, protection, mitigation, and 
response activities. In executing this mission, the NCCIC and 
US-CERT regularly publish technical and nontechnical 
information products analyzing the characteristics of malicious 
cyber activities and improving the ability of organizations and 
individuals to reduce risk.
    When appropriate, all NCCIC components have onsite response 
teams that can assist owners and operators at their facilities. 
In addition, US-CERT has global partnerships with over 200 
CERTs worldwide that allow the teams to work directly with 
analysts across international borders.
    Increasingly, data from the NCCIC and US-CERT can be shared 
in machine-readable formats, such as the Structured Threat 
Information Expression, also known as STIX, which is currently 
being implemented and utilized.
    In the recent point-of-sale compromises NCCIC/US-CERT 
analyzed the malware provided to us by the Secret Service as 
well as other relevant technical data and used these findings, 
in part, to create a number of information-sharing products. 
The first, which is publicly available and can be found on the 
US-CERT Web site, provides a nontechnical overview of risks to 
point-of-sale systems along with recommendations on how 
businesses and individuals can better protect themselves and 
mitigate their losses in the event of an incident that has 
already occurred. Other products have been more limited in 
distribution and they are meant for cybersecurity professionals 
and provide technical analysis and mitigation recommendations 
to better enable expert-level protection, discovery, response, 
and recovery efforts.
    As a matter of strategic intent, the NCCIC's goal is always 
to share information as broadly as possible. These efforts 
ensured that actionable details associated with major cyber 
events are shared with the right partners so they can protect 
themselves, their families, their businesses and organizations 
quickly and accurately.
    In the case of the point-of-sale compromises, we especially 
benefited from the close coordination with the Financial 
Services Information Sharing and Analysis Center, or the FS-
ISAC. In particular, the FS-ISAC's Payments Processing 
Information Sharing Council has been useful in that they 
provide a forum for sharing information about fraud, threats, 
vulnerabilities, and risk mitigation in the payments industry.
    In conclusion, I want to highlight again that we in DHS and 
across the NCCIC strive every day to enhance the security and 
resilience across cyberspace and information technology 
enterprise. At every opportunity the NCCIC, in close 
coordination with our partners, publishes technical and 
nontechnical products to better enable our national critical 
infrastructure, businesses, and our citizens to protect against 
cyber threats, while also providing onsite technical assistance 
whenever necessary.
    We will accomplish our mission through voluntary means, 
ever mindful of the need to respect privacy, civil liberties, 
and the law. I truly appreciate the opportunity to speak with 
you today and look forward to your questions.
    [The prepared statement of Mr. Zelvin can be found on page 
95 of the appendix.]
    Chairwoman Capito. Thank you.
    And I am offering my sincere apologies to you, as the first 
panel, and to the next panel, and to the members of this 
subcommittee, but we are going to call a recess subject to the 
call of the Chair. We expect it to be a half hour, so that 
would be 11:05; hopefully, we can call back in sooner.
    Again, I apologize.
    [recess]
    Chairwoman Capito. I am going to go ahead and reconvene the 
hearing. Thank you for your patience.
    Mr. Meeks will be here in a few minutes, but I am going to 
go ahead and begin my questioning so we can move along a little 
bit.
    Mr. Noonan, in your statement you mentioned that the Secret 
Service had either arrested or gotten 5,000 criminals. Was that 
the number that you used?
    Mr. Noonan. Yes, ma'am.
    Chairwoman Capito. Those, I assume, are all American 
citizens in the United States? Because we hear about how a lot 
of this is occurring offshore. Are you coordinating in any 
international fashion, or--if you could just kind of give me a 
little background on that?
    Mr. Noonan. Sure, ma'am. That figure comprises all of the 
cases that we have made arrests on that have any connection 
back to the use of cyber in those crimes.
    So to say that they are domestic or international, it is 
both.
    Chairwoman Capito. It is both.
    Mr. Noonan. Yes. We have a very unique success of bringing 
international, transnational cyber criminals to justice here 
domestically, but that figure that we have provided for you 
there is domestic and international.
    Chairwoman Capito. Okay.
    Mr. Zelvin, you are from Homeland Security, and Mr. Noonan 
is with the Secret Service. I think sometimes we find that when 
there is coordination between Federal agencies, who is in 
charge, I guess is always a good question. I know it is a 
collaborative effort, but who is really leading this in your 
mind, from your agency's perspective?
    Mr. Zelvin. Yes, ma'am. It is a team effort so there is a 
variety, depending on which area you are looking at. As you are 
looking at the law enforcement aspect, the Secret Service and 
the Federal Bureau of Investigation have the primacy, depending 
on the cyber case. When you look at the intelligence field, 
obviously the National Security Agency, the Central 
Intelligence Agency, and others have primacy, whether you are 
talking about electronics intelligence or human intelligence.
    We at the NCCIC specifically really focus on those network 
defense measures--understanding the intrusions, understanding 
how to plug those holes, and then preventing them from 
reoccurring. We have the responsibility, as well, of protecting 
the Federal dot-gov space, and that is a big part of our 
effort, and then we work across the private sector at 16 
critical infrastructures, and as I mentioned in my opening 
statement, the international partnerships.
    Chairwoman Capito. Mr. Noonan, would you concur with Mr. 
Zelvin in terms of who is in charge or the coordinative aspect 
of what you are doing? I know we talk a lot about coordination, 
and both of you did in your statements, but I am trying to make 
sure that if Mr. Meeks and I say we are both in charge, but 
then something goes wrong, and I say, ``But he was in charge,'' 
so--
    Mr. Noonan. Yes, for sure. In an investigation like this 
law enforcement generally takes charge of the investigative 
piece--
    Chairwoman Capito. Right.
    Mr. Noonan. --and information-sharing we do through a bunch 
of different mechanisms. Our primary source for information-
sharing is through the NCCIC, but we also partner, as well, 
with the FS-ISAC. Obviously, the Secret Service has a rich 
history of working in the financial services sector.
    Chairwoman Capito. Right.
    Mr. Noonan. So the FS-ISAC, who is going to be on the next 
panel, is another great partner that we use to push information 
out to the financial services sector.
    In addition to that, we have 35 electronic crimes task 
forces. And those electronic crimes task forces that we have 
aren't just made up of law enforcement; they are made up of the 
private sector, so we have members from the private sector 
working side by side with agents, where we share information 
back and forth, as well as academia. So that is another method 
that the Secret Service uses to push information that is going 
to better protect the private industry and the critical 
infrastructure that we have.
    Chairwoman Capito. When there is a data breach from a 
retailer, say, such as what happened with Target--and I know 
the investigation is ongoing so not specifically that, I am 
just using it as an example--is the way that you are made aware 
of this through individuals whose cards have been corrupted, or 
does the company itself, whatever company it is, is it 
incumbent upon them to come to you? How does that reach your 
level of understanding of what is going on?
    Mr. Noonan. It depends on the case, ma'am. I brought up in 
my oral remarks that we have a proactive approach to law 
enforcement. And there is a reactive approach, in which the 
crime has already occurred, and we are chasing the clues back 
to the criminal to identify who the criminal is to affect an 
arrest.
    Chairwoman Capito. Right.
    Mr. Noonan. The proactive approach of what we do in law 
enforcement is we are out working with sources, we are out 
working undercover operations, we are working with private 
sector banking investigators, and in our proactive approach 
there are many times where we identify a potential breach 
before it has occurred. And we find that it is more valuable--
it is critical for law enforcement, then, to make notification 
to that industry, to that private sector partner, to be able to 
stop the crime from occurring.
    Chairwoman Capito. Okay. Let me stop you there because I am 
running out of time, but I am curious to know, in the case of a 
retailer where this could have an effect on their future sales, 
do you find that they are willing to make this breach public 
and really better inform everybody who could be affected by 
such a breach?
    Mr. Noonan. Again, it depends on the company--
    Chairwoman Capito. Right.
    Mr. Noonan. --and it depends on the case, so--
    Chairwoman Capito. Yes.
    Mr. Noonan. --I can't give you a yes-or-no answer.
    Chairwoman Capito. Right. You can see both sides of it. I 
would think more and more it is in the company's best interest, 
obviously, to be as open and transparent as possible in 
something of this nature.
    Mr. Meeks?
    Mr. Meeks. Thank you, Madam Chairwoman.
    Let me start with Mr. Noonan, and let me maybe ask a 
question that might not even be fair because I am going to ask 
you how to help me do my job. You urge Congress to take 
legislative action that could help to improve the Nation's 
cybersecurity, reduce regulatory costs on U.S. companies, and 
strengthen law enforcement's ability to conduct effective 
investigations. I think that was part of your testimony.
    And, I am sure that all parties agree with this in general, 
when you make the general assessment, but there are differing, 
at times, interests, and sometimes even competing interests 
that individuals would have. For example, there may be 
different interests between card issuers, merchants, and 
consumers. They can all overlap, but ultimately there could be 
divergent visions of how the government can best solve these 
problems.
    So, we are going to be trying to dig into this and talking 
to a number of different folks, but I would like to get your 
opinion. How would you suggest as lawmakers we balance these 
interests and create a plan that can satisfy the core concerns 
of all parties? Because we have this balancing act that we have 
to do but we need to--we want to help you also, so how would 
you suggest we do that?
    Mr. Noonan. Yes, sir. So from the law enforcement 
perspective--and that is what I can provide to you--I think it 
is important and it is critical for companies that have been 
exposed, companies that have knowledge of a potential breach, 
to bring that to law enforcement's attention. Law enforcement, 
at that point, is critical in the fact that it can, obviously, 
collect evidence to try to make a difference, make a physical 
arrest of a criminal. But I think it is also important that at 
that point in time, is when the information-sharing piece 
begins. Because if law enforcement is brought in early and we 
are able to draw the cybersecurity concerns out of the 
investigation, the evidence out of that, and we are able to 
take that information, we are able to minimize that information 
and protect the victim. We are able to then share that 
information with my partners over at the NCCIC and get that out 
to the greater infrastructure of this Nation so that they can 
better protect themselves from an additional potential attack 
to other pieces or other avenues of infrastructure.
    Mr. Meeks. Should the notification that goes out to you, go 
out to the consumer or the customer at the same time? For 
example, I was just wondering how long do most companies wait 
before they even notify you and/or notify the customer that 
their sensitive personal information may have been breached.
    Mr. Noonan. I would agree, sir. I think that it should be 
in a short period of time that the information should be put 
out to the customers. I, too, fell victim to a data breach as 
well, where it was inconvenient for myself and my family. So I 
think I am able to better respond as a customer to help support 
my family, but I think there is also a law enforcement concern 
there, as well, where there are situations and there are points 
in time wherein law enforcement may or may not need a window of 
opportunity to run operations to determine what has happened or 
who is behind the effort or the attack.
    Mr. Meeks. Let me just also, in that regard, ask Mr. Zelvin 
a question. I know in your testimony you also talked about the 
various virtual currencies as a means of laundering illicit 
proceeds, and I was wondering whether or not the Secret Service 
or other regulators have taken any action to address some of 
those concerns? And in your view, do regulators have--do you 
have sufficient authority to address the risk that these 
currencies pose as identified in your testimony?
    Mr. Noonan. Yes, sir. Just as early as last year the Secret 
Service, along with HSI and IRS, was successful in taking down 
a virtual currency or a digital currency called Liberty 
Reserve. Liberty Reserve was one of those digital currencies 
which the criminal underground used in which they would launder 
their money anonymously, and we were effective in taking that 
marketplace out of the criminal underground, as well as we were 
able and successful in arresting the people who were behind the 
setup of that operation. So it is more important than just 
taking the operation off, but we also arrested the people 
behind it.
    Mr. Meeks. Thank you.
    Really quick, Mr. Zelvin, what about individual criminal 
activity outside of the United States? What can be done to go 
after these illicit actors? And what tools do you have to 
ensure that foreign individuals are also held accountable? Does 
that fit within our--
    Mr. Zelvin. Ranking Member Meeks, that is a question I 
would recommend for the FBI and the Secret Service--I will talk 
from the US-CERT perspective. We work with 200 like-minded 
CERTs around the world. We are in contact with them in many 
cases on a weekly basis and we are able to work our 
mitigations. I was in London about 3 weeks ago, and when we 
were meeting with our counterparts, they said the point-of-sale 
product that we had from US-CERT was very helpful to them 
because they were bringing it to their industries, because what 
had happened here in the United States they felt was probably 
happening in the U.K. and around Europe, and this was 
instructive for them, as well.
    Mr. Meeks. Thank you.
    Chairwoman Capito. Thank you.
    Mr. Pearce?
    Mr. Pearce. Thank you, Madam Chairwoman.
    I appreciate both of the witnesses being here. Mr. Rothfus 
and I have decided we are going to cut up our cards right here 
among us while we are listening to you, so if you have any 
scissors, pass them on up.
    Mr. Zelvin, has the CFPB called you all? Are you all 
working with them in any way?
    Mr. Zelvin. Congressman, the CFPB?
    Mr. Pearce. Yes.
    Mr. Zelvin. The Consumer Financial Protection Bureau?
    Mr. Pearce. Yes.
    Mr. Zelvin. No, we haven't been in contact with them 
directly.
    Mr. Pearce. Mr. Noonan?
    Mr. Noonan. No, sir.
    Mr. Pearce. No. They are collecting 990 million records. 
Target lost 40 million. They are collecting 990 million. It 
seems like they would be calling the Nation's best to say, 
``What do we do for data security?'' Amazing.
    What kind of protection is available against a Snowden-type 
attack? In other words, he is working inside and pulls those 
records, downloads a three-mile-high stack of records, and is 
there any protection?
    Either one of you?
    Mr. Noonan. From the Federal Government standpoint, when we 
are talking about retail-type positions, there is nothing that 
we have that would stop an insider threat.
    Mr. Pearce. I guess I didn't make it clear. The CFPB is--
would be parallel to the NSA. I don't want to carry that 
analogy too far, but they are a government agency and they are 
collecting a massive amount of data--massive--almost a billion 
credit cards. And so I guess I am interested in if somebody 
inside the agency wants to release documents, like Mr. Snowden 
was inside the agency, it wasn't planned, and the agency didn't 
approve of it, so is there any protection for the Snowden-type 
attack from inside the agencies?
    Mr. Zelvin. Congressman, I can answer the question broadly, 
not specifically. So broadly, the insider threat is one of the 
most difficult things we face. I think the one that is probably 
almost as bad is if somebody was into what we call the supply 
chain.
    The ability to defend against the insider threat is 
developing quickly but we are not where we need to be by a long 
shot. There are things in the financial community which are 
leading the way that we are taking as lessons, but as you 
rightly point out, it is a vulnerability and a weakness that we 
need to get better on, and we need to do so quickly.
    Mr. Pearce. Okay.
    Mr. Noonan, your testimony had some numbers in it, but I 
don't know that I saw the scope. In other words, I saw 4,900--
that is the people that we had--that you have had 4,900 
arrests. What is the scope? How many cyber attacks are there 
each day, roughly?
    Mr. Noonan. I can't comment on the number of attacks that 
occur every day.
    Mr. Pearce. Because it is too secret, or you just don't 
know?
    Mr. Noonan. No, we don't compile our data in that manner. 
We have active investigations, so--
    Mr. Pearce. What would you guess? Hundreds of thousands a 
day? Is that too high?
    Mr. Noonan. I think there are cyber criminals who are 
probing our systems every day. I think every moment, they are 
probing our systems.
    Mr. Pearce. Yes, every day, hundreds of thousands, and I 
suspect that your agency is probably strained for resources. To 
put it in perspective, in your testimony you talk about the 11 
that you have indicted; how many convictions have you been able 
to get through the system?
    Mr. Noonan. Numerous convictions. We have had--
    Mr. Pearce. Numerous. How many? Like 20,000?
    Mr. Noonan. No, sir.
    Mr. Pearce. 22,000? What is numerous?
    Mr. Noonan. I would say that it is in the range of several 
hundred a year.
    Mr. Pearce. Several hundred. In the paragraph right above 
where you are talking about the 11, you are talking about how 
one system has 80,000 users. That is an illicit system--80,000 
users and we are getting 11. That is absolutely frightening, 
the scope that is coming at us and the system is, again, very 
difficult to work in, with almost no protections against inside 
attacks where people knowingly download and give away 
information.
    Snowden gave away, again, 1.8 million documents, and I 
just--I worry the CFPB has not even talked to you. Mr. Cordray 
got somewhat offended at the line of questioning and began to 
rewrite the question. I didn't accuse him of--going to do it, I 
just said that any agency--this information is widely viewable 
by almost everybody in the agency and widely accessible, and 
yet they haven't even called the best people in the Nation.
    I would recommend that the next time we have the CFPB come 
in and sit down and talk about the protections, maybe they have 
better operations than these two guys were able to present, but 
I find it stunning that they have not even contacted either one 
of you.
    Thank you. I yield back.
    Mr. Luetkemeyer [presiding]. Thank you.
    Now, the Chair recognizes the gentlelady from New York, 
Mrs. Maloney.
    Mrs. Maloney. Thank you so much. And I feel this is an 
incredible challenge for our country. Just talking to four 
friends on the panel, all four of us have had our identity 
stolen. The fact that 40 billion people lost their--40 million, 
I guess it was, from Target. That is staggering.
    So the cost to individuals, law enforcement, and 
institutions is absolutely huge. One of the problems I see is 
that the reaction time is so slow. By the time we put something 
in place, say the data breach chip by 2015, the hackers will 
have gone on to the next stage of how to hack that.
    And it seems to me the next phase is going to be online. 
Most of the transactions are online. So the tokenism idea and 
technology seems the most promising to me.
    When you do find a breach, Mr. Noonan, and you said that 
you are sometimes the first to notice it--who do you notify? Do 
you notify the financial institution, the consumer, or the 
retailer, or all three? What do you when you notice a breach? 
What do you do?
    Mr. Noonan. It depends on who the victim is, ma'am. If it 
is a retailer, we would obviously contact the security 
department of that retailer and we would suggest to them 
different steps to look at their system to be able to determine 
if, in fact--
    Mrs. Maloney. Okay. Do you tell them to also notify the 
bank and notify the consumer? Who does--
    Mr. Noonan. Yes, ma'am.
    Mrs. Maloney. Okay.
    Mr. Noonan. So the part we would do is we would have them 
work closely with the financial institutions and the processing 
system which they use.
    Mrs. Maloney. Now you also said that--and also retailers 
have said--that the reason that they don't immediately disclose 
a data breach is that public disclosure would hinder law 
enforcement efforts to catch the criminal. Is that true?
    Mr. Noonan. Not in all cases, ma'am.
    Mrs. Maloney. And why would public disclosure hinder an 
investigation?
    Mr. Noonan. Just at a point in time where there was 
potentially an undercover operation, it could hamper the 
conclusion of that undercover operation. So the time that we 
are talking is a very small window of time.
    Mrs. Maloney. I believe most public policy and resources 
are directed when we have good data, so who is keeping the data 
on how big a problem it is in the United States? It is huge in 
terms of the national security and financial security and 
economic security of our country.
    Somebody has to be tracking the overall picture of the 
extent and the depth of it and the techniques. Who is doing 
that if the CIA is not doing it? Who is doing the overall--we 
have to be collecting that data in a broad way to analyze 
trends and movements.
    Who is collecting that data? Somebody has to be collecting 
it. If they aren't, then someone should be. Who is collecting 
that data--the FBI, the CIA, Homeland Security?
    Mr. Zelvin. Congresswoman, let me answer the question this 
way: We are all collecting data in areas in which we have the 
ability to see the information.
    Mrs. Maloney. Okay, but then who is getting the overall 
picture for our national security and economic security?
    Mr. Zelvin. Again, it is being looked at by Homeland 
Security. We in the NCCIC look at the overall picture. But it 
is a matter of looking at the Internet service providers, and 
managed security service providers, and others, and taking that 
data and aggregating it.
    But I will tell you that we still don't have the visibility 
on everything. It is still just a snapshot. But those snapshots 
are useful because they show trends and then our ability to 
provide mitigations.
    So if you look at these security reports that Mr. Noonan 
has here, they will talk about things like spearphishing and 
man-in-the-middle attacks and all these other things, and we 
are defending against those things, so we have a lot of work to 
do as we take this data to build security measures so they are 
not successful. But that aggregation, it doesn't exist; we are 
just compiling data from a lot of sources.
    Mrs. Maloney. Before 9/11, we had 18 different intelligence 
organizations working independently, not sharing their 
information. The most important reform was that we created the 
Department of Homeland Security and combined all of our 
intelligence so we are working in a coordinated way.
    We have to do the same thing with cybersecurity. Somebody 
has to be in charge of the overall picture.
    And I know everybody is doing a good job in their 
department, and I would say the private sector is doing a 
pretty good job, too. Who is coordinating with finding the top 
things the private sector is doing with the top things the 
government is doing?
    This is a number one national security issue; it is not 
just an economic issue. And so, who is doing that? Is it 
Homeland Security? Somebody has to be pulling it all together. 
Who is in charge of doing that?
    Mr. Zelvin. Congresswoman, I will tell you, I think it is 
our responsibility at the NCCIC, as you describe it, to bring 
that all together, especially on the network defense side--so 
to be able to work with the private sector; to work with the 
critical infrastructure sectors; to work with State, local, 
tribal, territorial; to work with our international partners. 
That is what we are doing on a daily basis.
    Last year alone, the Center had 240,000 cyber incidents 
reported to us. But again, that is probably a fraction of the 
greater whole. But our numbers are increasing upwards at about 
60 percent a year as far as--
    Mrs. Maloney. And is the private sector also sending you 
their information?
    Mr. Zelvin. Yes, Congresswoman, they are, but it is done on 
a voluntary basis. They have no requirement to do so. The 
Federal Government has requirements to report to US-CERT under 
policy and other requirements, but the private sector reporting 
is voluntary and that is why one of the initiatives that has 
been asked for is the data breach reporting requirement.
    Mrs. Maloney. Okay. Thank you.
    Mr. Luetkemeyer. I thank the gentlelady.
    With that, it is my turn to ask the questions, so the Chair 
now allows himself 5 minutes to engage the witnesses, as well.
    I want to follow up on Mr. Pearce's comments with regards 
to the CFPB. I was kind of stunned, taken aback that you 
gentleman hadn't heard of or weren't aware of the CFPB, and I 
would certainly echo the concerns of Mr. Pearce from the 
standpoint that in committee, they actually testified 
themselves that they have access and take in at least 80 
percent of the credit card transactions per day that occur in 
this country.
    That sort of access, that sort of accumulation of data in 
one agency is, quite frankly, scary. You are looking at what 
happened with Target and Neiman Marcus and some of the other 
merchants, and now you have a government agency that has 80 
percent of all the credit card transactions going on in this 
country on a daily basis accumulating in their files and they 
are not coordinating with each of you? That certainly scares 
the dickens out of me, so I would certainly urge you to contact 
those folks and see once if there is a way that you can 
coordinate with them to see if there is something that they 
find which needs to be checked out.
    With that, I was curious--I assume that you have 
jurisdiction to go to any individual company or group or 
industry, whatever, if there is a challenge or some sort of a 
cyber breakdown within that group that deals with personal 
information. Is that correct?
    Mr. Noonan. The authority to go actually into the 
organization itself?
    Mr. Luetkemeyer. Yes.
    Mr. Noonan. We would use the court process to be able to 
work with that company so--
    Mr. Luetkemeyer. Okay.
    Mr. Noonan. --if somebody was reluctant or there was a 
company that was reluctant, we could potentially use the court 
process to do that, sir.
    Mr. Luetkemeyer. The reason I asked the question is that 
when--we are talking mostly this morning about financial 
institutions and merchants, but there are other entities out 
there that have personal information, sometimes have monetary 
transactions that occur. One of the things, for instance, you 
are looking at different kinds of, for instance, schools, 
associations--I kind of made a list here of other groups--
hospitals--medical information is huge these days, as well as 
credit bureaus.
    So have you taken any actions or coordinated with any of 
those kind of groups before with regards to this?
    Mr. Noonan. Yes, sir. Again, through our electronic crimes 
task forces, we would partnering with those different 
institutions, as well.
    We go after any sort of cyber criminal which is seeking to 
benefit through the monetization of whatever that they are 
trying to accomplish or steal. So in many of these situations 
that you have brought up, personally identifiable information 
is a piece that is of great concern to us, which the criminal 
underground can monetize and gain from.
    So any opportunity that we can work with a potential victim 
company before it occurs or as it has occurred to be able to go 
at those cyber criminals who are--
    Mr. Luetkemeyer. One of the reasons I bring that up is a 
lot of those folks, for instance, are not as aware of the 
ability of somebody to get into their records because they 
probably don't deal with financial matters as much. But yet, 
they are probably more at risk than anybody else because their 
systems probably aren't protected as well as, I would think, 
for instance, financial institutions. So, just kind of an 
observation.
    One of the questions I also had was, what about penalties? 
Do you guys ever catch anybody? How many folks have you caught 
in the last 5 years?
    Mr. Noonan. As a matter of fact, yes. I am talking about 
international, the higher-level cyber criminals.
    Going back, starting in 2005, the Secret Service 
successfully arrested Roman Vega out of the Ukraine. He was 
sentenced to 18 years, sir. In 2008, out of Estonia, Alexander 
Suvorov was sentenced to 7 years. In 2010, Russian Israeli 
citizen Vladislav Horohorin received 88 months, and Igor 
Shevelev, a citizen of the Ukraine, was sentenced to 13 to 40 
years in New York.
    Mr. Luetkemeyer. Are they serving time in the United 
States?
    Mr. Noonan. They are serving time here domestically, sir.
    Mr. Luetkemeyer. They sound like they are all--and you 
indicated they are all from foreign countries--
    Mr. Noonan. They are all international, transnational--
    Mr. Luetkemeyer. Okay.
    Mr. Noonan. --cyber criminals that we were able to 
successfully arrest internationally, and have extradited back 
to the United States where they are serving their sentences 
domestically here in the United States--
    Mr. Luetkemeyer. Now, are there other tools or other things 
that you need to be able to do your job better or to have 
better access to be able to bring charges against individuals? 
Is there something we need to do to help you do your job 
better?
    Mr. Noonan. Sir, what we are doing, which is bringing great 
success in the arena of going after international cyber 
criminals, is our partnerships with our international law 
enforcement partners as well as the international offices that 
we have and the international working groups that we have 
overseas. Because cyber crime knows no borders, we think it is 
important to be working outside of our own borders and 
developing these partnerships.
    So anything that we can get--continue to grow in the area 
of our international partnerships is where we find value right 
now in bringing these targets to justice.
    Mr. Luetkemeyer. Okay. Thank you.
    My time has expired.
    Mr. Noonan. Thank you.
    Mr. Luetkemeyer. With that, we will recognize the ranking 
member of the full Financial Services Committee, Ms. Waters.
    Ms. Waters. Thank you very much. And I ask unanimous 
consent to submit my opening statement for the record.
    Mr. Luetkemeyer. Without objection, it is so ordered.
    Ms. Waters. I would like to thank our witnesses for being 
here today. We are also very interested in this subject, and I 
think that there was a bipartisan effort to support this 
hearing.
    I would like to know, in light of the fact that the 
intrusion of Target came through a set of compromised vendor 
credentials, what, if any, updated guidance is being given to 
companies to heighten their due diligence of vendors to ensure 
they are, in fact, legitimate actors?
    Mr. Noonan. So surrounding the information of the 
potential--of the attacks that have occurred over the past 
several months, as we learn information on those attacks we are 
able to learn what criminal tools the perpetrators are 
utilizing. We take that information, and we analyze that 
information with the help of the NCCIC, and the NCCIC is the 
main operation that sends out the information to other 
industry.
    It is also partnered closely with the FS-ISAC, which is the 
Financial Services Information Sharing and Analysis Center, to 
take the information learned and push the tactics and trends of 
what is happening out to industry. And Mr. Zelvin could 
probably comment a little bit more on exactly how they are 
doing that.
    Mr. Zelvin. Yes, ma'am. We got the malware, or the 
malicious software, from the Secret Service. We analyzed it.
    We actually put out three different products. Informational 
products--the first one went to law enforcement so they could 
go out and hopefully find the actors who did this. The second 
one was a more technical product that went out to cyber 
defenders not only at the financial services companies and the 
retailers but also to the cyber defense community, managed 
security service providers, and Internet service providers, but 
the people who really understand one-zeros and backslashes and 
hashtags. Lastly, we have on the US-CERT Web site for consumers 
and the general population guidance on what they can do to 
protect themselves, and if they have been a victim, what they 
can do to recover from these events.
    Ms. Waters. So you do have some specific vendor information 
so that these companies can make a decision about whether or 
not they are credible vendors?
    Mr. Zelvin. Yes, ma'am. The government has put out 
information, the Financial Services ISAC has put out 
information, and also, the industry writ large is working hard 
at the problem. So, it is being attacked from a number of 
areas.
    Internationally, I will tell you we have gotten some focus 
there in working with our partners, because this is a global 
problem, not just a U.S. problem.
    Ms. Waters. I would like to ask Mr. Noonan a question about 
Attorney General Eric Holder's recent urging of Congress to 
establish a national standard for notifying Americans of data 
breaches in light of the theft, of course, of customer data at 
Target and other major retailers. Would you support a national 
breach notification standard? And if so, do you have any 
specific recommendations for how that should be crafted?
    I heard what you just said about all the things that are 
being done, but I think what is being urged by Attorney General 
Holder is a little bit different. Are you familiar with that? 
And what do you think?
    Mr. Noonan. Yes, ma'am. The Secret Service does support any 
initiative which would bring a data breach to the attention of 
a law enforcement agency with jurisdiction to be able to help 
bring criminals to justice and also to help in the aid of 
information-sharing.
    Ms. Waters. So you would consider that Congress does not 
need to establish a national standard for notifying Americans 
of data breaches? I appreciate that you have come up with some 
ways to approach this, including the notification of Americans, 
but there is nothing in law where we have set a standard.
    Do you think Congress should do that or could be helpful to 
you in doing that? Would you want to put something like that 
together as a recommendation for us to place in law?
    Mr. Noonan. Yes. Absolutely.
    Ms. Waters. Okay. Mr. Zelvin?
    Mr. Zelvin. Ma'am, I would absolutely agree. Last year at 
the Center, we had 240,000 incidents reported, but we know that 
is only a fraction of what is actually happening out there. 
There is no requirement.
    We would be supportive of that. We think it should be a 
public-private discussion to build what is the most appropriate 
way to come up with that standard, but we would support it.
    Ms. Waters. Thank you so very much.
    Mr. Chairman, I yield back the balance of my time.
    Mr. Luetkemeyer. Thank you.
    With that, we recognize the gentleman from Alabama, the 
chairman emeritus of the full Financial Services Committee, Mr. 
Bachus, for 5 minutes.
    Mr. Bachus. I thank the gentleman from Missouri.
    The Target incident has focused a lot of attention on data 
breaches at the point of sale, and I will ask Mr. Noonan, does 
the National Computer Forensic Institute (NCFI) have experience 
with these type of cases, and are there any lessons we can draw 
or any successful prosecutions?
    Mr. Noonan. Yes, sir. NCFI is an operation where the Secret 
Service brings State and locals to understand cyber crime the 
same way that Secret Service understands cyber crime.
    We teach them computer forensics; we teach them network 
intrusion capabilities; we teach them cell phone forensics, as 
well, and a litany of other courses to bring State and local 
law enforcement to the same level of understanding of cyber 
crime as the Secret Service. We utilize that facility as a 
capacity-building to help local law enforcement understand and 
be able to go after the small and medium-sized compromises, as 
well.
    A great success that we have out of the NCFI is a case in 
which a national restaurant chain was compromised in the same 
way that Target was compromised, through a POS case--intrusion 
case. Our office in Manchester, New Hampshire, worked this case 
and they worked it with the support of State and local law 
enforcement. And it was the State and local law enforcement 
that we were able to train at NCFI in understanding the 
forensics that were going on that actually were critical in 
bringing, in that case, three international, transnational 
cyber criminals to justice.
    So it is a force multiplication effort of the Secret 
Service, by training State and local law enforcement that are 
in your communities to have the same level of training, the 
same level of tools that the Secret Service has to go after 
these types of criminals.
    Not to mention that State and locals can't use that same 
equipment and that same training to do other types of cyber 
crime that is important to them in their communities, as well. 
So we know that agents or officers that we have trained and 
detectives that we have trained have also used those skills to 
bring homicide suspects to justice, pedophile suspects to 
justice, and a litany of other suspects.
    It doesn't stop at State and local law enforcement. We also 
have trained numerous State and local prosecutors as well as 
judges at that facility. So in the past 4 years, we have 
trained over 2,000 State and local members there.
    Mr. Bachus. Let me ask both of you this question, and it 
really goes into what Congresswoman Waters was saying: With 
Target, they delayed announcing anything until a blogger 
basically put on his blog that there had been a security 
breach, and then they disclosed the 40 million on their debit 
cards. But I think, Mr. Zelvin, you may have referred to this, 
they didn't report the 70 million on the personally 
identifiable information, which actually is almost a worse 
problem than the credit or the debit cards, because you can 
change the debit card. They didn't change the PPIs, and it is 
pretty hard to change your address or your grandmother's maiden 
name or the community you were born in, which are all used for 
passwords, so, there was all kinds of information. You are 
probably not going to change your phone number, and so those 
things are pretty difficult.
    And there has been a lot of discussion, and I have 
advocated before for some uniform Federal standard for 
disclosing this information--who you disclose it to and the 
timeframe. Because right now, they operate under--it depends on 
what State, and the disclosure laws are all different in 
different States.
    So if you would like to address the need for a--what we 
will call a uniform Federal standard?
    Mr. Zelvin. Congressman, I think one of the better examples 
is on the Federal side, the dot-gov side, the Federal 
departments and agencies, at least in the Executive Branch. You 
have a requirement to report if you had an intrusion, if you 
had a denial of service, if you have had a number of cyber 
events. That doesn't exist outside the dot-gov domain.
    So it really is incumbent upon that company to decide what 
they want to do and how they want to do it, and I know they 
talk about it at the highest levels, they bring in their 
security professionals who bring their attorneys, and then 
there is a decision made and the decision is either to disclose 
or not to disclose. They have to make a risk management 
decision of whether or not it is better to say something.
    I think we would--what I worry about is someday there could 
be that cyber 9/11, Pearl Harbor, whatever your analogy is, and 
the Congress will be asking, ``What do you need?'' This will be 
top on our list because if we don't know, we can't help to 
protect and secure the Nation.
    Mr. Bachus. Mr. Noonan?
    Mr. Noonan. Yes, sir. I would agree that a lot of times 
companies have to make a decision based on--they do make a 
decision based on a business need as opposed to what is right 
for the victim.
    Mr. Bachus. Right.
    Thank you.
    Chairwoman Capito. The gentleman's time has expired.
    Mr. Scott?
    Mr. Scott. Thank you very much.
    In light of everything that has happened, do each of you 
believe that our retailers are held accountable and responsible 
for cybersecurity at the same standard and level as our 
financial institutions?
    Mr. Zelvin. Congressman, let me answer your question this 
way: We don't have national standards; we are building them 
now. That is part of the President's Executive Order and--
forgive me--let me make sure I get the name right--there is the 
Cyber Critical Infrastructure Community Voluntary Program, the 
C3 program.
    Mr. Scott. But don't our financial institutions have 
standards now? My point is that, are the retailers held to that 
same level as our financial institutions? Because quite 
honestly, if not, much of what we are doing here is in vain: 
110 million Americans have suffered mainly because, in my 
humble opinion, retailers are not held to as high a standard in 
this issue as the financial institutions, and it is critical 
that we get those two on the same page quickly.
    Mr. Zelvin. Agreed, sir. The standards can be legislated; 
they can be put out by regulators; they can be enforced by the 
industry themselves. And I think your point is there are 
certain places in industry where they don't have standards and 
it would be very helpful to do so.
    Mr. Scott. Let's talk about that for a moment because, as 
you notice from the questions from our committee, we are eager 
here in Congress to respond to this issue. This is almost like 
a Poseidon tidal wave coming at us.
    As you rightly point out in your testimony, there are now 
over 2 billion Internet users. There are over 12 billion 
computers and other instruments that are used, and satellite 
devices, and so forth. And in the next 10 years that is 
estimated to possibly double.
    So the issue becomes, can we win this? Can we with this 
battle? That is especially true because not only--even if we 
just existed over the next 10 years at the same level of 
sophistication of these technical devices, which we have become 
sort of servants to instead of servants to us.
    So the question becomes, with the rapid advancements in 
technology--just think: Ten years ago, we didn't have what we 
have now, and what we have now, my God, is going to be ancient 
10 years from now and we are going to have double the people 
with it. So I think the American people are looking for some 
confidence here that their vital security is at stake, and then 
more than that, the Nation's security is at stake.
    Let me ask you an interesting question, Mr. Noonan. What 
was very interesting about your comment, because I wanted to 
get to--you said you caught some people and you mentioned 
sentencing of these people. Are there any possibilities for 
parole in this or negotiation or anything like that?
    Mr. Noonan. In the Federal system, my understanding is that 
there can be downward departures of sentences, but not that I 
know of as--
    Mr. Scott. That is interesting. Why so? Because you see, 
these national conspiracies, as you so aptly put it, are very 
sophisticated. And it could be that they are even more 
sophisticated than you or us or where we are.
    So why are there plea agreements? Why don't we have stiff, 
hard criminal sanctions and put these folks who do wrong in 
jail for what they are doing to the country?
    The other point I wanted to ask is that you mentioned that 
all of these were foreigners attacking us. Now, that begs the 
question, why aren't they attacking--I don't want them to 
attack France or Germany or Great Britain--but the question is, 
why us? Is there something that these other nations are doing 
that deters them, and we are vulnerable where other nations 
aren't? Is that a possibility, since the only ones that you 
have been able to get ahold of and put away, hopefully for a 
while, are foreigners?
    Mr. Noonan. Sir, we know that these cyber criminals are not 
just attacking the United States. This is a global issue. This 
is not just a national issue to the United States; this is a 
global issue.
    These particular criminals are attacking wherever they can 
find wealth and monetize that data.
    Mr. Scott. How are we doing compared to these other 
nations? Are these other nations putting them away as they 
should? Is there coordination with other nations?
    Mr. Noonan. Yes, sir. We are coordinating very closely with 
other nations. And to be honest, we have a very, very rich 
success rate of getting some significant, stiff sentences.
    Albert Gonzalez was a domestic target that we arrested in 
the TJX and Heartland Payment Systems breach. He was sentenced 
to 20 years in prison here in the United States.
    We also have a litany of other huge sentences. I brought up 
earlier Roman Vega out of the Ukraine was sentenced to 18 years 
in prison. Recently, out of Romania, Mr. Oprea was sentenced to 
15 years in prison here domestically for, again, point-of-sale 
breaches we are talking about today.
    Chairwoman Capito. The gentleman's time--
    Mr. Scott. And the national breach law is what you 
recommend we do?
    Mr. Noonan. Yes, sir.
    Mr. Scott. Okay.
    Chairwoman Capito. Thank you.
    Mr. Stutzman?
    Mr. Stutzman. Thank you, Madam Chairwoman.
    And I thank both of the witnesses for being here today.
    I would like to follow up just a little bit on the 
questions that you just talked about in, I guess, retailers. I 
come from a small business background and have small business--
or a retail small business as well, and obviously any sort of 
credit card is a convenience for both consumer and for the 
retailer, but the role that retailers play--granted, I am 
small, but there are large retailers out there. Can you share 
with us a little bit of what--how is that data stored? Do they 
keep that data?
    For us, we don't--we have no interest in it other than the 
transaction, and so I guess I am trying to follow up and 
understand why would we expect the retailers to be held to a 
different standard--or at the same standard as the financial 
institutions? Is there an effort out there by retailers even 
trying to do that?
    I guess I would be concerned about that to some extent, 
because the more information that is held in different groups' 
hands, the more opportunity there is going to be for breaches. 
I don't know if either of you had a comment on that?
    Mr. Noonan. Yes, sir. Actually on your next panel you have 
a witness from PCI who is going to be able to discuss some of 
those issues, but regulations have changed over the course of 
the years, so back in 2005, TJX intrusion happened where cyber 
criminals were able to go after a database where retailers were 
able to, at that time, store credit card data unencrypted in 
servers. So, the criminals were able to exfiltrate a whole 
database of stored credit card data in 2005.
    Because of that intrusion, industry changed. No longer can 
you store credit card data on a database within your system.
    So what the criminals then did is they looked at, where is 
the path of least resistance, and they attacked Heartland 
Payment Systems, which was a credit card processing company. 
Credit card data during that period of time crossed over the 
system from the retailer to the credit card processing company 
to the bank, and in that system it was not encrypted data 
during that period of time.
    Again, after that intrusion happened, the standards changed 
and from point to point credit card data and data information 
had to be encrypted.
    Today, the criminals are going after, again, where is the 
edge of the fence? So, they have gone after the point-of-sale 
systems.
    In domestic retail shops, from the point that you swipe 
your credit card at the terminal, that data goes to a back-of-
the-house server, to a computer in the back that you see it, it 
is probably in the storage room or something of that nature. 
And that data, from the point that it is swiped at the keypad 
to the back of the computer, that is where it is vulnerable and 
it is not encrypted. Once it hits that computer and goes 
through the processing system, that is where it is encrypted 
and protected.
    So what happens is continually we change the standard and 
these complex, sophisticated criminal actors are going to go 
after and have been going after this data in whatever they see 
as the most advantageous, weakest point in the system.
    Mr. Stutzman. So are you saying that typically, the weakest 
point is through retailers' entry points? How do they use the 
retailers' entry points? When I am swiping a card, are they 
able to follow that data from--
    Mr. Noonan. What they have done is they have actually 
installed malware into the computer system where it makes the 
switch from the swipe into the encryption piece, so before it 
is encrypted they have malware which actually captures the data 
at that point and exfiltrates the data back out to a different 
system where the criminal is able to collect it.
    Mr. Stutzman. Do retailers have the ability to--is there 
software out there that can prohibit that sort of activity, or 
what could retailers do to protect that information?
    Mr. Noonan. I am unsure at this point. That would be an 
industry question to bring up, sir.
    Mr. Stutzman. All right.
    Thank you. I will yield back.
    Chairwoman Capito. The gentleman yields back.
    Mr. Heck?
    Mr. Heck. Thank you, Madam Chairwoman.
    I would like to begin by asking unanimous consent to enter 
into the record the letter dated January 10, 2014, from 17 
signatories to Chairman Hensarling requesting this hearing. At 
the same time, I would like to express my public appreciation 
to you for conducting this hearing.
    Chairwoman Capito. Thank you. Without objection, it is so 
ordered.
    Mr. Heck. Thank you.
    Mr. Noonan, it is a little hard to look at this phenomenon 
without coming away with an answer to the question of, ``Are we 
winning or losing?'' of, ``We are losing,'' at least as 
measured--not in terms of the number of attacks, but the number 
of successful attacks and the dollar amount that has 
successfully been effectively stolen.
    So for those of us who aren't especially geeky, among whom 
I would count myself, can you put this in the simplest terms 
possible: What is the most important takeaway for those of us 
sitting here about what it is we can do as Members of Congress 
to help change that trend line? What is the most important 
action we could take, policy we could enact, in whatever form, 
to help?
    Mr. Noonan. It is my belief that if Congress were to assist 
in coming up with a reporting requirement where if there is a 
data breach or a company has knowledge of a data breach, that 
they were to bring that to law enforcement's attention. That is 
my perspective. That is the Secret Service perspective. Because 
we are able to, at that point, help with the information-
sharing piece that has to go forward to better protect what is 
going on after the fact.
    In other words, it is best for industry to have a point of 
contact at law enforcement--I make the analogy with a fire: 
Don't wait until your house is on fire to have the phone number 
to the fire department.
    If industry partners with law enforcement and already has a 
personal, a trusted relationship with law enforcement, we, law 
enforcement, are better able to assist a victim company walk 
through the process. And in doing so, we are able to grab and 
gather the cybersecurity-related information and share that, 
then, with the greater infrastructure in an effort to prevent 
other attacks.
    We use, again, a number of different efforts to share that 
information. We use the NCCIC, where they are able to push it 
out through their sources to greater industry. We are able to 
use our electronic crimes task forces. We are able to push that 
out to our trusted partners in the private sector as well as 
academia. And we are able to use our partners at the FS-ISAC to 
be able to take that information and push it.
    So I think the important part of this whole mechanism that 
we are talking about is the information-sharing apparatus of 
when a breach does occur, what can we learn from that breach, 
and how can we share that information to prevent others?
    Mr. Heck. I want to ask a follow-up corollary to that, 
which is really a follow up to the question--he has left now--
Mr. Luetkemeyer asked, which I didn't think you answered; I 
didn't think you were evading it but I didn't think you 
actually answered it, and I really thought it was a very good 
question, especially given that the nature of this activity 
does not respect boundaries of countries whatsoever. He asked 
you, ``What could we do to help you be more effective 
internationally?''
    And basically what you said is, ``Well, these international 
partnerships are really important to us.''
    But the question, sir, is, what can we do to help you be 
more effective as it relates to your ability to engage in 
effective enforcement internationally?
    Mr. Noonan. You can continue to support the Secret Service 
in our efforts of continuing to expand our presence in our 
international field offices and expanding that footprint. You 
can help us in furthering our international working groups that 
we have. We have working groups in the Ukraine; we have 
international working groups--
    Mr. Heck. Just use one example.
    Mr. Noonan. I'm sorry.
    Mr. Heck. I got it. I have one other question that I want 
to ask, and I apologize--
    Mr. Noonan. Sure. No problem.
    Mr. Heck. --for interrupting. I want to go back to Target.
    It is my understanding that neither Target-branded debit 
cards or credit cards were breached, or successfully--and first 
of all, I would like to know if I have accurate information in 
that regard. And if it is true, what was the difference? And is 
there a lesson to be learned there if it is true? What were 
they doing such that information wasn't used against--
    Mr. Noonan. Sure. So, I just checked, and that information 
is not accurate. Those cards--
    Mr. Heck. They were breached.
    Mr. Noonan. --were breached as well, so that was taken.
    Mr. Heck. Thank you.
    Mr. Noonan. Yes, sir.
    Mr. Heck. I yield back the balance of my entire 6 seconds. 
Thank you, Madam Chairwoman.
    Chairwoman Capito. The gentleman yields back.
    Mr. McHenry?
    Mr. McHenry. I thank the chairwoman.
    I just have a broad question for both of you, and if you 
could answer this. I read news reports that merchants and 
universities are finding out about data breaches from the 
government, from financial institutions, from credit card 
companies, banks, the whole lot. Why are merchants failing to 
detect those security breaches?
    Mr. Noonan. I can't answer why they are not detecting the 
security breaches, but law enforcement as well as other parts 
of the private sector--banks, processing companies--have a 
unique perspective of looking at compromised data. So we can be 
working with bank investigators--you can take any bank for 
example--and when they start seeing different anomalies with 
their customer base of reporting fraud losses, the initial 
point of report is going to be back to the bank investigator or 
back to the bank.
    So when they start seeing high percentages of fraud loss 
coming from the same merchant or the same retailer, that is a 
concern, so they would either bring it to law enforcement's 
attention or actually bring it to the retailer's attention at 
that point. So not necessarily would the retailer have the 
exposure themselves of that--
    Mr. McHenry. Okay. But to that end, Mr. Noonan, when you 
announced the data breach with Visa and Target in August of 
2013, right, it was made public then. Am I right on the 
timeline?
    Mr. Noonan. Negative. On Target? It wasn't until December 
at some point.
    Mr. McHenry. Okay. So when did you all identify the malware 
for that data breach?
    Mr. Noonan. The data breach, when it was brought to--when 
we were working closely side by side with the forensic 
examiners that--the third-party forensic examiners that Target 
had hired, within a week we were able to have that data and be 
able to push that out to--
    Mr. McHenry. So, you turned it around in a week's time?
    Mr. Noonan. Yes, sir.
    Mr. McHenry. Okay. So on the next panel, we have a witness 
from the Financial Services Information and Sharing and 
Analysis Center, and they are going to--they are actually 
conducting a study which, ``engages machine-to-machine threat 
intelligence exchange in a way that will more quickly inform 
financial infrastructure front line operators and aid their 
preventative and incident response decision-making.'' They are 
calling this the Cyber Threat Intelligence Repository.
    Are you both familiar with this initiative?
    Mr. Zelvin. We are, sir. At the NCCIC, we are one of the 
leading proponents and creators of the STIX and TAXII framework 
to which you are referring.
    Mr. McHenry. So will this speed the response? Tell us the 
value of it.
    Mr. Zelvin. Sure, Congressman. I think one of the best ways 
to highlight this is in September 2012, our financial sector 
was being attacked about 3 times a week with something called 
``distributed denial of service attacks.'' We were getting 
information by the hundreds of thousands, and technical 
information. We were getting those--and I am going to use some 
generalisms just to illustrate the point--in PDFs, so, in a 
very user-unfriendly format for a cybersecurity defender.
    We started using spreadsheets like Excel, which was a 
little bit better, but there are a variety of different data 
formats that companies use so there wasn't a one-size-fits-all. 
The STIX and TAXII format will enable to us adjust the 
information so somebody doesn't have to e-mail it, we don't 
have to process it, we then e-mail it back. This will do it in 
an automatic way so what had been taking us days that we got 
down into hours will hopefully take us seconds.
    Mr. McHenry. So you move from PDFs to Excel--
    Mr. Zelvin. To a machine-to-machine format that will take 
the human out of the equation. Again, it will be up to the--
where the destination goes how they are going to want to 
process--
    Mr. McHenry. My time is short, but can you tell us the 
legal restrictions that prohibit greater data-sharing? What are 
the things we could do to make the dissemination of data 
better?
    Mr. Zelvin. Congressman, I am going to highlight something 
that is--the question that was asked of Mr. Noonan, and you may 
have asked it. One of the things that we would really ask 
Congress to do is just better define clarity on information-
sharing. What is information that the private sector and others 
can share with us?
    I will tell you, we meet with a lot of C-suite executives, 
the security folks, and they say, ``By all means, government, 
here, you can have this information. Proliferate it widely. 
Others are being attacked. This will help us all.''
    Then they have others in the company who are giving good 
advice--their lawyers--saying, ``Look, there is no legal means 
that allows this. We are assuming some risk, some liability 
here.'' If we could get some clarity as to what can be shared 
with us and have that in law, that will really speed the 
process. And also, it should be respectful of privacy and civil 
liberties.
    We should not do this without having some governance on us, 
but it should not stop us from doing it, either.
    Mr. McHenry. I thank the chairwoman for her advocacy on 
this important issue.
    Chairwoman Capito. Mr. Rothfus?
    Mr. Rothfus. Thank you, Madam Chairwoman.
    In Pittsburgh, we are fortunate to have premier academic 
institutions like Carnegie Mellon University and the University 
of Pittsburgh right at our doorsteps. Both of these 
universities are doing exceptional work in the area of data 
security.
    And, Mr. Noonan, you highlighted in your testimony the work 
of Carnegie Mellon.
    As you, I think, would both agree, we need to be using 
these great resources in our fight to combat data-breachers.
    I am wondering, Mr. Noonan, if you would elaborate a little 
bit on how the Secret Service--and then, Mr. Zelvin, if you 
could perhaps comment on what DHS has been doing with these and 
similarly situated universities around the country?
    Mr. Noonan. Yes, sir. Thank you.
    The University Carnegie Mellon, we work closely with their 
Software Engineering Institute. We actually have a full-time 
agent who is assigned there, so he is sitting at Carnegie 
Mellon, partnered with them. Through academia and observing 
what is occurring in a lot of these cyber incidents, we are 
able to develop other tools--technical tools--which the 
Software Engineering Institute is able to help us identify 
different situations, different forensic solutions, different 
ways of looking at data, which better helps us do our cases, 
our investigations, our information-sharing.
    Like the institution at Carnegie Mellon, we also have 
representation at the University of Tulsa, where we have the 
Cell Phone or Mobile Device Forensics Facility, which we worked 
closely with students--graduate student level students there--
and we look at how mobile devices can be affected by criminals. 
We take highly complex criminal cases and we push them to our 
agent who sits with the University of Tulsa to examine how to 
get at those forensic capabilities and those forensic hurdles 
in mobile devices, too.
    So it is very important for us to team with academia to 
decide what is on the horizon of the next threat.
    Mr. Rothfus. Mr. Zelvin, is DHS similarly engaged with the 
academic institutions?
    Mr. Zelvin. Congressman, we are. Carnegie Mellon is one of 
our most critical partners in not only understanding threats 
but also in the mitigation, so it is an intimate relationship 
and something that we hold in the highest regard.
    Mr. Rothfus. I want to follow up a little bit on what 
Representative McHenry was talking about. I think everyone can 
agree that effective data security is dependent on a voluntary 
collaboration between the government and members of the private 
sector. Key to establishing this sort of trust-based public-
private partnership is adequate legal liability protection for 
private entities that share information with the government.
    And to that end, could you please elaborate on the current 
policy regarding legal liability protection for private 
entities that opt to share threat information with agencies 
like yours? Maybe each of you can--
    Mr. Zelvin. Congressman, that is one of the central issues 
with sharing at government is the concern of either breaking 
the law or potentially having court action in a civil case. So, 
there is great desire on behalf of the Executive Branch to have 
the legal liabilities in place so one would not be punished for 
sharing with government. Again, the information should be 
clarified as to what can be shared, but if you do share that 
information, one should be able to do so without penalty.
    Mr. Rothfus. Mr. Noonan, can you comment on, from your 
perspective, the current policy with respect to information-
sharing?
    Mr. Noonan. Yes, sir. I don't believe there is a policy as 
of right now. So I would concur with Mr. Zelvin. I think there 
is an issue with companies coming forward so they are given 
some sort of protection, but I cannot comment on existing 
policy, sir, no.
    Mr. Rothfus. In both of your written testimonies, you 
discuss the increasingly international nature of the threat 
landscape and the need for close partnerships with foreign law 
enforcement agencies. Which countries are you most concerned 
about in terms of data security?
    Mr. Noonan. A number of the international cases that we are 
talking about today are Eastern European, Russian-speaking 
cyber criminals. I don't want to affiliate these type of 
criminals with one particular country because again, there are 
no borders.
    We see Eastern European, Russian-speaking cyber criminals 
who are here domestically in our country that we are able to 
arrest and bring to justice. We see these types of criminals 
all over the world.
    I say this in the fact that these are the most 
sophisticated, in our opinion, cyber criminals who are 
attacking our Nation's financial infrastructure. So as far as 
saying--in trying to lock it down to a particular country of 
origin, there is not one in particular. We are seeing them 
across-the-board.
    But again, the Russian-speaking cyber criminal is using the 
Russian language as a form of OPSEC, if you will, to provide 
some anonymity to them. Because they use the Internet, they are 
wallowing in the anonymity of the Internet.
    Mr. Rothfus. Mr. Zelvin, would you agree with the Russian-
speaking actors out there? Are there other countries about 
which you have particular concerns?
    Mr. Zelvin. Congressman, I worry about actors in Asia; I 
worry about actors in Europe, to include Eastern Europe. It is 
literally a global threat environment. So on the financial 
side, I would agree with Mr. Noonan, it is more the Eastern 
European criminal actors, but there is also extraordinary 
criminal activity in Asia, as well.
    Mr. Rothfus. Thank you.
    And thank you, Madam Chairwoman.
    Chairwoman Capito. Thank you.
    Mr. Barr?
    Mr. Barr. Thank you, Madam Chairwoman.
    I wanted to kind of know from the witnesses what the worst-
case scenario would be. In your all's professional judgment, 
what would be the greatest cybersecurity threat to America's 
financial system?
    Mr. Noonan. In my opinion, it is a financial services 
attack that goes unnoticed. So a long, long period of exposure 
to a financial services sector company is my opinion of what 
the worst case could be.
    It is through the actions of law enforcement that 
proactively go out and seek these out that brings it to 
industry's attention. And I also think it is important that 
when industry itself notices it, that they bring it to our 
attention.
    It is important for us--law enforcement, the government--to 
be able to either prevent the attack from happening or see it 
as it is happening to be able to stop the bleeding from 
happening. If the bleeding occurs for a long, long period of 
time and there is a long period of exposure, that, in the 
financial services sector, would be probably the more 
important, more area of concern for that sector.
    Mr. Barr. Mr. Noonan, what would prevent a victim or 
targeted company from failing to notice this attack?
    Mr. Noonan. In my opinion, it is how advanced these 
criminal actors are. So when we are talking about significant 
criminal actors that--you have to understand, when they are 
going after the financial services sector, they are going into 
these targeted victim companies stealthily. Their job is to go 
undetected, because if they are detected and they go into these 
situations loud and disrupt everything, they are going to lose 
what their goal is and that is their financial gain; that is 
their grabbing the data and being able to monetize that data.
    So if law enforcement and industry learns about the theft 
of that data and we are able to do something about it, it 
minimizes the criminal profit in what they are attempting to 
do.
    Mr. Barr. Have we been able to assess or gauge the 
capabilities of some of these hackers? Specifically, the kind 
of nightmare scenario would be something along the lines of a 
hacker being able to erase electronic data from a large 
financial institution, or worse, effectuate transactions 
through hacking into a large, systemically important financial 
institution.
    Are we aware of whether or not cyber terrorists have that 
capability at this point?
    Mr. Zelvin. Congressman, let me answer that and then maybe 
go back to your original question. There are actors out there 
who have extraordinary sophistication, who are patient and are 
looking for vulnerabilities and are absolutely capable of 
finding them quickly, and it is just whether or not they have 
the intent and the access and then the ability.
    As I look at the worst-case scenario, to answer the first 
part of your question, I think that if somebody was to find an 
intrusion in the transactional systems that the financial 
sector uses, that would be pretty catastrophic. If there is a 
loss of confidence within the systems themselves where data has 
been compromised, that would be pretty catastrophic. If 
consumers lose the convenience that they rely upon, are unable 
to use their credit cards and their ATMs, that would be pretty 
catastrophic.
    There are others but those are the three that really come 
to my mind. You really get to that high impact, low 
probability.
    The sector, the institutions are doing extraordinary work 
at this every hour of every day. But ultimately, there are 
vulnerabilities and the actors are using some very creative and 
clever means to come at us, so you have to be very good every 
single day because they are trying to come at you every single 
minute of every day.
    Mr. Barr. And in terms of technological advancements in 
terms of creating defenses to this, there is talk about these 
chip cards and more extensive use of PINs, particularly with 
credit cards. But I did notice that in the case of the Target 
situation, that PINs were procured by the hackers, as well. So 
how effective is expanded use of PINS as a defense mechanism?
    Mr. Noonan. Any added security measure is going to 
definitely help in the monetization of whatever data is stolen. 
It would not assist in the theft of the data itself.
    Mr. Barr. Right.
    Mr. Noonan. Chip and PIN technology will help in limiting 
the criminal monetization of that data, but it would not help 
in the theft of that data. That data could still be used on 
card-not-present purchases.
    So a cyber criminal, though he cannot re-encode that data 
onto a credit card and use that counterfeit credit card, he 
could go online and type in the 16-digit number and the other 
information that is exposed there and still accomplish 
financial loss to the victim bank or the victim institution.
    Mr. Barr. Thank you.
    I yield back the balance of my time.
    Chairwoman Capito. Thank you.
    The gentleman yields back, and that concludes questioning 
for the first panel.
    I want to thank both of you gentlemen. I think this has 
been very enlightening, and I again apologize for the delay and 
thank you for your patience. You are dismissed.
    While we are changing over, I am going to ask for unanimous 
consent to submit several statements for the record from the 
Independent Community Bankers of America; the National Retail 
Federation; the National Association of Federal Credit Unions; 
the American Bankers Association; and the Credit Union National 
Association.
    Without objection, it is so ordered.
    All right. I want to thank the second panel for coming in. 
We have a second panel of distinguished witnesses.
    Again, thank you for your patience. I know you have been 
sitting here, as well, while we had our technical difficulties.
    Each of you will be recognized for 5 minutes to give an 
oral presentation of your testimony. And without objection, 
each of your written statements will be made a part of the 
record.
    Our first witness is Mr. Troy Leach, chief technology 
officer, PCI Security Standards Council.
    Welcome, Mr. Leach.

STATEMENT OF TROY LEACH, CHIEF TECHNOLOGY OFFICER, PAYMENT CARD 
        INDUSTRY (PCI) SECURITY STANDARDS COUNCIL (SSC)

    Mr. Leach. Thank you.
    My name is Troy Leach, and I am the chief technology 
officer for the PCI Security Standards Council, a global 
industry initiative that is focused on security payment card 
data. Our approach to an effective security program is people, 
process, and technology as key parts of data protection. Our 
community of over 1,000 of the world's leading businesses 
tackles security challenges from simple issues--for example, 
the word ``password'' is still one of the most commonly used 
passwords--to very complex issues, like proper encryption key 
management.
    We understand when consumers are upset when their payment 
card data is put at risk and the harm that is caused by 
breaches. The Council was created as a forum for all 
stakeholders--banks, merchants, manufacturers, and others--to 
proactively protect consumers' cardholder data against emerging 
threats.
    Our standards focus on removing cardholder data if it is no 
longer needed. Our mantra is simple: If you don't need it, 
don't store it. If you do need it, then protect it through a 
multilayered approach and devalue it through innovative 
technologies that reduce incentives for criminals to steal it.
    Let me explain how we do that. The data security standard 
is built on 12 principles that cover everything from strong 
access control, monitoring and testing of networks, risk 
assessment, and much more. This standard is updated regularly 
through feedback from our global community.
    In addition, we have developed other standards that cover 
payment software, security manufacturing of cards, point-of-
sale devices, and much more. We also develop standards and 
guidance on emerging technologies, like tokenization and point-
to-point encryption, that remove the amount of card data that 
is kept in systems, rendering it useless to cyber criminals.
    Another technology, EMV chip, has widespread use in Europe 
and other markets and is an extremely effective method of 
reducing card fraud in face-to-face environments. That is why 
the Council supports the deployment of this technology. In 
fact, today we already certified a securing of chip terminals 
and manufacturing of chip cards.
    However, EMV chip is only one piece of the puzzle. In 
addition, controls are needed to protect the integrity of 
payments online, on the telephone, and in other channels. These 
controls include encryption, proper access, response from 
tampering, malware protection, and more.
    These are all addressed within the PCI standards today. 
Used together, EMV chip and PCI standards can provide strong 
protections for payment card data.
    But effective security requires more than just standards 
and technology. Without ongoing adherence and supporting 
programs, these are only tools and not solutions.
    The Council makes it easy for businesses to choose products 
that have been independently lab-tested and certified as 
secure. The Council's certification and training programs have 
educated tens of thousands of individuals including assessors, 
merchants, technology companies, and government. And finally, 
we conduct global campaigns to raise awareness of payment card 
security.
    The recent compromises demonstrate the importance of a 
multilayered approach to payment card security, and there are 
clear ways in which the government can help--for example, by 
leading stronger law enforcement efforts worldwide, 
particularly because of the global nature of these threats; and 
by encouraging stiff penalties for these crimes. Promoting 
information-sharing between the public and private sector also 
merits attention.
    The Council is an active collaborator with government. We 
work with NIST, DHS, and many other government entities, and we 
are ready and willing to do more. We believe that the 
development of standards to protect payment card data is 
something that we are uniquely qualified to do. The global 
reach, expertise, and flexibility of PCI have made it an 
extremely effective mechanism for protecting consumers if 
implemented correctly.
    The recent breaches underscore the complex nature of 
payment card security. A multifaceted problem cannot be solved 
by a single technology, mandate, or regulation. It cannot be 
solved by a single sector of society.
    Businesses, standards bodies, policymakers, and law 
enforcement must work together to protect the financial and 
privacy interests of consumers.
    Today, as this committee focuses on recent breaches, we 
know that criminals are focusing on inventing the next attack. 
There is no time to waste. The PCI Council and business must 
continue to provide multilayered security protections while 
Congress leads efforts to combat global cyber crimes that 
threaten us all.
    We thank the committee for its attention to this, and we 
look forward to finding a way forward with addressing large 
security concerns of our time.
    [The prepared statement of Mr. Leach can be found on page 
67 of the appendix.]
    Chairwoman Capito. Thank you.
    Our next witness is Mr. Greg Garcia, advisor, Financial 
Services Information Sharing and Analysis Center.
    Welcome.

  STATEMENT OF GREGORY T. GARCIA, ADVISOR, FINANCIAL SERVICES 
       INFORMATION SHARING AND ANALYSIS CENTER (FS-ISAC)

    Mr. Garcia. Thank you, Chairwoman Capito, Ranking Member 
Meeks, and members of the subcommittee.
    I am Greg Garcia, president of Garcia Cyber Partners, a 
cybersecurity policy and business development consulting firm. 
I am testifying here today as an advisor to the Financial 
Services Information Sharing and Analysis Center, or FS-ISAC.
    In light of the recent data breaches in the retail sector, 
this hearing is timely as we consider how commercial and 
critical infrastructure sectors can prevent and defend against 
such attacks from happening in the future.
    During my tenure as Assistant Secretary at Homeland 
Security and as an executive with the financial services sector 
and IT sectors, I have consistently held up the FS-ISAC as a 
model operation. It is a model for how trusted collaboration, 
timely intelligence, and information-sharing are essential 
elements of any risk management strategy. They are effective 
tools against cyber adversaries who would subvert the integrity 
of the critical infrastructures that maintain the cyber, 
physical, and economic security of this country and the world.
    So accordingly, I would like to spend just the next few 
minutes describing some of the major elements of the model and 
put it in the context of the recent data breaches that are the 
subject of this hearing.
    The FS-ISAC was founded in 1999 in acknowledgement of a 
Presidential Directive, PDD 63, which urged private industry to 
self-organize around the mission of sector-specific critical 
infrastructure protection. The FS-ISAC provides a formal 
structure for its 4,500 member institutions to share valuable 
and actionable cyber intelligence within the sector and with 
their industry and government partners. This collaborative 
activity ultimately benefits the Nation.
    At FS-ISAC, we use all the tools at our disposal to stay 
ahead of adversaries. And just a few of these tools include the 
secure FS-ISAC member Web portal, where threat indicators are 
published; e-mail listservs; threat assessment conference 
calls; best practices advisories; incident response and 
mitigation protocols; cyber exercises; and information-sharing 
partnerships across the sector, with other sectors, and with 
government and cyber operations and intelligence entities, such 
as the NCCIC.
    We recognize that the threats we face are sophisticated and 
are frequently changing, and that immediate sharing of threat 
details and patterns is effective in heading off the changing 
nature of the threats.
    We also share this sensitive information without the risk 
that any member company would exploit another's misfortune from 
cyber attack for competitive advantage. Members know we are all 
in this together, that an attack on one can very quickly 
escalate to attack on many if all eyes and ears are not working 
together.
    And our organization ensures that even smaller community 
institutions have access to threat information alongside the 
largest financial institutions in the Nation. By way of 
specific example, allow me to walk you through some of the 
actions taken by the FS-ISAC in the wake of the retailer data 
breaches that recently occurred.
    First, when information from forensic investigations became 
available FS-ISAC published a joint document with the DHS 
National Cybersecurity and Communications Integration Center 
(NCCIC), the U.S. Secret Service, and ISAC partners regarding 
the breach. We provided relevant mitigation recommendations and 
network security best practices from an industry owner and 
operator perspective. These security practices are intended to 
help vendors and merchants to secure their point-of-sale 
systems and to defend against malware that are used in those 
system attacks.
    Second, FS-ISAC encouraged its association members to share 
the joint document broadly with their members, and we also met 
with and provided the document to a number of retailer 
associations and encouraged them to share the document with 
their members.
    Third, as information about the attacks was becoming 
available, members were able to leverage FS-ISAC's all-hazards 
playbook and related best practices to better protect and 
communicate with their customers and the general public.
    Fourth, FS-ISAC provided an assessment of the point-of-sale 
malware to its members on its biweekly threat calls and the 
assessment examined the malware in several ways--the usage 
patterns in the short term, the growing popularity and 
availability of the malware tools, and threat indicators for 
network defenders.
    Finally, we continue to work with multiple associations 
representing the retailers to explore ways in which we can help 
them enhance the security of their systems.
    Since these data breaches occurred, there has been 
considerable discussion in the public domain about 
accountability and assignment of costs associated with these 
breaches. Indeed, financial institutions have absorbed 
considerable costs associated with canceling and reissuing 
credit and debit cards to their customers.
    But as I stated at the beginning of my testimony, it is 
clear to us that we are all in this together, that security is 
a shared responsibility, and that is why the FS-ISAC was 
pleased to see the announcement on February 13th of a new 
partnership between merchant and financial trade associations 
that will focus on exploring the paths to increased 
information-sharing, better card security technology, and 
maintaining the trust of customers. Discussion regarding the 
partnership was initiated by the Retail Industry Leaders 
Association and the Financial Services Roundtable and was 
joined by a dozen other influential financial associations.
    Madam Chairwoman, that concludes my testimony and I look 
forward to answering any questions the subcommittee may have 
for me.
    [The prepared statement of Mr. Garcia can be found on page 
57 of the appendix.]
    Chairwoman Capito. Thank you.
    Our next witness is Mr. David Fortney, senior vice 
president, product manager and development, The Clearing House 
Payments Company.
    Welcome.

  STATEMENT OF DAVID FORTNEY, SENIOR VICE PRESIDENT, PRODUCT 
MANAGEMENT AND DEVELOPMENT, THE CLEARING HOUSE PAYMENTS COMPANY

    Mr. Fortney. Thank you. Good afternoon, Chairwoman Capito, 
Ranking Member Meeks, and members of the subcommittee.
    My name is David Fortney. I am the senior vice president of 
product management for The Clearing House, and I thank you for 
the opportunity to talk today about issues that are critical to 
all Americans--the security of our payment system and also the 
protection of sensitive consumer financial information.
    The Clearing House is the Nation's oldest bank association 
and payments company. Our mission includes ensuring the safety, 
soundness, and efficiency of the payments system.
    We provide payment services to our 23 owner banks and other 
financial institutions, clearing and settling nearly $2 
trillion daily. The organization's owner banks collectively 
represent over half of the Nation's deposits and over 70 
percent of Visa and MasterCard-branded credit cards.
    The recent escalation of merchant data breaches 
demonstrates the increasing sophistication of cyber criminals 
and also underscores the urgent need for financial 
institutions, merchants, and all who touch the payment system 
to work together to protect against current and future threats.
    I will focus my testimony today on two payment systems 
technologies that are on the horizon and will reduce the risk 
of future breaches: EMV; and tokenization.
    First, EMV cards contain computer chips and they are 
designed to protect against counterfeiting, as compared to the 
magnetic stripe-based cards used today. However, EMV alone 
would not have prevented the theft of card information in the 
recent breaches, as it relies on merchants receiving and 
processing the same static information that account numbers 
have today. As we have heard from prior testimony, those 
account numbers would still be significantly valuable to cyber 
criminals for committing fraud online, where most fraud occurs.
    Additionally, as EMV was designed prior to the Internet, 
prior to mobile phones or tablets, it does not address 
transactions initiated via those means.
    The second technology I would like to discuss is one that 
we have been directly involved in at The Clearing House. It is 
called tokenization.
    Tokenization addresses online and mobile phone payments by 
substituting a limited-use random number, called a digital 
token, for the customer's account number during the 
transaction. Working behind the scenes, the secure digital 
token acts just like a regular account number as it goes 
through the system and requires very little change in how 
customers and merchants operate. A customer's true account 
number is never present in the smartphone or in the merchant's 
system, preventing any malware residing on those systems from 
capturing that sensitive information in the first place.
    The implementation of these two technologies--EMV and 
tokenization--will require cooperation amongst the banks and 
merchants as the tangible benefits can only be achieved by 
moving in tandem.
    Turning to e-commerce, today customers provide personal 
financial and other data to e-commerce merchants, online 
wallets, alternative payment providers, merchant aggregators, 
and others. This proliferation of live sensitive customer 
account data increases the risk of breach-related fraud. When 
my bank recently sent me a new card after a compromise, I 
needed to update that card information on 47 different merchant 
and payment provider Web sites. In a tokenized environment, 
customer account data is held securely behind the bank 
firewalls and consumers won't need to update account 
information when cards are reissued.
    The scale of the payment system is enormous, with hundreds 
of millions of consumers, millions of merchants, thousands of 
banks and credit unions, and hundreds of networks and 
processors. The only way to gain broad adoption of a new 
technology such as tokenization is to develop an open standard 
that is scalable and widely adopted. Open standards promote 
innovation and allow customers and merchants to choose the best 
point-of-sale technology that works best for them.
    Two years ago, The Clearing House and its owner banks began 
working together to create an open tokenization standard that 
we call Secure Token Exchange. We are working with mobile 
wallets, networks, merchants, and payment processors to pilot 
and trial the standard. The initial pilot began late last year 
and we will soon expand the trial phase to encompass additional 
banks, merchants, and cities.
    This initiative has acted as a catalyst with an increasing 
number of payment system participants now working on 
tokenization. We remain very much at the center of this 
activity.
    For example, The Clearing House is now working with the 
card networks, standard bodies, merchants, and processors on 
digital tokenization efforts with the goal of upholding the 
core openness, safety, and soundness principles. We also joined 
the coalition referred to by the prior witness, a coalition of 
merchant and financial industry trade associations, to form a 
cybersecurity partnership.
    Thank you again for the opportunity to testify on these 
critical issues, and I would be happy to answer any questions 
you may have.
    [The prepared statement of Mr. Fortney can be found on page 
54 of the appendix.]
    Chairwoman Capito. Thank you.
    Our final witness is Mr. Edmund Mierzwinski, consumer 
program director, U.S. PIRG.
    Welcome.

  STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, 
                           U.S. PIRG

    Mr. Mierzwinski. Thank you, Madam Chairwoman, Ranking 
Member Meeks, and members of the subcommittee.
    As I did at a Senate hearing last month, I want to try to 
shift the discussion from what it has been in the media anyway, 
which is simply data breach notification--I am glad today we 
are talking about a lot more than data breach notification--to 
many of the other issues surrounding data security.
    First, regarding the Target breach, I am very concerned 
that Target dragged out notification to consumers for a long 
time. If it was because of investigations conducted with law 
enforcement that is one thing, but if it is simply because they 
wanted to drag it out for a long time, I am very disappointed.
    I am also disappointed in the product that they gave 
consumers--credit monitoring lite, a product that only tells 
you if your Experian credit report has any changes made to it, 
but not if your other two major credit reports have any changes 
made on them. Further, in order to accept that product, even 
though it was free, consumers had to agree to a mandatory 
arbitration clause limiting their rights against Experian in 
the future, and that is simply unacceptable to me.
    But at the same time, I don't hold Target, Neiman Marcus, 
or any other company completely to blame for the breaches that 
have occurred in their stores or in their payment systems. The 
reason for that is they are working with the banks and the card 
networks, and the banks and the card networks are forcing them 
to use an obsolete payment system known as the mag-stripe card. 
For 50 years, or maybe 40 years, we have used the mag-stripe 
card without upgrading it.
    I am very pleased to hear that the banks are now talking 
about open standards to upgrade the systems out there. That is 
very encouraging to me. But for 40 years, they acted as 
monopolists with closed standards and required merchants to 
accept a card essentially like a car from the 1950s--no 
airbags, no ABS brakes, no additional safety features, no 
safety glass.
    Merchants were forced to continue to adopt new and 
different and ever-changing changes to their systems. It was 
just very difficult for them and it is not all the merchants' 
fault, and the banks need to be held accountable and the card 
networks that were formerly owned by the banks and still are 
largely controlled by the banks.
    I have in my written testimony 10 recommendations that I 
want to go through quickly.
    First, Congress should make all plastic equal. Credit cards 
are safe by law; debit cards have zero liability by promise 
only. Plus, with a debit card, again, you are required to use 
an unsafe system on the signature-based network instead of a 
PIN-based network.
    You are encouraged, anyway, to use it without a PIN, and 
that is just unfair and unreasonable to consumers who not only 
are breached, who will not only face the problem of fraud or 
identity theft, but also lose money from their existing account 
until the bank replaces it, if it honors the zero liability 
promise. So first, why shouldn't debit cards have the same 
consumer protection as credit cards?
    Second, be careful not to endorse any specific 
technologies. Go forward with open standards that push 
innovation and that all participants in the system are subject 
to the same rules. Previously, the banks have forced merchants 
to be subject to a different set of rules than they have been 
subject to, and companies that are under Gramm-Leach-Bliley are 
subject to a different set of rules than the merchants are 
subject to--an easier, softer set of rules.
    Third, look into whether the open standards bodies are 
truly open. I don't think they have been in the past; I am 
encouraged to think that they may be in the future.
    Fourth, Congress should stay away from an issue that has 
been debated in State legislatures, which is that banks try to 
get the merchants, by law, to pay all of their costs. They 
already do pay most of the banks' costs. It is impossible to do 
that by law.
    Finally, don't preempt the States. Even if you come up with 
a uniform standard, don't preempt the States. You don't need 
to. The States will move onto other issues as long as your 
standard is good enough, but if it isn't, we need the States as 
first responders.
    Make sure you allow for private enforcement by consumers of 
any law in State attorneys general as well as a good Federal 
law.
    Don't include a harm trigger in your law. Force companies 
that lost their information to tell us about it.
    Investigate overpriced credit monitoring. I have already 
talked about the fact that it is given for free to consumers, 
but it is something the committee should investigate and the 
CFPB has been looking into quite a bit, as well.
    Finally, Congress should investigate the over-collection of 
consumer information generally on the Internet by companies we 
don't even do business with--not only by our banks, and not 
only by the retailers with whom we do business. There are 
dozens if not hundreds of additional business-to-business 
companies collecting information about us that are not 
regulated.
    Thank you.
    [The prepared statement of Mr. Mierzwinski can be found on 
page 73 of the appendix.]
    Chairwoman Capito. Thank you very much, and I want to thank 
all of the witnesses.
    I will yield myself 5 minutes to begin the questioning.
    My first question is for Mr. Garcia. On the FS-ISAC, it is 
a sharing organization with the financial services community, 
are there now private entities who are in that--retailers and 
such that are a member of that community or is it mostly just 
financial services?
    Mr. Garcia. It is mostly financial services, although we do 
have a retailer member now and we include insurance companies, 
and payment processors. Any organizations that have--that 
essentially are regulated as financial institutions or have 
banking credit subsidiaries are eligible for membership in the 
FS-ISAC.
    Chairwoman Capito. Would, say, like a Target be eligible 
for membership to--
    Mr. Garcia. Yes. And they are a member.
    Chairwoman Capito. And they are a member.
    Mr. Garcia. Yes.
    Chairwoman Capito. So are you going to encourage other 
retailers--because obviously this is where the--some of the 
breaches most recently have taken place--
    Mr. Garcia. Absolutely. We have had a lot of conversations 
with the retail sector, and certainly Target's membership in 
the FS-ISAC, I think, serves as leadership and opportunity to 
bring on the broader retail sector, provided each individual 
organization is eligible for ISAC membership according to the 
regulatory status, as I mentioned.
    Chairwoman Capito. All right. Thank you.
    Mr. Fortney, you mentioned two different types of 
technologies, the EMV chip and the tokenization. Is anybody 
using the tokenization now in the United States with whom we 
would all be familiar?
    Mr. Fortney. Tokenization has been used in what I would 
call point-to-point or proprietary type of environments, but 
what is--
    Chairwoman Capito. Give me an example of that.
    Mr. Fortney. So, an example would be that instead of using 
a true account number in a product that maybe one bank issues, 
instead embed a digital token. That has been done. Or 
individual merchants--
    Chairwoman Capito. In financial transactions, not retail.
    Mr. Fortney. Correct.
    Chairwoman Capito. Okay.
    Mr. Fortney. What is new with this is really talking about 
it in terms of an open standard that could be used widely in 
which everyone agrees to the same rules--
    Chairwoman Capito. Is anybody outside the United States 
using tokenization in a retail spectrum?
    Mr. Fortney. I believe the United States is ahead in this 
particular area, although there is a lot of interest for the 
technology globally, and some--
    Chairwoman Capito. Okay.
    Mr. Fortney. For instance, some of the institutions in our 
owner base do operate globally. They have strong interest in 
using this technology across the globe.
    Chairwoman Capito. Okay. The EMV chip is used in Europe, 
correct?
    Mr. Fortney. That is correct.
    Chairwoman Capito. Okay. Now I think I read this or heard 
that Target--and I am using Target as an example, but it might 
not be the correct example--had originally looked at the EMV 
chip as one of the mechanisms that they would use and actually 
might have even used it at some point and then ceased using it. 
Is that correct?
    Mr. Fortney. I read the same thing, and I think it really 
goes to--it is really impossible for a single entity to 
introduce a new technology in payment with--and have impact 
without moving in tandem with a number of other retailers at 
the same time and the banks at the same time.
    Chairwoman Capito. Yes. I think in that same article it 
said that it was discontinued because of the ease of service at 
the checkout. It was holding people up for one reason or 
another. Anyway, yes, I was just curious about that.
    Mr. Leach, I know from our previous conversation when we 
talked about the EMV chip, it is not the be-all and end-all to 
solve these issues. Could you expound on that a little bit for 
us, please?
    Mr. Leach. Sure. I would be happy to do so.
    As you know, our PCI standards are applied in Europe 
already today, and so we are looking at ways that we can remove 
the exposure of card data. So in a chip transaction, mag-stripe 
transaction, the card information is still exposed. And as Mr. 
Noonan in the previous panel explained, you can take that 
information and create fraud in online, telephone order, and 
other channels.
    So our focus is on removing that card information 
completely from the merchant environment through tokenization, 
point-to-point encryption, and other means, so as soon as the 
customer puts their information into a point-of-sale terminal, 
it is removed, and it is no longer available to the criminal if 
they are able to get into that system.
    Chairwoman Capito. Okay. We have been talking a lot about 
cards, and one of the things I mentioned in my opening 
statement is my interest in mobile payments, and I don't think 
of those as cards, although they are attached to a card number.
    What about security around these? Is that something that is 
part of what you are looking at for standards, Mr. Leach?
    Mr. Leach. It is. And we think that this new, innovative 
technology--and there is actually going to be a press release 
on the framework next week on this--is very exciting. We think 
that by removing card data, we can actually improve the 
security of mobile transactions, as well.
    Chairwoman Capito. Okay. Thank you.
    Mr. Meeks?
    Mr. Meeks. Thank you, Madam Chairwoman.
    And let me, as a guy who is not tech-savvy at all, say that 
I appreciate your testimony.
    I guess I will start with Mr. Leach. Again, in trying to 
figure out what we can do as Members of Congress, there is 
currently no Federal law establishing security standards that 
merchants and data brokers are required to meet.
    My first question is, does this matter? And what is the 
appropriate role of the Federal Government, in your estimation, 
in setting a dynamic and effective security standard, and what 
should the private sector's role be?
    And then, in light of the recent breaches at major U.S. 
retailers, do the existing PCI standards need to be updated?
    Mr. Leach. I will start with the last question, because it 
is very interesting the timing of these breaches and our most 
recent update to the standards. Many of the actual incidents 
that are being reported in the media of how these criminals 
were able to get into these systems are actually already 
addressed in our PCI standards today. When these forensic 
investigations are completed, they typically provide a report 
of what PCI requirements have failed in those environments in 
order for a criminal to actually access and steal consumers' 
cardholder information.
    There is enforcement of our standards in the industry 
today. It is by contract, so it is a financial institution and 
their contractual relationships with their merchants is how we 
enforce in our industry today.
    For government involvement, I think the FS-ISAC and 
information-sharing so that we can take what we learn from 
these investigations and put that into our standards is where 
we need to have improvement. I think there has actually been in 
the last couple of years more engagement between the government 
and the private sector, and we encourage that to go forward.
    Mr. Meeks. Let me ask, I guess, Mr. Mierzwinski: You 
testified today, as you did before the Senate Banking Committee 
in early February, where you urged that we should not embrace 
any specific technology but use and encourage the users to use 
the highest existing standard to prevent by action of rules of 
existing players from blocking additional technological 
improvements and security innovations.
    And I am listening, and I am hearing, on one end, and if I 
get a chance, I will ask Mr. Fortney about tokenization and how 
that can become a large-scale viable--but could you please 
elaborate on some of the basic pros and cons of each smart chip 
card variation, keeping in mind the differences in cost and the 
susceptibility to fraud, and how any of the resulting fraud 
losses are divided between merchants and card issuers and 
consumers?
    Mr. Mierzwinski. Thank you, Congressman. Again, today is 
really the first time that I have heard the words ``open 
standards'' from the bank and card network industry. They may 
have talked about it in the past but I have understood the PCI 
standards body to be totally controlled by the banks and the 
card networks, and that has been harmful to innovation.
    Today, EMV is kind of a standard, but it has different 
levels of protection, and the card networks would like you to 
believe that they are moving toward something called ``chip and 
signature,'' and that is good enough. But chip and signature is 
designed by them to ride on the old signature-based platform. 
Anybody can forge a signature.
    Chip and PIN is a better solution. Tokenization is also a 
better solution to part of the problem. Online, using virtual 
account numbers for each transaction, is another part of the 
solution.
    So I think as long as we are developing standards in a 
truly open body where you can promote innovation, we are much 
better off.
    Mr. Meeks. Mr. Fortney, would you alter your answer at all? 
What is your opinion on the same question?
    Mr. Fortney. Yes, so, first of all, in the United States, 
as Mr. Mierzwinski points out, as the chip cards are introduced 
it is not necessarily going to be mandating a PIN. You can call 
it chip and choice, that there will be certain transactions 
that require a PIN just as they do today, such as an ATM 
machine or certain retailer transactions. Other transactions 
may be requiring the signature, and certainly underneath a 
certain dollar amount there may not be either of those.
    But regardless of all that, that chip card is fundamentally 
more secure than the mag-stripe card and is a big advance 
forward.
    Mr. Meeks. Thank you.
    Mr. Luetkemeyer [presiding]. Thank you.
    With that, I will yield myself 5 minutes.
    One of the things that is concerning to me is at this 
point, from what I understand, the banks normally are the ones 
left holding the bag normally whenever you have one of these 
breaches, and is there something, Mr. Leach, in the discussion 
with your group, to find a way to put some liability on the 
other--the merchant who didn't maybe have the latest technology 
or didn't exercise the greatest care with his data so that it 
was breached? Or am I wrong on that? Is there a sharing of 
liability there?
    Mr. Leach. The PCI Council is a technical standards body, 
so liability and all of the enforcement of our standards is 
managed through those banking relationships between the bank 
and the merchant. What we do is we try to remove that card 
information from ever being stored in a merchant location.
    We heard from other Congressmen earlier who recognize that 
security is a very hard thing to do day in and day out, and 
what we are trying to do, to the gentleman's point earlier 
about tokenization, is remove cardholder data from ever being 
exposed in merchant locations so there is no longer an ability 
for criminals to monetize that data.
    Mr. Luetkemeyer. Mr. Garcia, is there a movement to have 
higher standards for the merchants so that they share some of 
the liability there?
    Mr. Garcia. We discussed just this recent partnership 
consortium that has been established between the financial 
services sector and merchants and payment processors, and I 
think that is going to go a long way to sort of gaining a 
common understanding as to what are our respective 
vulnerabilities, our respective responsibilities, and how do we 
work together to stay ahead of the adversaries.
    Mr. Luetkemeyer. Okay. You made mention a while ago that 
there was a February agreement to that effect. Is that correct?
    Mr. Garcia. That is correct, February 13th.
    Mr. Luetkemeyer. Can you explain that just a little bit 
further?
    Mr. Garcia. There are about a dozen industry associations 
that are signatory to this. It is just in the beginning phases. 
It is a partnership that is based on the recognition that we 
all--this is a shared challenge and therefore a shared 
responsibility, and over the coming months we are going to be 
looking into what are the various initiatives and programs we 
can engage in together to think about not just new 
technological capabilities, but what are standards of practice? 
How do we interact among each other to have a more secure 
ecosystem for the commercial and retail financial environments?
    Mr. Luetkemeyer. Okay. Do you work with foreign countries, 
as well, foreign clearinghouses?
    Mr. Garcia. No, not that I am aware of at this point. It is 
U.S.-based.
    Mr. Luetkemeyer. Okay. With your chip technology changing--
or perhaps changing--where do you go with that when it comes to 
discussing it with merchants who--for instance, if I want to 
take a trip to Italy and now I want to use my credit card, how 
is that going to work if they don't have that same technology 
to be able to accept that card?
    This is going to have to be worldwide, I assume. Either Mr. 
Garcia or Mr. Fortney here?
    Mr. Fortney. You have hit upon an issue that has been out 
there for people who travel from country to country, and maybe 
the card technology they work in one country doesn't work fully 
in the other. There are a number of banks today that will issue 
cards that will work internationally, using EMV, and as the 
rest of the U.S. industry issues those cards over the next year 
or two, that problem should diminish greatly.
    Mr. Luetkemeyer. One of the problems that we have is with 
convenience comes more exposure, more risk, and that means more 
responsibility on an individual's part, too. Is there something 
an individual can do to protect his cards, his information 
better by the way he uses it?
    Mr. Fortney?
    Mr. Fortney. You are asking an interesting question because 
I don't really put a lot of the responsibility on the end user. 
The end user, when they are in a payments environment, they 
need to enter their card information in the way in order to get 
the purchase done. So I guess I would prefer to focus on what 
are ways that we can actually improve the system, get rid of 
these card numbers and live static information out of the 
system and protect the consumers in that way?
    Now, to further answer your question, sure there are some 
things that we all would agree are very bad practices, like if 
you have a PIN, don't write it on the back of your card, and if 
you are missing a card or you see a fraudulent transaction, 
report it promptly. I would encourage people to sign up for the 
mobile banking alerts that most financial institutions offer so 
that you have rapid information if your card has been used, and 
if you don't recognize that transaction, take quick action.
    Mr. Luetkemeyer. Does a consumer need to change his cards 
regularly? In other words, if I have a MasterCard, for 
instance, do I need to call the company and say, once every 6 
months get a new card with new numbers and--is that a 
protection or is that just a waste of my time?
    Mr. Fortney. I don't think that is really necessary because 
if your card number were to be breached then your institution 
would most likely reissue that card. This really would be a 
tremendous hassle for a consumer to proactively go about asking 
for a new card.
    If you have reason to believe it has been breached, 
absolutely, but not just as a preventative measure. I wouldn't 
recommend that.
    Mr. Luetkemeyer. My wife, this past couple of weeks, has 
been in a different State, and as a result, she has used her 
credit card, and because it was a different State, immediately 
the credit card company, zam, they said, ``Hey, your card is 
being used in a different State. Is this what you want to--are 
you there or did somebody steal your card?'' It was very quick 
because the first transaction she did, immediately it was like 
that, the thing popped up on our e-mail and I was immediately 
notified to that effect.
    It was very helpful and it is nice to know that they are 
that quick to respond. So I guess that is another way that the 
companies are trying to prevent some folks from being abused 
with regards to that.
    Mr. Fortney. Yes, that is correct. And as you saw in your 
personal experience, many of the banks--really all of the banks 
now have this kind of fraud detection technology and they are 
looking for anything that is outside of the pattern.
    That can certainly create a hassle if you are traveling and 
it happens to you erroneously, but typically you can call and 
get that--verify the last transaction and the card gets opened 
up again for a full purchase.
    Mr. Luetkemeyer. Very good. Thank you.
    With that, we will move to the gentleman from Georgia, Mr. 
Scott.
    Mr. Scott. Thank you very much, Mr. Chairman.
    Certainly, first, I just want to commend Mr. Leach and the 
PCI. I think you guys are on the right track in lessening the 
available information out there for the bad guys to work with 
in the first place, and I encourage you to continue with that.
    But what really disturbs me about this hearing is that 
earlier I asked the Secret Service and Homeland Security why 
the United States was targeted, is there something other 
nations are doing that we are not doing, and their answer was 
not an accurate one, if I may say, and I want to address that. 
Because this is a serious problem and there is a reason why we 
are being targeted, and I want you all to respond to this.
    The Economist, in its February 15th article, said that 
America--this Nation, the United States--leads the world in 
payment card fraud. It is the only country in which counterfeit 
card fraud is consistently growing. In fact, the United States 
currently accounts for nearly half--47 percent--of all global 
payment card losses.
    It goes on to say, in part, that fraudsters target the 
United States because that is where the cards are. At the end 
of 2013 there were 1.2 billion debit, credit, and prepaid cards 
in circulation in America. That is over half of the 2 billion--
more than in any other region. That is nearly five cards per 
adult here.
    But America also makes things easy for fraudsters. Alone 
among developed countries, it still relies exclusively on cards 
with magnetic strips, which are far less secure than the chip 
and PIN technology used elsewhere. So clearly, the gentlemen 
with Homeland Security and the Secret Service are probably not 
aware of this.
    But now that we are aware of this, Mr. Mierzwinski, let me 
ask you, given this information from The Economist, given how 
big this issue is, let me ask you: What makes the United States 
payment card so vulnerable to fraud more than any other nation, 
and what is it that we do differently than other countries 
around the world regarding this?
    Mr. Mierzwinski. Mr. Scott, I think you answered the 
question already. I don't know how much I can add to it, but we 
are still using a 40- or 50-year-old magnetic stripe obsolete 
technology. We are now starting to move slowly toward chip and 
PIN, tokenization, virtual card numbers on the Internet, and 
other solutions that are going to be better.
    But the second thing that we do in this country is we 
aggressively rolled out debit cards to be used without PINs. 
When they were exclusively ATM cards they required a PIN, but 
the big card networks wanted them to ride along on their 
signature-based systems and so they said, ``Merchants and 
consumers, use the unsafe product on the signature-based 
system.''
    So that is why we say, let's give consumers greater 
consumer protection when they use debit cards. And let's go 
back to encouraging the use of PIN-based networks. There are 
competitor PIN-based networks but the big banks don't want you 
to use them because they don't own them.
    Mr. Scott. I see.
    Let me ask you this, because I am anxious--and all of us on 
this committee are anxious--to see what we in Congress can do. 
So let me ask you, is there any reason why Congress shouldn't 
mandate that payment card security standards use the most 
effective technology in the marketplace?
    Mr. Mierzwinski. I agree with you on that completely, and I 
will leave it up to your legislative counsel to help draft it, 
but absolutely it should be a standard-based system that 
promotes the highest and most innovative standards.
    Mr. Scott. And so don't you feel--let me just ask you this: 
Why is it important, in your opinion--and others can comment on 
this as well--for Congress to improve debit ATM card consumer 
rights and make all plastic equal?
    Mr. Mierzwinski. Very simply, cards are not protected and 
your bank account is not protected, and that is a real problem 
for consumers. I believe that if the consumer rights were 
increased to the level of credit cards--I only use credit 
cards, by the way, on the Internet, and I only use credits 
cards at the store. It is the safer way to go. But if debit 
cards had higher consumer rights that would focus the mind of 
the banks on improving protections for those cards.
    Mr. Scott. And you also mentioned that if fraud victims are 
reimbursed at what you refer to as zero liability, is this zero 
liability policy ubiquitous among all credit card and debit 
card users?
    Mr. Mierzwinski. As far as I--zero liability is something 
that the debit card industry promotes. The credit card law 
maximizes our liability at $50, but with a debit card, you 
could lose all the money in your account under some 
circumstances.
    Mr. Scott. Okay. My--
    Mr. Mierzwinski. But as far as I know, all the card 
companies do use zero liability but some have more asterisks, 
more exceptions.
    Mr. Scott. And so my final point is, because I think the 
American people--I think this is a problem of soaring 
magnitude, and we are going to be in trouble if we don't get a 
handle on this. We in Congress, there is no national directive 
here, so I just want to ask each of you, do you feel that the 
most important thing we can do right now is this national 
breach legislation that we have been talking about, that we 
have a national standard, or do you see just leaving it at the 
State level--the various State levels, this hodge-podge that we 
have?
    Mr. Mierzwinski. If you are starting with me, I have 
already testified that I think that we don't really need a 
national standard, but if you do establish one--because a good, 
smart company can just comply with the strongest State law, but 
if we are going to focus on that as part of the solution, just 
don't preempt the States. Go to a high, good national standard. 
You won't need to preempt the States.
    Mr. Scott. Okay.
    Anyone else?
    Mr. Fortney. Yes. We would support a national standard. We 
just think the most efficient way to deal with these sorts of 
threats is to be consistent and provide standard consumer 
protection versus a haphazard, State-by-State approach.
    Mr. Scott. Yes.
    Mr. Garcia?
    Mr. Garcia. Yes. I would agree with that. I think if you 
have 40-plus State laws that differ in various respects as to 
what are the requirements for breach notification, it doesn't 
necessarily improve consumer protection to have multiple 
different forms of communication, and to the extent that you 
can standardize that kind of communication to the consumer base 
nationally, I think that would be more effective and less 
costly.
    Mr. Scott. Okay. Thank you.
    Mr. Leach, would you--
    Mr. Leach. Consistency is good. Again, we need to find ways 
to get after these bad guys and remove the monetization of card 
data, period.
    Mr. Scott. Okay.
    Thank you very much, Mr. Chairman. I appreciate the extra 
time.
    Mr. Luetkemeyer. Thank you.
    I just have one follow-up question here, and then I think 
we are done for the day and we will let you guys go.
    We have seen in the last year or so a number of breaches, 
and my concern is, how many more are yet to come? And as a 
result of that, when are we going to get some action taken to 
stop this?
    And so if you could answer those two questions succinctly 
here, we will start with Mr. Mierzwinski?
    Mr. Mierzwinski. I apologize--
    Mr. Luetkemeyer. I guess the question is, how susceptible 
are we to further breaches, and then where are we going to be 5 
years from now? Are we going to take action?
    Mr. Mierzwinski. I think that further breaches are going to 
occur. I just saw Brian Krebs who is tweeting that--he is the 
guy who broke the Target story; he is a cyber journalist, I 
guess--that there was another breach today of a beauty company. 
And so, there will be continued breaches. The question is, what 
do we do about them?
    Five years from now, I predict we are going to have a much 
more sophisticated system. There is innovation coming from 
phone companies, coming from Internet companies, coming from 
alternatives. It is going to force the banks to do a better 
job.
    Mr. Luetkemeyer. Mr. Fortney?
    Mr. Fortney. I would agree with most of that. I think it is 
not just on the banks, however.
    It is really on the banks and the merchants and everyone to 
work together to introduce these new technologies. It can't be 
done from one side.
    Mr. Luetkemeyer. Mr. Garcia?
    Mr. Garcia. Asking when we are going to stop cyber attacks 
is tantamount to asking when we are going to stop crime. It is 
an ongoing challenge. As long as there is technological 
innovation, there is technological innovation on the side of 
criminals as well, finding ways to exploit that.
    So, as I mentioned before, it isn't just about technology, 
but it is about your practices and your information-sharing and 
your collaboration. We are all in this together and no single 
one of us is as smart as all of us combined, and that is really 
what the FS-ISAC is here to talk about today is how we 
collaborate when those technological solutions aren't going to 
fully protect us, but what can we do together as a team.
    Mr. Luetkemeyer. I guess the follow-up to you would be, 
okay, we recognize we have a problem. Your group is one who 
tries to solve a problem. Are you going to kick it into another 
gear to get this done ASAP?
    Mr. Garcia. As a matter of fact, we have initiated a new 
program that tries to automate--that does automate our 
intelligence and information-sharing and incident response, 
because as we know, many cyber attacks happen at Internet 
speed, and as long as we are operating at human speed, we are 
one step behind. So we have invested quite a lot of resources--
FS-ISAC and its membership--in developing--in automated tools 
using standardized language for how we characterize threats and 
attacks such that the front-line cyber operators and analysts 
who are protecting our systems are able to make decisions in a 
more real-time way and take action in a more real-time way 
against those threats and attacks.
    Mr. Luetkemeyer. Very good.
    Mr. Leach?
    Mr. Leach. I would say we can't address 2014 threats with 
2004 controls. We need to remove the legacy systems that we 
have--and part of that is legacy business process and educating 
merchants that there is no longer a need to store cardholder 
information beyond the point of getting an authorization.
    I think with the legacy systems that we have today, there 
is opportunity for us to improve. You asked about what we will 
see in about 5 years. I see us no longer having these value 
card information for criminals to attack. That is where I hope 
we are going to be in 5 years.
    Mr. Luetkemeyer. I thank each of the witnesses for being 
here today. As you can see, we are very concerned on this side 
of the table with regards to the privacy of information and the 
privacy of financial transactions that take place with our 
consumers and our constituents and the people of this country.
    And so, we want to work with you. If you can continue to 
work with us to point out places where we can be of help, we 
certainly want to look for that.
    And again, I thank the chairwoman for the opportunity to 
have this hearing.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    With that, hearing is adjourned.
    [Whereupon, at 1:09 p.m., the hearing was adjourned.]


                            A P P E N D I X



                             March 5, 2014


[GRAPHIC] [TIFF OMITTED] T8530.001

[GRAPHIC] [TIFF OMITTED] T8530.002

[GRAPHIC] [TIFF OMITTED] T8530.003

[GRAPHIC] [TIFF OMITTED] T8530.004

[GRAPHIC] [TIFF OMITTED] T8530.005

[GRAPHIC] [TIFF OMITTED] T8530.006

[GRAPHIC] [TIFF OMITTED] T8530.007

[GRAPHIC] [TIFF OMITTED] T8530.008

[GRAPHIC] [TIFF OMITTED] T8530.009

[GRAPHIC] [TIFF OMITTED] T8530.010

[GRAPHIC] [TIFF OMITTED] T8530.011

[GRAPHIC] [TIFF OMITTED] T8530.012

[GRAPHIC] [TIFF OMITTED] T8530.013

[GRAPHIC] [TIFF OMITTED] T8530.014

[GRAPHIC] [TIFF OMITTED] T8530.015

[GRAPHIC] [TIFF OMITTED] T8530.016

[GRAPHIC] [TIFF OMITTED] T8530.017

[GRAPHIC] [TIFF OMITTED] T8530.018

[GRAPHIC] [TIFF OMITTED] T8530.019

[GRAPHIC] [TIFF OMITTED] T8530.020

[GRAPHIC] [TIFF OMITTED] T8530.021

[GRAPHIC] [TIFF OMITTED] T8530.022

[GRAPHIC] [TIFF OMITTED] T8530.023

[GRAPHIC] [TIFF OMITTED] T8530.024

[GRAPHIC] [TIFF OMITTED] T8530.025

[GRAPHIC] [TIFF OMITTED] T8530.026

[GRAPHIC] [TIFF OMITTED] T8530.027

[GRAPHIC] [TIFF OMITTED] T8530.028

[GRAPHIC] [TIFF OMITTED] T8530.029

[GRAPHIC] [TIFF OMITTED] T8530.030

[GRAPHIC] [TIFF OMITTED] T8530.031

[GRAPHIC] [TIFF OMITTED] T8530.032

[GRAPHIC] [TIFF OMITTED] T8530.033

[GRAPHIC] [TIFF OMITTED] T8530.034

[GRAPHIC] [TIFF OMITTED] T8530.035

[GRAPHIC] [TIFF OMITTED] T8530.036

[GRAPHIC] [TIFF OMITTED] T8530.037

[GRAPHIC] [TIFF OMITTED] T8530.038

[GRAPHIC] [TIFF OMITTED] T8530.039

[GRAPHIC] [TIFF OMITTED] T8530.040

[GRAPHIC] [TIFF OMITTED] T8530.041

[GRAPHIC] [TIFF OMITTED] T8530.042

[GRAPHIC] [TIFF OMITTED] T8530.043

[GRAPHIC] [TIFF OMITTED] T8530.044

[GRAPHIC] [TIFF OMITTED] T8530.045

[GRAPHIC] [TIFF OMITTED] T8530.046

[GRAPHIC] [TIFF OMITTED] T8530.047

[GRAPHIC] [TIFF OMITTED] T8530.048

[GRAPHIC] [TIFF OMITTED] T8530.049

[GRAPHIC] [TIFF OMITTED] T8530.050

[GRAPHIC] [TIFF OMITTED] T8530.051

[GRAPHIC] [TIFF OMITTED] T8530.052

[GRAPHIC] [TIFF OMITTED] T8530.053

[GRAPHIC] [TIFF OMITTED] T8530.054

[GRAPHIC] [TIFF OMITTED] T8530.055

[GRAPHIC] [TIFF OMITTED] T8530.056

[GRAPHIC] [TIFF OMITTED] T8530.057

[GRAPHIC] [TIFF OMITTED] T8530.058

[GRAPHIC] [TIFF OMITTED] T8530.059

[GRAPHIC] [TIFF OMITTED] T8530.060

[GRAPHIC] [TIFF OMITTED] T8530.061

[GRAPHIC] [TIFF OMITTED] T8530.062

[GRAPHIC] [TIFF OMITTED] T8530.063

[GRAPHIC] [TIFF OMITTED] T8530.064

[GRAPHIC] [TIFF OMITTED] T8530.065

[GRAPHIC] [TIFF OMITTED] T8530.066

[GRAPHIC] [TIFF OMITTED] T8530.067

[GRAPHIC] [TIFF OMITTED] T8530.068

[GRAPHIC] [TIFF OMITTED] T8530.069

[GRAPHIC] [TIFF OMITTED] T8530.070

[GRAPHIC] [TIFF OMITTED] T8530.071

[GRAPHIC] [TIFF OMITTED] T8530.072

[GRAPHIC] [TIFF OMITTED] T8530.073

[GRAPHIC] [TIFF OMITTED] T8530.074

[GRAPHIC] [TIFF OMITTED] T8530.075

[GRAPHIC] [TIFF OMITTED] T8530.076

[GRAPHIC] [TIFF OMITTED] T8530.077

[GRAPHIC] [TIFF OMITTED] T8530.078

[GRAPHIC] [TIFF OMITTED] T8530.079

[GRAPHIC] [TIFF OMITTED] T8530.080

[GRAPHIC] [TIFF OMITTED] T8530.081

[GRAPHIC] [TIFF OMITTED] T8530.082

[GRAPHIC] [TIFF OMITTED] T8530.083

[GRAPHIC] [TIFF OMITTED] T8530.084

[GRAPHIC] [TIFF OMITTED] T8530.085

[GRAPHIC] [TIFF OMITTED] T8530.086

[GRAPHIC] [TIFF OMITTED] T8530.087

[GRAPHIC] [TIFF OMITTED] T8530.088

[GRAPHIC] [TIFF OMITTED] T8530.089

[GRAPHIC] [TIFF OMITTED] T8530.090

[GRAPHIC] [TIFF OMITTED] T8530.091

[GRAPHIC] [TIFF OMITTED] T8530.092

[GRAPHIC] [TIFF OMITTED] T8530.093

