[Senate Hearing 113-305]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 113-305


                 SAFEGUARDING CONSUMERS' FINANCIAL DATA

=======================================================================



                                HEARING

                               before the

                            SUBCOMMITTEE ON
                            
         NATIONAL SECURITY AND INTERNATIONAL TRADE AND FINANCE

                                 of the

                              COMMITTEE ON
                              
                   BANKING, HOUSING, AND URBAN AFFAIRS
                   
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                                   ON

 EXAMINING THE PROCEDURES FOR OVERSEEING DATA SECURITY AND BREACHES OF 
DATA SECURITY BY THE UNITED STATES SECRET SERVICE AND THE FEDERAL TRADE 
                               COMMISSION

                               __________

                            FEBRUARY 3, 2014

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs


                 Available at: http://www.fdsys.gov/

 
                                    ______

                      U.S. GOVERNMENT PUBLISHING OFFICE 

88-374 PDF                    WASHINGTON : 2015 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
                          



            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                  TIM JOHNSON, South Dakota, Chairman

JACK REED, Rhode Island              MIKE CRAPO, Idaho
CHARLES E. SCHUMER, New York         RICHARD C. SHELBY, Alabama
ROBERT MENENDEZ, New Jersey          BOB CORKER, Tennessee
SHERROD BROWN, Ohio                  DAVID VITTER, Louisiana
JON TESTER, Montana                  MIKE JOHANNS, Nebraska
MARK R. WARNER, Virginia             PATRICK J. TOOMEY, Pennsylvania
JEFF MERKLEY, Oregon                 MARK KIRK, Illinois
KAY HAGAN, North Carolina            JERRY MORAN, Kansas
JOE MANCHIN III, West Virginia       TOM COBURN, Oklahoma
ELIZABETH WARREN, Massachusetts      DEAN HELLER, Nevada
HEIDI HEITKAMP, North Dakota

                       Charles Yi, Staff Director

                Gregg Richard, Republican Staff Director

                       Dawn Ratliff, Chief Clerk

                      Kelly Wismer, Hearing Clerk

                      Shelvin Simmons, IT Director

                          Jim Crowell, Editor

                                 ______

 Subcommittee on National Security and International Trade and Finance

                   MARK R. WARNER, Virginia, Chairman

             MARK KIRK, Illinois, Ranking Republican Member

SHERROD BROWN, Ohio                  JERRY MORAN, Kansas
JOE MANCHIN III, West Virginia

                Milan Dilal, Subcommittee Staff Director

        Lindsey Johnson, Republican Subcommittee Staff Director

                                  (ii)

                            C O N T E N T S

                              ----------                              

                        MONDAY, FEBRUARY 3, 2014

                                                                   Page

Opening statement of Chairman Warner.............................     1

Opening statements, comments, or prepared statements of:
    Senator Kirk.................................................     3
        Prepared statement.......................................    35

                               WITNESSES

William Noonan, Deputy Special Agent in Charge, Secret Service, 
  Criminal Investigative Division, Cyber Operations Branch.......     4
    Prepared statement...........................................    36
Jessica Rich, Director, Bureau of Consumer Protection, Federal 
  Trade Commission...............................................     5
    Prepared statement...........................................    43
    Response to written questions of:
        Senator Kirk.............................................    75
James A. Reuter, Executive Vice President, FirstBank, on behalf 
  of the American Bankers Association............................    18
    Prepared statement...........................................    48
    Response to written questions of:
        Senator Kirk.............................................    77
Mallory Duncan, General Counsel and Senior Vice President, 
  National Retail Federation.....................................    19
    Prepared statement...........................................    54
    Response to written questions of:
        Senator Kirk.............................................    79
Edmund Mierzwinski, Consumer Program Director, U.S. PIRG.........    21
    Prepared statement...........................................    63
Troy Leach, Chief Technology Officer, PCI Security Standards 
  Council........................................................    22
    Prepared statement...........................................    69
    Response to written questions of:
        Senator Kirk.............................................    81

              Additional Material Supplied for the Record

Letter from the Independent Community Bankers of America.........    86
Letter from the National Association of Federal Credit Unions....    88
Letter from The ClearingHouse....................................    92
Letter from the Credit Union National Association................    94


                                 (iii)

 
               SAFEGUARDING CONSUMERS' FINANCIAL DATA

                              ----------                              


                        MONDAY, FEBRUARY 3, 2014

U.S. Senate, Subcommittee on National Security and 
                   International Trade and Finance,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Subcommittee met at 3:05 p.m. in room SD-538, Dirksen 
Senate Office Building, Hon. Mark Warner, Chairman of the 
Subcommittee, presiding.

          OPENING STATEMENT OF SENATOR MARK R. WARNER

    Senator Warner. I call to order this hearing of the 
National Security and International Trade and Finance 
Subcommittee titled, ``Safeguarding Consumers' Financial 
Data.'' I am going to go ahead and introduce the two witnesses 
now and then make a brief opening statement and see if Senator 
Kirk is here to make an opening statement. Since we have got 
two panels, if my colleagues do not mind, we will go straight 
then to let our witnesses give their presentations because we 
have got--this is a subject that has generated an enormous 
amount of interest, and I am very appreciative of both the 
panels.
    In the first panel, we are going to hear from Mr. William 
``Bill'' Noonan, who is the Deputy Special Agent in Charge of 
Secret Service's Criminal Investigative Division, Cyber 
Operations. In this position he oversees the Service's cyber 
portfolio. He has over 20 years of Federal Government 
experience. Throughout his career he has initiated and managed 
high-profile transnational fraud investigations which involve 
network intrusions and the theft of data and intellectual 
property from financial institutions and Government systems. 
Welcome, Mr. Noonan.
    Ms. Jessica Rich is the Director of the Bureau of Consumer 
Protection at the FTC. She has held a number of senior 
positions at the FTC, including Associate Director in charge of 
the Division of Financial Practices and Assistant Director of 
the Division of Privacy and Identity Protection. She joined the 
FTC as a staff attorney more than 20 years ago. Welcome, Ms. 
Rich.
    This is a subject that has garnered a lot of public 
attention recently, and I think as somebody who spent still a 
longer career in technology than I have in Government, this is 
an area that I think is going to--we are going to see an 
exponential rise in consumer interest, press interest, and 
others as we try to get our arms around a challenge that is 
only going to grow in terms of all of our lives.
    In recent weeks we have heard of massive data breaches at 
Target, Neiman Marcus, and other retailers. For example, at 
Target alone more than 40 million cards were compromised, and 
up to an additional 70 million consumers' other information was 
taken. So not only were the cards taken, but people whose 
cards' data was not taken, their data was compromised as well.
    Let me make clear that while we will talk about these 
particular retailers, this is not a witch hunt, at least from 
my perspective, about any particular retailers' actions or 
inactions. Quite honestly, I think we are going to see--and I 
know from my role in the Intel Committee, this is a crime that 
happens daily to financial institutions and retailers at a 
level that, frankly, if most Americans realized, I think would 
find rather confounding.
    I at one point had a much longer statement, but, you know, 
there are three areas that I think we need to focus on. As we 
sort through this issue, we need to understand that we do not 
need another--I do not need, at least--long-term fight between 
the bankers, the retailers, and the card industry. Many of us 
up here have gone through the challenges rightfully felt around 
the interchange battles, but a repeat of that kind of delay in 
getting a solution serves no one. The hackers in Russia, China, 
Ukraine, and throughout the world are not waiting for America 
to get its act together on this issue. They are continuing to 
strike us every day.
    To better protect consumers, our financial institutions, 
the networks, and merchants should work together to continue to 
innovate on antifraud technology. As I said, the public cannot 
afford a year or multiple years of legislative battles like we 
saw over interchange fees. Every minute of every day the 
hackers and the cyber thieves are attacking our 
vulnerabilities.
    Second, as somebody who has spent a career in technology, 
in many ways this is fundamentally a technology problem, and 
technology can provide part of the solution. We have already 
seen data that shows that the card protection system used in 
Europe, the so-called chip-and-PIN system, is much more 
effective than what we have at present in the United States, in 
terms of the swipe system, in terms of preventing fraud at 
point of sale. But we should not assume that any single 
technology is a silver bullet solution. Technology, as we all 
know, will continue to evolve on a weekly/monthly basis, and we 
have to continue to stay ahead. As a matter of fact, we have 
seen in Europe that while the chip-and-PIN system dramatically 
decreased, for example, in the U.K. the amount of fraud and 
cyber theft at point of sale, we saw a dramatic increase then 
in online fraud and cyber attacks. So I hope we are able to 
discuss technology solutions, not just chip and PIN, but as we 
look, for example, on the online issue, I think there is 
enormous promise in this emerging field of tokenization, which 
can provide a more encrypted solution set not just for point of 
sale but for other solution sets.
    Let me say again we are not here to endorse any specific 
technology product or services, but, again, I think this is an 
area where we need great collaboration.
    Third, Government has a role to play. Industry has a role 
to play. But as consumers, we need to be more vigilant as well. 
Consumer financial exposure is more limited with credit cards. 
Here is industry personal debit. I will try to hold the numbers 
back a little bit. But I have to tell you, until a few weeks 
ago I did not realize that my debit card protections are not as 
great as my credit card products. I will let the record show 
that I do not show the numbers on the other side. But that even 
with debit card protections, there are--with this challenge 
around debit card protections, we have got to see if we can 
perhaps look at raising those standards to at least equaling 
credit cards. Debit card use has been growing like mad, 
transactions tripling since 2003. And, again, I think we look--
I think about my kids who have debit cards, and large portions 
of the underserved community use debit cards. They are going to 
be a fact of life, and we have to figure out a way to sort that 
through.
    And, finally, I think while we talk about--one of the most 
frightening things that I heard as I sorted through this and we 
are thinking about cards and protecting consumer privacy, in 
many ways we have focused so far on the challenge around 
protecting credit cards and debit cards, but the real potential 
exposure we have is if people can actually get into our bank 
account or online transactions that we all do more and more 
online banking and other services. That offers an area where 
there are very few protections at this point and almost 
unlimited liability for consumers.
    So one of the challenges we have is, yes, we have got a 
role for industry, we have got a role for Government, but we 
all have a role as Americans to make sure you take that extra 
protection to occasionally change your PIN number, to make sure 
you never reveal your bank account information number, that you 
constantly report if you feel like there has been instances of 
fraud. This is a role that all Americans are going to have to 
play a continued increased vigilance in.
    With that, I will ask for any opening comments from my 
friend Senator Kirk, and then we will go to the witnesses.

                 STATEMENT OF SENATOR MARK KIRK

    Senator Kirk. I thank you for having this hearing, Senator. 
Mr. Chairman, I would just put a face to this crime that we are 
talking about. Albert Gonzalez--if you could hold that up--was 
convicted in 2010 of stealing 40 million credit card records 
that he made so much money off this he even bought his own 
Italian island off the profits. He is now serving 20 years in 
prison, and that is in line with the legislation that I will be 
introducing that calls for a 25-year Federal minimum mandatory 
for the theft of a million records or more, just to say to 
whoever would do this in a massive scare, good-bye, you are off 
to prison for a significant portion of your life. I am looking 
for bipartisan cosponsors.
    Senator Warner. Well, I think that the question of 
enforcement has got to be an area that we focus on. I think 
there will be some bipartisan interest in it.
    All right. With that, again, I look forward to an exciting 
and robust discussion. And, Mr. Noonan, if you want to start, 
and then we will go to Ms. Rich.

 STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE, 
    SECRET SERVICE, CRIMINAL INVESTIGATIVE DIVISION, CYBER 
                       OPERATIONS BRANCH

    Mr. Noonan. Good afternoon, Chairman Warner, Ranking Member 
Kirk, and distinguished Members of the Subcommittee. Thank you 
for the opportunity to testify on behalf of the Department of 
Homeland Security regarding the ongoing trend of criminals 
exploiting cyberspace to obtain sensitive financial and 
identity information as part of a complex criminal scheme to 
defraud our Nation's payment systems.
    Our modern financial system depends heavily on information 
technology for convenience and efficiency. Accordingly, 
criminals, motivated by greed, have adapted their methods and 
are increasingly using cyberspace to exploit our Nation's 
financial payment systems to engage in fraud and other illicit 
activities. The widely reported data breaches of Target and 
Neiman Marcus are just recent examples of this trend. The 
Secret Service is investigating the recent breaches, and we are 
confident we will bring these criminals responsible to justice.
    However, data breaches like the recent events are part of a 
long trend. In 1984, Congress recognized the risks posed by 
increasing use of information technology and established 18 
U.S.C. Sections 1029 and 1030 through the Comprehensive Crime 
Control Act. These statutes defined access device fraud and 
misuse of computers as Federal crimes and explicitly assigned 
the Secret Service authorities to investigate these crimes.
    In support of the Department of Homeland Security's mission 
to safeguard cyberspace, the Secret Service investigates cyber 
crime through the efforts of our highly trained special agents 
and the work of our growing network of 33 Electronic Crimes 
Task Forces, which Congress has assigned the mission of 
preventing, detecting, and investigating various forms of 
electronic crimes.
    As a result of our cyber crime investigations, over the 
past 4 years the Secret Service has arrested nearly 5,000 cyber 
criminals. In total, these criminals were responsible for over 
$1 billion in fraud losses, and we estimate our investigations 
prevented over $11 billion in fraud losses.
    Data breaches like the recently reported occurrences are 
just one part of a complex scheme executed by organized cyber 
crime. These criminal groups are using increasingly 
sophisticated technology to conduct a criminal conspiracy 
consisting of five parts:
    One, gaining unauthorized access to computer systems 
carrying valuable protected information; two, deploying 
specialized malware to capture and exfiltrate this data; three, 
distributing or selling the sensitive data to their criminal 
associates; four, engaging in sophisticated and distributed 
frauds using the sensitive information obtained; and, five, 
laundering the proceeds of their illicit activity.
    All five of these activities are criminal violations in and 
of themselves, and when conducted by sophisticated 
transnational networks of cyber criminals, this scheme has 
yielded hundreds of millions of dollars in illicit proceeds.
    The Secret Service is committed to protecting our Nation 
from this threat. We disrupt every step of their five-part 
criminal scheme through proactive criminal investigations, the 
defeat of these transnational cyber criminals through 
coordinated arrests, and seizure of assets. Foundational to 
these efforts are our private industry partners as well as 
their close partnerships with State, local, Federal, and 
international law enforcement. As a result of these 
partnerships, we were able to prevent many cyber crimes by 
sharing criminal intelligence regarding the plans of cyber 
criminals and minimizing financial losses by stopping their 
cyber criminal schemes.
    Through the Department's National Cybersecurity and 
Communications Integration Center, the NCCIC, the Secret 
Service also quickly shares technical cybersecurity information 
while protecting civil rights and civil liberties in order to 
allow organizations to reduce their cyber risks by mitigating 
technical vulnerabilities. We also partner with the private 
sector and academia to research cyber threats and publish 
information on cyber crime trends through reports like the CERT 
Insider Threat Study, the Verizon Data Breach Investigations 
Report, and the Trustwave Global Security Report.
    The Secret Service has a long history of protecting our 
Nation's financial system from threats. In 1865, the threat we 
were founded to address was that of counterfeit currency. As 
our financial payments system has evolved from paper to 
plastic, now digital information, so too has our investigative 
mission. The Secret Service is committed to protecting our 
Nation's financial system even as criminals increasingly 
exploit it through cyberspace.
    Through the dedicated efforts of our Electronic Crimes Task 
Forces and by working in close partnership with the Department 
of Justice, in particular the Criminal Division and the local 
U.S. Attorney's Offices, the Secret Service will continue to 
bring cyber criminals that perpetrate major data breaches to 
justice.
    Thank you for the opportunity to testify on this important 
topic, and we are looking forward to your questions.
    Senator Warner. Thank you.
    Ms. Rich.

    STATEMENT OF JESSICA RICH, DIRECTOR, BUREAU OF CONSUMER 
              PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Rich. Chairman Warner, Ranking Member Kirk, and Members 
of this Committee, I am Jessica Rich, Director of the Bureau of 
Consumer Protection at the Federal Trade Commission. I really 
appreciate this opportunity to present the Commission's 
testimony on data security.
    In today's interconnected world, personal information is 
collected from consumers wherever they go. From the workplace 
to shopping for groceries, from our smartphones to browsing the 
Web at home, virtually every action we take involves the 
collection of information, some of it very sensitive. Many of 
these data uses have clear benefits, but the recent spate of 
data breaches are a strong reminder that they also create risks 
for consumers. Hackers and others seek to exploit 
vulnerabilities to obtain and misuse consumers' personal 
information. And all of this takes place against the backdrop 
of the threat of identity theft, a pernicious crime that harms 
both consumers and businesses.
    The Bureau of Justice Statistics estimates that over 16 
million people were victims of identity theft in 2012 alone. 
The FTC is committed to protecting consumer privacy and data 
security in the private sector. Since our first data security 
case in 2001, the FTC's data security program has been a 
strong, bipartisan effort that includes law enforcement, 
education, and policy initiatives.
    The FTC enforces several laws that protect consumer data. 
Under the FTC Act, the agency can take action against companies 
that engage in deceptive or unfair practices, including 
deceptive or unfair data security practices. The FTC also 
enforces several laws that require special protections in 
certain business sectors--in the credit reporting industry, 
among financial institutions, and also among online services 
for our kids.
    In enforcing these laws and investigating patient data 
security failures, the Commission recognizes that there is no 
such thing as perfect security and instead examines whether 
companies have undertaken reasonable procedures to protect 
consumer data from the risk of identity theft and other misuse.
    Since 2001, the FTC has used its authority to obtain 
settlements with businesses--to obtain 50 settlements with 
businesses that failed to provide these protections. The FTC's 
best-known case may be its 2006 action against ChoicePoint, a 
data broker that allegedly sold sensitive information about 
more than 160,000 consumers to thieves posing as ChoicePoint 
clients. The Commission alleged that ChoicePoint failed to use 
reasonable procedures to screen prospective purchasers of 
consumer data and ignored obvious security red flags, resulting 
in at least 800 cases of identity theft.
    Before ChoicePoint, the FTC brought actions alleging 
security failures by such companies as Microsoft, Petco, Guess, 
BJ's Wholesale, and DSW Shoe Warehouse. And after ChoicePoint, 
the FTC has brought cases alleging security failures by such 
companies as TJX, Card Systems Solutions, Lexis/Nexis, 
LifeLock, CVS, Rite Aid, and HTC. Many of our cases spanning 
over the course of 14 years allege similar, commonly known 
vulnerabilities and security failures.
    In addition to enforcement, the Commission promotes strong 
data security through consumer education, business guidance, 
and policy initiatives. For example, our Web site contained 
guidance for consumers about what to do in the event of a 
breach. And perhaps our most important education piece is our 
guide to businesses about how to develop a strong data security 
program.
    Sitting here today with my colleague from the Secret 
Service, I want to emphasize that data security is a shared 
responsibility among many different entities and people, 
including the different law enforcement agencies that work in 
this area. The Commission has a long history of working closely 
with other Federal and State agencies on this important issue. 
For example, the FTC's LifeLock case was a joint action with 35 
State AGs, and the FTC received assistance from 39 State AGs in 
its case against TJX. We also worked jointly with the 
Department of Homeland Security in our cases against CVS and 
Rite Aid.
    The FTC also coordinates with criminal enforcement agencies 
such as the FBI and Secret Service. The goals of the FTC and 
the criminal agencies are complementary. Criminal actions seek 
to punish hackers and other intruders that steal customer data 
while FTC actions focus on shoring up security protections at 
companies to prevent intruders from getting inside in the first 
place.
    Let me conclude with a final point on data security 
legislation. Never has the need been greater. In its testimony, 
the Commission reiterates its bipartisan support for Federal 
legislation that would strengthen the FTC's existing authority 
governing data security and require companies to notify 
consumers when there has been a security breach.
    Thank you for the opportunity to testify here today. The 
Commission looks forward to continuing to work with Congress on 
this critical issue.
    Senator Warner. Thank you. Thank you both.
    I also should point out that last week I asked a question 
of DNI Clapper. He had made an estimate that cyber attacks on 
our economy were in excess of $300 billion worth of damage, and 
that was a last-year report. I asked him, he says that number 
is probably dramatically increased, and that was in public 
testimony last week. Obviously that goes beyond just the 
question of individual data breach. But this is an issue that, 
again, I believe is going to grow dramatically.
    I also understand, Mr. Noonan, that the Secret Service does 
not want to weigh in on specific technology solutions, chip-
and-PIN, EMV, tokenization. But we are going to need your 
cooperation at some point and guidance on how working with 
industry and whatever standards come about that we have got the 
most cutting-edge technology.
    I guess my first question for you, Mr. Noonan, is: Why is 
it that the Secret Service or even security bloggers are 
oftentimes the first to know about these attacks? I understand 
we have got industry PCI standards that are set, but, you know, 
this news keeps floating out more. The Target breach, to my 
understanding, originally floated from a blogger, and in one of 
these blogs, Brian Krebs said that they first identified the 
malware that was involved in the Target breach back in 2011. 
Why is it taking us so long to respond? And is that some 
constraint on you? Or is that not enough aggressive action from 
industry?
    Mr. Noonan. Sir, first you got into the fact that sometimes 
the Secret Service knows ahead of time about these breaches and 
we are able to bring it to the attention of different victims. 
So the fact that we do that, it is through proactive 
investigations where we are out sometimes ahead, determining 
and looking at data as it relates to financial industries. It 
is through partnerships that we have in the financial industry 
sector that is able sometimes to bring us data where we are 
able to go through and parse through that data, be able to find 
out where information is leaking into the criminal underground 
from. So, too, is the same way, I believe, that some 
journalists are able to get hold of some of that information as 
well.
    You also brought up the malware and the fact that it has 
been around since 2011. I think what we are discussing here is 
that it is the type of malware. So it is not necessarily that 
exact type of malware. Malware can be molded and changed per 
attack. Of course, these attackers are molding malware so it is 
not picked up through antivirus and through technical means 
that general IT security folks would have. So these are very 
sophisticated criminal actors that are not using just regular 
malware. They are modifying that malware for each particular 
high-tech attack when we are talking about an attack of this 
significance.
    Senator Warner. Well, I guess one of the things that I know 
my colleagues will want to press on, too--this is both for you 
and Ms. Rich. How do you get the standard right on when it 
becomes the duty of the company or the financial institution to 
report an incursion? You know, particularly since this evolves 
all the time, and, you know, I know there are standards set, 
but that has got to be constantly evolutionary. Do we have it 
right? Do you need more tools? Do we need to do this in--I 
believe we need to do this in collaboration with industry, 
setting a regulatory process that would be static in an area 
that moves this quickly. I would like to get you both quickly 
to weigh in on this, and then I have got one last quick 
question for Mr. Noonan. Ms. Rich, do you want to start?
    Ms. Rich. Well, the Commission supports Federal standards 
for both data security and breach notification. Right now there 
are State laws requiring breach notification, but no standard 
at the Federal level and no civil penalties. And while we have 
tools and we are using them to enforce--to address data 
security failures by companies, it would be extremely helpful 
to have a Federal law requiring data security, not just 
notification, with civil penalties.
    Senator Warner. How do you make sure that laws can evolve 
quickly enough so you do not--if you think about NIST or other 
standards, it sometimes takes 7 years to evolve. This is a 
field that changes on a monthly basis.
    Ms. Rich. We believe that the legal requirements should 
require a process for developing appropriate data security so 
that the specific technical standards can evolve and perhaps be 
implemented through self-regulation or industry standards. But 
we do have one regulation in the financial area that is already 
a model for this called the Gramm-Leach-Bliley safeguards rule 
that really sets forth a process. You have to put somebody in 
charge, you know, your chief technology officer. You have to do 
a formal risk assessment. You have to then implement safeguards 
in key areas of risk, such as employee training, network and 
physical security, service providers, et cetera. And it sets 
out a process like that, and we are able to use that as a tool 
for enforcement without mandating levels of encryption and 
things that change over time.
    Senator Warner. Mr. Noonan, could you add--and I want to 
respect all my colleagues' time. Could you also identify for 
us--we saw in the Target public indications that it might have 
been from Ukraine, but where some of these criminal activities 
seem to be generating from? And then we will move to Senator 
Kirk.
    Mr. Noonan. Sure, sir. Many of these international, 
transnational cyber criminals are attacking us from Eastern 
Europe. I do not want to say that it is one country versus 
another country. What we are seeing is that largely the cyber 
criminal world is using the Russian-speaking language--I say 
Russian speaking in the fact that they are using the Russian 
language as an operational security. So that is the piece that 
the criminal underworld is using to hide themselves from U.S. 
law enforcement.
    Senator Warner. Senator Kirk?
    Senator Kirk. A real quick question for Mr. Noonan. You 
describe the general Russian origin of a lot of these attacks. 
Could you describe your international cooperation with Russian 
law enforcement on this issue?
    Mr. Noonan. There have been many events where we have 
worked with the Russian law enforcement to some degree of 
cooperation. There are times----
    Senator Kirk. Vladimir Putin is not exactly our best 
friend. Could you give a grade to the level of cooperation that 
we have received for----
    Mr. Noonan. Yes, sir. We do most of our work through the 
Office of International Affairs and through DOJ's computer 
hacking--or CCIPS, Computer Crimes and Intellectual Property 
Section. And, generally, the cooperation that we deal with with 
the Russian authorities is generally through that mechanism, 
through the CCIPS 24/7 notification process to get the process 
taken care of in the Russian Federation.
    Senator Kirk. The only quick follow-up I would say, have 
you had any extraditions from Russia?
    Mr. Noonan. Negative, sir. We have not had any extraditions 
from Russia.
    Senator Kirk. Thank you, Mr. Chairman.
    Senator Warner. Senator Warren.
    Senator Warren. Thank you, Mr. Chairman, Ranking Member. 
Thank you for holding this hearing.
    All of us have constituents who are affected by these data 
breaches, and I think it is clear that the data protections we 
have in place now are not enough. In 2012, 16.6 million people, 
7 percent of the adult population, in a single year were 
victims of identity theft. It is a huge number. So I would like 
to get a better sense of how these laws are enforced.
    The FTC has authority to go after companies that engage in 
either deceptive or unfair practices. I want to break those two 
out, if I can.
    Ms. Rich, can you describe what a company must do with 
regard to its data security standards for the FTC to bring a 
claim for deceptive practices?
    Ms. Rich. Well, our deception authority focuses on making 
statements or omitting information that is material, and so our 
cases in this area generally involve statements that can be 
express--you know, ``We encrypt our data to the highest levels 
of blah, blah, blah''--or implied, ``We really care about your 
data security, the security of your data, and if you give data 
to us, nothing bad will come of it.'' And we look to see if 
those claims are true by asking a lot of questions, getting 
data, doing hearings with officials at companies, and 
consulting with experts to determine whether those claims are 
true.
    Senator Warren. OK. Ms. Rich, let me just clarify this. If 
a company's security standards are inadequate but the company 
says nothing about them, then the FTC is powerless, at least 
under its authority, to go after deceptive practices. Is that 
right?
    Ms. Rich. We have two prongs of our Section 5 authority, 
and the other is unfairness.
    Senator Warren. I am going to come to unfairness in just a 
minute. I just want to find out how helpful ``deceptive'' is 
for a company that has totally inadequate data protection 
standards. And I just want to clarify. I think what you are 
saying to me is if the company never says they have great data 
protection standards, then the answer is, under the deceptive 
prong, the FTC has no authority to go after this company. Is 
that right?
    Ms. Rich. That is absolutely right, and that is one of the 
reasons that we are supporting general data security 
legislation. But let me say we do also have unfairness 
authority and----
    Senator Warren. So I am going to come there.
    Ms. Rich.----and we use our deception authority to look at 
not just what is stated in a privacy policy, but what the 
company may claim in the context of its interaction with 
consumers, including implied claims such as a seal.
    Senator Warren. OK. But under your authority to go after 
deceptive practices, I understand that the FTC has settled 
about 30 data security cases since 2002. That would be about 3 
per year. So I think it is fair to say that is not very many 
given the number of data breaches that we have seen over the 
last decade.
    Ms. Rich. Well, I would emphasize that there is not strict 
liability for a breach. When a breach happens, we look at the 
underlying practices and not whether there was a breach and 
then we automatically bring a case. And I would also emphasize 
that we believe our 30 deception cases and our 20 unfairness 
cases provide very strong general deterrence as well as 
specific deterrence, especially given the kind of remedies we 
seek. And we do believe that our work in this area has brought 
a lot of attention to the need to secure data and has made a 
difference in raising the stakes. But we do need more tools.
    Senator Warren. Well, so let us talk about that just a 
little more. In addition to the 30 cases you have brought over 
the course of a decade under deceptive practices, I just want 
to ask you about unfair practices. Can you describe what a 
company must do with regard to data security standards for the 
FTC to bring a claim for unfair practices?
    Ms. Rich. Well, we have a three-prong test that we need to 
meet to use our unfairness authority, and one of those is 
substantial injury. But in many of these breach and--well, 
these data failure cases--again, it is not strict liability for 
breach--we have met that standard and we, therefore, have 
brought those cases.
    Senator Warner. So I understand--and if I am understanding 
this correctly, you are describing a fairly demanding standard 
since, as you say, it is more than breach, more than the fact 
that people have been injured, more than the fact that a 
company had very lax standards. In fact, as I understand it, 
there is a great deal--there is some question around the FTC's 
authority in this area, which may be why you have used unfair 
practices in only 20 cases over 10 years.
    I just want to say I think this is a real problem that the 
FTC's enforcement authority in this area is so limited. The FTC 
should have the enforcement authority it needs to protect 
consumers, and it looks like to me it does not have that 
authority right now. Data security problems are not going to go 
away on their own, so Congress really needs to consider whether 
to strengthen the FTC's hand.
    Thank you, Mr. Chairman.
    Senator Warner. Thank you, Senator Warren. I think an 
interesting line of questioning, and I do think, you know, we 
oftentimes see--you may have a series of players in an industry 
who are meeting those standards. The challenge is you may have 
that one weak link, and the whole industry sector could be 
infected because of the weak link. So I think there should be 
some more ability to collaborate here.
    Senator Johanns.
    Senator Johanns. Thank you, Mr. Chairman.
    Let me start out in the international front, if I could, 
and maybe follow up on Senator Kirk's questions a little bit. 
Is there any data available that would illustrate to us what 
percentage of attacks come from someplace outside of the United 
States? Is that data available? Either one of you. Go ahead, 
Mr. Noonan.
    Mr. Noonan. Sure, I am certain that it is. I will have to--
if you do not mind, I can respond back to you in writing at 
some point.
    Senator Johanns. Yes. Just for the purposes of the hearing, 
would it be the majority of attacks, do you think?
    Mr. Noonan. I would say a majority of the significant 
attacks, sir, are from outside our borders.
    Senator Johanns. And to put a finer point on that, would 
the majority of attacks then be coming out of Eastern Europe 
that are foreign attacks?
    Mr. Noonan. Yes, sir, that is the belief of the Secret 
Service.
    Senator Johanns. Now, in terms of the cooperation that we 
get out of that part of the world, can you think of any case at 
all where there has been an extradition from Eastern Europe 
where a hacker was sent to the United States for prosecution, 
any case?
    Mr. Noonan. Yes, just recently we had a case out of 
Romania.
    Senator Johanns. Romania?
    Mr. Noonan. Yes, sir.
    Senator Johanns. Is that rare?
    Mr. Noonan. With the Romanian authorities, we are working 
very, very closely with them at this point. So it is not rare 
on that occasion. But in other countries within Eastern Europe, 
potentially it could be rare, yes.
    Senator Johanns. What I am getting to--and I am not trying 
to be coy here--is that it looks to me like Eastern Europe or 
substantial parts of Eastern Europe are a sanctuary if you are 
a hacker, because the chances of being sent over here to face 
prosecution and conviction and jail time are probably 
nonexistent. Would you agree with that statement?
    Mr. Noonan. Yes, I would agree.
    Senator Johanns. That is kind of a bad deal, no matter how 
secure you are, because at the end of the day, if those folks 
are not facing the possibility of prosecution, they are just 
going to keep going.
    Mr. Noonan. Yes. However, we do have some very strong 
partnerships within some of the countries over in Eastern 
Europe, which it is through those collaborative efforts that we 
are making gains against a number of the cyber criminals. So to 
say that we do not have cooperation in Eastern Europe is not 
100 percent accurate.
    Senator Johanns. Sure.
    Mr. Noonan. It is through many of the different law 
enforcement authorities that we do have a strong collaborative 
effort in moving toward some of these cyber criminals and 
identifying who these actors are and learning more about their 
networks.
    Senator Johanns. Right. Let me, if I might, focus on breach 
notification, because I think from the consumer's standpoint, 
that is critical. You know, as consumers we want to have the 
ability to trace a hacker to Romania or wherever. But the one 
thing that we do have is, if we are given notification, that we 
have the ability to stop using the card or tear it up or notify 
our creditors. We can be proactive.
    Ms. Rich, how important would you say breach notification 
is in our effort to protect consumers?
    Ms. Rich. I think for the very reasons you say, it is 
extremely important, which is why we support a law at the 
Federal level with civil penalties.
    Senator Johanns. How do we do that--and I do not want to 
get into a sensitive area, but this is a sensitive area. As a 
former Cabinet member, I can tell you I know we had millions of 
records from citizens that contain sensitive information: 
Social Security numbers, date of birth, residence address, on 
and on and on. And I will also add that oftentimes the Federal 
Government's security system is not the best. I wish it was, 
but it is not the best. And it could be the health care law, it 
could be the VA, it could be the Department of Agriculture, it 
could be a whole host of things.
    What mandate do we have on the Federal Government that if 
my information, at whatever department, has been compromised, 
somebody is going to let me know that?
    Ms. Rich. You mean what laws govern the Federal 
Government's collection of information?
    Senator Johanns. Yes.
    Ms. Rich. There are laws that require--a number of laws 
that require data security among Federal Government agencies as 
well as breach notification. I am not completely familiar with 
the details of all of those, but I know that if any breach 
happens in my Bureau, who we are supposed to report it to.
    Senator Johanns. Do you know of any breach notification 
requirements in the health care law?
    Ms. Rich. I am not familiar with all the details of the 
health care law. But I did want to add, on the point you were 
making about Eastern Europe, that because there are always 
going to be criminals and they may be coming from countries 
where it is very difficult to trace, that is why it is this 
partnership, this joint effort among different approaches and 
different agencies. We cannot just count on criminal 
enforcement. It is very important that companies also shore up 
their systems as much as they can against attacks. We need to 
attack this problem from different angles.
    Senator Johanns. Thank you, Mr. Chairman.
    Senator Warner. Thank you, Senator.
    Senator Tester.
    Senator Tester. Thank you, Mr. Chairman. Thank you for 
holding this hearing.
    As long as we are talking about breach, we will flesh it 
out a little more. The breach I think you were talking about 
with Senator Johanns was between the financial institution and 
the card holder. Are there any breach requirements between the 
retailer and the financial institution or the retailer and your 
office, Mr. Noonan, or your office, Ms. Rich?
    Ms. Rich. There are State laws that require breach 
notification that may apply to retailers, but there is no 
Federal breach notification law.
    Senator Tester. OK. So there are no breach requirements 
across the board, whether it is to the card holder or between 
the retailer and the banks, or the retailer and the 
investigative services, or the banks and the investigative 
services. There are no breach requirements across the board?
    Mr. Noonan. Again, not that I am aware of.
    Senator Tester. Could you tell me when the breach happened 
on Target?
    Mr. Noonan. The breach at Target is still an ongoing 
investigation.
    Senator Tester. No, but when did it actually happen? When 
did the breach happen? Maybe it is an unfair question. When did 
the actual attack to their database happen? What date?
    Mr. Noonan. Again, it is an active investigation, so we 
cannot necessarily get into the specifics at this point.
    Senator Tester. So you cannot tell me how much time it was 
before you found out about it to be able to start your 
investigation and when the breach actually happened?
    Mr. Noonan. No, I cannot at this point.
    Senator Tester. It was a period of time, though.
    Mr. Noonan. Actually----
    Senator Tester. It was not immediate?
    Mr. Noonan. It is through proactive--I will get back to it 
in a moment if I can----
    Senator Tester. I do not want to put you on the spot. You 
can just say you could take the Fifth, if you want. It does not 
matter.
    [Laughter.]
    Senator Tester. OK.
    Senator Warner. Senator, it has been in the public at least 
from, I think, November 27th to December 15th, and then there 
was an announcement on December 19th.
    Senator Tester. I got that. My concern is this: there needs 
to be breach notification across the board so you can get to 
the bottom of it, because I think time is literally money in 
this situation. And if there is a breach that happens and that 
retailer withholds the information, or for some reason the 
banking institution may want to disclose information--I do not 
know why, but--I do not know why either one would want to, 
quite frankly. But you guys need to know about it immediately 
so you can start finding out where the bad guys are that did it 
if we are going to get to the bottom of it, right?
    Mr. Noonan. Yes, sir.
    Senator Tester. OK. Mr. Noonan, your testimony focused 
really on the retail industry as a point of entry for the 
criminals, and you highlighted investigations of a number of 
retail networks where cyber criminals were able to install 
programs to be able to capture information from retailers. And 
it has been already talked about by the Chairman. There were 40 
million cards, 70 million personal--people with personal 
information that was given out. Could you tell me why a 
retailer would be storing sensitive payment information on 
their own networks?
    Mr. Noonan. I do not know if--I do not believe in this case 
information on the cards were actually being stored on the 
network.
    Senator Tester. So how did they get them, then? How did 
they get the information?
    Mr. Noonan. The information was being collected as the data 
was going through the process.
    Senator Tester. OK. I got you. So how did they get the 70 
million?
    Mr. Noonan. It was a heavy period of collection time in 
which the data was being collected by the criminals.
    Senator Tester. OK. So the fact whether this was encrypted 
or not makes very little difference. I was under the assumption 
that this was on a database, the information was not encrypted. 
The folks that got into that database then encrypted the 
information and took it out.
    Mr. Noonan. There is more--I think you are getting this 
from the media perhaps. There is more to the investigation--
    Senator Tester. Of course.
    Mr. Noonan. Correct. Right.
    [Laughter.]
    Mr. Noonan. Right, and again, this is an ongoing 
investigation. I cannot talk about the specifics of exactly how 
that was being done.
    Senator Tester. OK. Ms. Rich, I want to talk a little bit 
about the enforcement that you have. Right now, I mean 
seriously speaking, of all the things you have to deal with, do 
you have any tools to work with that really work?
    Ms. Rich. We are doing a lot in this area. This is one of 
our areas of priority. We are bringing enforcement. We are 
doing education. We are using the bully pulpit----
    Senator Tester. I got you. I am not being critical of you. 
I am being critical of us.
    Ms. Rich. Well, we do want more tools. We do want more 
tools.
    Senator Tester. Yeah, and when was the last time your tools 
dealing with this issue were dealt with from a policy 
standpoint? I am talking about has there been a revamp of your 
tools dealing with data breaches in the last 10, 15, 20, 50 
years?
    Ms. Rich. We have received some new authority in this area, 
including we do have a data breach law for a narrow class of 
health entities, PHRs, personal health records. But for the 
most part--and Gramm-Leach-Bliley was passed in 1999 or 2000. 
But it has been awhile.
    Senator Tester. OK. We obviously have some work to do, Mr. 
Chairman. Thank you.
    Senator Warner. You are ceding back 30 seconds?
    Senator Tester. Efficiency, baby.
    [Laughter.]
    Senator Warner. Senator Menendez.
    Senator Menendez. Thank you, Mr. Chairman. I appreciate you 
holding this hearing. When these issues broke in December, 
Senator Schumer, myself, and yourself signed a letter to the 
Chairman of the full Committee asking for hearings, and I am 
glad that your Subcommittee is leading on this. And I 
understand the Chairman is going to broaden some of his call 
for hearings and include this topic. So this is extraordinarily 
important.
    Ms. Rich, I have two particular lines that I want to 
pursue. I think Senator Warren opened the door to something 
that I think is incredibly important, which is: What role 
should the FTC and the Federal Government create in standards? 
It seems to me that whatever high standard exists in the 
marketplace readily available in technology is one that we 
would want to have companies follow in order to ensure the 
security of millions of Americans' private information, 
critical information to themselves, to their credit histories, 
to retailers, to banking institutions. And so if a company--if 
we set a standard that basically says look what is available in 
the marketplace, we cannot expect a company that gets hacked 
and was already using the highest standards available in the 
marketplace to be held responsible. But if, in fact, there was 
a standard that was available and that company or companies 
were not using that standard, then we have to question whether 
or not they made an investment decision not to go ahead and 
expend the resources for that higher standard.
    So it seems to me that part of the question is--and I know 
that the private sector has largely worked on creating its own 
standards, but is there a role for the Federal Trade Commission 
and the Federal Government to set a standard that says, look, 
whatever is existing in the marketplace that, in fact, can be 
achieved to give the highest protection available should be the 
standard. And if you do not pursue that standard, then you are 
subject to consequences thereof?
    Ms. Rich. Well, that is incredibly similar to the way we 
think about it now when we talk about having reasonable 
security. So reasonable security means you take into account, 
you know, what is--what the risks are in your business, what 
kind of--what the sensitivity of information you collect, how 
much information you collect, and the cost and availability of 
measures that are out there in the marketplace. So that is 
exactly how we analyze it. And the good----
    Senator Menendez. The question is: Does the industry 
understand that they are going to be held to those standards? 
Because I do not get the sense that there is an obligation per 
se to be held to that higher standard.
    Ms. Rich. Well, one of the limitations we have in our work 
is we do not have civil penalties or the kind of sanctions that 
are needed to provide the right incentives to focus on this 
issue.
    Senator Menendez. But if we set a standard--I want to get 
to civil penalties in a moment, because I sent a letter to your 
Chairwoman, and she responded to me in that respect. If we set 
a standard that at least everybody has notice, here is what we 
expect of you; if we do not set standard, then we have a more 
amorphous process of deciding what is the right standard or 
not. And, of course, we should have industry input into that 
standard. But it seems to me that we should be setting a 
standard, because if we set a standard, then we have notice, 
the essence of due process, notice and opportunity to be heard, 
and then we go away with a standard. So I would like to pursue 
with the agency whether or not such a standard is important, 
Mr. Chairman.
    And, secondly, with reference to additional authorities, in 
my letter to Chairwoman Ramirez asking about the Commission's 
efforts in the past, I notice that there were never civil 
penalties, even though there were very large breaches--not as 
large as this one now, but large for their time. And it seems 
to me that she agreed that the authority to impose civil 
penalties would be a helpful tool to have in addition to 
current authorities like consumer restitution and disgorgement 
of ill-gotten gains.
    I do not think that is something that you want to levy 
against every company. I think that goes back to the standard. 
If you have the standard and you are pursuing the standard, you 
should not be subject to penalty. If you have a standard and 
you are not pursuing the standard, then civil penalties may be 
an option.
    Do you agree with that line of thinking?
    Ms. Rich. It is very important to have civil penalties as 
an available remedy to make sure there is both specific and 
general deterrence when there has been a failure.
    Senator Menendez. OK. And the reason, if I can, Mr. 
Chairman, finally, you know, your testimony reasserts the 
Federal Trade Commission's longstanding assertion borne out 
through case history that Section 5 of the FTC Act covers 
instances where a company fails to adequately protect consumer 
data. This assertion is based on the commonsense premise that 
customers have an understanding that companies will take 
reasonable steps to protect their data and failure to do so 
would be an unfair or deceptive practice. However, such 
companies as LabMD and Wyndham Worldwide have been challenging 
this assertion.
    So I think that if that is the case, that now they are 
going to challenge that assertion, it seems to me to call for 
not just voluntary efforts but to create a standard and 
consequences of that standard that can give Americans the best 
security that they can hope for. And I look forward to working 
with the Committee and with the FTC in that regard.
    Senator Warner. Thank you, Senator.
    One last comment. I know we probably all have other 
questions, but we have got a second panel, unless anybody wants 
to make one comment. Then if anybody has got a burning, burning 
question, we will go to the second panel. Just, you know, one--
following up on Senator Tester's comments, you know, trying to 
get the notion of your obligation to disclose when you have 
been breached, I think sorting that through is going to be a 
challenge, because there are so many attacks every day, and we 
have got to set a standard somewhere that you cross a 
threshold, so you do not want to--what I get concerned about is 
that you do not want to create the old--remember the Homeland 
Security color code system, which everybody proceeded to 
ignore. There has got to be a materiality piece in here 
somewhere.
    Senator Tester. I agree with you. On the other hand, if a 
business withholds that information because it is in the heart 
of Christmas shopping season----
    Senator Warner. Amen.
    Senator Tester.----and it might affect their bottom line----
    Senator Warner. Amen.
    Senator Tester.----they need to be hung out to dry.
    Senator Warner. Amen. Well, the other point, too, following 
up on Senator Menendez, an earlier point you made to Senator 
Warren I thought was an interesting one, where companies in the 
past have, in effect, put a seal or put some kind of Good 
Housekeeping Seal of Approval that may or may not be valid 
really troubles me greatly. But I thank both the witnesses, and 
we will move to the second panel. Thank you both.
    [Pause.]
    Senator Warner. If the panel does not mind, I am going to 
go ahead and start introducing you even as you are in the 
process of being seated. I am going to start introducing you 
once my staff gives me your introductions.
    Gentlemen, thank you. The first panel was focused on our 
governmental witnesses. Now we are going to focus more on 
industry and consumers.
    Mr. James Reuter?
    Mr. Reuter. Reuter.
    Senator Warner. Reuter, sorry. I should know that, like the 
news agency. He is Executive Vice President of FirstBank, 
located in Lakewood, Colorado, where he has been since 1987. He 
is also President of First Data Corps, which provides all IT 
and operational support services for more than 110 locations. 
Welcome, Mr. Reuter.
    Mr. Mallory Duncan is Executive Vice President and General 
Counsel of the National Retail Federation where he is 
responsible for coordinating strategic, legislative, and 
regulatory issues involving customer data privacy, bankruptcy, 
fair credit reporting, truth in lending. He previously worked 
for J.C. Penney and for the FTC.
    Mr. Troy Leach is the Chief--excuse me. Why don't we do Mr. 
Mierzwinski? Mr. Ed Mierzwinski is the Federal Consumer Program 
Director and Senior fellow for the U.S. PIRG, Public Interest 
Research Groups. He has worked in the Federal offices of U.S. 
PIRG since 1989 and is recognized as an expert in the wide area 
of consumer issues with an emphasis on financial services, 
banking, credit cards, credit reports, privacy, and identity 
theft. Thank you, sir.
    And Mr. Troy Leach is the Chief Technology Officer for the 
PCI Security Standards Council. This is the industry council 
that is setting the standards right now. In his role, Mr. Leach 
partners with industry leaders to develop comprehensive 
standards and strategies to secure payment, credit card data, 
supporting information. He has a long history in the private 
sector working on IT issues.
    Gentlemen, thank you all very much. You have got a panel 
that is anxious to ask you questions, so, Mr. Reuter, why don't 
you start? Then we will just go down the line and get to 
questions.

    STATEMENT OF JAMES A. REUTER, EXECUTIVE VICE PRESIDENT, 
    FIRSTBANK, ON BEHALF OF THE AMERICAN BANKERS ASSOCIATION

    Mr. Reuter. Chairman Warner, Ranking Member Kirk, and 
Members of the Subcommittee, my name is James Reuter, President 
of Support Services at FirstBank in Lakewood, Colorado. We are 
a $13 billion institution with over 115 locations and 2,000 
employees serving Colorado, Arizona, and California. My 
operation provides information technology, payment processing 
services, a 24-hour call center, and electronic banking 
services for 115 FirstBank locations. I appreciate the 
opportunity to be here to represent the ABA.
    Even with the recent breaches, our payments system remains 
strong and continues to support the $3 trillion that Americans 
spend safely and securely each year with their credit and debit 
cards, and with good reason: Customers can use these cards 
confidently because their banks protect them by investing in 
technology to detect and prevent fraud, reissuing cards and 
absorbing fraud costs.
    At the same time, these breaches have reignited the long-
running debate over consumer data security policy. The banking 
industry recognizes the importance of a safe and secure 
payments system to our Nation and its citizens. We thank the 
Subcommittee for holding this hearing and welcome the ongoing 
discussion.
    Let me be clear. Protecting customers is the banking 
industry's first priority. As the stewards of the direct 
customer relationship, the banking industry's overarching 
priority in breaches like that of Target's is to protect 
consumers and make them whole from any loss due to fraud. When 
a retailer like Target speaks of its customers having ``zero 
liability'' from fraudulent transactions, it is because our 
Nation's banks are making customers whole, not the retailer 
that suffered the breach. Banks swiftly research and reimburse 
customers for unauthorized transactions and normally exceed 
legal requirements by making customers whole within days of the 
customer alerting them.
    Beyond reimbursing customers for fraudulent purchases, 
banks often must reissue cards to affected customers. For our 
bank, this cost is $5 per card. In the end, banks receive 
pennies on the dollar for fraud losses and other costs incurred 
while protecting their customers. In fact, banks bear over 60 
percent of reported fraud losses, yet have accounted for less 
than 8 percent of reported breaches since 2005.
    More needs to be done to stop this kind of fraud in its 
tracks. Having a national data breach standard is an important 
step in this direction.
    In many instances, the identity of the retailer that 
suffered the breach is either not known or oftentimes 
intentionally not revealed by the source. Understandably, a 
retailer or other entity would rather pass the burden on to the 
affected consumers' banks rather than taking the reputational 
hit themselves. In such cases, the bank is put in the position 
of notifying their customers that their credit or debit card 
data is at risk without being able to divulge where the breach 
actually occurred. Often customers, absent better information, 
blame the bank for the breach itself and any inconvenience they 
are now suffering.
    Consumers' electronic payments are not confined by borders 
between States. As such, a national standard for data security 
and breach notification, as contained in Senate bill 1927, the 
Data Security Act of 2014, is of paramount importance. It is 
critical that all players in the payments system, including 
retailers, must improve their internal security systems as the 
criminal threat continues to evolve.
    Criminal elements are growing increasingly sophisticated in 
their efforts to breach the payments system. This disturbing 
evolution, as demonstrated by the Target breach, will require 
enhanced attention, resources, and diligence on the part of all 
payments system participants.
    Let me make one final point. Protecting the payments system 
is a shared responsibility. Banks, retailers, processors, and 
all participants in the payments system must share the 
responsibility of keeping the system secure. That 
responsibility should not fall predominantly on the financial 
services sector. Banks are committed to doing our share, but 
cannot be the sole bearer of that responsibility.
    Policymakers, card networks, and all industry participants 
have a vital role to play in addressing the regulatory gaps 
that exist in our payments system, and we stand ready to assist 
in that effort.
    Thank you, and I would be happy to answer any questions you 
might have.
    Senator Warren. [Presiding.] Mr. Duncan, please.

 STATEMENT OF MALLORY DUNCAN, GENERAL COUNSEL AND SENIOR VICE 
             PRESIDENT, NATIONAL RETAIL FEDERATION

    Mr. Duncan. Thank you, Senator Warren, Ranking Member Kirk, 
Members of the Subcommittee. Collectively, retailers spend 
billions of dollars safeguarding consumers' data and fighting 
fraud. Most of the U.S. data breaches we have seen--whether at 
retailers you have heard about or at banks and card companies, 
about which you have heard less--have been perpetrated by 
criminals. The companies are victims. We need to reduce fraud; 
that is, we should not be satisfied with deciding what to do 
after a data breach occurs--who to notify and how to assign 
liability. Instead, it is important to look at why such 
breaches occur and what the perpetrators get out of them so 
that we can find ways to reduce and prevent not only the 
breaches but the fraudulent activity that is often their goal.
    In its comprehensive 2013 data breach report, Verizon 
revealed that 37 percent of breaches happened at financial 
institutions, 24 percent at retail, and the remainder at 
others. It may be surprising to some given recent media 
coverage that more data breaches occur at financial 
institutions than at retailers, but thieves focus on banks 
because they have the most sensitive financial information. 
Still, fraud is devastating for retailers in the United States, 
and it is rising.
    In 2012, the United States accounted for nearly 30 percent 
of credit and debit card charges but 47 percent of all fraud 
losses. Who bears this cost? Independent studies vary. They say 
retailers bear anywhere from 90 percent to 40 percent of the 
payment card fraud costs. We think a fair assessment is that 
retailers pay about half.
    Why is card fraud increasing? Thieves go where the rewards 
are plentiful and easiest to obtain. Unfortunately, our card 
payment system is outdated and rife with opportunities for 
fraud.
    Despite the billions of dollars spent by merchants in hopes 
of becoming PCI compliant, we still must accept fraud-prone 
cards that are so attractive to data thieves. Unlike the rest 
of the world, U.S. cards still use a signature and magnetic 
stripe for authentication. The fraudsters rely on our system 
being so porous.
    What the card companies effectively say to merchants is 
that even though this sensitive information is visibly printed 
on the card, even though security information can be lifted off 
a magstripe by a reasonably sophisticated 12-year-old, and even 
though signatures are a virtually worthless form of 
authentication, it is your responsibility to guard that 
information at all costs. Retailers work very hard to do it, 
but the request does not really make sense.
    What is needed is for the networks and banks to issue cards 
that are not so easily compromised. At a minimum, we need to 
replace the signature with a PIN and the magstripe with a chip. 
Even that will not be state-of-the-art. After all, it is 
technology that is three-quarters of a generation old. But 
fraud dropped 70 percent when it was adopted in Britain, and 
fraud is growing here because we have not. We must adopt both 
PIN and chip. The PIN authenticates the card holder and, thus, 
helps protect her and the merchant. The chip authenticates the 
card to her bank. Together they greatly reduce fraud.
    The banks know this combination is very powerful. They 
promote it all over the world. Yet here in the United States 
they are proposing signature and chip cards, ``chip and 
choice,'' as one of them cutely calls it. It is an ineffective 
half measure, the locking of the back door while leaving the 
front door open. Why adopt a halfway measure? Merchants would 
still need to spend billions to install new equipment to read 
cards that would combine 1990s technology--chip--with 1960s 
relic--signature--in the face of 21st century threats. Frankly, 
if Congress is seriously concerned about protecting our payment 
card system against fraud, it ought to do oversight of any 
group that is seriously advancing this absurd solution.
    There are additional changes to the system that would be 
helpful and provide greater security. Point-to-point encryption 
of data is one, but it relies on banks and networks being able 
to accept encrypted data, and that has been a challenge.
    Chips are more advanced than magstripes, but their 
sophistication pales in comparison with a smartphone. Today 
smartphones are mini-computers. They could enable state-of-the-
art fraud protection, and if payment platforms are open and 
competitive, they will only get better.
    As to legislative solutions, we lay out a number of 
proposals in our written testimony. It is important, however, 
that the Federal law should ensure that all entities handling 
the same type of sensitive consumer information, such as 
payment card data, are subject to the same statutory rules and 
penalties with respect to notifying consumers of a breach 
affecting that information.
    In closing, three brief points are uppermost:
    First, retailers take the increasing incidence of payment 
card fraud very seriously. Merchants already bear at least an 
equal, or often a greater, cost of fraud than any other 
participant in the payment card system. We did not design the 
system; we do not configure the cards; we do not issue the 
cards. We will work to effectively upgrade the system, but we 
cannot do it alone.
    Second, the vast majority of breaches are criminal 
activity. No system is invulnerable to the most sophisticated 
and dedicated of thieves. Consequently, eliminating all fraud 
is likely to remain an aspiration. Nevertheless, we will do our 
part to achieve that goal.
    And, last, it is long past time for the United States to 
adopt PIN and chip card technology. If the goal is to secure 
data and reduce fraud, we must, at a minimum, do both.
    Thank you.
    Senator Warner. [Presiding.] Mr. Mierzwinski.

  STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, 
                           U.S. PIRG

    Mr. Mierzwinski. Thank you, Chairman Warner, Senator Kirk, 
Members of the Committee. I am Ed Mierzwinski. I am a consumer 
advocate, and I have been working on these issues for some 
time. And my views I think are somewhat in line with the 
merchants, but also somewhat not in line with the merchants.
    First, the Target breach itself, I want to make one point 
about that. The breach occurred with information that allows 
fraud to take place on your existing accounts in the first 40 
million consumers who were breached. The additional 70 million, 
the information that was collected allows phishing attacks to 
try to obtain more information to commit identity theft. But I 
think the biggest risk to customers of Target is fraud on 
existing accounts. So the provision of credit monitoring, which 
they are giving for free but is normally an overpriced, junky 
product, really creates a false sense of security. It will not 
stop fraud on your existing accounts, and it will not stop 
identity theft. It will simply tell you when your Experian 
account has changed. It could be because of identity theft, or 
it could be because of something else. But it will be after the 
fact. But that is one point I wanted to make about the Target 
breach.
    The thing about Target, again, is that they are not at 
fault completely. They are maybe in violation--and I have seen 
different stories on whether they were or they were not in 
violation--of the current highest PCI standards. We will know 
that more after they have testified in the next few days. But 
whether or not they were in violation of the PCI standards, 
those standards are cobbled on to an obsolete technological 
platform. It is like they are trying to put disc brakes on a 
Model T, airbags on an Edsel. I mean, the merchants are being 
asked constantly to add different bells and whistles to an 
obsolete system from the mid-20th century. So that is a 
problem. I think the banks and the card industry have a lot to 
answer to with these problems.
    I want to make a couple of quick points that are all made 
in my testimony.
    First, I was encouraged, Chairman Warner, when you 
mentioned that debit card protections maybe should be 
increased. We strongly support that idea. All plastic should be 
equal. The zero liability promise the banks make is just a 
promise. It is not the law. I only use credit cards. I never 
use debit cards. The other problem, of course, with a debit 
card is you lose money from your account. Until they complete 
the reinvestigation, you could have other checks bounce.
    Second, any reforms should be technology neutral and 
technology forcing. You really should have a reform that 
encourages continuous increases in the use of better and 
better technology. And as Mr. Duncan pointed out, it should be 
on an open platform, and competitors should be allowed to come 
in. I think today if you look at the networks, the two big ones 
are a duopoly. They have all the standard characteristics of a 
duopoly. They seek excess rents. They do not like new 
technology. They do not like competitors. And that has really 
been a problem.
    I think you should look at the PCI standard-setting body. 
Do the merchants have adequate input into it? Do the prudential 
regulators or the FTC have enough review of it? You should not 
enact any new legislation that preempts State laws. If Congress 
enacts a good enough law, it does not have to preempt State 
laws. The States will move on. They will do other things. But 
if Congress does not enact a good enough law, you need the 
States as first responders, and my testimony goes into detail. 
After 2003, when the FACT Act amendments to the Fair Credit 
Reporting Act did not include adequate identity theft reforms, 
46 States passed breach laws; 49 States gave consumers the 
right to freeze their credit report. And so those were 
important things that the States did. Whereas, every bill that 
I have seen to some extent not only preempts any breach law, 
which is their nominal purpose, but goes further and preempts 
any right of the States to do anything in the future. And that 
is really, I think, the wrong way to go.
    Another point that we make in our testimony is that if you 
do enact a breach law, it should be on an acquisition standard. 
There should not be a harm trigger. The company that did not 
protect my information should not be allowed to decide whether 
or not to give me notice.
    One point that I do not make in my testimony but I have 
made in previous testimony before the Commerce Committee is 
that I strongly support any effort to increase the FTC's 
authorities, including the right to impose civil penalties for 
a first violation.
    Thank you for the opportunity. I hope to answer any 
questions you might have.
    Senator Warner. Mr. Leach.

STATEMENT OF TROY LEACH, CHIEF TECHNOLOGY OFFICER, PCI SECURITY 
                       STANDARDS COUNCIL

    Mr. Leach. Thank you. My name is Troy Leach. I am the CTO 
of the PCI Security Standards Council, a global industry 
initiative focused on securing payment card data. Our approach 
to an effective security program is people, process, and 
technology as key parts of data protection.
    Our community of over 1,000 of the world's leading 
businesses tackles security challenges from simple issues--for 
example, the word ``password'' still one of the most commonly 
used passwords--to really complicated issues, such as proper 
encryption. We understand consumers are upset when their 
payment card data is put at risk and the harm that is caused by 
these breaches.
    The council was created as a forum for all stakeholders--
banks, merchants, manufacturers, and others--to proactively 
protect consumers' cardholder data. Our standards focus on 
removing cardholder data if it is no longer needed. Our mantra 
is simple: If you do not need it, do not store it. If it is 
needed, then protect it through a multilayered approach and 
devalue it through innovative technologies that reduce the 
incentive for criminals to steal it.
    Let me tell you how we do that. The data security standard 
is built on 12 principles, everything from strong access 
control, monitoring and testing networks, annual risk 
assessments, and much more. This standard is updated regularly 
through feedback from our global community. In addition, we 
have developed other standards that cover payment software, 
point-of-sale devices, and the secure manufacturing of cards. 
And we do much more as well. We develop standards and guidance 
on emerging technologies like tokenization and point-to-point 
encryption that remove the amount of card data kept in systems, 
rendering it useless to cyber criminals. Tokenization and 
point-to-point encryption work in concert with other PCI 
standards to offer additional protections.
    Now, another technology, EMV chip, has widespread use in 
Europe and other markets. It is an extremely effective method 
of reducing card fraud in face-to-face environments. That is 
why the PCI Council supports the deployment of chip technology.
    However, EMV chip is only one piece of the puzzle. 
Additional controls are needed to protect the integrity of 
payments online, on the telephone, and in other channels. These 
controls include encryption, proper access, response from 
tampering, malware protection, and more. These are all 
addressed within the PCI standards. Used together, EMV chip and 
PCI standards can provide strong protections for payment card 
data.
    But effective security requires more than just standards 
and technology. Without ongoing adherence and supporting 
programs, these are only tools and not solutions. The council 
makes it easy for businesses to choose products that have been 
lab tested and certified as secure. The council's certification 
and training programs have educated tens of thousands of 
individuals, including assessors, merchants, technology 
companies, and government. Finally, we conduct global campaigns 
to raise awareness of payment card security.
    The council welcomes the Committee's attention to this 
critical issue. The recent compromises underscore the 
importance of a multilayered approach, and there are clear ways 
in which the Government can help, for example, by leading 
strong law enforcement efforts worldwide, particularly because 
of the global nature of this threat, and by encouraging stiff 
penalties for these crimes. Promoting information sharing 
between the public and private sector also merits your 
attention.
    The council is an active collaborator with Government. We 
work with NIST, DHS, and many other Government entities, and we 
are ready and willing to do more.
    We believe the development of standards to protect payment 
card data is something that the private sector and PCI 
specifically is uniquely qualified to do. The global reach, 
expertise, and flexibility of PCI have made it an extremely 
effective mechanism for protecting consumers.
    Now, the recent breaches underscore the complex nature of 
payment card security. A multifaceted problem cannot be solved 
by a single technology, standard, mandate, or regulation. It 
cannot be solved by a single sector of society. Business, 
standards bodies, policymakers, and law enforcement must work 
together to protect the privacy interests of consumers. Today, 
as this Committee focuses on recent data breaches, we know that 
criminals are focused on inventing the next attack.
    There is no time to waste. The PCI Council and business 
must continue to provide multilayered security protections 
while Congress leads efforts to combat global cyber crimes that 
threaten us all. We thank the Committee for taking a leadership 
role in seeking solutions to one of the largest security 
concerns of our time.
    Senator Warner. Thank you all, gentlemen.
    I made this comment in my opening statement, but I would 
like to make it again with you all sitting in front of me. It 
is my strong hope that as we approach this issue, we recognize, 
rather than pointing blame at each other, the only way this is 
going to work to protect consumers and give them the confidence 
they need is for the banking industry, the retail industry, the 
card and the industry at large to actually collaborate 
together. We do not need, I do not believe, another replay of a 
multiyear legislative battle here when the hackers are not 
going to take a timeout and American consumers are going to be 
increasingly at risk.
    Mr. Leach, in the spirit of your comments, we are going to 
do a lightning round here, so I would ask you to keep your 
comments as close to yes or no as possible, recognizing, of 
course, that there is not a single technology solution but 
seeing a dramatic decrease in Europe in terms of fraud at face-
to-face transactions when they moved to the chip-and-PIN 
system. What do each of you think in terms of our country 
moving to the chip and PIN as one step forward?
    Mr. Reuter. We have embraced the chip technology. In fact, 
the card networks have laid out a timeline that involves a 
pretty strong incentive for the industry by October 2015 to 
move there. And so as----
    Senator Warner. Let us get to everybody else. Mr. Duncan?
    Mr. Duncan. Mr. Chairman, I take to heart your comments 
about not pointing fingers at each group. As I said in my 
testimony, if we are actually to have effective protection, it 
has got to be, as you said, PIN and chip. If you listen to the 
response that was just given, it only mentioned the chip. And 
as I said, that is closing the back door and leaving the front 
door open.
    Senator Warner. So it sounds to me you are saying yes to 
full chip and PIN.
    Mr. Duncan. Yes.
    Mr. Mierzwinski. Yes, absolutely to full chip and PIN, not 
chip and signature, but do not leave that as the ceiling. Make 
sure that you can go more.
    Senator Warner. Mr. Leach?
    Mr. Leach. We are supportive of chip technology as well, 
but keep in mind that information----
    Senator Warner. As I learn this, I might want to make sure 
I am getting it right. Chip is different than chip and PIN. Are 
you supportive of chip and PIN?
    Mr. Leach. We are supportive of chip and PIN. Any type of 
authentication added on to chip technology is an important form 
of authentication. It is important to keep in mind, though----
    Senator Warner. OK. I got it, and I think that is great 
progress today, everybody agreeing. I would concur with Mr. 
Mierzwinski that--and I thought I was a relatively informed 
consumer. I did not realize my debit card did not have the same 
protections. And, you know, I think again about the fact that 
where the growth of debit cards is coming is younger folks and 
the underbanked community, who potentially are the most 
vulnerable if they do not have these protections. It would seem 
to me that equalizing cards on a same standard makes common 
sense. Give me a reason why not. Anyone?
    Mr. Reuter. As a practical matter, we invoke a zero 
liability policy, so we today, if a transaction--if you did not 
authorize it, you are not responsible for it.
    Senator Warner. I do not want to get you in trouble with 
the ABA, but is that an endorsement of equalization in the 
truth in lending--truth in reporting----
    Mr. Reuter. I believe that from a legislation perspective, 
the way we are all performing as banks, I am not sure 
additional legislation is needed, because we are adhering to a 
zero liability policy as a matter of our business practice.
    Senator Warner. Would there be no practical reason why you 
would not want to have the same standard between different 
types of plastic?
    Mr. Reuter. There would be no practical reason.
    Senator Warner. Mr. Duncan?
    Mr. Duncan. We believe it is a good idea.
    Senator Warner. Mr. Leach? And you get the last word.
    Mr. Leach. And just to follow up on the point, I just want 
to emphasize that chip technology is in the clear, so we still 
need additional security protections to that. We are supportive 
as well.
    Mr. Mierzwinski. I would just add, Senator, that the issue 
here is that the zero liability may not occur in all 
circumstances. It may only apply to signature transactions, not 
to PIN-based transactions. That is the question, debit or 
credit, which confuses consumers at the store. Debit means 
using a PIN. Credit means it is still a debit card but you are 
using it on the signature-based credit card network. And, also, 
I would look at the zero liability contract and say what if I 
had two violations in a year, do they honor the second one? 
Because some banks do not.
    Senator Warner. Let me level down. I am interested and I 
would like to hear more. I guess the last point I want to 
make--I am not sure I am going to get a question out, but we 
have focused on the challenges around the cards. I would make 
the comment, though, that the cards actually do add an extra 
layer of protection because of some of the network, because of 
even the technologies that may not be fully up to snuff at this 
point, versus what may be our real Achilles heel, which is 
everybody's movement toward online financial transactions. I 
think about the fact of how many of us pay our utility bills or 
I pay college tuition online. In a certain sense, that is, if 
people can get into that personal data information, that is 
something there are no limits on in terms of an 
individual's exposure. We are much more, I believe, vulnerable. 
And, again, my time has expired, but I would simply say chip 
and PIN, good step forward; equalization of cards, good step 
forward; but continuing, again, the notion that Mr. Leach said, 
recognizing tokenization and other abilities that are online 
transactions, trying to put a level of protection is something 
that I think needs a lot more study and work.
    Senator Kirk?
    Senator Kirk. Let me just follow up with Mallory. I agree 
with you that Parliament has done a much better job than 
Congress moving to chip and PIN. I was struck by your comment 
that fraud was reduced in the U.K. by 70 percent by using chip 
and PIN. For those of us who have lots of friends in the U.K., 
you will see them pull out a credit or debit card with a chip 
in it and disparage the technological backwardness of the 
United States.
    Can I just ask you on behalf of the Retail Federation, how 
much would it cost your members to move to a full U.K.-based 
chip and PIN?
    Mr. Duncan. Senator, we would have to replace all of the 
card readers in the store. There are approximately 3.5 million 
retailers in the United States. Many of them are just a one-
store location, one checkout place; others have a dozen on each 
floor. So if you multiply that times approximately an average 
of 1,000 or more per unit, you are talking several billions of 
dollars in order to replace those, and, of course, some amount 
of time.
    Senator Kirk. And, in general, I took from your testimony 
that the Retail Federation would support making that move.
    Mr. Duncan. We absolutely would. In fact, some retailers 
have already begun to install chip-and-PIN readers in their 
facilities in hopes that the banks will do the right thing.
    Senator Kirk. Mallory, let us identify the heroes. Who was 
the first who did that?
    Mr. Duncan. I cannot tell you who the first was, but they 
tend to be the larger retailers who experience more 
international clients, so like a Home Depot, for example, or 
maybe a Best Buy.
    Senator Kirk. Thank you.
    Senator Warner. Thank you. I am very supportive of moving 
toward chip and PIN. I would only point out, as I dug into the 
data on the U.K., when we saw chip and PIN and face-to-face 
transaction fraud drop dramatically, it was like squeezing a 
balloon, and you saw online fraud in the U.K. shoot up, I think 
something like 30 percent.
    Senator Warren?
    Senator Warren. Thank you, Mr. Chairman.
    So I will just pick up on the same point about chip and 
PIN. We understand why chip and PIN works better, and it seems 
that we are years behind Europe in developing adequate 
technology, technology we know is out there, but applying 
adequate technology here in the United States.
    So I was interested in your testimony, Mr. Leach. You said 
that you think that standards are best left to private 
organizations such as yours. That is what we have done, and we 
are now way behind in technology and have become the targets 
for data attacks from around the world. So why should we leave 
this to organizations like yours?
    Mr. Leach. Well, Senator, it is a very fair question to 
ask. I think for us we look at standards being people, process, 
and technology, and recognize that while we have not migrated 
to chip, we have advanced fraud monitoring tools in the United 
States, the best in the world, as well as looking at other 
technologies that are more cost-effective for merchants to move 
to, like tokenization and point-to-point encryption.
    Senator Warren. I am sorry, Mr. Leach. Let me just make 
sure I am following you here. I thought I had heard in this 
conversation that we were uniform in our agreement that the way 
we should go now is to chip and PIN. And you are telling me we 
have other things we can do, which I am not disagreeing with, 
but I am asking the question: Why have we not hit the basic 
chip-and-PIN standard?
    Mr. Leach. Well, I think, Senator, that question is 
probably not for a standards body like myself. My role and our 
role is to actually develop secure standards for what we have 
today.
    Senator Warren. Well, fair enough, but your testimony was 
not just we have great standards if someone wants to adopt 
them. Your testimony, as I understood it, was that the 
standards should be left to private organizations and not to 
Government to say you have got to meet the standards put out by 
other organizations or developed in other ways. And so that is 
the point I am pushing on. It sounds like to me we may need 
some pressure from the Government to make sure that the 
toughest standards are used.
    Maybe I could ask the question of Mr. Reuter. Why has chip 
and PIN not been adopted already in the United States?
    Mr. Reuter. Well, I would like to comment on why the rest 
of the world is ahead of us on chip. The United States has a 
very robust telecommunications system. Years ago, in other 
parts of the world, they did not have as robust of a 
telecommunications system, so as a result, they deployed chip 
technology to solve that problem. It was not driven by fraud 
measures. Today, as we have seen more breaches at retailers and 
different things, we are embracing the chip technology here in 
the United States.
    The reason I keep leaving out PIN is one of my concerns 
with PIN data is it is a static piece of information. The chip 
brings the dynamic data to the transaction, which is really 
what renders the compromised data useless. The PIN is a static 
element, so I would--I appreciate and support the ongoing 
debate on chip and signature--but I would hate to delay the 
deployment of chip technology on this one issue because it has 
the biggest impact on fraud.
    Senator Warren. Well, let me actually hit both parts of 
your question to make sure that I fully understand your point. 
I understand that Europe had reasons to go to chip early on, 
but are you saying that the banks have just now discovered that 
chip and PIN would be a more secure system? Or have they had 
some reason to know that for many, many years now?
    Mr. Reuter. You know, we have been working toward putting 
chip technology in. The card networks laid out the timeline we 
are working toward in 2011. There are 8 million retailers, 
14,000 financial institutions----
    Senator Warren. So was it only in 2011 that the banks 
figured out that chip and PIN would be a more secure system?
    Mr. Reuter. No, there were conversations before that, but 
that is when the actual timeline was laid out.
    Senator Warren. All right. But the Europeans have done more 
to protect themselves than we have. Now, as to the question 
about chip and PIN, why don't I just invite Mr. Duncan to weigh 
in on that issue about whether or not chip and signature would 
be a better approach.
    Mr. Duncan. Well, signature is worthless. I mean, your 
signature is on the back of your card right now. If you lose it 
and a thief finds it, there is an exemplar there for them to 
copy your signature. It is essentially worthless. If you are 
going to have security, you have to have PIN.
    As for the idea that they are slightly different systems 
and, therefore, we should not use both, imagine putting up a 
burglar alarm system in your house. You have one sort of 
protection for the doors when they open and a second sort of 
protection for the windows. Why would you say, ``Well, this one 
works differently so I am not going to alarm the windows''? If 
you want security, you have got to have the whole system. It 
has got to be PIN and chip. And I am just flummoxed as to why 
anyone thinks otherwise.
    Senator Warren. Thank you.
    It sounds like to me, Mr. Chairman, that the banks have 
delayed, the retailers have delayed, the Government has 
delayed, and the ones who have paid the price are the consumers 
whose data are being stolen.
    Senator Warner. Senator Tester.
    Senator Tester. Thank you, Mr. Chairman. I am getting 
conflicting data here. I have got a bank that employs some of 
my constituents in Montana that had 7 percent of their debit 
cards--now, we are not talking credit, just debit--7 percent of 
their debit cards that were impacted by the recent breach. That 
was only 12,000 cards. In their particular case, it cost them 
about 5 bucks a card, $60,000, to replace them. That was just 
to replace the cards. It did not include any additional costs 
bearing the cost of monitoring fraud.
    When this breach happened, I actually got a call from the 
credit union that is located in the Hart Building--the credit 
union that is located in the Hart Building, where we have an 
account--and it said, ``Your account has been breached. We 
think it would be wise if you issued a new credit card.'' We 
were very appreciative of that, and they did. And so I actually 
visited with somebody from the credit union who said it cost 
about 30 million bucks, this recent breach on them. And that 
does not include any of the fees that were back there, because 
I asked the credit union, I said, ``If this card is used 
somewhere else by somebody else and they ring up a charge, am I 
going to have to pay for it?'' And they said no, they would 
take care of it.
    So the question is, and this is for you, Mr. Reuter: In 
this particular case, what do you think the prospects are that 
a particular bank or credit union in this case will actually 
get reimbursed for fraud costs?
    Mr. Reuter. You know, our bank, we reissued almost 65,000 
cards, and that came as a result of us learning more about the 
breach, but also customer demand. Our call center, we took an 
extra 30,000 calls over a 3-week period. So the bottom line is 
we have already invested quite a bit, and at the end, when all 
the dust settles, we will get, at the most, pennies on the 
dollar.
    Senator Tester. Now, Target has said that they are going to 
make sure that--let me see if I can get the right quote here. 
They are going to make sure that customers are made whole and 
have zero liability. Who is going to pay the bill? Is it going 
to be Target, or is it going to be the banks?
    Mr. Reuter. We as banks shoulder that responsibility. We 
are the ones reimbursing----
    Senator Tester. Does Target reimburse you then?
    Mr. Reuter. No, they do not.
    Senator Tester. What has been your experience on you 
recovering fraud costs in other breaches, like the TJX case?
    Mr. Reuter. My experience has been we recover very little.
    Senator Tester. Pennies on the dollar again?
    Mr. Reuter. Pennies on the dollar.
    Senator Tester. OK. Let us talk about the cards here for a 
second again. I mean, look, I love to pay in cash. I would even 
rather pay in checks, but that is not the way it works a lot of 
times. And so I end up using my credit card a lot. I am like 
Mr. Mierzwinski--and sorry about the pronunciation of the last 
name. I use credit cards almost exclusively myself.
    If merchants--and this is for you, Mr. Duncan. If they are 
concerned about fraud, and I think they are concerned about 
fraud, what is preventing them from doing more identity checks 
when you go to the checkout line? I have got to tell you, they 
do not even ask to look at my signature anymore. They do not 
ask for a credit card. They do not ask for anything. They just 
take the credit card, they swipe it. And sometimes they do not 
even take the credit card and swipe it. They say, ``You swipe 
it.''
    So what are the merchants doing to help prove identity at 
point of sale?
    Mr. Duncan. Well, one thing we would like to do is to have 
a PIN authentication. That would be one thing----
    Senator Tester. OK, but we do not.
    Mr. Duncan.----that would help. Number two----
    Senator Tester. Just a second. We do not right now. OK? I 
think we can all agree there, here, we would like to go that 
way.
    Mr. Duncan. Right.
    Senator Tester. We had a breach. You guys, everybody at the 
table said they were concerned about it. Everybody up here is 
concerned about it. If the retailers are concerned about it, 
what are they doing to help stop the breach now?
    Mr. Duncan. Well, as I mentioned in my testimony, we have 
put--there is a lot in your question. I mentioned in my 
testimony we have spent billions hardening the system so that 
the bad guys cannot get in and pull out information.
    Senator Tester. OK.
    Mr. Duncan. We encrypt the information. In terms of 
signature at the checkout, the card associations have told us 
that we are not allowed to ask for information along with that.
    Senator Tester. Oh, really?
    Mr. Duncan. It is considered--I guess they consider it a 
hassle of the consumer if we ask for additional identification. 
Some merchants do it anyway.
    Senator Tester. Yes. Well, they used to do it all the time.
    Mr. Duncan. Well, unfortunately we are told we are not 
allowed to do it.
    Senator Tester. That is interesting. I want to talk about 
the cost with the chip and PIN. Mr. Duncan, you had said $3 
billion it would cost the merchants. There are a lot of small 
merchant folks out there that--I mean, that is probably quite a 
bit per machine. Who would pay the $3 billion? Is that going to 
be picked up by the retail association? And does that have any 
impact on your support for chip and PIN?
    Mr. Duncan. We would have to pay for that equipment, so it 
would come out of the retailers' bottom line. We would do it to 
improve security. And I should clarify my statement. What they 
have told us is that we may not reject a transaction based on 
the signature. So looking at a driver's license, the signature 
does not match, you still cannot reject the transaction. So to 
be precise, that is what they have told us.
    Senator Tester. OK. That would be interesting to flesh that 
out some more, too, because that does not sound particularly 
good to me. But you cannot ask for an opportunity to compare 
signatures. I think that is where the key is in a card if I 
lose mine and you pick it up and use it, they are going to 
know--well, they are probably going to know it is not Jon 
Tester.
    Mr. Duncan. But if it is feminine handwriting, they would 
still have to accept the transaction.
    Senator Tester. I got you. Well, thank you, Mr.----
    Senator Warren. You have not seen his handwriting.
    Senator Tester. Yes, exactly. It is pretty bad. It used to 
be worse when I was left-handed. Anyway, thank you very much, 
Mr. Chairman.
    Senator Warner. Before I move to Senator Menendez, just two 
quick points. One, you mentioned credit unions. We have got 
lots of interest. We have got testimony from credit unions, 
independent banks, other organizations who have submitted for 
the record. And I would also just point out to Senator Tester, 
you know, that second security check at the checkout, though, 
think about how many transactions are going where you are 
automated now.
    Senator Tester. That is what I was talking about.
    Senator Warner. We have got to get a technology--I am not 
sure that human interaction piece is going to be----
    Senator Tester. Right. I mean, that is what I said. A lot 
of times they do not even take the card. They just say, ``You 
swipe it.''
    Senator Warner. Or you go to the grocery store and you 
check out without a person.
    Senator Tester. That is true. We do not have a lot of those 
grocery stores.
    Senator Warner. I am not going to ask you the price of 
milk.
    Senator Menendez?
    Senator Menendez. Thank you, Mr. Chairman.
    You have had a big discussion here on chip-and-PIN 
technology, which has been around more than a decade. It is 
widely used in Western Europe and other areas outside the 
United States. So I see that several of you in your testimony 
caution against adopting a similar standard by law that would 
lock in any specific technology. However, even if we do not 
adopt a Federal legal standard that favors one technology over 
another, couldn't we still have a standard based on 
performance? In other words, at what point should it be 
considered an unreasonable security risk for a company not to 
be using chip-and-PIN technology or something that performs 
equivalently? Mr. Mierzwinski?
    Mr. Mierzwinski. Well, Senator, I think my testimony, we 
definitely say we should not adopt a specific standard, but I 
certainly think, from what I understand--and I am not the 
world's biggest expert on the tech--that chip and PIN is a 
higher standard than chip and signature. So if you have a 
technology-forcing standard, a performance standard, that chip 
and PIN meets, I think that is a good way to go as long as it 
is an open standard that encourages more and better technology 
to come forward.
    Senator Menendez. What about the banks and the retailers?
    Mr. Reuter. You know, setting a specific technology 
standard I would agree is not a good idea because of how 
quickly the fraudsters keep changing and adapting. But as far 
as setting standards that we all do the best we can with the 
technology available, I think that that is fine.
    Mr. Duncan. We would like our partners in this to do the 
right thing and to adopt PIN-and-chip technology. However, as I 
mentioned earlier, a number of retailers are already beginning 
to explore mobile as a possibility, and we want to be careful 
that Congress would not do something that might slow down that 
transition to even more secure systems in the future.
    Senator Menendez. Yes, well, that is why I am saying not 
supporting a specific standard. I get the sense everybody is 
worried about what Congress will do. We are worried about what 
you all will do. I sit here and listen to the banks say 
retailers should have more liability. I sit here and listen to 
the retailers say banks should have more liability. In the 
interim, the only entity that potentially is getting screwed 
with all of their financial data and security is consumers. So 
we have to have a different paradigm as to how we get here. And 
so it seems to me, as I was posing the questions to the Federal 
Trade Commission representative before, that creating some type 
of standard that does not necessarily lock you into a 
technology that may be in time, you know, a dinosaur but does 
ultimately create a standard of responsibility is important for 
both the banks and the retailers at the end of the day.
    Now, I know that the industry, the card industry, likes 
setting its own standards. I understand why. But at some point 
there is a responsibility here to the consumers and to the 
economy, because it is not good for retailers, it is not good 
for banks when we have data breaches at the end of the day. And 
it is not good for the card companies in terms of the 
confidence in people who put it on their credit card.
    So I would like to hear from Mr. Mierzwinski, you ask in 
your testimony whether Federal regulators should have a greater 
role in setting security standards. And, Mr. Reuter, in your 
testimony you raise the question of whether we should have a 
national standard that applies by force of law versus simply by 
the force of contract to all parties in the chain of possession 
of consumer financial and payments data. Isn't that really part 
of the goal here so that we can have a standard that then can 
be applied and that ultimately we can make judgments? Look, if 
you met that standard and there is a data breach, there is 
nothing more you could do. I mean, you know, you did all the 
things that you could. But if you do not have a standard, we 
never know what is the right engagement by both the banks and 
the retailers in protection of consumers.
    Mr. Mierzwinski. Well, Senator, I understand that you are 
conducting an ongoing series of hearings. On Thursday the 
regulators are coming in, and I think it is useful to ask them, 
Should there be a Federal performance standard, as you point 
out, a Federal performance standard that is enforceable by the 
regulators? Should the regulators have the authority to look 
at--and maybe they do already, and maybe they are already doing 
something here, but they have not told me about it. Shouldn't 
they have the authority to determine whether any industry 
standards body, any voluntary industry standards body is 
performing adequately to protect the safety and soundness of 
the financial system? So, yes, I agree.
    Senator Menendez. Yes, Mr. Reuter?
    Mr. Reuter. Senator, we as a banking institution already 
have to comply with a number of data security standards in the 
Gramm-Leach-Bliley Act. It is not only something that is 
written and we have instant response, but we are examined on it 
on a regular basis. So as an industry, that is why we are not 
opposed to setting standards. We are already obligated to 
follow standards today.
    Senator Menendez. And that may be different than what the 
Federal Trade Commission might determine would be the standard 
more broadly, but I appreciate that in Gramm-Leach-Bliley.
    May I have one other question, Mr. Chairman, one final 
question? And it goes to you, Mr. Mierzwinski, as a consumer 
advocate here. You know, we have seen an economy that is 
increasingly data driven in terms of companies collecting, 
storing, processing even greater quantities of consumer 
information, often against consumers' wishes or even without 
their knowledge. The financial service industry, for example, 
we hear stories about lenders data mining sources like social 
media to help them form underwriting decisions on consumer 
loans. Companies aggregate more data. The consequences of a 
breach or improper use become greater as the risks expand 
beyond simple fraud to identity theft and other hardships.
    Target experienced breaches of at least two kinds of 
customer information: payment card data and personal 
information, such as names, email addresses, and phone numbers. 
What if the next breach involves information like purchase 
histories or Social Security numbers?
    So my question is: Are you concerned about the rise of big 
data? And what can we do to give consumers greater control over 
their data, reduce the chances of a breach, and minimize the 
harm to consumers if a breach occurs? And should we be putting 
limits on what companies can store without a consumer's 
affirmative opt-in?
    Mr. Mierzwinski. Well, Senator, you have raised a question 
that I could talk about for about an hour, 2 hours.
    Senator Menendez. I am sure the Chairman would not want you 
to do that.
    Mr. Mierzwinski. I will not. But at the end of my 
testimony, I refer to a recent Federal Trade Commission 
comprehensive report on privacy and also to a Law Review paper 
that I have written on this very subject of big data being used 
for financial decisionmaking. And as Mr. Duncan pointed out, 
much of the big data that has been collected is now starting to 
be collected in the mobile landscape as well. So in addition to 
credit card information, in addition to personal information 
about the kinds of things that you buy with your cards, we also 
now know where you are and what you are doing at any particular 
time, and that new locational data is something that I think 
Congress should look at as well.
    But I would be very happy to talk to you about this 
Internet ecosystem. It used to be that you had a bank and you 
had a merchant and you had a credit bureau that had information 
about you. And there were direct marketing companies, to be 
sure, but they did not have very much information, and they 
were not connected. There are hundreds of interconnected if not 
thousands of interconnected business-to-business companies on 
the Internet buying and selling information about you today and 
auctioning you off in real time to the highest bidder. Many of 
them are predatory lenders, the highest bidders. There are 
companies on the Internet called ``lead generator sites'' that 
I would encourage the Committee to just hold a hearing on lead 
generation. You type, ``I want a loan,'' on the Internet. You 
are taken to a site that just bids you out to the highest 
bidder. Not the lowest bidder, the highest bidder.
    So there is a lot of work that needs to be done. Consumers 
need greater rights. There are some bills that address parts of 
it, and we would be happy to talk further on it.
    Senator Menendez. Mr. Chairman, I can see that there can be 
some value, even to consumers, to have some degree of 
information. But by the same token, I am increasingly concerned 
about the degree, the depth, the breadth, and scope of where 
that information is, and finding the right balance here I think 
is incredibly important.
    I thank the Chair for his indulgence.
    Senator Warner. Well, let me thank the witnesses and thank 
my colleagues.
    A couple of closing comments. One is I do think I would 
make my point for the third time. You know, we are just the 
first of what was going to be a series of hearings. The 
American public is very, very concerned about this issue, and 
we can either do it in a collaborative fashion, or we can do it 
in an adversarial fashion. And I am not even saying so much 
Congress versus industry and consumer groups, but you all 
collaborating together is terribly important.
    I think we have seen today actually that across the panel 
there was a sense that we need to move aggressively to chip and 
PIN. I tend to agree with Mr. Duncan. I cannot imagine chip and 
PIN versus chip and signature where you have automated systems. 
It seems like Beta versus VHS. And a little bit of that in the 
sense that--I think Mr. Leach made this point, and I want to 
re-emphasize it. As I learn more, chip and PIN is not a 
declaration of victory. You know, I would point back to the 
U.K. circumstance where the point-to-point fraud went down, but 
online fraud went up. And I think we have not seen the 
potential vulnerability we have all for online transactions. I 
was a technology guy, but boy, oh, boy, we have no consumer or 
financial protections at all in that space.
    Also, Mr. Mierzwinski, I think you may have gotten a win 
today since I think they all agreed to increase the Truth in 
Lending Act to equalize all cards to an equal standard. So 
maybe we made some small progress as well.
    I would just close out my comments with, you know, two 
points.
    One, if we think about this more holistically, I do think--
and I am just starting to learn this notion of tokenization and 
some of these other things so that there is encrypted data 
regardless of where your transaction takes place, is something 
that we need to think through. And I am sensitive to Mr. 
Duncan's members' concerns that, you know, you do not want to 
go out and buy a terminal that is going to be outdated 6 months 
or a year from now, so how you keep that in some kind of open 
system so it cannot be cobbled on is something that makes 
sense.
    An issue we did not even get to--and I think Senator 
Menendez raised it near the end, kind of not just broadly about 
folks' access to our data, but whoever has the data, how is it 
going to be kept secure? Wherever it stands in the financial 
system or in our system, you know, what are the obligations to 
keep that information in a secure fashion? Again, a topic that 
is going to be--that we will come back to.
    So I again want to thank my colleagues. I thank both the 
first panel and the second panel. I go back to General 
Clapper's comments that this was--his estimate was a $300 
billion hit to our economy last year, and it is dramatically 
going to be higher. We need to get ahead of this, and I look 
forward to working to find those solutions. Thank you all.
    And, again, these letters will be added.
    Senator Warner. The hearing is adjourned.
    [Whereupon, at 4:52 p.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
                PREPARED STATEMENT OF SENATOR MARK KIRK
    I am very pleased to be having this hearing today. There has 
obviously been considerable attention drawn to the issue of data 
security recently, with a number of data breaches occurring at several 
large retailers across the country. I am especially troubled because 
these breaches have had such a widespread impact--consumers being hit 
from all sides and with the more recent breaches impacting what is 
possibly one-third of the U.S. population. I think we have reached an 
inflection point. In the more recent data breaches, my constituents in 
Illinois and across the country were targeted at one of the busiest 
holiday shopping times, necessitating these individuals to replace 
cards and sign up for additional credit and identity monitoring--not to 
mention cope with substantial consumer anxiety.
    Further, impacts are not only felt by consumers when a merchant is 
breached, but also by any number of other third parties, including 
banks whose customers shopped at the retailer. I have had one community 
banker in Illinois tell me that the recent Target data breach will cost 
their company roughly $100,000, and another regional bank has told me 
that they expect to lose millions for card replacement as well as 
millions for fraud. My bankers in Illinois tell me that nearly every 
Illinois bank had at least some credit and debit cards compromised by 
the breach, with about one-third of customers in State experiencing 
fraudulent account activity. As a result, Illinois banks had to replace 
large numbers of debit and credit cards, costing thousands in card 
replacement and fraud costs. While these are substantial, we know that 
any merchant that experiences a breach also suffers from brand damage, 
lost revenues, legal fees and other costs.
    I do think it is important to view these breaches as criminal 
attacks and any entity that is breached as victims. It is also well 
known that these criminal hackers are persistent and when one technique 
is thwarted or secured against, these criminals will discover and 
create new and even more cryptic techniques with which to wreak havoc. 
However, I am hopeful that through this hearing, we can move beyond 
being ``victims'' to understand what other safeguards can be taken. We 
all saw and experienced the massive ramp up in national security 
reforms post the September 11th terrorist attacks. While our country is 
not completely without susceptibility, the United States has become 
much safer over the past decade and continues to constantly evolve in 
its security efforts to keep harm at bay.
    While similar security efforts have been made in the cyber space, I 
don't believe it has been quite as extensive--and there is most 
definitely cause for considering whether we need to broaden the sphere 
of those responsible for greater cyber security.
    According to the Identity Theft Resource Center, more than 4,200 
breaches have occurred since 2005 exposing more than 600 million 
records, and in 2013 there were more than 600 reported breaches--an 
increase of 30 percent over 2012 and the highest number of recorded 
breaches since 2005.
    In reviewing the spike in breaches, it is notable that the highest 
number of breaches occurred in the healthcare sector, at 43 percent and 
the business sector, which includes merchants, which accounted for 
roughly 34 percent of the reported breaches. Banks, credit and the 
financial sector accounted for only 4 percent of all breaches and less 
than 2 percent of all breached records.
    After some of the more recent data breaches at retailers, there 
were claims made and questions asked whether the banks should have 
updated their technologies--specifically through the use of ``chip and 
pin''. While I look forward to hearing from the witnesses about these 
and other protective measures industry can undertake to make the system 
safer and more sound, I also understand that in several of the most 
recent cases, chip and pin technology likely would not have prevented 
these breaches. Just as with national security, this is a shared 
responsibility of a number of parties and it is critical that all 
parties that handle this sensitive personal information take all 
possible steps to ensure that information is kept safe.
    Through the Gramm-Leach-Bliley Act, Reg. E, the Fair Credit and 
Reporting Act (FCRA) and a number of other regulatory requirements, 
some of the Nation's most vulnerable institutions--namely banks and 
financial institutions that house valuable and sensitive information--
have taken extraordinary measures to keep up with the ever present and 
ever changing threats in the cyber security world. In addition to 
heightened standards, banks also face penalties, such as prompt 
corrective action, fines and other penalties often before a breach has 
occurred--just for being noncompliant.
    I think all of these heightened standards and oversight is the 
right approach--financial institutions should have some of the highest 
cyber security measures in place to protect American consumers and the 
financial system. However, I think it is also appropriate to consider 
if other entities that either store or handle the same type of 
sensitive information should come under the same scrutiny and oversight 
to protect consumers.
    I hope to explore whether we should expand this ``sphere'' of 
scrutiny and bring greater oversight and accountability to other 
businesses and entities that have access to and in some instances store 
large amounts of consumer data. Some of these considerations might 
include whether the Federal Trade Commission (FTC) needs additional 
regulatory authorities, including the ability to require heightened 
standards as new threats emerge, additional oversight authority and the 
authority to utilize penalties for those entities found noncompliant. I 
also would like to explore whether our witnesses believe that creating 
a merchant/retailer ISAC (Information Sharing and Analysis Center) 
would help in preventing these breaches or, at a minimum, if an ISAC 
could effectively prevent the spreading of these threats to other 
merchants.
    Finally, while industry must be vigilant and constantly evolve to 
protect itself and U.S. consumers, we also must look at the role of law 
enforcement in cyber security to see what else our Nation's law 
enforcement community needs to effectively combat these threats. Part 
of this may mean exploring what the Administration, Congress and 
Federal agencies can do to incite international cooperation, especially 
in areas where these criminal cells seem to exist. We also need to 
ensure that our criminal statutes are updated to bring stiff sentences 
to those engaging in these cyber crimes. Thank you again and I look 
forward to hearing from our witnesses.
                                 ______
                                 
                  PREPARED STATEMENT OF WILLIAM NOONAN
      Deputy Special Agent in Charge, United States Secret Service
        Criminal Investigative Division, Cyber Operations Branch
                            February 3, 2014
    Good afternoon Chairman Warner, Ranking Member Kirk, and 
distinguished Members of the Committee. Thank you for the opportunity 
to testify on the risks and challenges the Nation faces from large-
scale data breaches like those that have been recently reported and are 
of great concern to our Nation. The U.S. Secret Service (Secret 
Service) has decades of experience investigating large-scale criminal 
cyber intrusions, in addition to other crimes that impact our Nation's 
financial payment systems. Based on investigative experience and the 
understanding we have developed regarding transnational organized cyber 
criminals that are engaged in these data breaches and associated 
frauds, I hope to provide this Committee useful insight into this issue 
from a Federal law enforcement perspective to help inform your 
deliberations.
The Role of the Secret Service
    The Secret Service was founded in 1865 to protect the U.S. 
financial system from the counterfeiting of our national currency. As 
the Nation's financial system evolved from paper to plastic to 
electronic transactions, so too has the Secret Service's investigative 
mission. Today, our modern financial system depends heavily on 
information technology for convenience and efficiency. Accordingly, 
criminals have adapted their methods and are increasingly using 
cyberspace to exploit our Nation's financial payment system by engaging 
in fraud and other illicit activities. This is not a new trend; 
criminals have been committing cyber financial crimes since at least 
1970.\1\
---------------------------------------------------------------------------
    \1\ Beginning in 1970, and over the course of 3 years, the chief 
teller at the Park Avenue branch of New York's Union Dime Savings Bank 
manipulated the account information on the bank's computer system to 
embezzle over $1.5 million from hundreds of customer accounts. This 
early example of cyber crime not only illustrates the long history of 
cyber crime, but the difficulty companies have in identifying and 
stopping cyber criminals in a timely manner--a trend that continues 
today.
---------------------------------------------------------------------------
    Congress established 18 USC §§ 1029-1030 as part of the 
Comprehensive Crime Control Act of 1984; these statutes criminalized 
unauthorized access to computers \2\ and the fraudulent use or 
trafficking of access devices \3\--defined as any piece of information 
or tangible item that is a means of account access that can be used to 
obtain money, goods, services, or other thing of value.\4\ Congress 
specifically gave the Secret Service authority to investigate 
violations of both statutes.\5\
---------------------------------------------------------------------------
    \2\ See 18 USC § 1030.
    \3\ See 18 USC § 1029.
    \4\ See 18 USC § 1029(e)(1).
    \5\ See 18 USC § 1029(d) & 1030(d)(1).
---------------------------------------------------------------------------
    Secret Service investigations have resulted in the arrest and 
successful prosecution of cyber criminals involved in the largest known 
data breaches, including those of TJ Maxx, Dave & Buster's, Heartland 
Payment Systems, and others. Over the past 4 years Secret Service cyber 
crime investigations have resulted in over 4,900 arrests, associated 
with approximately $1.37 billion in fraud losses and the prevention of 
over $11.24 billion in potential fraud losses. Through our work with 
our partners at the Department of Justice (DOJ), in particular the 
local U.S. Attorney Offices, the Computer Crimes and Intellectual 
Property section (CCIPS), the International Organized Crime 
Intelligence and Operations Center (IOC-2), and others, we are 
confident we will continue to bring the cyber criminals that perpetrate 
major data breaches to justice.
The Transnational Cyber Crime Threat
    Advances in computer technology and greater access to personally 
identifiable information (PII) via the Internet have created a virtual 
marketplace for transnational cyber criminals to share stolen 
information and criminal methodologies. As a result, the Secret Service 
has observed a marked increase in the quality, quantity, and complexity 
of cyber crimes targeting private industry and critical infrastructure. 
These crimes include network intrusions, hacking attacks, malicious 
software, and account takeovers leading to significant data breaches 
affecting every sector of the world economy. The recently reported data 
breaches of Target and Neiman Marcus are just the most recent, well-
publicized examples of this decade-long trend of major data breaches 
perpetrated by cyber criminals who are intent on targeting our Nation's 
retailers and financial payment systems.
    The increasing level of collaboration among cyber-criminals allows 
them to compartmentalize their operations, greatly increasing the 
sophistication of their criminal endeavors and allowing for development 
of expert specialization. These specialties raise both the complexity 
of investigating these cases, as well as the level of potential harm to 
companies and individuals. For example, illicit underground cyber crime 
market places allow criminals to buy, sell and trade malicious 
software, access to sensitive networks, spamming services, credit, 
debit and ATM card data, PII, bank account information, brokerage 
account information, hacking services, and counterfeit identity 
documents. These illicit digital marketplaces vary in size, with some 
of the more popular sites boasting membership of approximately 80,000 
users. These digital marketplaces often use various digital currencies, 
and cyber criminals have made extensive use of digital currencies to 
pay for criminal goods and services or launder illicit proceeds.
    The Secret Service has successfully investigated many underground 
cyber criminal marketplaces. In one such infiltration, the Secret 
Service initiated and conducted a 3-year investigation that led to the 
indictment of 11 perpetrators allegedly involved in hacking nine major 
U.S. retailers and the theft and sale of more than 40 million credit 
and debit card numbers. The investigation revealed that defendants from 
the United States, Estonia, China and Belarus successfully obtained 
credit and debit card numbers by hacking into the wireless computer 
networks of major retailers--including TJ Maxx, BJ's Wholesale Club, 
Office Max, Boston Market, Barnes & Noble, Sports Authority and Dave & 
Buster's. Once inside the networks, these cyber criminals installed 
``sniffer'' programs \6\ that would capture card numbers, as well as 
password and account information, as they moved through the retailers' 
credit and debit processing networks. After the data was collected, the 
conspirators concealed the information in encrypted computer servers 
that they controlled in the United States and Eastern Europe. The 
credit and debit card numbers were then sold through online 
transactions to other criminals in the United States and Eastern 
Europe. The stolen numbers were ``cashed out'' by encoding card numbers 
on the magnetic stripes of blank cards. The defendants then used these 
fraudulent cards to withdraw tens of thousands of dollars at a time 
from ATMs. The defendants were able to conceal and launder their 
illegal proceeds by using anonymous Internet-based digital currencies 
within the United States and abroad, and by channeling funds through 
bank accounts in Eastern Europe.\7\
---------------------------------------------------------------------------
    \6\ Sniffers are programs that detect particular information 
transiting computer networks, and can be used by criminals to acquire 
sensitive information from computer systems.
    \7\ Additional information on the criminal use of digital 
currencies can be referenced in testimony provided by U.S. Secret 
Service Special Agent in Charge Edward Lowery before the Senate 
Homeland Security and Governmental Affairs Committee in a hearing 
titled, ``Beyond Silk Road: Potential Risks, Threats, and Promises of 
Virtual Currencies'' (November 18, 2013).
---------------------------------------------------------------------------
    In data breaches like these the effects of the criminal acts 
extended well beyond the companies compromised, potentially affecting 
millions of individual card holders. Proactive and swift law 
enforcement action protects consumers by preventing and limiting the 
fraudulent use of payment card data, identity theft, or both. Cyber 
crime directly impacts the U.S. economy by requiring additional 
investment in implementing enhanced security measures, inflicting 
reputational damage on U.S. firms, and direct financial losses from 
fraud--all costs that are ultimately passed on to consumers.
Secret Service Strategy for Combating This Threat
    The Secret Service proactively investigates cyber crime using a 
variety of investigative means to infiltrate these transnational cyber 
criminal groups. As a result of these proactive investigations, the 
Secret Service is often the first to learn of planned or ongoing data 
breaches and is quick to notify financial institutions and the victim 
companies with actionable information to mitigate the damage from the 
data breach and terminate the criminal's unauthorized access to their 
networks. One of the most poorly understood facts regarding data 
breaches is that it is rarely the victim company that first discovers 
the criminal's unauthorized access to their network; rather it is law 
enforcement, financial institutions, or other third parties that 
identify and notify the likely victim company of the data breach by 
identifying the common point of origin of the sensitive data being 
trafficked in cyber crime marketplaces.
    A trusted relationship with the victim is essential for confirming 
the crime, remediating the situation, beginning a criminal 
investigation, and collecting evidence. The Secret Service's worldwide 
network of 33 Electronic Crimes Task Forces (ECTF), located within our 
field offices, is essential for building and maintaining these trusted 
relationships, along with the Secret Service's commitment to protecting 
victim privacy.
    In order to confirm the source of data breaches and to stop the 
continued theft of sensitive information and the exploitation of a 
network, the Secret Service contacts the owner of the suspected 
compromised computer systems. Once the victim of a data breach confirms 
that unauthorized access to their networks has occurred, the Secret 
Service works with the local U.S. Attorney's office, or appropriate 
State and local officials, to begin a criminal investigation of the 
potential violation of 18 U.S.C. § 1030. During the course of this 
criminal investigation, the Secret Service identifies the malware and 
means of access used to acquire data from the victim's computer 
network. In order to enable other companies to mitigate their cyber 
risk based on current cyber crime methods, we quickly share information 
concerning the cybersecurity incident with the widest audience 
possible, while protecting grand jury information, the integrity of 
ongoing criminal investigations, and the victims' privacy. We share 
this cybersecurity information through:

    Our Department's National Cybersecurity & Communications 
        Integration Center (NCCIC);

    The Information Sharing and Analysis Centers (ISAC);

    Our ECTFs;

    The publication of joint industry notices;

    Our numerous partnerships developed over the past three 
        decades in investigating cyber crimes; and

    Contributions to leading industry and academic reports like 
        the Verizon Data Breach Investigations Report, the Trustwave 
        Global Security Report, and the Carnegie Mellon CERT Insider 
        Threat Study.

    As we share cybersecurity information discovered in the course of 
our criminal investigation, we also continue our investigation in order 
to apprehend and bring to justice those involved. Due to the inherent 
challenges in investigating transnational crime, particularly the lack 
of cooperation of some countries with law enforcement investigations, 
occasionally it takes years to finally apprehend the top tier criminals 
responsible. For example, Dmitriy Smilianets and Vladimir Drinkman were 
arrested in June 2012, as part of a multi-year Secret Service 
investigation, while they were traveling in the Netherlands 
thanks to the assistance of Dutch law enforcement. The alleged total 
fraud loss from their cyber crimes exceeds $105 million.
    As a part of our cyber crime investigations, the Secret Service 
also targets individuals who operate illicit infrastructure that 
supports the transnational organized cyber criminal. For example, in 
May 2013 the Secret Service, as part of a joint investigation through 
the Global Illicit Financial Team, shut down the digital currency 
provider Liberty Reserve. Liberty Reserve is alleged to have had more 
than one million users worldwide and to have laundered more than $6 
billion in criminal proceeds. This case is believed to be the largest 
money laundering case ever prosecuted in the United States and is being 
jointly prosecuted by the U.S. Attorney's Office for the Southern 
District of New York and DOJ's Asset Forfeiture and Money Laundering 
Section. In a coordinated action with the Department of the Treasury, 
Liberty Reserve was identified as a financial institution of primary 
money laundering concern under Section 311 of the USA PATRIOT Act, 
effectively cutting it off from the U.S. financial system.
Collaboration With Other Federal Agencies and International Law 
        Enforcement
    While cyber-criminals operate in a world without borders, the law 
enforcement community does not. The increasingly multi-national, multi-
jurisdictional nature of cyber crime cases has increased the time and 
resources needed for successful investigation and adjudication. The 
partnerships developed through our ECTFs, the support provided by our 
Criminal Investigative Division, the liaison established by our 
overseas offices, and the training provided to our special agents via 
Electronic Crimes Special Agent Program are all instrumental to the 
Secret Service's successful network intrusion investigations.
    One example of the Secret Service's success in these investigations 
is the case involving Heartland Payment Systems. As described in the 
August 2009 indictment, a transnational organized criminal group 
allegedly used various network intrusion techniques to breach security 
and navigate the credit card processing environment. Once inside the 
networks, they installed ``sniffer'' programs to capture card numbers, 
as well as password and account information. The Secret Service 
investigation, the largest and most complex data breach investigation 
ever prosecuted in the United States, revealed that data from more than 
130 million credit card accounts were at risk of being compromised and 
exfiltrated to a command and control server operated by an 
international group directly related to other ongoing Secret Service 
investigations. During the course of the investigation, the Secret 
Service uncovered that this international group committed other 
intrusions into multiple corporate networks to steal credit and debit 
card data. The Secret Service relied on various investigative methods, 
including subpoenas, search warrants, and Mutual Legal Assistance 
Treaty (MLAT) requests through our foreign law enforcement partners to 
identify three main suspects. As a result of the investigation, these 
primary suspects were indicted for various computer-related crimes. The 
lead defendant in the indictment pled guilty and was sentenced to 
twenty years in Federal prison. This investigation is ongoing with over 
100 additional victim companies identified.
    Recognizing these complexities, several Federal agencies are 
collaborating to investigate cases and identify proactive strategies. 
Greater collaboration within the Federal, State and local law 
enforcement community enhances information sharing, promotes efficiency 
in investigations, and facilitates efforts to de-conflict in cases of 
concurrent jurisdiction. For example, the Secret Service has 
collaborated extensively with DOJ's CCIPS, which ``prevents, 
investigates, and prosecutes computer crimes by working with other 
Government agencies, the private sector, academic institutions, and 
foreign counterparts.''\8\ The Secret Service's ECTFs are a natural 
complement to CCIPS, resulting in an excellent partnership over the 
years. In the last decade, nearly every major cyber investigation 
conducted by the Secret Service has benefited from CCIPS contributions.
---------------------------------------------------------------------------
    \8\ U.S. Department of Justice. (n.d.). Computer Crime & 
Intellectual Property Section: About CCIPS. Retrieved from http://
www.justice.gov/criminal/cybercrime/ccips.html.
---------------------------------------------------------------------------
    The Secret Service also maintains a positive relationship with the 
DOJ's Federal Bureau of Investigation (FBI). The Secret Service has a 
permanent presence at the National Cyber Investigative Joint Task Force 
(NCIJTF), which coordinates, integrates, and shares information related 
to investigations of national security cyber threats. The Secret 
Service also often partners with the FBI on various criminal cyber 
investigations. For example, in August 2010, a joint operation 
involving the Secret Service, FBI, and the Security Service of Ukraine 
(SBU), yielded the seizure of 143 computer systems--one of the largest 
international seizures of digital media gathered by U.S. law 
enforcement--consisting of 85 terabytes of data, which was eventually 
transferred to law enforcement authorities in the United States. The 
data was seized from a criminal Internet service provider located in 
Odessa, Ukraine, also referred to as a ``Bullet Proof Hoster.'' Thus 
far, the forensic analysis of these systems has already identified a 
significant amount of criminal information pertaining to numerous 
investigations currently underway by both agencies, including malware, 
criminal chat communications, and PII of U.S. citizens.
    The case of Vladislav Horohorin is another example of successful 
cooperation between the Secret Service and its law enforcement partners 
around the world. Mr. Horohorin, one of the world's most notorious 
traffickers of stolen financial information, was arrested on August 25, 
2010, pursuant to a U.S. arrest warrant issued by the Secret Service. 
Mr. Horohorin created the first fully automated online store which was 
responsible for selling stolen credit card data. Both CCIPS and the 
Office of International Affairs at DOJ played critical roles in this 
apprehension. Furthermore, as a result of information sharing, the FBI 
was able to bring additional charges against Mr. Horohorin for his 
involvement in a Royal Bank of Scotland network intrusion. This type of 
cooperation is crucial if law enforcement is to be successful in 
disrupting and dismantling criminal organizations involved in cyber 
crime.
    This case demonstrates the importance of international law 
enforcement cooperation. Through the Secret Service's 24 international 
field offices the Service develops close partnerships with numerous 
foreign law enforcement agencies in order to combat transnational 
crime. Successfully investigating transnational crime depends not only 
on the efforts of the Department of State and the DOJ's Office of 
International Affairs to establish and execute MLATs, and other forms 
of international law enforcement cooperation, but also on the personal 
relationships that develop between U.S. law enforcement officers and 
their foreign counterparts.
    Within DHS, the Secret Service benefits from a close relationship 
with Immigration and Customs Enforcement's Homeland Security 
Investigations (ICE-HSI). Since 1997, the Secret Service, ICE-HSI, and 
IRS-CI have jointly trained on computer investigations through the 
Electronic Crimes Special Agent Program (ECSAP). ICE-HSI is also a 
member of Secret Service ECTFs, and ICE-HSI and the Secret Service have 
partnered on numerous cyber crime investigations including the recent 
take down of the digital currency Liberty Reserve.
    To further its cybersecurity information sharing efforts, the 
Secret Service has strengthened its relationship with the National 
Protection and Programs Directorate (NPPD), including the NCCIC. As the 
Secret Service identifies malware, suspicious IPs and other information 
through its criminal investigations, it shares information with our 
Department's NCCIC. The Secret Service continues to build upon its 
full-time presence at NCCIC to coordinate its cyber programs with other 
Federal agencies.
    As a part of these efforts, and to ensure that information is 
shared in a timely and effective manner, the Secret Service has 
personnel assigned to the following DHS and non-DHS entities:

    NPPD's National Cybersecurity & Communications Integration 
        Center (NCCIC);

    NPPD's Office of Infrastructure Protection;

    DHS's Science and Technology Directorate (S&T);

    DOJ National Cyber Investigative Joint Task Force (NCIJTF);

    Each FBI Joint Terrorism Task Force (JTTF), including the 
        National JTTF;

    Department of the Treasury--Office of Terrorist Financing 
        and Financial Crimes (TFFC);

    Department of the Treasury--Financial Crimes Enforcement 
        Network (FinCEN);

    Central Intelligence Agency;

    DOJ, International Organized Crime and Intelligence 
        Operations Center (IOC-2);

    Drug Enforcement Administration's Special Operations 
        Division;

    EUROPOL; and

    INTERPOL.

    The Secret Service is committed to ensuring that all its 
information sharing activities comply with applicable laws, 
regulations, and policies, including those that pertain to privacy and 
civil liberties.
Secret Service Framework
    To protect our financial infrastructure, industry, and the American 
public, the Secret Service has adopted a multi-faceted approach to 
aggressively combat cyber and computer-related crimes.
Electronic Crimes Task Forces
    In 1995, the Secret Service New York Field Office established the 
New York Electronic Crimes Task Force (ECTF) to combine the resources 
of academia, the private sector, and local, State and Federal law 
enforcement agencies to combat computer-based threats to our financial 
payment systems and critical infrastructures. In 2001, Congress 
directed the Secret Service to establish a nationwide network of ECTFs 
to ``prevent, detect, and investigate various forms of electronic 
crimes, including potential terrorist attacks against critical 
infrastructure and financial payment systems.''\9\
---------------------------------------------------------------------------
    \9\ See Public Law 107-56 Section 105 (appears as note following 18 
U.S.C. § 3056).
---------------------------------------------------------------------------
    Secret Service field offices currently operate 33 ECTFs, including 
two based overseas in Rome, Italy, and London, England. Membership in 
our ECTFs includes: over 4,000 private sector partners; over 2,500 
international, Federal, State and local law enforcement partners; and 
over 350 academic partners. By joining our ECTFs, our partners benefit 
from the resources, information, expertise and advanced research 
provided by our international network of members while focusing on 
issues with significant regional impact.
Cyber Intelligence Section
    Another example of our partnership approach with private industry 
is our Cyber Intelligence Section (CIS) which analyzes evidence 
collected as a part of Secret Service investigations and disseminates 
information in support of Secret Service investigations worldwide and 
generates new investigative leads based upon its findings. CIS 
leverages technology and information obtained through private sector 
partnerships to monitor developing technologies and trends in the 
financial payments industry for information that may be used to enhance 
the Secret Service's capabilities to prevent and mitigate attacks 
against the financial and critical infrastructures. CIS also has an 
operational unit that investigates international cyber-criminals 
involved in cyber-intrusions, identity theft, credit card fraud, bank 
fraud, and other computer-related crimes. The information and 
coordination provided by CIS is a crucial element to successfully 
investigating, prosecuting, and dismantling international criminal 
organizations.
Electronic Crimes Special Agent Program
    A central component of the Secret Service's cyber-crime 
investigations is its Electronic Crimes Special Agent Program (ECSAP), 
which is comprised of nearly 1,400 Secret Service special agents who 
have received at least one of three levels of computer crimes-related 
training.
    Level I--Basic Investigation of Computers and Electronic Crimes 
(BICEP): The BICEP training program focuses on the investigation of 
electronic crimes and provides a brief overview of several aspects 
involved with electronic crimes investigations. This program provides 
Secret Service agents and our State and local law enforcement partners 
with a basic understanding of computers and electronic crime 
investigations and is now part of our core curriculum for newly hired 
special agents.
    Level II--Network Intrusion Responder (ECSAP-NI): ECSAP-NI training 
provides special agents with specialized training and equipment that 
allows them to respond to and investigate network intrusions. These may 
include intrusions into financial sector computer systems, corporate 
storage servers, or various other targeted platforms. The Level II 
trained agent will be able to identify critical artifacts that will 
allow for effective investigation of identity theft, malicious hacking, 
unauthorized access, and various other related electronic crimes.
    Level III--Computer Forensics (ECSAP-CF): ECSAP-CF training 
provides special agents with specialized training and equipment that 
allows them to investigate and forensically obtain digital evidence to 
be utilized in the prosecution of various electronic crimes cases, as 
well as criminally focused protective intelligence cases.
    These agents are deployed in Secret Service field offices 
throughout the world and have received extensive training in forensic 
identification, as well as the preservation and retrieval of 
electronically stored evidence. ECSAP-trained agents are computer 
investigative specialists, qualified to conduct examinations on all 
types of electronic evidence. These special agents are equipped to 
investigate the continually evolving arena of electronic crimes and 
have proven invaluable in the successful prosecution of criminal groups 
involved in computer fraud, bank fraud, identity theft, access device 
fraud and various other electronic crimes targeting our financial 
institutions and private sector.
National Computer Forensics Institute
    The National Computer Forensics Institute (NCFI) initiative is the 
result of a partnership between the Secret Service, NPPD, the State of 
Alabama, and the Alabama District Attorney's Association. The goal of 
this facility is to provide a national standard of training for a 
variety of electronic crimes investigations. The program offers State 
and local law enforcement officers, prosecutors, and judges the 
training necessary to conduct computer forensics examinations. 
Investigators are trained to respond to network intrusion incidents and 
to conduct electronic crimes investigations. Since opening in 2008, the 
institute has held over 110 cyber and digital forensics courses in 13 
separate subjects and trained and equipped more than 2,500 State and 
local officials, including more than 1,600 police investigators, 570 
prosecutors and 180 judges from all 50 States and three U.S. 
territories. These NCFI graduates represent more than 1,000 agencies 
nationwide.
Partnerships with Academia
    In August 2000, the Secret Service and Carnegie Mellon University 
Software Engineering Institute (SEI) established the Secret Service 
CERT \10\ Liaison Program to provide technical support, opportunities 
for research and development, as well as public outreach and education 
to more than 150 scientists and researchers in the fields of computer 
and network security, malware analysis, forensic development, training 
and education. Supplementing this effort is research into emerging 
technologies being used by cyber-criminals and development of 
technologies and techniques to combat them.
---------------------------------------------------------------------------
    \10\ CERT--not an acronym--conducts empirical research and analysis 
to develop and transition socio-technical solutions to combat insider 
cyber threats.
---------------------------------------------------------------------------
    The primary goals of the program are: to broaden the Secret 
Service's knowledge of software engineering and networked systems 
security; to expand and strengthen partnerships and relationships with 
the technical and academic communities; to partner with CERT-SEI and 
Carnegie Mellon University to support research and development to 
improve the security of cyberspace and improve the ability of law 
enforcement to investigate crimes in a digital age; and to present the 
results of this partnership at the quarterly meetings of our ECTFs.
    In August 2004, the Secret Service partnered with CERT-SEI to 
publish the first ``Insider Threat Study'' examining the illicit cyber 
activity and insider fraud in the banking and finance sector. Due to 
the overwhelming response to this initial study, the Secret Service and 
CERT-SEI, in partnership with DHS Science & Technology (S&T), updated 
the study and released the most recent version just last year, which is 
published at http://www.cert.org/insider_threat/.
    To improve law enforcement's ability to investigate crimes 
involving mobile devices, the Secret Service opened the Cell Phone 
Forensic Facility at the University of Tulsa in 2008. This facility has 
a three-pronged mission: (1) training Federal, State and local law 
enforcement agents in embedded device forensics; (2) developing novel 
hardware and software solutions for extracting and analyzing digital 
evidence from embedded devices; and (3) applying the hardware and 
software solutions to support criminal investigations conducted by the 
Secret Service and its partner agencies. To date, investigators trained 
at the Cell Phone Forensic Facility have completed more than 6,500 
examinations on cell phone and embedded devices nationwide. Secret 
Service agents assigned to the Tulsa facility have contributed to over 
300 complex cases that have required the development of sophisticated 
techniques and tools to extract critical evidence.
    These collaborations with academia, among others, have produced 
valuable innovations that have helped strengthen the cyber ecosystem 
and improved law enforcement's ability to investigate cyber crime. The 
Secret Service will continue to partner closely with academia and DHS 
S&T, particularly the Cyber Forensics Working Group, to support 
research and development of innovative tools and methods to support 
criminal investigations.
Legislative Action to Combat Data Breaches
    While there is no single solution to prevent data breaches of U.S. 
customer information, legislative action could help to improve the 
Nation's cybersecurity, reduce regulatory costs on U.S. companies, and 
strengthen law enforcement's ability to conduct effective 
investigations. The Administration previously proposed law enforcement 
provisions related to computer security through a letter from OMB 
Director Lew to Congress on May 12, 2011, highlighting the importance 
of additional tools to combat emerging criminal practices. We continue 
to support changes like these that will keep up with rapidly evolving 
technologies and uses.
Conclusion
    The Secret Service is committed to safeguarding the Nation's 
financial payment systems by investigating and dismantling criminal 
organizations involved in cyber crime. Responding to the growth in 
these types of crimes and the level of sophistication these criminals 
employ requires significant resources and greater collaboration among 
law enforcement and its public and private sector partners. 
Accordingly, the Secret Service dedicates significant resources to 
improving investigative techniques, providing training for law 
enforcement partners, and raising public awareness. The Secret Service 
will continue to be innovative in its approach to cyber crime and cyber 
security and is pleased that the Committee recognizes the magnitude of 
these issues and the evolving nature of these crimes.
                                 ______
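    The Secret Service statement above notes that a breached company is usually identified by a third party that finds the "common point of origin" of card data being trafficked in an underground marketplace. In the payment industry this is common point of purchase (CPP) analysis: an issuer takes the cards that appear in a dump, looks at where those cards were all used in the weeks before the dump surfaced, and compares that against the rest of its portfolio so that a merchant everyone uses is not mistaken for the breach. The following is an added worked example written for this page; it is not Secret Service, issuer, or marketplace code, and nothing in the hearing record describes these details. All data in it is constructed: the card numbers are the publicly documented industry test numbers, the merchant names, dates, analysis window, and the pipe-delimited listing format are invented, and the authorization-log schema is a simplified assumption.

```python
"""Added example: from a trafficked card listing to a likely breached merchant.

Illustrative code written for this page, not Secret Service or issuer software.
Every record below is constructed: PANs are industry-standard test numbers,
merchants and dates are invented, and the authorization schema is assumed.
"""
from collections import defaultdict
from datetime import date

# Constructed marketplace listing (assumed format: PAN|expiry|ZIP). One line
# fails the Luhn check and one is malformed, as real dumps routinely are.
DUMP_LISTING = """\
4111111111111111|0916|30301
5555555555554444|1115|30303
378282246310005|0317|30305
6011111111111117|0517|30309
4111111111111112|0916|30301
notacard|0000|00000
"""

# Constructed issuer cards that are NOT on the dump (control population).
CONTROL_PANS = [
    "4012888888881881", "5105105105105100",
    "3530111333300000", "6011000990139424",
]

# Assumed analysis window: the weeks before the dump appeared for sale.
DEFAULT_WINDOW = (date(2013, 11, 15), date(2013, 11, 30))


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects non-digit strings and implausible lengths."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_dump(text: str) -> set:
    """Extract Luhn-valid PANs from a pipe-delimited listing; skip junk lines."""
    pans = set()
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 3:
            continue
        pan = fields[0].strip()
        if luhn_ok(pan):
            pans.add(pan)
    return pans


def build_auth_log(compromised: list, control: list) -> list:
    """Constructed authorization history as (PAN, merchant, date) tuples."""
    log = []
    # Every card fuels up at the same chain: a merchant shared by all victims
    # that a naive "where did all the victims shop?" check would flag.
    for pan in compromised + control:
        log.append((pan, "BIG-GAS-CHAIN #17", date(2013, 11, 20)))
    # Only the victims, plus one legitimate customer, visited the retailer
    # inside the window.
    for pan in compromised:
        log.append((pan, "RETAILER-042", date(2013, 11, 22)))
    log.append((control[0], "RETAILER-042", date(2013, 11, 23)))
    # A control card visited the retailer before the window: ignored.
    log.append((control[1], "RETAILER-042", date(2013, 10, 1)))
    # Half the victims share a coffee shop: a weak, partial signal.
    for pan in compromised[:2]:
        log.append((pan, "COFFEE-3", date(2013, 11, 24)))
    # Control-only noise.
    for pan in control:
        log.append((pan, "GROCERY-9", date(2013, 11, 25)))
    return log


def common_point_of_purchase(compromised, auth_log, start, end,
                             min_victim_share=0.5, min_lift=1.5):
    """Rank merchants by victim coverage and over-representation vs. controls.

    Returns (merchant, victim_share, control_share, lift) tuples, best first.
    victim_share: fraction of victim cards seen at the merchant in the window.
    control_share: the same fraction for non-victim cards.
    lift: victim_share over a smoothed control_share, so a merchant with zero
    control visits yields neither a division by zero nor an infinite score.
    """
    seen = defaultdict(set)
    all_cards = set()
    for pan, merchant, when in auth_log:
        all_cards.add(pan)
        if start <= when <= end:
            seen[merchant].add(pan)
    victims = set(compromised) & all_cards    # only cards this issuer holds
    control = all_cards - victims
    if not victims:
        return []
    results = []
    for merchant, cards in seen.items():
        v_hits = len(cards & victims)
        c_hits = len(cards & control)
        victim_share = v_hits / len(victims)
        control_share = c_hits / len(control) if control else 0.0
        lift = victim_share / ((c_hits + 0.5) / (len(control) + 1))
        if victim_share >= min_victim_share and lift >= min_lift:
            results.append((merchant, victim_share, control_share, lift))
    results.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return results


def run_example():
    victims = parse_dump(DUMP_LISTING)
    log = build_auth_log(sorted(victims), CONTROL_PANS)
    return common_point_of_purchase(victims, log, *DEFAULT_WINDOW)


if __name__ == "__main__":
    for merchant, vs, cs, lift in run_example():
        print(f"{merchant:20s} victims={vs:.2f} control={cs:.2f} lift={lift:.1f}")
```

    On the constructed data the gas chain is visited by every victim but also by every control card, so its lift is close to 1 and it is dropped; the retailer covers every victim with only one control visit in the window and ranks first; the coffee shop survives as a weaker candidate because it covers half the victims. The two thresholds are deliberately conservative defaults, and in practice the window would be set from the earliest fraud date on the affected cards rather than fixed in advance.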
                                 
                   PREPARED STATEMENT OF JESSICA RICH
             Director of the Bureau of Consumer Protection
                        Federal Trade Commission
                            February 3, 2014
I. INTRODUCTION
    Chairman Warner, Ranking Member Kirk, and Members of the 
Subcommittee, I am Jessica Rich, Director of the Bureau of Consumer 
Protection at the Federal Trade Commission (``FTC'' or 
``Commission'').\1\ I appreciate the opportunity to present the 
Commission's testimony on data security.
---------------------------------------------------------------------------
    \1\ This written statement presents the views of the Federal Trade 
Commission. My oral statements and responses to questions are my own 
and do not necessarily reflect the views of the Commission or of any 
Commissioner.
---------------------------------------------------------------------------
    As recent publicly announced data breaches remind us,\2\ consumers' 
information is subject to a variety of risks. Hackers and others seek 
to exploit vulnerabilities, obtain unauthorized access to consumers' 
sensitive information, and potentially misuse it in ways that can cause 
serious harms to consumers as well as businesses. And in this 
increasingly interconnected economy, all of this takes place against 
the background of the threat of identity theft, a pernicious crime that 
harms both consumers and financial institutions. The Bureau of Justice 
Statistics estimates that 16.6 million persons--or 7 percent of all 
U.S. residents ages 16 and older--were victims of identity theft in 
2012.\3\
---------------------------------------------------------------------------
    \2\ See Elizabeth A. Harris & Nicole Perlroth, For Target, the 
Breach Numbers Grow, N.Y. Times, Jan. 10, 2014, available at http://
www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-
customers.html (discussing recently announced breaches involving 
payment card information by Target and Neiman Marcus); Nicole Perlroth, 
Michaels Stores Is Investigating Data Breach, N.Y. Times, Jan. 25, 
2014, available at http://www.nytimes.com/2014/01/26/technology/
michaels-stores-is-investigating-data-breach.html (announcement of 
potential security breach involving payment card information).
    \3\ See Bureau of Justice Statistics, Victims of Identity Theft, 
2012 (Dec. 2013), available at http://www.bjs.gov/content/pub/pdf/
vit12.pdf.
---------------------------------------------------------------------------
    As the Nation's leading privacy enforcement agency, the FTC is 
committed to protecting consumer privacy and promoting data security in 
the private sector and has settled 50 law enforcement actions against 
businesses that we alleged failed to protect consumers' personal 
information appropriately. Data security is of critical importance to 
consumers. If companies do not protect the personal information they 
collect and store, that information could fall into the wrong hands, 
resulting in fraud and other harm, along with a potential loss of 
consumer confidence in particular business sectors or entities, payment 
methods, or types of transactions. Accordingly, the Commission has 
undertaken substantial efforts for over a decade to promote data 
security in the private sector through civil law enforcement, 
education, and policy initiatives.
    This testimony offers an overview of the Commission's recent 
efforts in the enforcement, education, and policy areas. It then 
describes the FTC's cooperation with Federal and State agencies on 
issues of privacy and data security. Finally, while the testimony does 
not offer views on any particular legislation, the Commission 
reiterates its bipartisan support for Congress to enact data security 
legislation that would (1) strengthen its existing authority governing 
data security standards on companies and (2) require companies, in 
appropriate circumstances, to provide notification to consumers when 
there is a security breach.\4\
---------------------------------------------------------------------------
    \4\ The Commission has long supported data security and breach 
notification legislation. See, e.g., Prepared Statement of the Federal 
Trade Commission, ``Privacy and Data Security: Protecting Consumers in 
the Modern World,'' Before the Senate Committee on Commerce, Science, 
and Transportation, 112th Cong., June 29, 2011, available at http://
www.ftc.gov/sites/default/files/documents/public_statements/prepared-
statement-federal-tradecommission-privacy-and-data-security-protecting-
consumers-modern/110629privacytestimonybrill.pdf; Prepared Statement of 
the Federal Trade Commission, ``Data Security,'' Before Subcommittee on 
Commerce, Manufacturing, and Trade of the House Committee on Energy and 
Commerce, 112th Cong., June 15, 2011, available at http://www.ftc.gov/
sites/default/files/documents/public_statements/preparedstatement-
federal-trade-commission-data-security/110615datasecurity
house.pdf; FTC, Security in Numbers, SSNs and ID Theft (Dec. 2008), 
available at http://www.ftc.gov/sites/default/files/documents/reports/
security-numbers-social-security-numbers-and-identity-theft-federal-
trade-commission-report/p075414ssnreport.pdf; President's Identity 
Theft Task Force, Identity Theft Task Force Report (Sept. 2008), 
available at http://www.ftc.gov/sites/default/files/documents/reports/
presidents-identity-theft-task-force-report/081021taskforcereport.pdf.
---------------------------------------------------------------------------
II. THE COMMISSION'S DATA SECURITY PROGRAM
A. Law Enforcement
    To promote data security, the Commission enforces several statutes 
and rules that impose obligations upon businesses that collect and 
maintain consumer data. The Commission's Safeguards Rule, which 
implements the Gramm-Leach-Bliley Act (``GLB Act''), for example, 
provides data security requirements for nonbank financial 
institutions.\5\ The Fair Credit Reporting Act (``FCRA'') requires 
consumer reporting agencies to use reasonable procedures to ensure that 
the entities to which they disclose sensitive consumer information have 
a permissible purpose for receiving that information,\6\ and imposes 
safe disposal obligations on entities that maintain consumer report 
information.\7\ The Children's Online Privacy Protection Act (COPPA) 
requires reasonable security for children's information collected 
online.\8\
---------------------------------------------------------------------------
    \5\ 16 C.F.R. Part 314, implementing 15 U.S.C. § 6801(b).
    \6\ 15 U.S.C. § 1681e.
    \7\ Id. at § 1681w. The FTC's implementing rule is at 16 C.F.R. 
Part 682.
    \8\ 15 U.S.C. §§ 6501-6506; see also 16 C.F.R. Part 312 (``COPPA 
Rule'').
---------------------------------------------------------------------------
    In addition, the Commission enforces the proscription against 
unfair or deceptive acts or practices in Section 5 of the FTC Act.\9\ 
If a company makes materially misleading statements or omissions about 
a matter, including data security, and such statements or omissions are 
likely to mislead reasonable consumers, they can be found to be 
deceptive in violation of Section 5.\10\ Using its deception authority, 
the Commission has settled more than 30 matters challenging companies' 
express and implied claims that they provide reasonable security for 
consumers' personal data. Further, if a company's data security 
practices cause or are likely to cause substantial injury to consumers 
that is neither reasonably avoidable by consumers nor outweighed by 
countervailing benefits to consumers or to competition, those practices 
can be found to be unfair and violate Section 5.\11\ The Commission has 
settled more than 20 cases alleging that a company's failure to 
reasonably safeguard consumer data was an unfair practice.\12\
---------------------------------------------------------------------------
    \9\ 15 U.S.C. § 45(a).
    \10\ See Federal Trade Commission Policy Statement on Deception, 
appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984).
    \11\ See Federal Trade Commission Policy Statement on Unfairness, 
appended to Int'l Harvester Co., 104 F.T.C. 949, 1070 (1984) (``FTC 
Unfairness Statement'').
    \12\ Some of the Commission's data security settlements allege both 
deception and unfairness.
---------------------------------------------------------------------------
    In the data security context, the FTC conducts its investigations 
with a focus on reasonableness--a company's data security measures must 
be reasonable and appropriate in light of the sensitivity and volume of 
consumer information it holds, the size and complexity of its business, 
and the cost of available tools to improve security and reduce 
vulnerabilities.\13\ In each investigation, the Commission examines 
such factors as whether the risks at issue were well known or 
reasonably foreseeable, the costs and benefits of implementing various 
protections, and the tools that are currently available and used in the 
marketplace.
---------------------------------------------------------------------------
    \13\ In many of the FTC's data security cases based on deception, 
the company has made an express or implied claim that its information 
security practices are reasonable, which is analyzed through the same 
lens.
---------------------------------------------------------------------------
    Since 2001, the Commission has used its authority to settle 50 
cases against businesses that it charged with failing to provide 
reasonable protections for consumers' personal information.\14\ In each 
of these cases, the Commission has examined a company's practices as a 
whole and challenged alleged data security failures that were multiple 
and systemic. Through these settlements, the Commission has made clear 
that reasonable and appropriate security is a continuous process of 
assessing and addressing risks; that there is no one-size-fits-all data 
security program; that the Commission does not require perfect 
security; and that the mere fact that a breach occurred does not mean 
that a company has violated the law.
---------------------------------------------------------------------------
    \14\ See Commission Statement Marking the FTC's 50th Data Security 
Settlement, Jan. 31, 2014, available at http://www.ftc.gov/system/
files/documents/cases/140131gmrstatement.pdf.
---------------------------------------------------------------------------
    In its most recent case, the FTC entered into a settlement with GMR 
Transcription Services, Inc., a company that provides audio file 
transcription services for its clients--which includes health care 
providers.\15\ According to the complaint, GMR relies on service 
providers and independent typists to perform this work, and conducts 
its business primarily over the Internet by exchanging audio files and 
transcripts with customers and typists by loading them on a file 
server. As a result of GMR's alleged failure to implement reasonable 
and appropriate security measures or to ensure its service providers 
also implemented reasonable and appropriate security, at least 15,000 
files containing sensitive personal information--including consumers' 
names, birth dates, and medical histories--were available to anyone on 
the Internet. The Commission's order prohibits GMR from making 
misrepresentations about privacy and security, and requires the company 
to implement a comprehensive information security program and undergo 
independent audits for the next 20 years.
---------------------------------------------------------------------------
    \15\ In the Matter of GMR Transcription Servs., Inc., et al., 
Matter No. 112-3120 (Dec. 16, 2013), available at http://www.ftc.gov/
news-events/press-releases/2014/01/provider-medical-transcript-
services-settles-ftc-charges-it.
---------------------------------------------------------------------------
    The FTC also recently announced a case against TRENDnet, which 
involved a video camera designed to allow consumers to monitor their 
homes remotely.\16\ The complaint alleges that TRENDnet marketed its 
SecurView cameras for purposes ranging from baby monitoring to home 
security. Although TRENDnet claimed that the cameras were ``secure,'' 
they had faulty software that left them open to online viewing, and in 
some instances listening, by anyone with the cameras' Internet address. 
This resulted in hackers posting 700 consumers' live feeds on the 
Internet. Under the FTC settlement, TRENDnet must maintain a 
comprehensive security program, obtain outside audits, notify consumers 
about the security issues and the availability of software updates to 
correct them, and provide affected customers with free technical 
support for the next 2 years.
---------------------------------------------------------------------------
    \16\ In the Matter of TRENDnet, Inc., Matter No. 122-3090 (Sept. 4, 
2013), available at http://www.ftc.gov/opa/2013/09/trendnet.shtm.
---------------------------------------------------------------------------
    Finally, one of the best-known FTC data security cases is the 2006 
action against ChoicePoint, Inc., a data broker that allegedly sold 
sensitive information (including Social Security numbers in some 
instances) concerning more than 160,000 consumers to data thieves 
posing as ChoicePoint clients.\17\ In many instances, the thieves used 
that information to steal the consumers' identities. The Commission 
alleged that ChoicePoint failed to use reasonable procedures to screen 
prospective purchasers of the consumers' information and ignored 
obvious security red flags. For example, the FTC alleged that the 
company approved as purchasers individuals who lied about their 
credentials, used commercial mail drops as business addresses, and 
faxed multiple applications from public commercial photocopying 
facilities. In settling the case, ChoicePoint agreed to pay $10 million 
in civil penalties for violations of the FCRA and $5 million in 
consumer redress for identity theft victims, and agreed to undertake 
comprehensive data security measures.\18\
---------------------------------------------------------------------------
    \17\ United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga.) 
(settlement entered on Feb. 15, 2006), available at http://www.ftc.gov/
enforcement/cases-and-proceedings/cases/2010/09/choicepoint-inc.
    \18\ In 2009, the Commission charged that the company violated the 
earlier court order and obtained a stipulated modified order under 
which ChoicePoint agreed to expand its data security obligations and 
pay monetary relief in the amount of $275,000. United States v. 
ChoicePoint, Inc., No. 1:06-CV-0198-JTC (N.D. Ga. 2009) (settlement 
entered on Oct. 14, 2009).
---------------------------------------------------------------------------
B. Policy Initiatives
    The Commission also undertakes policy initiatives to promote 
privacy and data security. For example, through its reports, the FTC 
has encouraged companies to provide reasonable security for consumer 
data by following certain key principles.\19\ First, companies should 
know what consumer information they have and what personnel or third 
parties have, or could have, access to it. Understanding how 
information moves into, through, and out of a business is essential to 
assessing its security vulnerabilities. Second, companies should limit 
the information they collect and retain based on their legitimate 
business needs, so that needless storage of data does not create 
unnecessary risks of unauthorized access to the data. Third, businesses 
should protect the information they maintain by assessing risks and 
implementing protections in certain key areas--physical security, 
electronic security, employee training, and oversight of service 
providers. Fourth, companies should properly dispose of information 
that they no longer need. Finally, companies should have a plan in 
place to respond to security incidents, should they occur.\20\
---------------------------------------------------------------------------
    \19\ FTC Report, Protecting Privacy in an Era of Rapid Change: 
Recommendations for Businesses and Policymakers (Mar. 2012), available 
at http://www.ftc.gov/sites/default/files/documents/reports/federal-
trade-commission-report-protecting-consumer-privacy-era-rapid-change-
recommendations/120326privacyreport.pdf.
    \20\ Id. at 24-32.
---------------------------------------------------------------------------
    The FTC also hosts workshops on business practices and technologies 
affecting consumer data. For example, in November, the FTC held a 
workshop on the phenomenon known as the ``Internet of Things''--i.e., 
Internet-connected refrigerators, thermostats, cars, and other products 
and services that can communicate with each other and/or consumers.\21\ 
The workshop brought together academics, industry representatives, and 
consumer advocates to explore the security and privacy issues from 
increased connectivity in everyday devices, in areas as diverse as 
smart homes, connected health and fitness devices, and connected cars. 
Also, last June, the Commission hosted a public forum on mobile 
security issues, including potential threats to U.S. consumers and 
possible solutions to them.\22\ The forum brought together technology 
researchers, industry members and academics to explore the security of 
existing and developing mobile technologies and the roles various 
members of the mobile ecosystem can play in protecting consumers from 
potential security threats.
---------------------------------------------------------------------------
    \21\ FTC Workshop, Internet of Things: Privacy & Security in a 
Connected World (Nov. 19, 2013), available at http://www.ftc.gov/bcp/
workshops/internet-of-things/.
    \22\ FTC Workshop, Mobile Security: Potential Threats and Solutions 
(June 4, 2013), available at http://www.ftc.gov/bcp/workshops/mobile-
security/.
---------------------------------------------------------------------------
    The Commission has also hosted programs on emerging forms of 
identity theft, such as child identity theft and senior identity theft. 
In these programs, the Commission discussed unique challenges facing 
children and seniors, and worked with stakeholders to develop outreach 
for these two communities. Since the workshops took place, the 
Commission has continued to engage in such tailored outreach.
C. Consumer Education and Business Guidance
    The Commission is also committed to promoting better data security 
practices through consumer education and business guidance. On the 
consumer education front, the Commission sponsors OnGuard Online, a Web 
site designed to educate consumers about basic computer security.\23\ 
OnGuard Online and its Spanish-language counterpart, Alerta en 
Linea,\24\ average more than 2.2 million unique visits per year. Also, 
as part of its efforts to educate consumers about identity theft, 
Commission staff have worked with Members of Congress to host numerous 
town hall meetings on identity theft in order to educate their 
constituents. And, for consumers who may have been affected by the 
recent Target and other breaches, the FTC posted information online 
about steps they should take to protect themselves.\25\
---------------------------------------------------------------------------
    \23\ See http://www.onguardonline.gov.
    \24\ See http://www.alertaenlinea.gov.
    \25\ See Nicole Vincent Fleming, An Unfortunate Fact About 
Shopping, FTC Consumer Blog, http://www.consumer.ftc.gov/blog/
unfortunate-fact-about-shopping (Jan. 27, 2014); Nicole Vincent 
Fleming, Are you affected by the recent Target hack?, FTC Consumer 
Blog, https://www.consumer.ftc.gov/blog/are-you-affected-recent-target-
hack. In addition to these materials posted in response to recent 
breaches, the FTC has long published a victim recovery guide and other 
resources to explain the immediate steps identity theft victims should 
take to address the crime; how to obtain a free credit report and 
correct fraudulent information in credit reports; how to file a police 
report; and how to protect their personal information. See http://
www.consumer.ftc.gov/features/feature-0014-identity-theft.
---------------------------------------------------------------------------
    The Commission directs its outreach to businesses as well. The FTC 
widely disseminates its business guide on data security,\26\ along with 
an online tutorial based on the guide.\27\ These resources are designed 
to provide a variety of businesses--and especially small businesses--
with practical, concrete advice as they develop data security programs 
and plans for their companies.
---------------------------------------------------------------------------
    \26\ See Protecting Personal Information: A Guide for Business, 
available at http://business.ftc.gov/documents/bus69-protecting-
personal-information-guide-business.
    \27\ See Protecting Personal Information: A Guide for Business 
(Interactive Tutorial), available at http://business.ftc.gov/
multimedia/videos/protecting-personal-information.
---------------------------------------------------------------------------
    The Commission has also released articles directed toward a 
nonlegal audience regarding basic data security issues for 
businesses.\28\ For example, because mobile applications (``apps'') and 
devices often rely on consumer data, the FTC has developed specific 
security guidance for mobile app developers as they create, release, 
and monitor their apps.\29\ The FTC also creates business educational 
materials on specific topics--such as the risks associated with peer-
to-peer (``P2P'') file-sharing programs and companies' obligations to 
protect consumer and employee information from these risks\30\ and how 
to properly secure and dispose of information on digital copiers.\31\
---------------------------------------------------------------------------
    \28\ See generally http://www.business.ftc.gov/privacy-and-
security/data-security.
    \29\ See Mobile App Developers: Start with Security (Feb. 2013), 
available at http://business.ftc.gov/documents/bus83-mobile-app-
developers-start-security.
    \30\ See Peer-to-Peer File Sharing: A Guide for Business (Jan. 
2010), available at http://business.ftc.gov/documents/bus46-peer-peer-
file-sharing-guide-business.
    \31\ See Copier Data Security: A Guide for Business (Nov. 2010), 
available at http://business.ftc.gov/documents/bus43-copier-data-
security.
---------------------------------------------------------------------------
III. COOPERATION WITH STATE AND FEDERAL AGENCIES
    The Commission has a long history of working closely with Federal 
and State agencies, as well as the private sector, to further its 
mission of promoting privacy and data security. State, Federal, and 
private sector entities each have served a unique role in data 
security: States have innovated by passing data breach notification 
laws; Federal banking agencies have protected consumers' security in 
the banking sector; the FTC has protected the security of consumers' 
information in retail, technology, and other sectors; Federal criminal 
law enforcement agencies have prosecuted identity thieves; credit 
reporting agencies have provided credit monitoring services to 
consumers in the event of a breach; and trade associations sponsor 
educational seminars and publish guidance to help their members 
understand their legal obligations.
    In terms of cooperation with States, the FTC works closely with 
State Attorneys General to ensure that we coordinate our investigations 
and leverage our resources most effectively. For example, in one of the 
largest FTC-State coordinated settlements on record, LifeLock, Inc. 
agreed to pay $11 million to the FTC and $1 million to 35 State 
Attorneys General to settle charges that the company used false claims 
to promote its identity theft protection services.\32\ As part of the 
settlement, LifeLock and its principals are barred from making 
deceptive claims and required to take more stringent measures to 
safeguard the personal information they collect from customers. The FTC 
also coordinated with the State AGs on cases such as TJX\33\ and 
ChoicePoint.\34\
---------------------------------------------------------------------------
    \32\ FTC v. LifeLock, Inc., et al., No. 2:10-cv-00530-NVW (D. 
Ariz.) (filed Mar. 9, 2010), available at http://www.ftc.gov/
enforcement/cases-and-proceedings/cases/2010/11/lifelock-inc-
corporation.
    \33\ In the Matter of The TJX Cos., Inc., No. C-4227 (F.T.C. July 
29, 2008), available at http://www.ftc.gov/enforcement/cases-and-
proceedings/cases/2008/08/tjx-companies-inc-matter; see also Press 
Release, Agency Announces Settlement of Separate Actions Against 
Retailer TJX, and Data Brokers Reed Elsevier and Seisent for Failing to 
Provide Adequate Security for Consumers' Data (Mar. 27, 2008), 
available at http://www.ftc.gov/news-events/press-releases/2008/03/
agency-announces-settlement-separate-actions-against-retailer-tjx 
(citing the Commission's coordination with 39 State Attorneys General).
    \34\ United States v. ChoicePoint, Inc., supra note 17; see also 
Press Release, ChoicePoint Settles Data Security Breach Charges; to Pay 
$10 Million in Civil Penalties, $5 Million for Consumer Redress (Jan. 
26, 2006), available at http://www.ftc.gov/news-events/press-releases/
2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million 
(mentioning the FTC's cooperation with the Department of Justice and 
Securities and Exchange Commission).
---------------------------------------------------------------------------
    In terms of Federal enforcement cooperation, the FTC has worked 
with criminal law enforcement agencies such as the Federal Bureau of 
Investigation and Secret Service. The goals of FTC and Federal criminal 
law enforcement agencies are complementary: FTC actions send a message 
that businesses need to protect their customers' data on the front end, 
and criminal law enforcement actions send a message to identity 
thieves, fraudsters, and other criminals that their efforts to 
victimize consumers will be punished.
    The FTC also works closely with State and Federal agencies to 
educate consumers and businesses on issues involving data security and 
privacy. For example, identity theft has been the top consumer 
complaint to the FTC for 13 consecutive years, and tax identity theft--
which often begins by thieves obtaining Social Security numbers and 
other personal information from consumers in order to obtain their tax 
refund--has been an increasing share of the Commission's identity theft 
complaints.\35\ Just last month, the FTC hosted 16 events across the 
country, along with a series of national Webinars and Twitter chats as 
part of Tax Identity Theft Awareness Week.\36\ The events, which 
included representatives of the Internal Revenue Service, the American 
Association of Retired Persons, and local U.S. Attorney's offices, were 
designed to raise awareness about tax identity theft and provide 
consumers with tips on how to protect themselves, and what to do if 
they become victims.
---------------------------------------------------------------------------
    \35\ In 2012, tax identity theft accounted for more than 43 percent 
of the identity theft complaints, making it the largest category of 
identity theft complaints by a substantial margin. See Press Release, 
FTC Releases Top 10 Complaint Categories for 2012 (Feb. 26, 2013), 
available at http://www.ftc.gov/newsevents/press-releases/2013/02/ftc-
releases-top-10-complaint-categories-2012.
    \36\ Press Release, FTC's Tax Identity Theft Awareness Week Offers 
Consumers Advice, Guidance (Jan. 10, 2014), available at http://
www.ftc.gov/news-events/press-releases/2014/01/ftcs-tax-identity-theft-
awareness-week-offers-consumers-advice.
---------------------------------------------------------------------------
IV. CONCLUSION
    Thank you for the opportunity to provide the Commission's views on 
data security. The FTC remains committed to promoting reasonable 
security for consumer data and we look forward to continuing to work 
with Congress on this critical issue.
                                 ______
                                 
                 PREPARED STATEMENT OF JAMES A. REUTER
                  Executive Vice President, FirstBank,
             on behalf of the American Bankers Association
                            February 3, 2014
    Chairman Warner, Ranking Member Kirk, and Members of the 
Subcommittee, my name is James A. Reuter, Executive Vice President, 
FirstBank, based in Lakewood, Colorado. Founded in 1963, FirstBank 
currently has over $13 billion in assets, over 115 locations and 2,000 
employees serving Colorado, Arizona, and California. I serve as 
President of FirstBank Support Services, which provides information 
technology, payment processing services, 24 hour call center, and 
electronic banking services for 115 FirstBank locations. In addition, I 
serve on the American Bankers Association's (ABA) Payments Systems 
Administrative Committee, which focuses on emerging technologies that 
affect the payments system and assesses the implications for the 
financial services industry.
    I appreciate the opportunity to be here to represent the ABA and 
discuss the recent Target and other data security breaches. The ABA 
represents banks of all sizes and charters and is the voice for the 
Nation's $14 trillion banking industry and its two million employees.
    Notwithstanding these recent breaches, our payment system remains 
strong and functional. No security breach seems to stop the $3 trillion 
that Americans spend safely and securely each year with their credit 
and debit cards. And with good reason: Customers can use these cards 
confidently because their banks protect them from losses by investing 
in technology to detect and prevent fraud, reissuing cards and 
absorbing fraud costs.
    At the same time, these breaches have reignited the long-running 
debate over consumer data security policy. ABA and the thousands of 
community, mid-size, regional, and large banks we represent recognize 
the paramount importance of a safe and secure payments system to our 
Nation and its citizens. We thank the Subcommittee for holding this 
hearing and welcome the ongoing discussion. From ABA's perspective, 
Congress should examine the specific circumstances of the Target breach 
and the broader data security issues involved, and we stand ready as a 
resource to assist in your efforts.
    In my testimony I will focus on four main points:

    Protecting consumers is the banking industry's first 
        priority. As the stewards of the direct customer relationship, 
        the banking industry's overarching priority in breaches like 
        that of Target's is to protect consumers and make them whole 
        from any loss due to fraud.

    A National data breach standard is essential. Consumers' 
        electronic payments are not confined by borders between States. 
        As such, a national standard for data security and breach 
        notification is of paramount importance, and we strongly 
        support S. 1927, the Data Security Act of 2014.

    All players in the payments systems, including retailers, 
        must significantly improve their internal security systems as 
        the criminal threat continues to evolve.

    Protecting the Payments System is a Shared Responsibility. 
        Banks, retailers, processors, and all of the participants in 
        the payments system must share the responsibility of keeping 
        the system secure, reliable, and functioning in order to 
        preserve consumer trust. That responsibility should not fall 
        predominantly on the financial services sector.

    Before addressing each of these points in detail, it is important 
to understand the data security vulnerabilities in our system. The 
numbers are telling and point to the need for shared responsibility to 
fight off the continual attacks on data.
I. Data Security: Where are the Vulnerabilities?
    It is a sobering fact that, since January 2005, a total of over 
4,200 breaches exposing almost 600 million records have occurred 
nationwide. (Source: Identity Theft Resource Center) There were over 
600 reported data breaches during 2013 alone, an increase of 30 percent 
over 2012 and the third highest number of breaches over the last 9 
years. The two sectors reporting the highest number of breaches were 
the healthcare sector at 43 percent of reported breaches and the 
business sector, including merchants, which accounted for nearly 34 
percent of reported breaches.
    Moreover, the business sector, because of the Target breach, 
accounted for almost 82 percent of 2013's breached records. The 
Banking, Credit and Financial sector accounted for only 4 percent of 
all breaches and less than 2 percent of all breached records.\1\ 
However, in spite of the small percentage of actual data breaches, the 
Banking, Credit and Financial sector bears a disproportionate share of 
breach recovery and fraud expenses. This is a consistent trend since 
2005, where over this 9-year period our sector accounted for 
approximately 8 percent of all reported breaches. The business sector 
accounted for approximately 36 percent and health care sector 
approximately 23 percent of all breaches over the same time period.
---------------------------------------------------------------------------
    \1\ 2013 Data Breach Category Summary, Identity Theft Resource 
Center, January 1, 2014, available at: http://www.idtheftcenter.org/
images/breach/2013/BreachStatsReportSummary2013.pdf
---------------------------------------------------------------------------
[Chart not reproduced in text.] Source: Identity Theft Resource Center

    These numbers point to the central challenge associated with 
breaches of financial account data or personally identifiable 
information: while the preponderance of data breaches occur at entities 
far removed from the banking sector, it is the bank's customer 
potentially at the end of the line who must be protected.
II. Protecting Consumers is Our First Priority
    While the facts of the Target breach remain fluid, the company has 
acknowledged that the breach occurred within its internal systems, 
affecting nearly 40 million credit and debit card accounts while also 
revealing the personally identifiable information (e.g., name, address, 
email, telephone number) of potentially 70 million people. On average, 
the Target breach has affected 10 percent of every bank's credit and 
debit card customer base.
Paying for Fraud
    When a retailer like Target speaks of its customers having ``zero 
liability'' from fraudulent transactions, it is because our Nation's 
banks are making customers whole, not the retailer that suffered the 
breach. Banks are required to swiftly research and reimburse customers 
for unauthorized transactions, and normally exceed legal requirements 
by making customers whole within days of the customer alerting the bank 
of the fraud, if not immediately.\2\
---------------------------------------------------------------------------
    \2\ With traditional card payments, the rights and obligations of 
all parties are well-defined by Federal statute when an unauthorized 
transaction occurs. For example, Regulation E describes consumers' 
rights and card issuers' obligations when a debit card is used, while 
Regulation Z does so for credit card transactions. The payment networks 
also have well-established rules for merchants and issuers. For 
instance, while Regulation Z limits a customer's liability for 
unauthorized transactions on a lost or stolen credit card to $50, the 
card networks require issuers to provide their cardholders with zero 
liability.
---------------------------------------------------------------------------
    After the bank has reimbursed a customer for the fraudulent 
transaction, it can then attempt to ``charge-back'' the retailer where 
the transaction occurred. Unfortunately, and certainly in my 
experience, the majority of these attempts are unsuccessful, with the 
bank ultimately shouldering the vast majority of fraud loss and other 
costs associated with the breach. Overall, for 2009, 62 percent of 
reported debit card fraud losses were borne by banks, while 38 percent 
were borne by merchants.\3\
---------------------------------------------------------------------------
    \3\ 2009 Interchange Revenue, Covered Issuer Cost, and Covered 
Issuer and Merchant Fraud Loss Related to Debit Card Transactions, June 
2011, Board of the Governors of the Federal Reserve System, available 
at: http://www.federalreserve.gov/paymentsystems/files/
debitfees_costs.pdf.
---------------------------------------------------------------------------
    It is an unfortunate truth that, in the end (and often well after 
the breach has occurred and the banks have made customers whole) banks 
generally receive pennies for each dollar of fraud losses and other 
costs that were incurred by banks in protecting their customers. This 
minor level of reimbursement, when taken in concert with the fact that 
banks bear over 60 percent of reported fraud losses yet have accounted 
for less than 8 percent of reported breaches since 2005 is clearly 
inequitable. We believe banks should be fully reimbursed for the costs 
they bear for breaches that occur elsewhere.
Reissuing and Ongoing Monitoring
    Each bank makes its own decision as to when and whether to reissue 
cards, which in the case of our bank costs $5 per card. In the case of 
the Target breach, the decision of whether to reissue cards was made 
even more difficult considering the inconvenience this can cause during 
the holiday season: breach or no breach, many consumers would not have 
wanted their cards shut down leading up to Christmas. Those cards that 
have not been reissued are being closely monitored for fraudulent 
transactions. In some instances, banks gave customers an option of 
keeping their cards open through the holidays until they could reissue 
all cards in January or, if they were concerned, to shut their card 
down and be reissued a new card immediately.
    The Target compromise was also unique in terms of the high 
awareness of the ``Target'' name, the sheer number of people affected, 
and the media coverage of the event. In addition to proactively 
communicating with customers about the breach, bank call centers and 
branches have handled millions of calls and in-person inquiries 
regarding the card compromise. Many smaller and community banks have 
increased staffing to meet consumer demand. At the end of the day, 
consumers expect answers and to be protected by their bank, which is 
why they call us, not Target or whoever actually suffered the breach.
    We also remain vigilant to the potential for fraud to occur in the 
future as a result of the Target breach. Standard fraud mitigation 
methods banks use on an ongoing basis include monitoring transactions, 
reissuing cards, and blocking certain merchants or types of 
transactions, for instance, based on the location of the merchant or a 
transaction unusual for the customer. Most of us are familiar with that 
call from a card issuer rightfully questioning a transaction and having 
a card canceled as a result. In many cases, however, the lifespan of 
compromised consumer data extends well beyond the weeks immediately 
following the breach itself. Just because the headlines fade away does 
not mean that banks can afford to relax their ongoing fraud protection 
and screening efforts. In addition, there are ongoing customer support 
issues as customers set up new card numbers for recurring transactions 
related to health club memberships, online stores such as iTunes, etc.
III. A National Data Breach Standard is Essential
    In many instances, the identity of the entity that suffered the 
breach is either not known or, oftentimes, intentionally not revealed 
as there is no requirement to do so. Understandably, a retailer or 
other entity would rather pass the burden on to the affected consumers' 
banks rather than taking the reputational hit themselves. In such 
cases, the bank is put in the position of notifying their customers 
that their credit or debit card data is at risk without being able to 
divulge where the breach occurred. Many banks have expressed great 
frustration regarding this process, with their customers--absent better 
information--blaming the bank for the breach itself and inconvenience 
they are now suffering.
    Like the well-defined Federal regulations surrounding consumer 
protections for unauthorized credit or debit transactions, data breach 
notification for State and nationally chartered banks is governed by 
guidance from the Federal Financial Institutions Examination Council 
(FFIEC), as enacted in the Gramm-Leach-Bliley Act, requiring every bank 
to have a customer response program. Retail establishments have no 
comparable Federal requirements. In addition, not only are retailers, 
healthcare organizations, and others who suffer the majority of 
breaches not subject to Federal regulatory requirements in this space, 
no entity oversees them in any substantive way. Instead they are held 
to a wide variety of State data breach laws that aren't always 
consistent. Banks too must also abide by many of these State laws, 
creating a patchwork of breach notification and customer response 
standards that are confusing to consumers as well as to companies.
    Currently, 46 States, three U.S. territories, and the District of 
Columbia have enacted laws governing data security in some fashion, 
such as standards for data breach notification and for the safeguarding 
of consumer information. Although some of these laws are similar, many 
have inconsistent and conflicting standards, forcing businesses to 
comply with multiple regulations and leaving many consumers without 
proper recourse and protections.
    Establishing a national data security and notification law would 
provide better protection for consumers nationwide. It is for this 
reason that we applaud and fully support the introduction of the Data 
Security Act of 2014 (S. 1927) by Senators Tom Carper (D-DE) and Roy 
Blunt (R-MO). This bipartisan legislation would better protect 
consumers by replacing the current patchwork of State laws and 
establishing one set of national requirements. The bill requires any 
business that maintains sensitive personal and financial information--
including banks, verified-retailers, and data brokers--to implement, 
maintain, and enforce reasonable policies and procedures to protect the 
confidentiality and security of sensitive information from unauthorized 
use.
    Our existing national payments system serves hundreds of millions 
of consumers, retailers, banks, and the economy well. It only stands to 
reason that such a system functions most effectively when it is 
governed by a consistent national data breach policy.
IV. All Players in the Payments System Must Improve Their Internal 
        Systems as the Criminal Threat Continues to Evolve
    While many details of the Target breach are still largely unknown, 
it is clear that criminal elements responsible for such attacks are 
growing increasingly sophisticated in their efforts to breach the 
payments system. This disturbing evolution, as demonstrated by the 
Target breach, will require enhanced attention, resources, and 
diligence on the part of all payments system participants.
    The increased sophistication and prevalence of breaches caused by 
criminal attacks--as opposed to negligence or unintentional system 
breaches--is also borne out in a recent study by the Ponemon Institute. 
Evaluating annual breach trends, the Institute found that 2012 was the 
first year in which malicious or criminal attacks were the most 
frequently encountered root cause of data breaches by organizations in 
the study, at 41 percent.\4\
---------------------------------------------------------------------------
    \4\ 2013 Cost of Data Breach Study: United States, May 2013, 
Ponemon Institute, available at: http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-us-report-2013.enus.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach.
---------------------------------------------------------------------------
    Emerging details of the Target breach are allowing us to see a 
troubling picture of the direction the criminal evolution is taking, 
and what it means for at-risk consumer data. For example:

    While Target's last public statement on the issue stated 
        that the PINs that were compromised as part of the breach were 
        encrypted, the company originally stated that PINs were not 
        compromised at all. If the PINs were unencrypted, this would be 
        particularly troubling, as that would make bank customer 
        accounts vulnerable to ATM cash withdrawals as well as 
        unauthorized purchases. We call on law enforcement and those in 
        the forensics process to be as transparent as possible in 
        outlining what are the precise threats to our customers.

    Even if the PINs that were breached were in fact encrypted, 
        there is still the potential that they could be decrypted, 
        placing our customers at just as much risk as if unencrypted 
        PINs had been captured.

    Banks also do not know the extent to which their customers' 
        bank account numbers, which are linked to Target's RedCard, 
        were compromised as a result of the breach. If this information 
        was compromised, customers could be vulnerable to unauthorized 
        Automated Clearing House (ACH) transactions directly from their 
        accounts.

    More generally, banks have also encountered significant 
        customer confusion as to the nature of Target's RedCard and the 
        bank's ability to help. Many believe the bank can cancel the 
        card and reissue it even though the card was issued by Target. 
        This confusion points to a broader problem with the emergence 
        of many nontraditional payments providers: customers have a 
        hard time understanding which payment entity is responsible for 
        what, and often just assume the bank is the responsible party.

    These threats to bank customer accounts point to the security 
vulnerabilities associated with nontraditional payments companies, such 
as Target, having direct linkages to the payments system without 
information security regulatory requirements comparable to that of 
financial institutions.
V. Protecting the Payments System is a Shared Responsibility
    While much has recently been made about the ongoing disagreements 
between the retail community and the banking industry over who is 
responsible for protecting the payments system, in reality our Nation's 
payments system is made up of a wide variety of players: banks, card 
networks, retailers, processors, and even new entrants, such as Square, 
Google, and PayPal. Protecting this system is a shared responsibility 
of all parties involved and we need to work together and invest the 
necessary resources to combat increasingly sophisticated threats to 
breach the payments system.
    We must work together to combat the ever-present threat of criminal 
activity at our collective doorsteps. Inter-industry squabbles, like 
those over interchange, have had a substantial impact on bank resources 
available to combat fraud. Policymakers must examine that impact 
closely to ensure that the necessary resources are not diverted from 
addressing the real concern at hand--the security of our Nation's 
payment system and the need to protect consumers. All participants must 
invest the necessary resources to combat this threat.
    In the wake of this breach, there has been significant discussion 
over how to enhance payment card security, focusing on the 
implementation of chip-based security technology known as EMV.\5\ This 
technology makes it much harder for criminals to create duplicate cards 
or make sense of encrypted data that they steal.
---------------------------------------------------------------------------
    \5\ EMV stands for Europay, Mastercard, and Visa, the developers of 
a global standard for inter-operation of integrated circuit, or 
``chip'' cards and chip card compatible point-of-sale terminals and 
automated teller machines.
---------------------------------------------------------------------------
    We encourage the implementation of chip technology, both on the 
card and at the point-of-sale. In fact, the rollout of this technology 
in the United States is well underway, with the next set of deadlines 
for banks and retailers coming in late 2015. It takes time for full 
implementation of chip technology in the United States, as our country 
supports the largest economy in the world, with over 300 million 
customers, 8 million retailers, and 14,000 financial institutions.
    Even though EMV is an important step in the right direction, there 
is no panacea for the ever-changing threats that exist today. For 
instance, EMV technology would not have prevented the potential harm of 
the Target breach to the 70 million customers that had their name, 
address, email, and/or telephone number compromised. Moreover, EMV 
technology will help to address potential fraud at the point-of-sale, 
but it does not address online security, nor is it a perfect solution 
even at the point-of-sale as criminal efforts evolve. Because it is 
impossible to anticipate what new challenges will come years from now, 
we must therefore be cautious not to embrace any ``one'' solution as 
the answer to all concerns.
VI. The Path Forward
    Any system is only as strong as its weakest link. The same 
certainly holds true in our rapidly changing consumer payments 
marketplace. The innovations that are driving the industry forward and 
presenting consumers with exciting new methods of making purchases are 
also rapidly expanding beyond the bounds of our existing regulatory and 
consumer protection regimes. And, as has historically been the case, 
the criminals are often one step ahead as the marketplace searches for 
consensus. That said, there are several positive steps policymakers can 
take to facilitate a higher level of security for consumers going 
forward. For example:

    Raise all participants in the payments system to comparable levels 
of security. Security within the payments system is currently uneven. 
In addition to adhering to the Payment Card Industry Data Security 
Standards, banks and other financial institutions are also subject to 
significantly higher information security requirements than others that 
facilitate electronic payments and house bank customer payment data.\6\ 
More must be done to buttress and enforce the current regulatory 
requirements that merchants face.
---------------------------------------------------------------------------
    \6\ For instance, banks are subject to the information security 
requirements contained within the Gramm-Leach-Bliley Act, the FFIEC Red 
Flag Rules regarding identity theft, and are continually examined 
against these requirements.
---------------------------------------------------------------------------
    Establish a national data security breach and notification 
standard. A national data breach standard would provide better and more 
consistent protection for consumers nationwide. We applaud and fully 
support the introduction of The Data Security Act of 2014 (S. 1927) by 
Senators Carper and Blunt and believe this legislation meets that goal 
by replacing the current patchwork of State laws and establishing one 
set of national requirements.
    Make those responsible for data breaches responsible for their 
costs. Banks bear the majority of costs associated with the fraud 
caused by breaches even though our industry is responsible for only a 
small percentage of the breaches that have occurred since 2005. When 
any entity--be it a bank, merchant, college or hospital--is responsible 
for a breach that compromises customer payment data or personally 
identifiable information, that entity should be responsible for the 
range of costs associated with that breach to the extent it was not 
adhering to the necessary security requirements.
    Increase the speed and transparency with which the results of 
forensic investigations are shared with the financial community. When a 
breach occurs, there is much banks and others do not know and are not 
told for extended periods of time regarding the vulnerability of 
certain aspects of their customers' data. Similar to the robust manner 
in which banks and law enforcement currently share other cybersecurity 
threat data, we must examine ways to share the topline threat data from 
merchant and other breaches that does not impede the overall 
investigation. For example, banks and payment networks currently share 
an increasing amount of cybersecurity threat and fraud information 
through groups such as the Financial Services Information Sharing and 
Analysis Center and other groups within ABA. Our efforts would be 
greatly enhanced if that information sharing capacity expanded to 
include the merchant community. We would welcome such expansion and 
look forward to working collectively with merchants to combat our 
common adversaries.
    Banks are committed to doing our share, but cannot be the sole 
bearer of that responsibility. Policymakers, card networks, and all 
industry participants have a vital role to play in addressing the 
regulatory gaps that exist in our payments system, and we stand ready 
to assist in that effort. Thank you for giving ABA the opportunity to 
provide this testimony. We look forward to continuing to work with 
Congress to enhance the security of our Nation's payment system, and 
maintain the trust and confidence hundreds of millions of Americans 
place in it every day.
                                 ______
                                 
                  PREPARED STATEMENT OF MALLORY DUNCAN
               General Counsel and Senior Vice President
                       National Retail Federation
                            February 3, 2014
    Chairman Warner, Ranking Member Kirk and Members of the 
Subcommittee, thank you for giving me this opportunity to provide you 
with my thoughts on safeguarding consumers' financial information. My 
name is Mallory Duncan, and I am General Counsel of the National Retail 
Federation (NRF). NRF is the world's largest retail trade association, 
representing discount and department stores, home goods and specialty 
stores, Main Street merchants, grocers, wholesalers, chain restaurants 
and Internet retailers from the United States and more than 45 
countries. Retail is the Nation's largest private sector employer, 
supporting one in four U.S. jobs--42 million working Americans. 
Contributing $2.5 trillion to annual GDP, retail is a daily barometer 
for the Nation's economy.
    Collectively, retailers spend billions of dollars safeguarding 
consumers' data and fighting fraud. Data security is something that our 
members strive to improve every day. Virtually all of the data breaches 
we've seen in the United States during the past couple of months--from 
those at retailers that have been prominent in the news to those at 
banks and card network companies that have received less attention--
have been perpetrated by criminals that are breaking the law. All of 
these companies are victims of these crimes and we should keep that in 
mind as we explore this topic and public policy initiatives relating to 
it.
    This issue is one that we urge the Committee to examine in a 
holistic fashion: we need to reduce fraud. That is, we should not be 
satisfied with deciding what to do after a data breach occurs--who to 
notify and how to assign liability. Instead, it's important to look at 
why such breaches occur and what the perpetrators get out of them so 
that we can find ways to reduce and prevent not only the breaches 
themselves, but the fraudulent activity that is often the goal of these 
events. If breaches become less profitable to criminals then they will 
dedicate fewer resources to committing them and our goals will become 
more achievable.
    With that in mind, this testimony is designed to provide some 
background on data breaches and on fraud, explain how these events 
interact with our payments system, discuss some of the technological 
advancements that could improve the current situation, raise some ways 
to achieve those improvements, and then discuss the aftermath of data 
breaches and some ways to approach things when problems do occur.
Data Breaches in the United States
    Unfortunately, data breaches are a fact of life in the United 
States. In its 2013 data breach investigations report, Verizon analyzed 
more than 47,000 security incidents and 621 confirmed data breaches 
that took place during the prior year. Virtually every part of the 
economy was hit in some way: 37 percent of breaches happened at 
financial institutions; 24 percent happened at retail; 20 percent 
happened at manufacturing, transportation and utility companies; and 20 
percent happened at information and professional services firms.
    It may be surprising to some given recent media coverage that more 
data breaches occur at financial institutions than at retailers. And, 
it should be noted, even these figures obscure the fact that there are 
far more merchants that are potential targets of criminals in this 
area. There are hundreds of times as many merchants accepting card 
payments in the United States as there are financial institutions 
issuing and processing those payments. So, proportionally, and not 
surprisingly, the thieves focus far more often on banks which have our 
most sensitive financial information--including not just card account 
numbers but bank account numbers, social security numbers and other 
identifying data that can be used to steal identities beyond completing 
some fraudulent transactions.

[Chart omitted] Source: 2013 Data Breach Investigations Report, Verizon

    Nearly one-fifth of all of these breaches were perpetrated by 
State-affiliated actors connected to China. Three in four breaches were 
driven by financial motives. Two-thirds of the breaches took months or 
more to discover and 69 percent of all breaches were discovered by 
someone outside the affected organization.\1\
---------------------------------------------------------------------------
    \1\ 2013 Data Breach Investigations Report, Verizon.
---------------------------------------------------------------------------
    These figures are sobering. There are far too many breaches. And, 
breaches are often difficult to detect and carried out in many cases by 
criminals with real resources behind them. Financially focused crime 
seems to most often come from organized groups in Eastern Europe rather 
than State-affiliated actors in China, but the resources are there in 
both cases. The pressure on our financial system due to the overriding 
goal of many criminals intent on financial fraud is acute. We need to 
recognize that this is a continuous battle against determined 
fraudsters and be guided by that reality.
Background on Fraud
    Fraud numbers raise similar concerns. Just a year ago, Forbes found 
that Mexico and the United States were at the top of the charts 
worldwide in credit and debit card fraud.\2\ And fraud losses in the 
United States have been going up in recent years while some other 
countries have had success reducing their fraud rates. The United 
States in 2012 accounted for nearly 30 percent of credit and debit card 
charges but 47 percent of all fraud losses.\3\ Credit and debit card 
fraud losses totaled $11.27 billion in 2012.\4\ And retailers spend 
$6.47 billion trying to prevent card fraud each year.\5\
---------------------------------------------------------------------------
    \2\ ``Countries with the most card fraud: U.S. and Mexico,'' Forbes 
by Halah Touryalai, Oct. 22, 2012.
    \3\ ``U.S. credit cards, chipless and magnetized, lure global 
fraudsters,'' by Howard Schneider, Hayley Tsukayama and Amrita 
Jayakumar, Washington Post, January 21, 2014.
    \4\ ``Credit Card and Debit Card Fraud Statistics,'' CardHub 2013, 
available at http://www.cardhub.com/edu/creditdebit-card-fraud-
statistics/.
    \5\ Id.
---------------------------------------------------------------------------
    Fraud is particularly devastating for retailers in the United 
States. LexisNexis and Javelin Strategy & Research have published an 
annual report on the ``True Cost of Fraud'' each year for the last 
several years. The 2009 report found, for example, that retailers 
suffer fraud losses that are 10 times higher than financial 
institutions and 20 times the cost incurred by consumers. This study 
covered more than just card fraud and looked at fraudulent refunds/
returns, bounced checks, and stolen merchandise as well. Of the total, 
however, more than half of what merchants lost came from unauthorized 
transactions and card chargebacks.\6\ The founder and President of 
Javelin Strategy, James Van Dyke, said at the time, ``We weren't 
completely surprised that merchants are paying more than half of the 
share of the cost of unauthorized transactions as compared to financial 
institutions. But we were very surprised that it was 90-10.''\7\ 
Similarly, Consumer Reports wrote in June 2011, ``The Mercator report 
estimates U.S. card issuers' total losses from credit- and debit-card 
fraud at $2.4 billion. That figure does not include losses that are 
borne by merchants, which probably run into tens of billions of dollars 
a year.''\8\
---------------------------------------------------------------------------
    \6\ A fraud chargeback is when the card-issuing bank and card 
network take the money for a transaction away from the retailer so that 
the retailer pays for the fraud.
    \7\ ``Retailers are bearing the brunt: New report suggests what 
they can do to fight back,'' by M.V. Greene, NRF Stores, Jan. 2010.
    \8\ ``House of Cards: Why your accounts are vulnerable to 
thieves,'' Consumer Reports, June 2011.
---------------------------------------------------------------------------
    Online fraud is a significant problem. It has jumped 36 percent 
from 2012 to 2013.\9\ In fact, estimates are that online and other 
fraud in which there is no physical card present accounts for 90 
percent of all card fraud in the United States.\10\ And, not 
surprisingly, fraud correlates closely with data breaches among 
consumers. More than 22 percent of breach victims suffered fraud while 
less than 3 percent of consumers who didn't have their data breached 
experienced fraud.\11\
---------------------------------------------------------------------------
    \9\ 2013 True Cost of Fraud, LexisNexis at 6.
    \10\ ``What you should know about the Target case,'' by Penny 
Crosman, American Banker, Jan. 23, 2014.
    \11\ 2013 True Cost of Fraud, LexisNexis at 20.
---------------------------------------------------------------------------

[Chart omitted] Source: 2013 True Cost of Fraud, LexisNexis

    These numbers provide insights as to how to get to the right 
solutions of better safeguarding consumer and cardholder data and the 
need to improve authentication of transactions to protect against 
fraud. But before delving into those areas, some background on our 
payments system could be helpful.
The Payments System
    Payments data is sought in breaches more often than any other type 
of data.\12\ Now, every party in the payment system, financial 
institutions, networks, processors, retailers and consumers, has a role 
to play in reducing fraud. However, although all parties have a 
responsibility, some of those parties are integral to the system's 
design and promulgation while others, such as retailers and consumers, 
must work with the system as it is delivered to them.
---------------------------------------------------------------------------
    \12\ 2013 Data Breach Investigations Report, Verizon at 445, figure 
35.
---------------------------------------------------------------------------
    As the following chart shows, while the banks are intimately 
connected to Visa and MasterCard, merchants and consumers have 
virtually no role in designing the payment system. Rather, they are 
bound to it by separate agreements issued by financial intermediaries.

[Chart omitted]

    Thus consumers are obligated to keep their cards safe and secure in 
their wallets and avoid misuse, but must necessarily turn their card 
data over to others in order to effectuate a transaction. Retailers are 
likewise obligated to collect and protect the card data they receive, 
but are obligated to deliver it to processors in order to complete a 
transaction, resolve a dispute or process a refund. In contrast, those 
inside the triangle have much more systemic control.
    For example, retailers are essentially at the mercy of the dominant 
credit card companies when it comes to protecting payment card data. 
The credit card networks--Visa, MasterCard, American Express, Discover 
and JCB--are responsible for an organization known as the PCI (which 
stands for Payment Card Industry) data security council. PCI 
establishes data security standards (PCI-DSS) for payment cards. While 
well intentioned in concept, these standards have not worked quite as 
well in practice. They have been inconsistently applied, and their 
avowed purpose has been significantly altered.
    PCI has in critical respects over time pushed card security costs 
onto merchants even when other decisions might have more effectively 
reduced fraud--or done so at lower cost. For example, retailers have 
long been required by PCI to encrypt the payment card information that 
they have. While that is appropriate, PCI has not required financial 
institutions to be able to accept that data in encrypted form. That 
means the data often has to be de-encrypted at some point in the 
process in order for transactions to be processed.
    Similarly, merchants are expected to annually demonstrate PCI 
compliance to the card networks, often at considerable expense, in 
order to benefit from a promise that the merchants would be relieved of 
certain fraud inherent in the payment system, which PCI is supposed to 
prevent. However, certification by the networks as PCI Compliant 
apparently has not been able to adequately contain the growing fraud 
and retailers report that the ``promise'' increasingly has been 
abrogated or ignored. Unfortunately, as card security expert Avivah 
Litan of Gartner Research wrote recently, ``The PCI (Payment Card 
Industry) security standard has largely been a failure when you 
consider its initial purpose and history.''\13\
---------------------------------------------------------------------------
    \13\ ``How PCI Failed Target and U.S. Consumers,'' by Avivah Litan, 
Gartner Blog Network, Jan. 20, 2014, available at http://
blogs.gartner.com/avivah-litan/2014/01/20/how-pci-failed-target-and-u-
s-consumers/.
---------------------------------------------------------------------------
    PCI has not addressed many obvious deficiencies in cards 
themselves. There has been much attention to the fact that the United 
States is one of the last places on earth to put card information onto 
magnetic stripes on the backs of cards that can easily be read and can 
easily be counterfeited (in part because that data is static and 
unchanging). We need to move past magstripe technology.
    But, before we even get to that question, we need to recognize that 
sensitive card data is right on the front of the card, embossed with 
prominent characters. Simply seeing the front of a card is enough for 
some fraudsters and there have been fraud schemes devised to trick 
consumers into merely showing someone their cards. While having the 
embossed card number on the front of the card might have made sense in 
the days of knuckle-buster machines and carbon copies, those days are 
long passed.
    In fact, cards include the cardholder's name, card number, 
expiration date, signature and card verification value (CVV) code. 
Everything a fraudster needs is right there on the card. The bottom 
line is that cards are poorly designed and fraud-prone products that 
the system has allowed to continue to proliferate.
    PCI has also failed to require that the identity of the cardholder 
is actually verified or authenticated at the time of the transaction. 
Signatures don't do this. Not only is it easy to fake a signature, but 
merchants are not allowed by the major card networks to reject a 
transaction based on a deficient signature. So, the card networks 
clearly know a signature is a useless gesture which proves nothing more 
than that someone was there purporting to be the cardholder.
    The use of personal identification numbers (PINs) has actually 
proven to be an effective way to authenticate the identity of the 
cardholder. PIN numbers are personal to each cardholder and do not 
appear on the cards themselves. While they are certainly not perfect, 
their use is effective at reducing fraud. On debit transactions, for 
example, PIN transactions have one-sixth the amount of fraud losses 
that signature transactions have.\14\ But PINs are not required on 
credit card transactions. Why? From a fraud prevention perspective, 
there is no good answer except that the card networks which set the 
issuance standards have failed to protect people in a very basic way.
---------------------------------------------------------------------------
    \14\ See 77 Fed. Reg. 46261 (Aug. 3, 2012) reporting $1.11 billion 
in signature debit fraud losses and $181 million in PIN debit fraud 
losses.
---------------------------------------------------------------------------
    As noted by LexisNexis, merchant fraud costs are much higher than 
banks' fraud costs. When credit or debit card fraud occurs, Visa and 
MasterCard have pages of rules providing ways that banks may be able to 
charge back the transaction to the retailer (which is commonly referred 
to as a ``chargeback''). That is, the bank will not pay the retailer 
the money for the fraudulent transaction even though the retailer 
provided the consumer with the goods in question. When this happens, 
and it happens a lot, the merchant loses the goods and the money on the 
sale. According to the Federal Reserve, this occurs more than 40 
percent of the time when there is fraud on a signature debit 
transaction,\15\ and our members tell us that the percentage is even 
higher on credit transactions. In fact, for online transactions, which 
as noted account for 90 percent of fraud, merchants pay for the vast 
majority of fraudulent transactions.\16\
---------------------------------------------------------------------------
    \15\ Id. at 46262.
    \16\ Merchants assume 74 percent of fraud losses for online and 
other card-not-present signature debit transactions. 77 Fed. Reg. 
46262.
---------------------------------------------------------------------------
    Retailers have spent billions of dollars on card security measures 
and upgrades to comply with PCI card security requirements, but it 
hasn't made them immune to data breaches and fraud. The card networks 
have made those decisions for merchants and the increases in fraud 
demonstrate that their decisions have not been as effective as they 
should have been.
Improved Technology Solutions
    There are technologies available that could reduce fraud. An 
overhaul of the fraud-prone cards that are currently used in the U.S. 
market is long overdue. As I noted, requiring the use of a PIN is one 
way to reduce fraud. Doing so takes a vulnerable piece of data (the 
card number) and makes it so that it cannot be used on its own. This 
ought to happen not only in the brick-and-mortar environment in which a 
physical card is used but also in the online environment in which the 
physical card does not have to be used. Canada, for example, is 
exploring the use of a PIN for online purchases. The same should be 
true here. Doing so would help directly with the 90 percent of U.S. 
fraud which occurs online. It is not happenstance that automated teller 
machines (ATMs) require the entry of a PIN before dispensing cash. 
Using the same payment cards for purchases should be just as secure as 
using them at ATMs.
    Cards should also be smarter and use dynamic data rather than 
magnetic stripes. In much of the world this is done using computer 
chips that are integrated into physical credit and debit cards. That is 
a good next step for the United States. It is important to note, 
however, that there are many types of technologies that may be employed 
to make this upgrade. EMV, which is an acronym for Europay, MasterCard 
and Visa, is merely one particular proprietary technology. As the name 
indicates, EMV was established by Europay, MasterCard and Visa. A 
proprietary standard could be a detriment to the other potentially 
competitive networks.\17\ Adopting a closed system, such as EMV, means 
we are locking out the synergistic benefits of competition.
---------------------------------------------------------------------------
    \17\ There are issues with EMV because the technology is just one 
privately owned solution. For example, EMV includes specifications for 
near field communications that would form the technological basis of 
Visa and MasterCard's mobile payments solutions. That raises serious 
antitrust concerns for retailers because we are just starting to get 
some competitors exploring mobile payments. If the currently dominant 
card networks are able to lock-in their proprietary technology in a way 
that locks-out competition in mobile payments, that would be a bad 
result for merchants and consumers who might be on the verge of 
enjoying the benefits of some new innovations and competition.
    So, while chip cards would be a step forward in terms of improving 
card products, if EMV is forced as the chip card technology that must 
be used--rather than an open-source chip technology which would 
facilitate competition and not predetermine mobile payment market-
share--it could be a classic case of one step forward and two steps 
backward.
---------------------------------------------------------------------------
    But even within that closed framework, it should also be noted that 
everywhere in the world that EMV has been deployed to date the card 
networks have required that the cards be used with a PIN. That makes 
sense. But here, the dominant card networks are proposing to force 
chips (or even EMV) on the U.S. market without requiring PIN 
authentication. Doing that makes no sense and loses a significant part 
of the fraud prevention benefits of chip technology. To do otherwise 
would mean that merchants would spend billions to install new card 
readers without them or their customers obtaining PINs' fraud-reducing 
benefits. We would essentially be spending billions to combine a 1990s 
technology (chips) with a 1960s relic (signature) in the face of 21st 
century threats.
    Another technological solution that could help deter and prevent 
data breaches and fraud is encryption. Merchants are already required 
by PCI standards to encrypt cardholder data but, as noted earlier, not 
everyone in the payments chain is required to be able to accept data in 
encrypted form. That means that data may need to be de-encrypted at 
some points in the process. Experts have called for a change to require 
``end-to-end'' (or point-to-point) encryption which is simply a way to 
describe requiring everyone in the payment-handling chain to accept, 
hold and transmit the data in encrypted form. According to the 
September 2009 issue of the Nilson Report ``most recent cyber attacks 
have involved intercepting data in transit from the point of sale to 
the merchant or acquirer's host, or from that host to the payments 
network.'' The reason this often occurs is that ``data must be 
decrypted before being forwarded to a processor or acquirer because 
Visa, MasterCard, American Express, and Discover networks can't accept 
encrypted data at this time.''\18\
---------------------------------------------------------------------------
    \18\ The Nilson Report, Issue 934, Sept. 2009 at 7.
---------------------------------------------------------------------------
    Keeping sensitive data encrypted throughout the payments chain 
would go a long way to convincing fraudsters that the data is not worth 
stealing in the first place--at least, not unless they were prepared to 
go through the arduous task of trying to de-encrypt the data which 
would be necessary in order to make use of it. Likewise, using PIN-
authentication of cardholders now would offer some additional 
protection against fraud should this decrypted payment data be 
intercepted by a criminal during its transmission ``in the clear.''
    Tokenization is another variant that could be helpful. Tokenization 
is a system in which sensitive payment card information (such as the 
account number) is replaced with another piece of data (the ``token''). 
Sensitive payment data could be replaced with a token to represent each 
specific transaction. Then, if a data breach occurred and the token 
data were stolen, it could not be used in any other transactions 
because it was unique to the transaction in question. This technology 
has been available in the payment card space since at least 2005.\19\
---------------------------------------------------------------------------
    \19\ For information on Shift4's 2005 launch of tokenization in the 
payment card space see http://www.internetretailer.com/2005/10/13/
shift4-launches-security-tool-that-lets-merchants-re-use-credit.
---------------------------------------------------------------------------
    And, mobile payments offer the promise of greater security as well. 
In the mobile setting, consumers won't need to have a physical card--
and they certainly won't replicate the security problem of physical 
cards by embossing their account numbers on the outside of their mobile 
phones. It should be easy for consumers to enter a PIN or password to 
use payment technology with their smart phones. Consumers are already 
used to accessing their phones and a variety of services on them 
through passwords. Indeed, if we are looking to leapfrog the already 
aging current technologies, mobile-driven payments may be the answer.
    Indeed, as much improved as they are, chips are essentially dumb 
computers. Their dynamism makes them significantly more advanced than 
magstripes, but their sophistication pales in comparison with the 
common smartphone. Smartphones contain computing powers that could 
easily enable comparatively state-of-the-art fraud protection 
technologies. The phones soon may be nearly ubiquitous, and if their 
payment platforms are open and competitive, they will only get better.
    The dominant card networks have not made all of the technological 
improvements suggested above to make the cards issued in the United 
States more resistant to fraud, despite the availability of the 
technology and their adoption of it in many other developed countries 
of the world, including Canada, the United Kingdom, and most countries 
of Western Europe.
    In this section, I have merely described some of the solutions 
available, but the United States isn't using any of them the way that 
it should be. While everyone in the payments space has a responsibility 
to do what they can to protect against fraud and data theft, the card 
networks have arranged the establishment of the data security 
requirements and yet, in light of the threats, there is much left to be 
desired.
A Better System
    How can we make progress toward the types of solutions that would 
reduce the crimes of data theft and fraud? One thing seems clear at 
this point: we won't get there by doing more of the same. We need PIN-
authentication of card holders, regardless of the chip technology used 
on newly issued cards. We also need chip cards that use open standards 
and allow for competition among payment networks as we move into a 
world of growing mobile commerce. Finally, we need companies throughout 
the payment system to work together on achieving end-to-end encryption 
so that there are no weak links in the system where sensitive card 
payment information may be acquired more easily than in other parts of 
the system.
Steps Taken by Retailers After Discovery of a Breach of Security
    In our view, it is after a fulsome evaluation of data breaches, 
fraud, the payments system and how to improve each of those areas in 
order to deter and prevent problems that we should turn to the issue of 
what to do when breaches occur. Casting blame and trying to assign 
liability is, at best, putting the cart before the horse and, at worst, 
an excuse for some actors to ignore their own responsibility for trying 
to prevent these crimes.
    One cannot reasonably demand greater security of a system than the 
system is reasonably capable of providing. Some participants act as if 
the system is more robust than it is. Currently, when the existing card 
products are hit in a criminal breach, that company is threatened from 
many sides. The threats come from entities seeking to exact fines and 
taking other penalizing action even before the victimized company can 
secure its network from further breaches and determine through a 
forensic analysis what has happened in order to notify potentially 
affected customers. For example, retailers that have suffered a breach 
are threatened with fines for the breach based on allegations of 
noncompliance with PCI rules (even when the company has been certified 
as PCI-compliant). Other actors may expect the breached party to pay 
for all of the fraudulent transactions that take place on card accounts 
that were misused, even though the design of the cards facilitated 
their subsequent counterfeiting. Indeed, some have seriously suggested 
that retailers reimburse financial institutions for the cost of 
reissuing more fraud-prone cards. And, as a consequence of the breach, 
some retailers must then pay higher fees on their card transactions going 
forward. Retailers pay for these breaches over and over again, despite 
oftentimes being victims of sophisticated criminal methods not 
reasonably anticipated prior to the attack.
    Breaches require retailers to devote significant resources to 
remedy the breach, help inform customers and take preventative steps to 
ward off future attacks and any other potential vulnerabilities 
discovered in the course of the breach investigation. Weeks or months 
of forensic analysis may be necessary to definitively discover the 
cause and scope of the breach. Any discovered weaknesses must be shored 
up. Quiet and cooperative law enforcement efforts may be necessary in 
an effort to identify and capture the criminals. Indeed, law 
enforcement may temporarily discourage publication of the breach so as 
to not alert the perpetrators that their efforts have been detected.
    It is worth noting that in some of these cases involving payment 
card data, retailers discover that they actually were not the source of 
the breach and that someone else in the payments chain was victimized 
or the network intrusion and theft occurred during the transmission of 
the payment card data between various participants in the system. For 
this reason, early attempts to assign blame and shift costs are often 
misguided and policymakers should take heed of the fact that often the 
earliest reports are the least accurate. Additionally, policymakers 
should consider that there is no independent organization devoted to 
determining where a breach occurred, and who is to blame--these 
questions are often raised in litigation that can last for years. This 
is another reason why it is best to at least wait until the forensic 
analysis has been completed to determine what happened. Even then, 
there may be questions unanswered if the attack and technology used was 
sophisticated enough to cover the criminals' digital tracks.
    The reality is that when a criminal breach occurs, particularly in 
the payments system, all of the businesses that participate in that 
system and their shared customers are victimized. Rather than resort to 
blame and shame, parties should work together to ensure that the breach 
is remedied and steps are taken to prevent future breaches of the same 
type and kind.
Legislative Solutions
    In addition to the marketplace and technological solutions 
suggested above, NRF also supports a range of legislative solutions 
that we believe would help improve the security of our networked 
systems, ensure better law enforcement tools to address criminal 
intrusions, and standardize and streamline the notification process so 
that consumers may be treated equally across the Nation when it comes 
to notification of data security breaches.
    NRF supports the passage by Congress of the bipartisan ``Cyber 
Intelligence Sharing and Protection Act'' (H.R. 624) so that the 
commercial sector can lawfully share information about cyber-threats in 
real-time and enable companies to defend their own networks as quickly 
as possible from cyber-attacks as soon as they are detected elsewhere 
by other business.
    We also support legislation that provides more tools to law 
enforcement to ensure that unauthorized network intrusions and other 
criminal data security breaches are thoroughly investigated and 
prosecuted, and that the criminals that breach our systems to commit 
fraud with our customers' information are swiftly brought to justice.
    Finally, and for nearly a decade, NRF has supported passage of 
legislation that would establish one, uniform Federal breach 
notification law that would be modeled on, and preempt, the varying 
breach notification laws currently in operation in 46 States, the 
District of Columbia and Federal territories. A Federal law could 
ensure that all entities handling the same type of sensitive consumer 
information, such as payment card data, are subject to the same 
statutory rules and penalties with respect to notifying consumers of a 
breach affecting that information. Further, a preemptive Federal breach 
notification law would allow retailers and other businesses that have 
been victimized by a criminal breach to focus their resources on 
remedying the breach and notifying consumers rather than hiring outside 
legal assistance to help guide them through the myriad and sometimes 
conflicting set of 50 data breach notification standards in the State 
and Federal jurisdictions. Additionally, the use of one set of 
standardized notice rules would permit the offering to consumers of the 
same notice and the same rights regardless of where they live.
Conclusion
    In closing, three points are uppermost.
    First, retailers take the increasing incidence of payment card 
fraud very seriously. We do so as Main Street members of the community, 
because it affects our neighbors and our customers. We do so as 
businesses, because it affects the bottom line. Merchants already bear 
at least an equal, and often a greater, cost of fraud than any other 
participant in the payment card system. We have every reason to want to 
see fraud reduced, but we have only a portion of the ability to make 
that happen. We did not design the system; we do not configure the 
cards; we do not issue the cards. We will work to effectively upgrade 
the system, but we cannot do it alone.
    Second, the vast majority of breaches are criminal activity. The 
hacked party, whether a financial institution, a card network, a 
processor, a merchant, a governmental institution, or a consumer is the 
victim of a crime. Traditionally, we don't blame the victim of violence 
for the resulting stains; we should be similarly cautious about 
penalizing the hackee for the hack. The payment system is complicated. 
Every party has a role to play; we need to play it together. No system 
is invulnerable to the most sophisticated and dedicated of thieves. 
Consequently, eliminating all fraud is likely to remain an aspiration. 
Nevertheless, we will do our part to help achieve that goal.
    Third, it is long past time for the United States to adopt PIN and 
chip card technology. The PIN authenticates and protects the consumer 
and the merchant. The chip authenticates the card to the bank. If the 
goal is to reduce fraud we must, at a minimum, do both.
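The per-transaction tokenization scheme described in the Improved Technology Solutions section above (a token stands in for the account number, is unique to one transaction, and so cannot be reused if stolen) is shown below as an added worked example. It is not part of the witness's statement or of any vendor's product; the vault, merchant, transaction identifiers and the test card number are constructed for illustration, and the design choices (random 128-bit tokens, one redemption per token, a Luhn check on input) are the editor's assumptions about how such a system would be built.

```python
"""Per-transaction tokenization, as an added illustration of the scheme
described in the statement: the merchant keeps a token, the vault keeps the
card number (PAN), and a token is bound to one transaction so a stolen copy
cannot be replayed. All names and values here are constructed for the example."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check used on card numbers (rejects obvious typos)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component that ever stores the real PAN."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "txn_id", "redeemed"}

    def tokenize(self, pan: str, txn_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # 128 random bits with no mathematical relation to the PAN, so a
        # leaked token reveals nothing about the account it stands for.
        token = secrets.token_hex(16)
        self._records[token] = {"pan": pan, "txn_id": txn_id, "redeemed": False}
        return token

    def detokenize(self, token: str, txn_id: str) -> str:
        """Release the PAN once, and only for the transaction the token was minted for."""
        rec = self._records.get(token)
        if rec is None:
            raise LookupError("unknown token")
        if rec["txn_id"] != txn_id:
            raise PermissionError("token is bound to a different transaction")
        if rec["redeemed"]:
            raise PermissionError("token already redeemed")
        rec["redeemed"] = True
        return rec["pan"]


class Merchant:
    """Hypothetical merchant-side store: holds tokens and a display hint, never the PAN."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = {}  # txn_id -> {"token", "last4"}

    def checkout(self, txn_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan, txn_id)
        self.orders[txn_id] = {"token": token, "last4": pan[-4:]}
        return token


def stolen_token_is_useless() -> dict:
    """Walk through the scenario from the statement: a copy of the merchant's
    order table yields tokens, and replaying them on other transactions fails."""
    vault = TokenVault()
    merchant = Merchant(vault)
    pan = "4111111111111111"  # constructed, Luhn-valid test number
    token = merchant.checkout("txn-0001", pan)
    outcome = {"pan_in_merchant_db": pan in str(merchant.orders)}
    # Legitimate settlement of txn-0001 by the processor (one-time redemption).
    outcome["settled_pan"] = vault.detokenize(token, "txn-0001")
    # Someone who copied the order table now holds only the token.
    leaked = merchant.orders["txn-0001"]["token"]
    for label, txn in (("replay_on_new_txn", "txn-9999"), ("replay_on_same_txn", "txn-0001")):
        try:
            vault.detokenize(leaked, txn)
            outcome[label] = "accepted"
        except PermissionError as err:
            outcome[label] = str(err)
    return outcome


if __name__ == "__main__":
    for key, value in stolen_token_is_useless().items():
        print(f"{key}: {value}")
```

The point the example makes concrete is the one the statement draws: the merchant's database never contains the account number, and a token lifted from it is rejected both on a different transaction and on a second attempt at the original one, so the breached data has no resale value. Keeping the vault and the merchant store in separate trust domains (different systems, different credentials) is what makes that property hold in practice.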
                PREPARED STATEMENT OF EDMUND MIERZWINSKI
                  Consumer Program Director, U.S. PIRG
                            February 3, 2014
    Chairman Warner, Senator Kirk, Members of the Committee, I 
appreciate the opportunity to testify before you on the important 
matter of consumer data security. Since 1989, I have worked on data 
privacy issues, among other financial system issues, for the U.S. 
Public Interest Research Group. The State PIRGs are nonprofit, 
nonpartisan public interest advocacy organizations that take on 
powerful interests on behalf of their members.
Summary:
    The authoritative Privacy Rights Clearinghouse has estimated that 
since 2005, 663,182,386 records have been breached in a total of 4,163 
separate data breaches.\1\ The latest exploit against Target Stores, 
depending on how it is measured, is among the largest ever.
---------------------------------------------------------------------------
    \1\ See ``Chronology of Data Breaches,'' Privacy Rights 
Clearinghouse, last visited 30 January 2014: https://
www.privacyrights.org/data-breach.
---------------------------------------------------------------------------
    Target should be held accountable for its failure to comply with 
applicable security standards but that does not mean it is 100 percent 
responsible for this breach. Merchants, and their customers, have been 
forced by the card monopolies to use an unsafe payment card system that 
relies on obsolete magnetic stripe technology. When the technology was 
used only for safer credit cards, this may have been acceptable, but 
since the banks and card networks have also aggressively promoted the 
use of debit cards on the unsafe signature (not safer PIN) based 
platform, consumer bank accounts have also been placed at risk.
    Congress should carefully weigh its response to the breach. 
Increasing consumer protections under the Electronic Funds Transfer Act 
(EFTA), which applies to debit cards, to the gold standard levels of 
the Truth In Lending Act, which applies to credit cards, should be the 
first step. Facing higher liability may ``focus the mind'' of the banks 
on improving security. Second, Congress should not preempt the 
strongest State breach notification laws, especially with a Federal 
breach law that may include a Trojan Horse preemption provision 
eliminating not only State breach laws, but all future State actions to 
protect privacy. That's the wrong response as we discuss below. 
Finally, Congress should also investigate the deceptive marketing of 
subscription-based credit monitoring and ID theft insurance products, 
which are over-priced and provide a false sense of security. In this 
case, although the highest risk to consumers is fraud on existing 
accounts, the modest credit monitoring product offered (for free) to 
Target customers will at best warn that you have become an identity 
theft victim. We make additional recommendations in the testimony below 
and are at all times available to brief Committee staff or members.
The Target Breach:
    The card information acquired in the first 40 million breached 
accounts that Target reported placed those debit/ATM or credit card 
customers at risk of fraud on their existing accounts. Because the 
scope of the records acquired in that RAM-scraping incident included 
not only the card number but also the expiration date, 3-digit security 
code (from the back of the card) and the (encrypted but probably 
hackable) PIN number or password, these numbers became very valuable on 
the underground market, as the Secret Service has already explained.
    Target's later admission that additional information--including 
telephone numbers and email addresses--for up to a total of 70-110 
million consumer records (some may have been the same consumers) held 
in a Customer Relations Management (CRM) database was also obtained, 
placed those customers at the risk of new account identity theft. 
Criminals will seek to obtain additional information, such as a 
consumer's Social Security Number, which would enable them to submit 
false applications for credit in your name.
    When bad guys obtain emails and phone numbers, they make phishing 
attacks to obtain more information: While the emails and phone numbers 
are not enough information to commit identity theft, it is enough 
information to conduct such ``phishing attacks'' designed to collect 
additional information, including Social Security Numbers and encrypted 
passwords, from consumers.
    They do this either through placing dangerous links in emails or 
various ``social engineering'' techniques to trick you into providing 
more information. A phishing email will appear to be from your bank. 
But if you click on any links, either a virus explodes on your computer 
to collect any personal information stored on it, or you are redirected 
to a site that will allow them to obtain the information they need. Or, 
if they call you, they use the information that they have as a 
validation that they are from the bank, to trick you into providing the 
information that they need. The additional information the bad guys 
seek, then, would either allow them direct access to your account 
(through the PIN) or to open new accounts in your name (with your 
Social Security Number) by committing identity theft. They use what 
they know to convince you to tell them what they don't know. They want 
your PIN, or your birth date and Social Security Number. They hope to 
trick you into giving it up.
    However, I believe the greater risk in this case is fraud on 
existing accounts, not identity theft. That is why so many banks re-
issued debit and credit cards, or both, following the incident. But 
disappointingly, Target's main response to consumers--offering a free 
credit monitoring service--won't stop or warn of fraud on existing 
accounts. That provides consumers a false sense of security.\2\
---------------------------------------------------------------------------
    \2\ Even worse, consumers who accept the monitoring product, 
ProtectmyID from the credit bureau Experian, must accept a boilerplate 
forced arbitration clause that restricts their ability to sue Experian. 
See http://www.protectmyid.com/terms/. And under current U.S. Supreme 
Court jurisprudence, that clause's outrageous ban on joining a class 
action is also permissible.
---------------------------------------------------------------------------
    It actually won't even stop identity theft; it will simply notify 
you after the fact of changes to your Experian credit report (but not 
to your Trans Union or Equifax reports, which may include different 
account information). Positively, the offered product terminates after 
1 year, rather than auto-renewing for a monthly fee (when similar 
products were offered after some previous breaches, the over-priced, 
under-performing credit monitoring products were sometimes set to auto-
renew for a fee).
    Despite my reservations about Target's delayed and drawn out 
notifications to customers about the breach,\3\ and its provision of 
the inadequate credit monitoring product, I don't believe that Target 
or other merchants deserve all of the blame for the data breaches that 
occur on their watch.
---------------------------------------------------------------------------
    \3\ I understand that some State Attorneys General are 
investigating whether adequate notification was made under their breach 
laws.
---------------------------------------------------------------------------
    The card networks are largely at fault. They have continued to use 
an obsolete 1970s magnetic stripe technology well into the 21st 
century. When the technology was solely tied to credit cards, where 
consumers enjoy strong fraud rights and other consumer protections by 
law, this may have been barely tolerable.
    But when the big banks and credit card networks asked consumers to 
expose their bank accounts to the unsafe signature-based payment 
system, by piggybacking once safer PIN-only debit cards onto the 
signature-based system, the omission became unacceptable. The vaunted 
``zero-liability'' promises of the card networks and issuing banks are 
by contract, not law. Of course, the additional problem any debit card 
fraud victim faces is that she is missing money from her own account 
while the bank conducts an allowable reinvestigation for 10 days or 
more, even if the bank eventually lives up to its promise.\4\
---------------------------------------------------------------------------
    \4\ Compare some of the Truth In Lending Act's robust credit card 
protections by law to the Electronic Funds Transfer Act's weak debit 
card consumer rights at this FDIC Web site: http://www.fdic.gov/
consumers/consumer/news/cnfall09/debit_vs_credit.html.
---------------------------------------------------------------------------
    Further, the card networks' failure to upgrade, let alone enforce, 
their PCI or security standards, despite the massive revenue stream 
provided by consumers and merchants through swipe, or interchange, 
fees, is yet another outrage by the banks and card networks.
    Incredibly, the Federal Reserve Board's rule interpreting the 
Durbin amendment limiting swipe fees on the debit cards of the biggest 
banks also provides for additional fraud revenue to the banks in 
several ways. Even though banks and card networks routinely pass along 
virtually all costs of fraud to merchants in the form of chargebacks, 
the Fed rule interpreting the Durbin amendment allows for much more 
revenue. So, not only are banks and card networks compensated with 
general revenue from the ever-increasing swipe fees, but the Fed allows 
them numerous additional specific bites of the apple for fraud-related 
fees.
    To be sure, Target should be held accountable if it turns out, as 
has been reported, that it was not in compliance with the latest and 
highest level of security standards throughout its system. But 
understand that that system was inadequate at best because, like acting 
as any monopolists would, the card duopoly refused to make adequate 
technological improvements to its system, preferring to extract excess 
rents for as long as possible. For that reason, I cannot endorse any 
reform that makes Target, or other merchants, the only ones at blame. 
In many ways, the merchants are as much victims of the banks' unsecure 
systems as consumers are.
Recommendations:
  1)  Congress should improve debit/ATM card consumer rights and make 
        all plastic equal:

    Up until now, both banks and merchants have looked at fraud and 
identity theft as a modest cost of doing business and have not 
protected the payment system well enough. They have failed to look 
seriously at harms to their customers from fraud and identity theft--
including not just monetary losses and the hassles of restoring their 
good names, but also the emotional harm that they must face as they 
wonder whether future credit applications will be rejected due to the 
fraudulent accounts.
    Currently, debit card fraud victims are reimbursed at ``zero 
liability'' only by promise. The EFTA's fraud standard actually 
provides for 3-tiers of consumer fraud losses. Consumers lose up to $50 
if they notify the bank within 2 days of learning of the fraud, up to 
$500 if they notify the bank within 60 days and up to their entire 
loss, including from any linked accounts, if they notify the bank after 
60 days. However, if the physical debit card itself is not lost or 
stolen, consumers are not liable for any fraud charges if they report 
them within 60 days of their bank statement.
    This shared risk fraud standard under the EFTA, which governs debit 
cards, appears to be vestigial, or left over from the days when debit 
cards could only be used with a PIN. Since banks encourage consumers to 
use debit cards, placing their bank accounts at risk, on the unsafe 
signature debit platform, this fraud standard should be changed.
    As a first step, Congress should institute the same fraud cap, $50, 
on debit/ATM cards as exists on credit cards. (Or, even eliminate the 
cap of $50 in all cases, since it is never imposed.) Congress should 
also provide debit and prepaid card customers with the stronger billing 
dispute rights and rights to dispute payment for products that do not 
arrive or do not work as promised that credit card users enjoy (through 
the Fair Credit Billing Act, a part of the Truth In Lending Act).\5\
---------------------------------------------------------------------------
    \5\ For a detailed discussion of these problems and recommended 
solutions, see Hillebrand, Gail (2008) ``Before the Grand Rethinking: 
Five Things to Do Today with Payments Law and Ten Principles to Guide 
New Payments Products and New Payments Law,'' Chicago-Kent Law Review: 
Vol. 83, Iss. 2, Article 12, available at http://
scholarship.kentlaw.iit.edu/cklawreview/vol83/iss2/12.
---------------------------------------------------------------------------
    Debit/ATM card customers already face the aforementioned cash-flow 
and bounced check problems while banks investigate fraud under the 
Electronic Funds Transfer Act. Reducing their possible liability by 
law, not simply by promise, won't solve this particular problem, but it 
will force banks to work harder to avoid fraud. If they face greater 
liability to their customers and account holders, they will be more 
likely to develop better security.

  2)  Congress should not endorse a specific technology, such as EMV 
        (parent technology of Chip and PIN and Chip and Signature). If 
        Congress takes steps to encourage use of higher standards, its 
        actions should be technology-neutral and apply equally to all 
        players.

    Chip and PIN and Chip and Signature are variants of the EMV 
technology standard commonly in use in Europe. The current pending U.S. 
rollout of chip cards will allow use of the less-secure Chip and 
Signature cards rather than the more-secure Chip and PIN cards. Why not 
go to the higher Chip and PIN authentication standard immediately and 
skip past Chip and Signature? As I understand the rollout schedule, 
there is still time to make this improvement.
    This example demonstrates why Congress should not embrace a 
specific technology. Instead, it should take steps to encourage all 
users to use the highest possible existing standard. Congress should 
also take steps to ensure that additional technological improvements 
and security innovations are not blocked by actions or rules of the 
existing players.
    If Congress does choose to impose higher standards, then it must 
impose them equally on all players. For example, current legislative 
proposals may unwisely impose softer regimes on financial institutions 
subject to the weaker Gramm-Leach-Bliley rules than to merchants and 
other nonfinancial institutions.
    Further, as most observers are aware, chip technology will only 
prevent the use of cloned cards in card-present (Point-of-Sale) 
transactions. It is an improvement over obsolete magnetic stripe 
technology in that regard, yet it will have no impact on online 
transactions, where fraud volume is much greater already than in point-
of-sale transactions. Experiments, such as with ``virtual card 
numbers'' for one-time use, are being carried out online. It would be 
worthwhile for the Committee to inquire of the industry and the 
regulators how well those experiments are proceeding and whether 
requiring the use of virtual card numbers in all online debit and 
credit transactions should be considered a best practice.
    Further, as I understand it, had Chip and PIN (or Chip and 
Signature) been in use, it would not have stopped the Target breach, 
since unencrypted information was collected from the Target system's 
internal RAM memory, after the cards had already been used.

  3)  Investigate card security standards bodies and ask the prudential 
        regulators for their views:

    To ensure that improvements continue to be made in the system, the 
Committee should also inquire into the governance and oversight of the 
development of card network security standards. Do regulators sit on 
the PCI board? As I understand it, merchants do not; they are only 
allowed to sit on what may be a meaningless ``advisory'' board. 
Further, do regulators have any mandatory oversight function over 
standards body rules?
    Recently, the networks have been in to see the Federal Reserve 
Board ostensibly to talk about interchange fees. Since the Fed is not a 
witness today, the Committee should ask the Fed and other prudential 
regulators about these matters at its pending Oversight hearing on 
these matters later this week. In particular, ask the Fed to testify as 
to the purposes and discussions at these meetings. Its summary of one 
of these meetings indicates that the issue was EMV (chip card 
technology) rollout:

        Summary (Meeting Between Federal Reserve Board Staff and 
        Representatives of Visa, January 8, 2014): Representatives of 
        Visa met with Federal Reserve Board staff to discuss their 
        observations of market developments related to the deployment 
        of EMV (i.e., chip-based) debit cards in the United States. 
        Topics discussed included an overview of their current EMV 
        roadmap and Visa's proposed common application for enabling 
        multiple networks on an EMV card while preserving merchant 
        routing and choice.\6\
---------------------------------------------------------------------------
    \6\ Available at http://www.federalreserve.gov/newsevents/rr-
commpublic/pin-debit-networks-20131107.pdf.
---------------------------------------------------------------------------

  4)  Congress should not enact any new legislation sought by the banks 
        to impose their costs of replacement cards on the merchants:

    Target should pay its share but this breach was not entirely 
Target's fault. The merchants are forced to use an obsolete and unsafe 
system designed by the banks and card networks, which, to make matters 
worse, don't uniformly enforce their additional often-changing security 
standards intended to ameliorate the flaws in the underlying platform. 
Disputes over costs of replacement cards should be handled by contracts 
and agreements between the players. How could you possibly draft a bill 
to address all the possible shared liabilities?
    Of course, the Federal Reserve has already allowed compensation to 
banks for card replacement in circumstances where the Fed's Durbin 
amendment rule applies. It states:

    ``Costs associated with research and development of new fraud-
prevention technologies, card reissuance due to fraudulent activity, 
data security, card activation, and merchant blocking are all examples 
of costs that are incurred to detect and prevent fraudulent electronic 
debit transactions. Therefore, the Board has included the costs of 
these activities in setting the fraud prevention adjustment amount to 
the extent the issuers reported these costs in response to the survey 
on 2009 costs.''\7\
---------------------------------------------------------------------------
    \7\ See 77 Fed. Reg. page 46264 (August 3, 2012), available at 
http://www.gpo.gov/fdsys/pkg/FR-2012-08-03/pdf/2012-18726.pdf. 
---------------------------------------------------------------------------

    Under the Fed's Durbin rules the amount of this compensation is as 
follows: banks can also get 5 basis points per transaction for fraud 
costs, 1.2 cents per transaction for transaction monitoring, and 1 cent 
per transaction for the fraud prevention adjustment. Again, this is in 
addition to merchants already paying chargebacks for fraud as well as 
PCI violation fines, plus litigation damages.

  5)  Congress should not enact any Federal breach law that preempts 
        State breach laws or, especially, preempts other State data 
        security rights:

    In 2003, when Congress, in the FACT Act, amended the Fair Credit 
Reporting Act, it specifically did not preempt the right of the States 
to enact stronger data security and identity theft protections.\8\ We 
argued that since Congress hadn't solved all the problems, it shouldn't 
prevent the States from doing so.
---------------------------------------------------------------------------
    \8\ See ``conduct required'' language in Section 711 of the Fair 
and Accurate Credit Transactions Act of 2003, Public Law 108-159. Also 
see Hillebrand, Gail, ``After the FACT Act: What States Can Still Do to 
Prevent Identity Theft,'' Consumers Union, 13 January 2004, available 
at http://consumersunion.org/research/after-the-fact-act-what-states-
can-still-do-to-prevent-identity-theft/.
---------------------------------------------------------------------------
    From 2004 to today, 46 States enacted security breach notification 
laws and 49 States enacted security freeze laws. Many of these laws were 
based on the CLEAN Credit and Identity Theft Protection Model State Law 
developed by Consumers Union and U.S. PIRG.\9\
---------------------------------------------------------------------------
    \9\ See http://consumersunion.org/wp-content/uploads/2013/02/
model.pdf.
---------------------------------------------------------------------------
    A security freeze, not credit monitoring, is the best way to 
prevent identity theft. If a consumer places a security freeze on her 
credit reports, a criminal can apply for credit in her name, but the 
new potential creditor cannot access her ``frozen'' credit report and 
will reject the application. The freeze is not for everyone, since you 
must unfreeze your report on a specific or general basis whenever you 
re-enter the credit marketplace, but it is the only way to protect your 
credit report from unauthorized access. See this footnoted Consumers 
Union page for a list of security freeze rights.\10\
---------------------------------------------------------------------------
    \10\ http://defendyourdollars.org/document/guide-to-security-
freeze-protection.
---------------------------------------------------------------------------
    The other problem with enacting a preemptive Federal breach 
notification law is that industry lobbyists will seek language that not 
only preempts breach notification laws but also prevents States from 
enacting any future data security laws, despite the laudable 2003 FACT 
Act example above.
    Simply as an example, S. 1927 (Carper) includes sweeping preemption 
language that is unacceptable to consumer and privacy groups and likely 
also to most State Attorneys General:

        SEC. 7. RELATION TO STATE LAW.

        No requirement or prohibition may be imposed under the laws of 
        any State with respect to the responsibilities of any person 
        to----

    (1)  protect the security of information relating to consumers that 
        is maintained or communicated by, or on behalf of, the person;

    (2)  safeguard information relating to consumers from potential 
        misuse;

    (3)  investigate or provide notice of the unauthorized access to 
        information relating to consumers, or the potential misuse of 
        the information, for fraudulent, illegal, or other purposes; or

    (4)  mitigate any loss or harm resulting from the unauthorized 
        access or misuse of information relating to consumers.

Other bills before the Congress include similar, if not even more 
sweeping, abuses of our Federal system, despite the fact that at least 
one merchant I have spoken with told me: ``Actually, Ed, it is relatively 
easy to comply with the different State breach laws. We haven't had a 
problem.''
    Such broad preemption will prevent States from acting as first 
responders to emerging privacy threats. Congress should not preempt the 
States. In fact, Congress should think twice about whether a Federal 
breach law that is weaker than the best State laws is needed at all.

  6)  Congress should allow for private enforcement and broad State and 
        local enforcement of any law it passes:

    The marketplace only works when we have strong Federal laws and 
strong enforcement of those laws, buttressed by State and local and 
private enforcement.
    Many of the data breach bills I have seen specifically state no 
private right of action is created. Such clauses should be eliminated 
and it should also be made clear that the bills have no effect on any 
State private rights of action. Further, no bill should include 
language reducing the scope of State Attorney General or other State-
level public official enforcement. Further, any Federal law should not 
restrict State enforcement only to State Attorneys General.
    For example, in California not only the State Attorney General but 
also county District Attorneys and even city attorneys of large cities 
can bring unfair practices cases.
    Although we currently have a diamond age of Federal enforcement, 
with strong but fair enforcement agencies including the CFPB, OCC and 
FDIC, that may not always be the case. By preserving State remedies and 
the authority of State and local enforcers, you can better protect your 
constituents from the harms of fraud and identity theft.

  7)  Any Federal breach law should not include any ``harm trigger'' 
        before notice is required:

    The better State breach laws, starting with California's, require 
breach notification if information is presumed to have been 
``acquired.'' The weaker laws allow the company that failed to protect 
the consumer's information in the first place to decide whether to tell 
them, based on its estimate of the likelihood of identity theft or 
other harm.
    Only an acquisition standard will serve to force data collectors to 
protect the financial information of their trusted customers, account 
holders or, as Target calls them, ``guests,'' well enough to avoid the 
costs, including to reputation, of a breach.

  8)  Congress should further investigate marketing of overpriced 
        credit monitoring and identity theft subscription products:

    In 2005 and then again in 2007 the FTC imposed fines on the credit 
bureau Experian for deceptive marketing of its various credit 
monitoring products, which are often sold as add-ons to credit cards 
and bank accounts. Prices range up to $19.99/month. While it is likely 
that recent CFPB enforcement orders \11\ against several large credit 
card companies for deceptive sale of the add-on products--resulting in 
recovery of approximately $800 million to aggrieved consumers--may 
cause banks to think twice about continuing these relationships with 
third-party firms, the Committee should also consider its own 
examination of the sale of these credit card add-on products.
---------------------------------------------------------------------------
    \11\ We discuss some of the CFPB cases here http://www.uspirg.org/
news/usp/cfpb-gets-results-orders-chase-bank-repay-consumers-over-300-
million-over-sale-junky-credit.
---------------------------------------------------------------------------
    In addition to profits from credit monitoring, banks and other 
firms reap massive revenues from ID Theft insurance, sometimes sold in 
the same package and sometimes sold separately. Companies that don't 
protect our information as the law requires add insult to injury by 
pitching us over-priced monitoring and insurance products. The 
Committee should call in the companies that provide ID theft insurance 
and force the industry to open its books and show what percentage of 
premiums are paid out to beneficiaries. It is probable that the loss 
ratio on these products is so low as to be meaningless, meaning profits 
are sky-high.
    Consumers who want credit monitoring can monitor their credit 
themselves. No one should pay for it. You have the right under Federal 
law to look at each of your 3 credit reports (Equifax, Experian and 
TransUnion) once a year for free at the federally mandated central site 
annualcreditreport.com. Don't like Web sites? You can also access your 
Federal free report rights by phone or email. You can stagger these 
requests--1 every 4 months--for a type of do-it-yourself no-cost 
monitoring. And, if you suspect you are a victim of identity theft, you 
can call each bureau directly for an additional free credit report. If 
you live in Colorado, Georgia, Massachusetts, Maryland, Maine, New 
Jersey, Puerto Rico or Vermont, you are eligible for yet another free 
report annually under State law by calling each of the Big 3 credit 
bureaus.
    Although Federal authority against unfair monitoring marketing was 
improved in the 2009 Credit CARD Act,\12\ the Committee should also ask 
the regulators whether any additional changes are needed.
---------------------------------------------------------------------------
    \12\ The Credit Card Accountability, Responsibility and Disclosure 
(CARD) Act of 2009, Public Law 111-24. See Section 205.
---------------------------------------------------------------------------

  9)  Review Title V of the Gramm-Leach-Bliley Act and its data 
        security requirements:

    The 1999 Gramm-Leach-Bliley Act imposed data security 
responsibilities on regulated financial institutions, including banks. 
The requirements include breach notification in certain 
circumstances.\13\ The Committee should ask the regulators for 
information on their enforcement of its requirements and should 
determine whether additional legislation is needed. The Committee 
should also recognize, as noted above, that compliance with GLBA should 
not constitute constructive compliance with any additional security 
duties imposed on other players in the card network system as that 
could lead to a system where those other nonfinancial-institution 
players are treated unfairly.
---------------------------------------------------------------------------
    \13\ See the Federal Financial Institutions Examination Council's 
``Final Guidance on Response Programs: Guidance on Response Programs 
for Unauthorized Access to Customer Information and Customer Notice,'' 
2005, available at http://www.fdic.gov/news/news/financial/2005/
fil2705.html.
---------------------------------------------------------------------------

  10)  Congress should investigate the over-collection of consumer 
        information for marketing purposes. More information means more 
        information at risk of identity theft. It also means there is a 
        greater potential for unfair secondary marketing uses of 
        information:

    In the Big Data world, companies are collecting vast troves of 
information about consumers. Every day, the collection and use of 
consumer information in a virtually unregulated marketplace is 
exploding. New technologies allow a web of interconnected businesses--
many of which the consumer has never heard of--to assimilate and share 
consumer data in real-time for a variety of purposes that the consumer 
may be unaware of and may cause consumer harm. Increasingly, the 
information is being collected in the mobile marketplace and includes a 
new level of localized information.
    Although the Fair Credit Reporting Act limits the use of financial 
information for marketing purposes and gives consumers the right to 
opt-out of the limited credit marketing uses allowed, these new Big 
Data uses of information may not be fully regulated by the FCRA. The 
development of the Internet marketing ecosystem, populated by a variety 
of data brokers and advertisers buying and selling consumer information 
without their knowledge and consent, is worthy of Congressional 
inquiry.\14\
---------------------------------------------------------------------------
    \14\ See the FTC's March 2012 report, ``Protecting Consumer Privacy 
in an Era of Rapid Change: Recommendations For Businesses and 
Policymakers,'' available at http://www.ftc.gov/news-events/press-
releases/2012/03/ftc-issues-final-commission-report-protecting-
consumer-privacy. Also see Edmund Mierzwinski and Jeff Chester, 
``Selling Consumers Not Lists: The New World of Digital Decision-Making 
and the Role of the Fair Credit Reporting Act,'' 46 Suffolk University 
Law Review Vol. 3, page 845 (2013), also available at http://
suffolklawreview.org/selling-consumers-not-lists/.
---------------------------------------------------------------------------
    Thank you for the opportunity to provide the Committee with our 
views. We are happy to provide additional information to Members or 
staff.
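The memory-scraping point made in the statement above (that card data 
sitting unencrypted in a POS system's RAM is exposed after the card has 
been read, whatever card technology was used at the terminal) is 
illustrated below. This is an added example written for this edited copy 
of the record; it is not part of either witness's testimony and is not 
code from Target, the card networks or the PCI Security Standards 
Council. The memory images are constructed, the card numbers are 
industry test numbers, and the search logic (track 2 framing plus a Luhn 
check, then a scan for bare PANs) is a simplified model of what POS RAM 
scrapers do. The second image stands in for a system that holds only a 
token and ciphertext, which is the point-to-point encryption and 
tokenization approach the PCI SSC statement that follows describes.

```python
"""Added example: what a POS RAM scraper harvests, and why EMV alone does not help.

The memory images are constructed for this example. The card numbers are
well-known test numbers (Luhn-valid, not issued to anyone). Nothing here is
code from any witness, merchant, card network or standards body.
"""
import re

# Track 2 as it sits in POS memory after a swipe or chip read:
#   ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Bare digit runs of PAN length, for data that has lost its track framing
# (authorization logs, copies left in application buffers).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test; scrapers use it to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30  # ASCII digit to int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """Return the card data a scraper would harvest from a memory image."""
    hits, covered = [], []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"kind": "track2", "pan": pan.decode(),
                         "expiry": m.group(2).decode(), "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(memory):
        # Skip digit runs inside an already harvested track: both the PAN and
        # the expiry/service/discretionary run after '=' would match again.
        if any(s <= m.start() < e for s, e in covered):
            continue
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": pan.decode(), "offset": m.start()})
    return hits


# Constructed image of a POS application's memory after a few transactions.
# The 13-digit transaction id fails Luhn and is correctly ignored, as is the
# decoy 16-digit run on the last line.
UNPROTECTED_IMAGE = (
    b"\x00" * 16
    + b"POSAPP v2.1 txn=2014020312345 amt=000001999\x00"
    + b"SWIPE ;4111111111111111=15121011234567890? \x00"
    + b"AUTH OK PAN=5555555555554444 RC=00\x00"
    + b"scratch 1234567890123456 end\x00"
    + b"\x00" * 16
)

# The same activity on a system that only ever holds a token and ciphertext
# (encryption at the reader, tokenization downstream): nothing to harvest.
PROTECTED_IMAGE = (
    b"\x00" * 16
    + b"POSAPP v2.1 txn=2014020312345 amt=000001999\x00"
    + b"TOKEN=tok_8f3a2c41 ENC=4a7f19c2e08b3d6f5a1c9e2b7d4f8a30\x00"
    + b"\x00" * 16
)


if __name__ == "__main__":
    for name, image in (("unprotected", UNPROTECTED_IMAGE),
                        ("protected", PROTECTED_IMAGE)):
        print(name, scrape(image))
```

Run stand-alone, the script reports two harvested cards from the first 
image (the full track 2 record from the swipe buffer and a bare PAN from 
the authorization log) and nothing from the second. The same scan logic 
turned around, run against a dump of a production POS process, is a 
cheap check that card data is not lingering in memory after 
authorization.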
                                 ______
                                 
                    PREPARED STATEMENT OF TROY LEACH
  Chief Technology Officer, Payment Card Industry Security Standards 
                                Council
                            February 3, 2014
Introduction
    Chairman Warner, Ranking Member Kirk, Members of the Subcommittee, 
on behalf of the PCI Security Standards Council, thank you for inviting 
us to testify today before the Subcommittee.
    My name is Troy Leach and I am the Chief Technology Officer of the 
Payment Card Industry (PCI) Security Standards Council (SSC), a global 
industry initiative and membership organization, focused on securing 
payment card data. Working with a global community of industry players, 
our organization has created data security standards--notably the PCI 
Data Security Standard (PCI DSS)--certification programs, training 
courses and best practice guidelines to help improve payment card 
security.
    Together with our community of over one thousand of the world's 
leading businesses, we're tackling data security challenges from 
password complexity to proper protection of PIN entry devices on 
terminals. Our work is broad for a simple reason: there is no single 
answer to securing payment card data. No one technology is a panacea; 
security requires a multi-layered approach across the payment chain.
    The PCI Security Standards Council is an excellent example of 
effective industry collaboration to develop private sector standards. 
Simply put, the PCI Standards are the best line of defense against the 
criminals seeking to steal payment card data. And while several recent 
high profile breaches have captured the Nation's attention, great 
progress has been made over the past 7 years in securing payment card 
data, through a collaborative cross-industry approach, and we continue 
to build upon the way we protect this data.
    Consumers are understandably upset when their payment card data is 
put at risk of misuse and--while the PCI Security Standards Council is 
not a name most consumers know--we are sensitive to the impact that 
breaches cause for consumers. And consumers should take comfort from 
the fact that a great number of the organizations they do business with 
have joined the PCI SSC to collaborate in the effort to better protect 
their payment card data.
Payment card security: a dynamic environment
    Since the threat landscape is constantly evolving, the PCI SSC 
expects its standards will do the same. Confidence that businesses are 
protecting payment card data is paramount to a healthy economy and 
payment process--both in person and online. That's why to date, more 
than one thousand of the world's leading retailers, airlines, banks, 
hotels, payment processors, Government agencies, universities, and 
technology companies have joined the PCI Council as members and as part 
of our assessor community to develop security standards that apply 
across the spectrum of today's global multi-channel and online 
businesses.
    Our community members are living on the front lines of this 
challenge and are therefore well placed, through the unique forum of 
the PCI Security Standards Council, to provide input on threats they 
are seeing and ideas for how to tackle these threats through the PCI 
Standards.
    The Council develops standards through a defined, published 3-year 
lifecycle. Our Participating Organization members told us that 3 years 
was the appropriate timeframe to update and deploy security approaches 
in their organizations. In addition to the formal lifecycle, the 
Council and the PCI community have the resources to continually monitor 
and provide updates through standards, published FAQs, Special Interest 
Group work, and guidance papers on emerging threats and new ways to 
improve payment security. Examples include updated wireless guidance 
and security guidelines for merchants wishing to accept mobile 
payments.
    This year, on January 1, 2014, our latest version of the PCI Data 
Security Standard (PCI DSS) became effective. This is our overarching 
data security standard, built on 12 principles that cover everything 
from implementing strong access control, monitoring and testing 
networks, to having an information security policy. During updates to 
this standard, we received hundreds of pieces of feedback from our 
community. This was almost evenly split between feedback from domestic 
and international organizations, highlighting the global nature of 
participation in the PCI SSC and the need to provide standards and 
resources that can be adopted globally to support the international 
nature of the payment system.
    This feedback has enabled us to be directly responsive to 
challenges that organizations are facing every day in securing 
cardholder data. For example, in this latest round of PCI DSS 
revisions, community feedback indicated changes were needed to secure 
password recommendations. Password strength remains a challenge--as 
``password'' is still among the most common passwords used by global 
businesses--and is highlighted in industry reports as a common failure 
leading to data compromise. Small merchants in particular often do not 
change passwords on point of sale (POS) applications and devices. With 
the help of the PCI community, the Council has updated requirements to 
make clear that default passwords should never be used, all passwords 
must be regularly changed and not continually repeated, should never be 
shared, and must always be of appropriate strength. Beyond promulgating 
appropriate standards, we have taken steps through training and public 
outreach to educate the merchant community on the importance of 
following proper password protocols.
    Recognizing the need for a multi-layer approach, in addition to the 
PCI DSS, the Council and community have developed standards that cover 
payment applications and point of sale devices. In other areas, based 
on community feedback, we are working on standards and guidance on 
other technologies such as tokenization and point-to-point encryption. 
These technologies can dramatically increase data security at 
vulnerable points along the transactional chain. Tokenization and 
point-to-point encryption remove or render payment card information 
useless to cyber criminals, and work in concert with other PCI 
Standards to offer additional protection to payment card data.
    In addition to developing and updating standards, every year the 
PCI community votes on which topics they would like to explore with the 
Council and provide guidance on. Over the last few years the working 
groups formed by the Council to address these concerns have drawn 
hundreds of organizations to collaborate together to produce resources 
on third party security assurance, cloud computing, best practices for 
maintaining compliance, e-commerce guidelines, virtualization, and 
wireless security. Other recent Council initiatives have addressed ATM 
security, PIN security, and mobile payment acceptance security for 
developers and merchants.
EMV Chip & PCI Standards--a strong combination
    One technology that has garnered a great deal of attention in 
recent weeks is EMV chip--a technology that has widespread use in 
Europe and other markets. EMV chip is an extremely effective method of 
reducing counterfeit and lost/stolen card fraud in a face-to-face 
payments environment. That's why the PCI Security Standards Council 
supports the deployment of EMV chip technology.
    Global adoption of EMV chip, including broad deployment in the U.S. 
market, does not preclude the need for a strong data security posture 
to prevent the loss of cardholder data from intrusions and data 
breaches. We must continue to strengthen data security protections that 
are designed to prevent the unauthorized access and exfiltration of 
cardholder data.
    Payment cards are used in a variety of remote channels--such as 
electronic commerce--where today's EMV chip technology is not typically 
an option for securing payment transactions. Security innovation 
continues to occur for online payments beyond existing fraud detection 
and prevention systems. Technologies such as authentication, tokenization, 
and other frameworks are being developed, including some solutions that 
may involve EMV chip--yet broad adoption of these solutions is not on 
the short-term horizon. Consequently, the industry needs to continue to 
protect cardholder data across all payment channels to minimize the 
ongoing risks of data loss and resulting cross-channel fraud such as 
may be experienced in the online channel.
    Nor does EMV chip negate the need for secure passwords, patching 
systems, monitoring for intrusions, using firewalls, managing access, 
developing secure software, educating employees, and having clear 
processes for the handling of sensitive payment card data. These 
processes are critical for all businesses--both large retailers and 
small businesses--who themselves have become a target for cyber 
criminals. At smaller businesses, EMV chip technology will have a 
strong positive impact. But if small businesses are not aware of the 
need to secure other parts of their systems, or if they purchase 
services and products that are not capable of doing that for them, then 
they will still be subject to the ongoing exposure of the compromise of 
cardholder data and resulting financial or reputational risk.
    Similarly, protection from malware-based attacks requires more than 
just EMV chip technology. Reports in the press regarding recent 
breaches point to insertion of complex malware. EMV chip technology 
could not have prevented the unauthorized access, introduction of 
malware, and subsequent exfiltration of cardholder data. Failure of 
other security protocols required under Council standards is necessary 
for malware to be inserted.
    Finally, EMV chip technology does not prevent memory scraping, a 
technique that has been highlighted in press reports of recent 
breaches. Other safeguards are needed to do so. In our latest versions 
of security standards for Point of Sale devices (PCI PIN Transaction 
Security Requirements), the Council includes requirements to further 
counter this threat. These include improved tamper responsiveness so 
that devices will ``self-destruct'' if they are opened or tampered with 
and the creation of electronic signatures that prevent applications 
that have not been ``whitelisted'' from being installed. Our recently 
released update to the standard, PTS 4.0, requires a default reset 
every 24 hours that would remove malware from memory and reduce the 
risk of data being obtained in this way. By responding to the Council's 
PTS requirements, POS manufacturers are bringing more secure products 
to market that reflect a standards development process that 
incorporates feedback from a broad base of diverse stakeholders.
    Used together, EMV chip, PCI Standards, along with many other tools 
can provide strong protections for payment card data. I want to take 
this opportunity to encourage all parties in the payment chain--whether 
they are EMV chip ready or not--to take a multi-layered approach to 
protect consumers' payment card data. There are no easy answers and no 
shortcuts to security.
    Global adoption of EMV chip is necessary and important. Indeed, 
when EMV chip technology does become broadly deployed in the U.S. 
marketplace and fraud migrates to less secure transaction environments, 
PCI Standards will remain critical.
Beyond Standards--building a support infrastructure
    An effective security program through PCI is not focused on 
technology alone; it includes people and process as key parts of 
payment card data protection. PCI Standards highlight the need for 
secure software development processes, regularly updated security 
policies, clear access controls, and security awareness education for 
employees. Employees have to know not to click on suspicious links, why 
it is important to have secure passwords, and to question suspicious 
activity at the point of sale.
    Most standards organizations create standards, and no more. PCI 
Security Standards Council, however, recognizes that standards, without 
more, are only tools, and not solutions. And this does not address the 
critical challenges of training people and improving processes.
    To help organizations improve payment data security, the Council 
takes a holistic approach to securing payment card data, and its work 
encompasses both PCI Standards development and maintenance of programs 
that support standards implementation across the payment chain. The 
Council believes that providing a full suite of tools to support 
implementation is the most effective way to ensure the protection of 
payment card data. To support successful implementation of PCI 
Standards, the Council maintains programs that certify and validate 
certain hardware and software products to support payment security. For 
example, the Council wants to make it easy for merchants and financial 
institutions to deploy the latest and most secure terminals and so 
maintains a public listing on its Web site for them to consult before 
purchasing products. We realize it takes time and money to upgrade POS 
terminals and we encourage businesses that are looking to upgrade for 
EMV chip to consider other necessary security measures by choosing a 
POS terminal from this list. Similarly, we are supporting the adoption 
of point-to-point encryption, and listing appropriate solutions on our 
Web site to take a solutions-oriented approach to helping retailers 
more readily implement security in line with the PCI standards.
    Additionally, the Council runs a program that develops and 
maintains a pool of global assessment personnel to help work with 
organizations that deploy PCI Standards to assess their performance in 
using PCI Standards. The Council also focuses on creating education and 
training opportunities to build expertise in protecting payment card 
data in different environments and from the various viewpoints of 
stakeholders in the payment chain. Since our inception, we have trained 
tens of thousands of individuals, including staff from large merchants, 
leading technology companies and Government agencies, and are currently 
under contract to train members of the United States Secret Service. 
Finally, we devote substantial resources to creating public campaigns 
to raise awareness of these resources and the issue of protecting 
payment card data.
    The PCI community and large organizations that accept, store, or 
transmit payment card data worldwide have made important strides in 
adopting globally consistent security protocols. However, the Council 
recognizes that small organizations remain vulnerable. Smaller 
businesses lack IT staff and budgets to devote resources to following 
or participating in the development of industry standards. But they can 
take simple steps like updating passwords, firewalls, and ensuring they 
are configured to accept automatic security updates. Additionally, to 
help this population, the Council promotes its listings of validated 
products, and recently launched a program, the Qualified Integrator and 
Reseller program (QIR) to provide a pool of personnel able to help 
small businesses ensure high quality and secure installation of their 
payment systems.
    The work of the Council covers the entire payment security 
environment with the goal of providing or facilitating access to all 
the tools necessary--standards, products, assessors, educational 
resources, and training--for stakeholders to successfully secure 
payment card data. We do this because we believe that no one technology 
is a panacea and effective security requires a multi-layered approach.
Public-private collaboration
    The Council welcomes this hearing and the Government's attention on 
this critical issue. The recent compromises underscore the importance 
of constant vigilance in the face of threats to payment card data. We are 
hopeful that this hearing will help raise awareness of the importance 
of a multi-layered approach to payment card security.
    There are very clear ways in which the Government can help improve 
the payment data security environment. For example, by championing 
stronger law enforcement efforts worldwide, particularly due to the 
global nature of these threats, and by encouraging stiff penalties for 
crimes of this kind to act as a deterrent. There is much public 
discussion about simplifying data breach notification laws and 
promoting information sharing between public and private sector. These 
are all opportunities for the Government to help tackle this challenge.
    The Council is an active participant in Government research in this 
area: we have provided resources, expertise and ideas to NIST, DHS, and 
other Government entities, and we remain ready and willing to do so.
    Almost 20 years ago, through its passage of the Technology Transfer 
and Advancement Act of 1995, Congress recognized that Government should 
rely on the private sector to develop standards rather than to develop 
them itself. The substantial benefits of the unique, U.S. ``bottom up'' 
standards development process have been well recognized. They include 
the more rapid development and adoption of standards that are more 
responsive to market needs, representing an enormous savings in time to 
Government and in cost to taxpayers.
    The Council believes that the development of standards to protect 
payment card data is something the private sector, and PCI 
specifically, is uniquely qualified to do. It is unlikely any 
Government agency could duplicate the expansive reach, expertise, and 
decisiveness of PCI. High profile events such as the recent breaches 
are a legitimate area of inquiry for the Congress, but should not serve 
as a justification to impose new Government regulations. Any Government 
standard in this area would likely be significantly less effective in 
addressing current threats, and less nimble in protecting consumers 
from future threats, than the constantly evolving PCI Standards.
Conclusion
    In 2011, the Ponemon Institute, a nonpartisan research center 
dedicated to privacy, data protection, and information security policy 
wrote, ``The Payment Card Industry Data Security Standard (PCI DSS) 
continues to be one of the most important regulations for all 
organizations that hold, process or exchange cardholder information.''
    While we are pleased to have earned accolades such as this, we 
cannot rest on our laurels.
    The recent breaches at retailers underscore the complex nature of 
payment card security. A complex problem cannot be solved by any single 
technology, standard, mandate, or regulation. It cannot be solved by a 
single sector of society; business, standards-setting bodies, 
policymakers, and law enforcement must work together to protect the 
financial and privacy interests of consumers. Today, as this Committee 
focuses on recent damaging data breaches, we know that there are 
criminals focused on inventing the next threat.
    There is no time to waste. The PCI Security Standards Council and 
business must commit to promoting stronger security protections while 
Congress leads efforts to combat global cyber-crimes that threaten us 
all. We thank the Committee for taking an important leadership role in 
seeking solutions to one of the largest security concerns of our time.
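The memory-scraping threat described in the statement above (track data lifted from point-of-sale process memory, which EMV chip does not prevent and which the PTS 24-hour reset is meant to limit) can be made concrete with a scanner that looks for exactly what such malware looks for. The following is an added example, not code from the hearing, the PCI Council or any vendor; the memory image and the card numbers in it are constructed test data, and the only assumption is the standard track-2 layout (PAN, '=', YYMM expiry, three-digit service code, discretionary data).

```python
"""Track-2 scan over a raw memory image: the data a POS RAM scraper hunts for.

Added example for this page; not code from the hearing, the PCI Council or
any vendor.  The memory image and card numbers are constructed test data.
Assumed track-2 layout (the standard one):
    [;]PAN=YYMM<service code><discretionary data>[?]
"""
import re

# PAN is 13-19 digits; the '=' field separator followed by an expiry and a
# 3-digit service code is what distinguishes track data from a random digit
# run.  Start/end sentinels are optional because a scraper cannot rely on them.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, so scrapers and
    detectors both use it to throw away look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(image: bytes) -> list:
    """Return (offset, masked PAN, MM/YY) for every Luhn-valid track-2 record.
    The clear PAN is never returned, so the output is safe to log."""
    hits = []
    for m in TRACK2_RE.finditer(image):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # right shape, not a card number
        yy, mm = m.group(2).decode(), m.group(3).decode()
        hits.append((m.start(), mask_pan(pan), f"{mm}/{yy}"))
    return hits


# Constructed memory image: two genuine track-2 records amid binary noise, plus
# a decoy that has the right shape but fails the Luhn check.
MEMORY_IMAGE = (
    b"\x00\x00POS-APP\x00log=ok\x00"
    b";4111111111111111=25121011234567890?\x00\x00"
    b"\xff\xfe\x01;4111111111111112=2512101?"     # decoy, Luhn fails
    b"garbage;5555555555554444=26081019876?\x00"
)

if __name__ == "__main__":
    for offset, masked, exp in scan_memory(MEMORY_IMAGE):
        print(f"offset {offset:5d}  PAN {masked}  exp {exp}")
```

Run against a dump of the payment application's process (or of the whole terminal), this is the check a practitioner uses to confirm whether clear track data is resident in memory at all. Whatever it finds is exactly what a scraper would have had access to between two of the daily resets the PTS 4.0 requirement mandates; an empty result after the card read is what point-to-point encryption at the reader is supposed to produce.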
RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM JESSICA RICH

Q.1. Banks are bound by regulations (the Gramm-Leach-Bliley 
Act and Reg. E to name a few) regarding how to store consumer 
data, and are regularly examined by Federal regulators to 
ensure ongoing and accurate compliance. Regulators have a 
number of enforcement mechanisms in place to deal with banks 
found to be noncompliant, such as requiring prompt corrective 
action for material violations--even before a breach occurs. 
What are the rules binding merchants to protect consumer 
information? How are they monitored and enforced?
A.1. The FTC enforces Section 5 of the FTC Act, which prohibits 
unfair or deceptive acts or practices. A company acts 
deceptively if it makes materially misleading statements or 
omissions about data security, and such statements or omissions 
are likely to mislead reasonable consumers. Further, a company 
engages in unfair acts or practices if its data security 
practices cause or are likely to cause substantial injury to 
consumers that is neither reasonably avoidable by consumers nor 
outweighed by countervailing benefits to consumers or to 
competition. The FTC can bring an enforcement action against a 
company engaged in deceptive or unfair practices, either 
through administrative adjudication or in Federal district 
court. Through these mechanisms, the FTC can obtain injunctive 
relief, such as prohibitions on misrepresentations, additional 
disclosures, implementation of comprehensive data security 
programs, and outside third party audits.
    Merchants may also be subject to other Federal laws that 
contain data security requirements. For example, the Fair 
Credit Reporting Act (``FCRA'') imposes safe disposal 
obligations on any entity that maintains consumer report 
information. The FTC's Safeguards Rule, which implements the 
Gramm-Leach-Bliley Act, requires certain nonbank financial 
institutions to implement a comprehensive information security 
program. And, the Children's Online Privacy Protection Act 
(``COPPA'') requires reasonable security for children's 
information collected online. In addition to the injunctive 
relief discussed above, the FTC can also seek civil penalties 
against merchants violating the FCRA and COPPA. To date, the 
Commission has settled 50 data security cases using its 
authority.
    Beyond Federal laws, State data security and breach 
notification laws may place additional requirements on 
merchants. And, merchants may also be subject to self-
regulatory standards that place additional security 
requirements on data they maintain.

Q.2. There has been a 30 percent increase in data breaches from 
2012 to 2013. Clearly, these criminals are getting more 
sophisticated--but because the majority of these breaches are 
occurring within the healthcare space and with retailers, is 
there reason to believe more should be done in these spaces to 
protect consumers?

A.2. Yes--companies should ensure that they have sound 
information security practices. They can start by doing a 
thorough risk assessment of their security practices for 
managing personal information and then designing a security 
program to control and limit these risks. This should be done 
in all areas of a company's operations and not just its 
computer networks. Many breaches we have seen have not involved 
high-tech hacking or other sophisticated techniques. Some 
occurred because companies did not do background checks on 
employees with access to personal information, did not manage 
the termination of an employee well, or did not properly secure 
or dispose of paper records. In other cases, companies have 
failed to implement basic technical security measures such as 
requiring strong passwords, encrypting sensitive information, 
or updating security patches.
    The Commission's Safeguards Rule under the Gramm-Leach-
Bliley Act provides a good roadmap as to the procedures and 
basic elements necessary to develop a sound security program. 
Although it applies only to nonbank financial institutions, we 
believe it provides helpful guidance to other companies as 
well.
    Finally, as discussed in more detail below, enacting a 
Federal data security and data breach notification law would 
help to ensure better data security practices, primarily by 
imposing civil penalties against companies that do not maintain 
reasonable security or do not send appropriate breach notices 
to consumers. Civil penalties can help further deter lax data 
security and breach notification practices.

Q.3. What additional authorities--such as additional 
monitoring, increased penalties for noncompliance, etc.--should 
we give to the FTC to be more effective?

A.3. The FTC supports Federal legislation that would (1) 
strengthen its existing authority governing data security 
standards on companies and (2) require companies, in 
appropriate circumstances, to provide notification to consumers 
when there is a security breach. Legislation in both areas--
data security and breach notification--should give the FTC the 
ability to seek civil penalties to help deter unlawful conduct, 
rulemaking authority under the Administrative Procedure Act, 
and jurisdiction over nonprofits. Under current laws, the FTC 
only has the authority to seek civil penalties for data 
security violations with regard to children's online 
information under COPPA or credit report information under the 
FCRA. To help ensure effective deterrence, we urge Congress to 
allow the FTC to seek civil penalties for all data security and 
breach notice violations in appropriate circumstances. 
Likewise, enabling the FTC to bring cases against nonprofits, 
such as universities and health systems, would help ensure that 
whenever personal information is collected from consumers, 
entities that maintain such data adequately protect it. 
Finally, rulemaking authority under the Administrative 
Procedure Act would enable the FTC to respond to changes in 
technology in implementing the legislation.

Q.4. Do you feel that having a Merchant ISAC would be helpful 
in ensuring information about malware is quickly communicated 
to retail groups and others so that additional precautions can 
be taken?

A.4. In light of the recent data breaches at a number of large 
retailers, this is a particularly appropriate time to evaluate 
whether more can be done to secure consumers' information. 
Better information sharing, such as through ISACs, can be part 
of the solution. ISACs enable companies to pool information 
about security threats and defenses so that they can prepare 
for new attacks and quickly address potential vulnerabilities. 
This kind of information is valuable, and we are committed to 
working with retail businesses and associations to discuss 
these issues and to explore the formation of a Merchant ISAC, 
or similar organization.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM JAMES A. 
                             REUTER

Q.1. I understand that large banks and payment networks see and 
stop illegal attempts to intercept customer information on a 
daily basis. What have banks done to invest in keeping ahead of 
the criminals and what is the relationship with law enforcement 
to investigate and prosecute these crimes?

A.1. According to the American Bankers Association's (ABA's) 
most recent Deposit Account Fraud Survey and other benchmarking 
data, while fraud against bank deposit accounts cost the 
industry $1.744 billion in losses in 2012, bank prevention 
measures stopped approximately $13 billion in fraudulent 
transactions during that year. The fact that, in 2012, banks 
prevented over $7 in fraud for every $1 in actual fraud losses 
that occurred speaks to the substantial investment banks have 
made in counteracting attempts to compromise customer 
information or conduct unauthorized transactions against 
customer accounts.
    In addition to individual institution efforts, banks 
collaborate, through the Financial Services Information Sharing 
and Analysis Center (FS-ISAC) to share vital cybersecurity 
threat and vulnerability information. Over 4,500 companies 
currently belong to the FS-ISAC. The ABA serves on the board of 
the Center on behalf of its membership, and in that capacity 
ensures that this information is also available to the broader 
financial community that the Association represents.
    Banks are also currently investing, through the FS-ISAC, in 
an effort to automate the evaluation of threat data to the 
greatest extent possible. This initiative is consistent with 
the recently published NIST Cybersecurity Framework, which 
noted that the automated sharing of indicator information can 
provide organizations with timely, actionable information that 
they can use to detect and respond to cybersecurity events as 
they are occurring.
    On February 13, 2014, ABA and other major financial 
institution trade associations announced a significant 
initiative with major merchant trade associations to work 
together to ensure customer personal and financial information 
is secure and protected. The partnership will focus on 
exploring paths to increased information sharing, better card 
security technology, and maintaining the trust of customers.
    Banks have a strong relationship, at both the local and 
national levels, with law enforcement in the investigation and 
prosecution of cyber-crimes. The fact that many of the 
criminals are attacking our banks and customers from overseas 
does, however, make prosecution difficult. As an industry we 
are heartened by the FBI's commitment to staffing offices in 
foreign countries, and we encourage Congress to support these 
efforts.

Q.2. How much does it cost to replace a single debit or credit 
card? How much does your bank expect to lose from the most 
recent Target data breach--including losses for both card 
replacement and for fraud?

A.2. After a breach of a third party affecting customer card 
data, each bank makes its own decision as to when and whether 
to reissue cards, which in the case of FirstBank costs on 
average $5 per card.
    In addition to replacing the actual card, banks incur a 
number of other expenses associated with breaches of third 
parties, including sending notices to customers, increasing 
call center staffing, and monitoring for potential fraud. In 
some instances, losses due to fraud from the breach of a third 
party can occur many months after the breach occurred. Because 
of the sheer magnitude of the Target breach, impacting on 
average 10 percent of the retail customer base of every bank in 
the country, many banks, including FirstBank, made the decision 
to reissue cards to all customers that shopped at Target during 
the period the company's point-of-sale system was compromised. 
This swift action on the part of our and other banks should 
serve to limit fraud losses due to the breach.

Q.3. What recourse is available to community banks such as 
yours for these breaches? How much do you typically recoup from 
these breaches? Is 5 to 10 cents on the dollar a fairly good 
estimate?

A.3. After a bank has reimbursed a customer for a fraudulent 
transaction, it can then attempt to ``chargeback'' the retailer 
where the transaction occurred. Unfortunately, and certainly in 
my experience, the majority of these attempts are unsuccessful, 
with the bank ultimately shouldering the vast majority of fraud 
loss and other costs associated with the breach. In 2009, 
according to the Federal Reserve Board, 62 percent of reported 
debit card fraud losses were borne by banks, while 38 percent 
were borne by merchants.
    Five to 10 cents on the dollar is a good estimate of what a 
community bank will typically recoup from the breach of a third 
party. And this reimbursement generally occurs well after 
these banks have made customers whole. This minor level of 
reimbursement, when taken in concert with the fact that banks 
bear over 60 percent of reported fraud losses yet have 
accounted for less than 8 percent of reported breaches since 
2005 is clearly inequitable.

Q.4. Are smaller banks more negatively and unfairly impacted in 
these payments? I am sure that, because this recourse is 
determined by contracts drafted by PCI and others, the larger 
banks might expect to get more back but the smaller banks often 
see nothing returned.

A.4. The experience of ABA members is that banks of all sizes 
are uniformly negatively and unfairly impacted by these 
payments. Large and small banks alike receive pennies for each 
dollar of fraud losses and other costs that were incurred by 
banks in protecting their customers.

Q.5. I also understand that there are a number of smaller, 
lower-profile breaches, and in those, in most instances, a 
community bank can expect to receive nothing back. Correct?

A.5. In the case of smaller, lower-profile breaches, unless 
enough information is known about the time period associated 
with the breach and the specific cards that were compromised, 
it may be difficult to attribute individual transactions a 
customer deemed unauthorized to that breach. In those instances 
the experience of both small and large banks is that very 
little, if any reimbursement for fraud losses and other costs 
will occur.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MALLORY 
                             DUNCAN

Q.1. What is the retailers' strategy to combat online fraud?

A.1. Online fraud may take many forms; some of these involve 
payment card fraud. The payment cards in use in the United 
States were designed for face-to-face transactions. The 
authentication of the card is generally based on verifying the 
numbers (and sometimes the codes) printed visibly on the card 
or embedded in a magnetic stripe. Authentication of the 
cardholder is premised on verifying the signature and 
occasionally on some corroborating data. In an ideal face-to-
face transaction, the card is observed and the signed receipt 
results in a perfect match for the signature on the card. This 
is the customer authentication. In addition, the card's numbers 
are transmitted to the issuing bank which supplies an approval 
code to accomplish the former--the card authentication. If the 
media involved in the transaction is saved for some months by 
the retailer for use in subsequent retrieval requests, then the 
merchant is promised a ``payment guarantee'' by the card 
networks. All elements, including the contemporaneously signed 
duplicate receipt containing identifying details and the 
approval code indication must be present for payment to be 
guaranteed.
    U.S. cards were not designed for remote (``card not 
present'') transactions. Card issuers are unwilling to allow 
the transaction to be authenticated solely by the unobservable 
card's number unless two conditions are met. First, the 
interchange fee charged for the transaction is higher--
ostensibly to cover the greater risk of fraud. Second, the 
merchant is essentially required to bear all risks of fraud--
i.e., there effectively is no payment guarantee.
    In the early days of online sales, merchants with a tiny 
online footprint--indeed many were literally one-store 
sellers--were willing to accept these conditions on the 
assumption that most purchasers were honest and that use of a 
card was more efficient than was use of a check, as had been 
common with mail order catalog sellers. As online sales grew 
and became more mainstream, these requirements stuck. Thus 
merchants generally bear virtually all of the risk of online 
fraud. The transaction can be ``charged back'' to them and the 
merchants will be out both the goods and the money.
    Consequently, merchants have adopted numerous techniques to 
reduce their exposure to, and to combat, online fraud. For 
example, many merchants will not ship online orders to 
nonphysical location addresses. This is because thieves often 
use ``drop boxes'' where they can retrieve fraudulently 
purchased merchandise without being readily observed. Thieves 
are less likely to have fraudulently procured goods delivered 
to their homes. Nevertheless, because some do, merchants' loss 
prevention departments develop lists of names and physical 
addresses that are known to receive fraudulent deliveries and 
will not routinely ship to those locations as well. Merchants 
may also monitor characteristics of online orders searching for 
those that are indicative of fraud and respond accordingly. In 
conjunction with card companies, merchants may request the 
customer verification number (CVV) that is printed, rather than 
embossed, on the payment card. This provides greater assurance 
that the card used for the transaction was in the physical 
possession of the individual placing the order, even if it does 
not authenticate the customer to the merchant.
    These and other techniques have allowed merchants to 
restrain online fraud. If more fraud migrates to the 6 percent 
of purchases that are now online, either more robust techniques 
may be needed (e.g., computers with built-in chip readers; 
open, competition-friendly tokenization technology; or new 
mobile payment platforms) or merchants may need to more 
stringently monitor, control and price the transactions in 
which they will engage.
    The development of payment platforms in which the loss of 
fraud is more equitably shared by the proponents of the 
platform would give all parties incentives to reduce online 
fraud.

Q.2. It is already a requirement for merchants and banks to 
move to chip technologies by 2015. Currently, less than 1 
percent of U.S. retailers have chip-compatible point-of-sale 
terminals. What percentage of retailers do you expect will 
switch to chip-ready terminals by the end of next year?

A.2. It is not required that either banks or merchants move to 
chip technologies by 2015. Rather, the card networks have said 
they will abrogate their promise of a payment guarantee, and 
not pay for fraud inherent in their system, if merchants do not 
do so by that date. In short, the card networks have told 
merchants to invest huge sums to correct problems with the card 
networks' payment system, but have provided no equitable 
sharing of the costs of that fix--only increased penalties for 
not doing so.
    There are approximately 15 million payment terminals in the 
United States of which roughly 9 million are in retail 
locations. Of these, approximately 18 percent are chip-ready. 
Those merchants are hoping card networks will require, and 
banks will begin issuing, fraud resistant PIN and Chip 
authenticated credit and debit cards. Only one major bank has 
suggested that it plans to do so. It will be difficult to 
convince the remaining merchants to collectively invest tens of 
billions of dollars to purchase and install new terminals if 
most banks and credit unions continue issuing cards that do not 
address obvious fraud flaws in the current system--i.e., if 
they continue issuing signature authenticated cards. There is 
considerable reluctance to spend huge amounts of money to 
accomplish a half-baked solution.
    Policy makers could help by discouraging the continued 
issuance of fraud prone cards.

Q.3. Why are NRF and other retail groups pushing for chip and 
PIN and not tokenization?

A.3. Retailers are not opposed to tokenization. Like point-to-
point encryption, it is a potentially useful element in a more 
secure payment card system. Successful nationwide deployment 
would take years. Furthermore, in many models tokenization 
occurs ``after the fact''--generally post authorization. Thus 
some fraud risk remains. To deal with this, point-to-point 
encryption is preferred and would be complementary to 
tokenization. The former would occur between the card being 
read and the assignment of a token. From the merchant's 
perspective, tokenization involves significant operational 
changes and could carry significant out-of-pocket costs. 
Despite that, for the majority of transactions, tokenization 
still may not address both ends of the security/authentication 
equation as well as would PIN and Chip. It has greatest utility 
in the 6 percent of transactions that currently do not occur 
face-to-face. Consequently, while point-to-point encryption and 
tokenization could be valuable adjuncts to PIN and Chip 
authentication, they are not a substitute.
    On the other hand, chip and PIN is relatively quickly 
achievable, and indeed is already deployed successfully in 
nearly all of the industrialized world (and much of the Third 
World). Ideally, the United States would at least move to the 
21st century standard before attempting to chase the next new 
thing. Finally, the fact that 18 percent of U.S. retail point 
of sale locations have already, at the card networks' urging, 
invested billions of dollars to install PIN and Chip 
authentication equipment is not an inconsequential 
consideration.

Q.4. Could retailers voluntarily adopt tokenization?

A.4. To some extent we already have. Many retailers routinely 
encrypt sensitive data at rest in their systems and take steps 
to tokenize data in other locations on their own. For example 
retailers print receipts with the credit and debit card in a 
blocked format (i.e., xxx xxxx xxxx 4115). More elaborate forms 
of encryption and tokenization would require coordinated 
activity by all parties to the payment card system and several 
years to fully deploy.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM TROY LEACH

Q.1. In your estimation, would chip and pin technology have 
prevented the major recent retail breaches? If chip and pin is 
not the silver bullet, what other options may work? What about 
tokenization or encryption?

A.1. From the details emerging in the press,\1\ it does not 
appear as though the use of EMV chip in and of itself, 
regardless of whether it is used with or without PINs would 
have prevented the recent major breaches. However, use of EMV 
chip technology is likely to have reduced the value of the 
compromised data as it would inhibit the creation of 
counterfeit cards.
---------------------------------------------------------------------------
    \1\See for example, http://krebsonsecurity.com/2014/02/email-
attack-on-vendor-set-up-breach-at-target/.
---------------------------------------------------------------------------
    Tokenization and encryption are both important additional 
technologies to further limit payment card data from being 
stolen. As the market migrates payment terminals to support 
deployment of EMV chip, the PCI Security Standards Council 
(``the Council'') advocates for all involved to consider 
additional layers of security for data protection through these 
and other approaches. There are no silver bullets--one specific 
technological approach will not address all security 
challenges. The potential for a breach and damages caused by a 
breach can be mitigated if the entity has preventative, 
detective and incident response controls which employ a 
combination of people, process and technology, like those 
outlined in the PCI security standards. The PCI security 
standards are a critical layer of defense in this battle 
against cyber criminals.

Q.2. We've been told that retailers store some information to 
make transactions, such as returns, easier. What information is 
needed to process returns and for marketing purposes? Are 
retailers required to store the 16-digit code and expiration 
date to process returns? Why might retailers store credit card 
information?

A.2. As a technical standards body, the Council does not have 
insight into specific business processes of retailers or other 
groups. We set our standards to be the framework that all 
sectors of the payment chain can use to protect payment card 
data. To the extent that a merchant chooses to store card data, 
the PCI standards define how that data must be protected. This 
question is best directed to the banking and credit card 
companies that have contractual relationships with retailers. 
That said, possible use cases might include loyalty, marketing 
programs or legacy business processes.
    To further minimize risk of payment card data exposure, the 
Council advocates that retailers and others take advantage of 
technologies and methods that help them reduce the amount of 
payment card data vulnerable to compromise. Such approaches 
include only storing the data that's needed; eliminating 
unnecessary user access; limiting the number of systems and 
networks used for payments; and deploying technologies such as 
Point-to-Point Encryption (P2PE) and tokenization that protect 
the data.

Q.3. Is the PIN technology that is widely touted a security 
measure or used for other purposes? Do retailers really need 
access to PINs?

A.3. The Personal Identification Number or PIN is used as a 
security measure by means of authenticating the legitimacy of 
the cardholder. Only cardholders themselves should have 
knowledge of the PIN. It is one of a number of measures that 
can be used to authenticate the legitimacy of the payment 
transaction. The PIN is also universally used as a cardholder 
authentication method for ATM transactions. PIN data should not 
be used for other purposes.
    However, PINs are extremely sensitive static data that can 
be reused by criminals if stolen and require special handling. 
That is why PCI requirements in the PIN Transaction Security 
(PTS) standards require that PINs be encrypted by an approved 
POS terminal upon entry. When using a properly validated POS 
terminal, merchants do not have access to non-encrypted PIN 
data before a transaction is authorized. PTS requirements 
prohibit the storage of PINs by merchants after authorization 
of a transaction has been received by the acquiring bank. PINs 
also require stronger encryption methods as well as physical 
security to prevent shoulder surfing or pinhole cameras.

Q.4. Why would a retailer un-encrypt consumers' credit and 
debit card data as it travels through their system? Is there 
ever any reason that data should be unencrypted when it is 
passed from the retailer to the processor?

A.4. The Council cannot speak to an individual retailer's need 
or decision to maintain unencrypted payment card data.
    The Council recommends the use of point-to-point encryption 
or P2PE technology, through its PCI P2PE standard and 
supporting program. When implemented properly, current P2PE 
technology solutions that are part of our program ensure that 
payment card data is encrypted at the point of entry, such as a 
secured POS terminal, and not decrypted until received into a 
secured zone. The PCI Council is actively engaged with industry 
stakeholders to continue developing encryption standards usable 
for various types of merchant needs.
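The data-minimization pattern described in A.2 and A.4, tokenization with the full PAN held only inside a secured zone while the merchant keeps an opaque token and a truncated display form, as an added example that is not part of the hearing record or of the Council's own standards material. The vault, its keyed lookup index and the card numbers are constructed for illustration; the numbers are standard test values, not real cards.

```python
"""Tokenization with PAN truncation: the merchant never stores the PAN.

Constructed example.  The TokenVault stands in for a token service in the
processor's secured zone; the merchant-side record holds only a random
token and the truncated display form (e.g. xxxx xxxx xxxx 1111).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


def _digits(pan: str) -> str:
    """Normalise a PAN by dropping spaces/dashes; keeps only digits."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) checksum used by payment card numbers."""
    digits = [int(c) for c in _digits(pan)]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form that keeps only the last four digits, grouped in fours."""
    digits = _digits(pan)
    masked = "x" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


class TokenVault:
    """Stand-in for the token service inside the processor's secured zone.

    The index key is constructed here; a production vault would keep it in
    an HSM.  A keyed hash is used for the PAN -> token lookup so that the
    vault never keeps a plaintext PAN index and so that an unkeyed hash,
    which is brute-forceable over the small PAN space, is not exposed.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_index: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a fresh random one on first sight."""
        pan = _digits(pan)
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            # Random token: no mathematical relation to the PAN, so a stolen
            # merchant database of tokens is worthless without the vault.
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return self._token_by_index[idx]

    def refund(self, token: str, amount_cents: int) -> dict:
        """Process a return by token; the PAN is resolved only inside the vault."""
        pan = self._pan_by_token[token]      # KeyError for unknown tokens
        # ... real processing would submit `pan` to the card network here ...
        return {"card": truncate_pan(pan), "amount_cents": amount_cents}


@dataclass(frozen=True)
class MerchantCardRecord:
    """Everything the merchant keeps for returns or loyalty: no PAN, no CVV."""
    token: str
    display: str


def capture_sale(vault: TokenVault, pan: str) -> MerchantCardRecord:
    """Merchant-side sale: the PAN is seen transiently and replaced by a token."""
    return MerchantCardRecord(token=vault.tokenize(pan), display=truncate_pan(pan))


def process_return(vault: TokenVault, record: MerchantCardRecord, amount_cents: int) -> dict:
    """Refund against a stored record; the merchant never sees the PAN again."""
    return vault.refund(record.token, amount_cents)
```

Because `tokenize` returns the same token for a repeat sale with the same card, the merchant can still link a return to the original purchase without holding the PAN, which is the use case the question about returns raises; the only system that can map a token back is the vault.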

Q.5. Target was considered ``PCI compliant'' when it had its 
annual audit in September. It appears that a merchant or other 
party can be PCI compliant and fall out of compliance the 
minute auditors walk out the door. Is this, then, really the 
best standard?

A.5. It is important to note that in order to remain compliant 
with any security standard (SOX, HIPAA, PCI, etc.), merchants 
must treat compliance efforts as ``business as usual'' rather 
than as a once-per-year activity. If a merchant has been 
validated as compliant, they generally only ``fall out'' of 
compliance when choosing to implement insecure changes after 
the auditor walks out the door. We encourage merchants to 
allocate their resources to maintaining a secure posture year 
round rather than focusing on being ``compliant'' once per 
year.
    Proper implementation and ongoing maintenance are critical 
to protecting card data, as highlighted by the recently 
released Verizon 2014 PCI Compliance Report.\2\ According to 
Verizon, they ``continue to see many organizations viewing PCI 
compliance as a single annual event, unaware that compliance 
needs to have a 365 day-a-year focus.'' Organizations with 
security controls in place as part of complying with PCI 
security standards improve their chances both of avoiding a 
breach in the first place, and of minimizing the resulting 
damage if they are breached.
---------------------------------------------------------------------------
    \2\ http://newscenter.verizon.com/corporate/news-articles/2014/02-
11-2014-pci-compliance-report/.
---------------------------------------------------------------------------
    Organizations should focus on maintaining strong security 
controls, day in and day out. The Council believes that 
organizations following PCI Standards as the basis for their 
security programs are best positioned to protect consumers' 
payment card data. PCI security standards provide the baseline 
of security controls for card data. Just like a lock is no good 
if you forget to lock it, these controls are only effective if 
they are implemented properly and as a part of an everyday, 
ongoing business process.
    To maintain the effectiveness of the standards, the Council 
continues to develop and evolve PCI security standards to be 
responsive to emerging threats. We do this through our unique 
global industry forum, taking feedback from retailers, 
hoteliers, airlines, restaurants, banks, processors, technology 
vendors and all those involved in the payment transaction chain 
around the world.
    For example, based on industry feedback, with the release 
of version 3.0 of the PCI DSS and Payment Application-Data 
Security Standard (PA-DSS, the standard that covers payment 
applications) we made changes to address emerging threat areas 
such as third party remote access, POS terminal tampering, and 
vendor accountability. All updates are aimed at providing the 
right balance of flexibility, rigor and consistency to help 
organizations make payment security part of their business-as-
usual activity, not something centered on an annual assessment. 
PCI security standards are developed to provide business 
processes that must be performed consistently on a daily basis. 
Failing to commit to security as a regular practice of business 
operation is not meeting the intent of PCI DSS requirements.

Q.6. I understand that PCI sets the security standard and does 
not enforce compliance, but does do an annual audit for the 
larger retailers. In your opinion, should there be additional 
audits, oversight and precautions large retailers should be 
held to in order to best protect consumers' data?

A.6. It's important to clarify the PCI Council's role here. The 
Council does not mandate retailers' compliance with or auditing 
against any of the PCI standards. Additionally, the Council 
itself does not conduct an annual audit for large retailers or 
any type of audits for any organization. The Council's role is 
to develop and manage the PCI DSS and other standards. 
Frequency of assessment of an organization is determined 
between a merchant and its acquiring bank or payment card brand 
business partner.
    To best protect consumers' payment card information, the 
Council recommends retailers deploy and maintain the controls 
outlined in the PCI DSS, which is a strong foundation for a 
multi-layered security program. Additional layers of security 
at the merchant level might include deployment of Point-to-
Point Encryption (P2PE) and tokenization solutions that would 
devalue payment card data.
    The Council also promotes the mantra ``if you don't need 
it, don't store it'', encouraging organizations to examine 
business process to reduce or eliminate storage of payment card 
data.
    To support implementation and maintenance of PCI security 
controls the Council manages a number of programs and listings 
of information on our public Website. In addition to standards, 
Council programs include: Website listings of lab-tested secure 
PIN and non-PIN POS terminals and other payment devices; 
security of payment applications; testing and qualification of 
assessors performing PCI DSS audits; training and qualifying 
professionals to install payment equipment and software; and 
many other programs focused on the integrity of payment systems 
and third parties that merchants rely on to conduct business.

Q.7. Do you think that there should be a merchant ISAC formed?

A.7. Payment card security is a shared responsibility. The 
Council encourages any information sharing and collaboration 
that will drive greater awareness of risks, threats and 
solutions, within industry sectors and across the payment chain 
to help prevent future data breaches. From our own experience 
the Council has found that global merchant input to PCI 
security standards development through the lifecycle and 
feedback process, PCI Special Interest Groups, task forces and 
Board of Advisors participation continues to be highly 
valuable.

              Additional Material Supplied for the Record