[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES
=======================================================================
HEARING
before the
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
OCTOBER 7, 2015
__________
Small Business Committee Document Number 114-024
Available via the GPO Website: www.fdsys.gov
___________
U.S. GOVERNMENT PUBLISHING OFFICE
96-854 WASHINGTON : 2015
HOUSE COMMITTEE ON SMALL BUSINESS
STEVE CHABOT, Ohio, Chairman
STEVE KING, Iowa
BLAINE LUETKEMEYER, Missouri
RICHARD HANNA, New York
TIM HUELSKAMP, Kansas
TOM RICE, South Carolina
CHRIS GIBSON, New York
DAVE BRAT, Virginia
AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
STEVE KNIGHT, California
CARLOS CURBELO, Florida
MIKE BOST, Illinois
CRESENT HARDY, Nevada
NYDIA VELAZQUEZ, New York, Ranking Member
YVETTE CLARK, New York
JUDY CHU, California
JANICE HAHN, California
DONALD PAYNE, JR., New Jersey
GRACE MENG, New York
BRENDA LAWRENCE, Michigan
ALMA ADAMS, North Carolina
SETH MOULTON, Massachusetts
MARK TAKAI, Hawaii
Kevin Fitzpatrick, Staff Director
Stephen Denis, Deputy Staff Director for Policy
Jan Oliver, Deputy Staff Director for Operation
Barry Pineles, Chief Counsel
Michael Day, Minority Staff Director
C O N T E N T S
OPENING STATEMENTS
Hon. Steve Chabot
Hon. Nydia Velazquez
WITNESSES
Ms. Stephanie Ericksen, Vice President, Risk Products, Visa Inc.,
Foster City, CA
Mr. Scott Everett Talbott, Senior Vice President, Government
Affairs, ETA/Electronic Transactions Association, Washington, DC
Mr. Paul Weston, President & CEO, TCM Bank, N.A., Tampa, FL
Ms. Jan N. Roche, President/CEO, State Department Federal Credit
Union, Alexandria, VA, testifying on behalf of the National
Association of Federal Credit Unions
APPENDIX
Prepared Statements:
Ms. Stephanie Ericksen, Vice President, Risk Products, Visa
Inc., Foster City, CA
Mr. Scott Everett Talbott, Senior Vice President, Government
Affairs, ETA/Electronic Transactions Association, Washington, DC
Mr. Paul Weston, President & CEO, TCM Bank, N.A., Tampa, FL
Ms. Jan N. Roche, President/CEO, State Department Federal
Credit Union, Alexandria, VA, testifying on behalf of the
National Association of Federal Credit Unions
Questions for the Record:
None.
Answers for the Record:
None.
Additional Material for the Record:
American Bankers Association
The National Association of Convenience Stores (NACS)
The National Grocers Association (NGA)
The National Retail Federation (NRF)
THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES
----------
WEDNESDAY, OCTOBER 7, 2015
House of Representatives,
Committee on Small Business,
Washington, DC.
The Committee met, pursuant to call, at 11:00 a.m., in Room
2360, Rayburn House Office Building. Hon. Steve Chabot
[chairman of the Committee] presiding.
Present: Representatives Chabot, Luetkemeyer, Hanna, Rice,
Gibson, Brat, Radewagen, Knight, Curbelo, Bost, Hardy, Kelly,
Velazquez, Chu, Hahn, Payne, Meng, Lawrence, Takai, and
Moulton.
Chairman CHABOT. Good morning. The Committee will come to
order.
One week ago marked the official deadline for implementing
the new EMV chip card technology. The shift away from
traditional magnetic stripe credit cards to ones embedded with
a chip adds an additional layer of security to every purchase,
making our financial data less accessible to cyber criminals.
The transition to EMV chip technology impacts every American
consumer and is of great importance to this Committee. But just
how much does the average American know about this transition?
Many have probably received a new card in the mail, fewer have
probably dipped their card into a new payment terminal, and
many more may not know that a change is even taking place.
Given the number of electronic transactions that occur
every day, this is a serious transition, and with it are some
serious concerns. Small retailers are worried about the cost of
implementing these new payment terminals, and then taking time
to train staff on how to use them, and finally, helping
consumers learn how to use them. And even though the technology
shift was intended for October first, many credit card
companies are still behind in issuing new cards to consumers.
This poses significant challenges to sorting out liability
issues in the case of cyber theft.
There are also questions about how much this actually does
for security. For instance, when chip-enabled cards were
introduced in the United Kingdom, fraudulent charges with
counterfeit cards at the point of sale fell by 56 percent, but
online fraud increased by 64 percent. These challenges are
real, and they impact every American consumer and most small
businesses.
Unfortunately, this transition seems to be catching many
people off guard. A recent survey by the NFIB, the National
Federation of Independent Business, found roughly half of small
employers who accept electronic payments were only somewhat
familiar with EMV chip cards and a full 23 percent did not know
anything about them at all.
Let me be clear. I did not convene this hearing today to
take sides on this topic. This is a transition motivated by the
private sector, not by any government regulation. And this
Committee concerns itself with one thing, and that is the
impact of this transition on small businesses. To fully
understand that impact we must speak with all those involved.
Today, we start by speaking with those who process our
financial transactions. In a couple of weeks, we will speak
with the small businesses and retailers who must purchase new
payment terminals or risk being held liable for using old
technology. We need to make sure everyone knows what is
happening. The panel we have today, and those who will join us
in our subsequent hearings will help us do that.
I want to thank the witnesses for joining us this morning
to share their point of view on this transition and what it
means for small businesses.
At this time, I recognize the ranking member for her
opening statement.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
Every day, millions of Americans use their credit cards and
debit cards to make purchases. With increasing regularity,
people are using them to buy everything, from candy to flat
screen TVs, and even engagement rings. According to the Federal
Reserve, card purchases now account for over $4.8 trillion in
consumer transactions annually, a twofold increase since 2007.
As consumer buying habits have moved toward the use of
cards, merchants, especially small businesses, have had to
follow suit if they want to stay competitive. We have all seen
this progression. In just a few years, virtually every corner
store and even vendors at farmer markets have become
card-enabled. While the use of electronic payments has increased in
the last decade, so, too, has point-of-sale fraud, which occurs
when thieves steal the unencrypted account numbers stored on a
card's magnetic strip.
Until recently, the U.S. was one of a handful of countries
that still used magnetic strip cards exclusively. As a result,
our country has been responsible for nearly half of all
point-of-sale fraud globally, totaling $6.4 billion, while accounting
for less than a quarter of all transactions. In an effort to
decrease such fraud, MasterCard and Visa set a deadline of
October 1, 2015, for U.S. card issuers to replace magnetic
strip cards with EMV cards and for merchants to begin accepting
them.
EMV cards offer a significantly higher level of data
security than stripe cards. Data on the chip is secure using
both hardware and software security measures, so even if the
card data is compromised, the chip itself will still be
difficult to counterfeit.
While EMV is a step in the right direction that will lead
to greater economic efficiency, implementation has been slow on
both sides of the equation. Many financial institutions, and
even more merchants are not yet in compliance, despite the
announced transition being made over two years ago. In a
troubling sign, millions of cards have now been replaced, and
nearly one in two merchants has not upgraded their terminals to
accept EMV cards.
In the many discussions I have had with stakeholders, the
main barriers seem to be lack of awareness in the small
business community, high costs to upgrade, and disagreements
over verification methods. For small merchants, obtaining new
terminals which range from $50 to $600 can be cost prohibitive
in light of the amount of risk they face. For the deli or
bakery owner, small day-to-day transactions are an unlikely
target for thieves with stolen card numbers.
It is also an important distinction that EMV chips will
protect against counterfeit cards but cannot eliminate fraud if
it is lost or stolen. That is where authentication comes into
play. Small merchants have raised concern regarding the
financial industry's preference for signature verification over
the use of a PIN.
As we all know, there have been outspoken proponents on
both sides. Merchants have expressed the view that PIN is more
secure, while financial firms have backed the signature method
as just as secure and also more convenient.
I look forward to hearing about these issues. Regardless of
which method is used, most observers, including the Federal
Reserve Board, agree the chip cards will provide a more secure
payment environment. Technological innovation holds great
promise to spur economic activity.
EMV is not hack proof, but it is far safer than the
magnetic strip status quo. As the first step in a move toward
greater protection for our financial transactions, a smooth
transition to EMV will lay the groundwork for new ways to
secure our data, including biometrics. I look forward to
hearing how the financial services industry is handling issues
surrounding the EMV transition both in its own conversation as
well as how they are assisting their small business clients.
And with that, I want to take this opportunity to thank all
the witnesses for being here today.
Chairman CHABOT. Thank you very much.
If Committee members have opening statements, I would ask
that they submit them for the record.
And I will take a moment to explain our timing rules here.
It is basically the five minute rule. You all get five minutes
to testify and then we get five minutes to ask questions, and
there is even a lighting system. The green light will be on for
about four minutes. The yellow light will come on letting you
know you have about a minute to wrap up, and when the red light
comes on, if you would not mind concluding your testimony then
or close to then we would greatly appreciate it.
I would now like to introduce our distinguished panel here
this morning. Our first witness is Stephanie Ericksen, vice
president of Risk Products at Visa. Since joining Visa in 1994,
she has been actively involved in developing the global
smartcard implementation strategy. She is a graduate of the
University of California-Los Angeles where she received a B.A.
in History with specialization in Business Administration. She
also holds an MBA in Marketing from Santa Clara University, and
we welcome her here this morning.
Our next witness is Scott Talbott, who is the senior vice
president for Government Affairs at the Electronic Transactions
Association. He received his B.A. from Georgetown University,
and his J.D. from George Mason University School of Law. We
welcome you as well.
Our third witness this morning is Paul Weston. He has been
president and CEO of Tampa Florida's TCM Bank since 2002.
Today, TCM serves 200,000 cardholders and sponsors 640
community banks for competitive credit card services, in
addition to providing ICBA member banks with payment card
consultations. He graduated from Michigan State University, and
completed the Graduate School of Retail Bank Management at the
University of Virginia.
And I would now yield to our ranking member, Ms. Velazquez,
for introduction of our next witness.
Ms. VELAZQUEZ. It is my pleasure to introduce Jan Roche.
She is the president and CEO of State Department Federal Credit
Union in Alexandria, Virginia. Jan has over 30 years of
experience in financial credit union leadership. In addition to
chairing the Community Depository Institutions Advisory Council
for the Fifth District Federal Reserve Bank, she also serves as
treasurer of the Credit Union Cherry Blossom 10-Mile Run here
in D.C. Jan was elected to the NAFCU Board of Directors in
2013. Ms. Roche received her Bachelor of Science in Business
Administration from the University of Richmond, and she is a
certified public accountant in the Commonwealth of Virginia.
Welcome.
Chairman CHABOT. Thank you very much.
Ms. Ericksen, you are recognized for five minutes.
STATEMENTS OF STEPHANIE ERICKSEN, VICE PRESIDENT, RISK
PRODUCTS, VISA INC.; SCOTT EVERETT TALBOTT, SENIOR VICE
PRESIDENT, GOVERNMENT AFFAIRS, ELECTRONIC TRANSACTIONS
ASSOCIATION; PAUL WESTON, PRESIDENT AND CEO, TCM BANK, N.A.;
JAN N. ROCHE, PRESIDENT/CEO, STATE DEPARTMENT FEDERAL CREDIT
UNION
STATEMENT OF STEPHANIE ERICKSEN
Ms. ERICKSEN. Thank you. Thank you, Chairman Chabot,
Ranking Member Velazquez, and members of the Committee. My name
is Stephanie Ericksen, and I am vice president of Risk Products
at Visa. Thank you for the invitation to discuss Visa's ongoing
efforts to help transition the U.S. to EMV chip technology and
what this means for small businesses. Given the current cyber
threats, we need to move the payments industry away from static
account information that can be stolen and used for fraud, to
smarter, dynamic technologies that make payment data useless to
criminals. Chip is an important part of this fundamental change
in the payment system, and we are working to incentivize
consumers and businesses to make the shift.
For those who are unfamiliar with chip cards, let me
provide an overview of what they are and how they work. An EMV
chip is a microprocessor that is embedded in a payment card or
mobile phone. When a consumer uses a chip card at a terminal, a
unique one-time code is generated, or cryptogram. This type of
authentication adds a substantial layer of security and
prevents cybercriminals from creating counterfeit cards.
Counterfeit fraud represents approximately two-thirds of the
fraud that occurs in stores today, so as you can see, chip
makes merchants less attractive targets for criminals.
In August 2011, Visa announced a roadmap to transition the
U.S. to chip, and put in place a set of incentives to encourage
adoption by financial institutions and merchants. As part of the
incentive program, the party that has not implemented EMV by
October 1st will be responsible for the loss from instore
counterfeit fraud.
Getting the word out about this transition has been a key
focus, and Visa has dedicated significant resources to raising
awareness and providing small businesses with the tools they
need and the information to adopt chip technology. In March,
Visa launched our 20-city education tour to show small business
owners how to demonstrate the value of chip. To date, we have
traveled to 16 cities, including Cincinnati, New York, Miami,
and Denver, to name a few, and more than 1,000 small business
owners have turned out to learn about chip.
To amplify our efforts, we are closely working with other
partners to provide critical resources to small businesses like
the SBA, the NFIB, and local chambers of commerce across the
country. Visa created a number of online resources, including
visachip.com, which contains information specifically for the
small business community. We have also worked with terminal
providers to make transitioning to chip more easily accessible,
especially to smaller merchants.
The cost of upgrading has been a key focus for us, and I
want to highlight that low-cost chip terminal options are
available for less than $100, and in many cases, the terminal
is included in the cost of the service. For example, Square
recently announced a new $49 reader that accepts EMV chip
cards, as well as NFC mobile payments like Apple Pay and
Samsung Pay.
This raises an important point for all of the mobile
payment fans out there. When small business owners upgrade to
chip-enabled NFC terminals, they are not just investing in
payment and data security; they are also positioning themselves
to accept the next generation of secure mobile payment
technologies.
I want to emphasize that this is not a mandate. Visa's
roadmap was designed with flexibility in mind, allowing
businesses to make the transition on a timetable that meets
their needs. In other words, October 1st marked the beginning
of the process that will ultimately lead to near universal
adoption of chip technology in the U.S., and we are pleased to
report that great progress has already been made in this
migration effort. Retailers, and particularly small businesses
are making great strides. As of September 15th, more than
314,000 merchant locations are accepting EMV, which represents
a 470 percent year-over-year increase. Just last month, roughly
50 percent of the $4 billion in Visa chip transaction volume
occurred at small businesses.
We are also seeing significant progress on the issuing
side, with more than 150 million Visa chip cards in circulation
in the U.S., up from roughly 20 million a year ago, making U.S.
now the largest chip card market in the world.
It is important to note that while EMV eliminates instore
counterfeit fraud, it does not prevent fraud in the online
environment. To help mitigate this, Visa developed technology
called tokenization, which replaces the 16 digit account number
with a unique digital token. When fully deployed, tokenization
in combination with chip could virtually eliminate the need for
small businesses to store cardholder account numbers.
Today, with the expertise gained from years working with
merchants and financial institutions, Visa supports a wide
variety of cardholder verification methods, including
signature, PIN, and no-card verification for low-risk
transactions, which represent over 60 percent of our
transaction volume. However, we see dynamic verification
technologies as the way forward, and I would like to share a
few of these future technologies with you.
In February, Visa launched a new opt-in service that uses
mobile geolocation information to reliably predict whether it
is the accountholder or an unauthorized user who is making a
payment with a Visa account. In addition, last month, Visa
introduced a new specification that can enable a range of
biometrics in the authorization of payments, such as
fingerprint or voice biometrics. This innovative technology is
just rolling out but has great promise for protecting consumers
in years to come.
There has been great progress in the past year in the U.S.
transitions to EMV chip, but we must continue to work together
to protect all stakeholders in the payment space, including
small businesses.
Thank you for the opportunity to testify today, and I would
be happy to answer any questions you may have.
Chairman CHABOT. Thank you very much.
Mr. Talbott, you are recognized for five minutes.
STATEMENT OF SCOTT EVERETT TALBOTT
Mr. TALBOTT. Thank you. Mr. Chairman, Ranking Member
Velazquez, members of the Committee, I am Scott Talbott. I am
senior vice president for Government Affairs at the Electronic
Transactions Association, or ETA. Our member companies
essentially represent all the major players and many of the
minor players in the payment space. We focus on the acquiring
side, which means we are the connection between the merchants
and the payment system. So we are the handshake that helps make
all these transactions possible.
This ecosystem and the payments ecosystem is one where the
process is transacted securely and quickly, whether the
consumer pays with a credit card, a debit card, a prepaid card;
whether they tap, dip, swipe over the phone or over the
Internet. And contextually, 70 percent of all consumer spending
is done electronically. Last year, electronic payments totaled
over $5 trillion, with a ``T''. By 2017, we project that ETA
members will process over $7 trillion in electronic payments.
Combatting fraud is a major focus for ETA members, and our
payment system is built to detect and prevent fraud and to
insulate consumers from liability. It is important to note that
both before and after this EMV transition, consumers will enjoy
zero liability for any fraud when using electronic payments.
Billions of dollars of fraud occur each year, and the
largest category is counterfeit fraud. This is where a thief
steals your active account number, makes a fake card, and goes
and uses it instore. Chip cards work to prevent this fraud by
creating a special dynamic one-time code that runs with each
transaction. So frauds who obtain a chip card account number
will not know what this code is, and therefore, cannot create a
counterfeit card to be used in stores.
As Stephanie mentioned to incentivize the industry to
migrate to chip, last week, October 1st, the networks
implemented a voluntary long-planned liability shift for
payment card transactions. Liability shift means any
participant, whether it is a bank or a merchant, who is not
chip compliant, could be responsible for instore counterfeit
fraud.
To make the switch, chip cards require the cooperation of
eight million banks and credit unions who have to issue 1.2
billion cards in the U.S., eight million or so merchants who
are going to upgrade their equipment, as well as consumers are
going to have to switch from the familiar swipe to a dip.
Small businesses across the board are beginning to become
EMV compliant, and I would like to talk about the way they
think about this process. First is the cost. The cost of
upgrading one chip terminal is around at least $50. I brought
an example of one here today. CardFlight based in New York
offers it for about $50. The cost for each merchant depends on
the complexity of their system. If they have multiple
terminals, or if they have integrated terminals, the cost is
going to be much higher, but on average it is going to cost
about $100.
So each merchant will have a different risk of fraud. They
have a different fraud threat matrix, and it will compare this
fraud threat matrix that they have to the cost of the upgrade,
and those merchants who experience a lot of counterfeit card
fraud because they sell easily marketable goods and services,
like jewelry or electronics, they are more likely to be chip
compliant, and if they are not, they will be quickly.
Those merchants that sell services and less marketable
goods, like hotels or car washes or dry cleaners, are less
likely to be compliant at this point. They may delay their
decision to convert.
Once a decision to switch to chip cards is made, the
merchant will work with their processors and other entities to
get their terminal certified. This is essentially a quick audit
that is done. For one terminal it is relatively simple, but if
you have a complex number of terminals, it could take longer to
become certified. And many processors are working with
merchants who, if they requested to be certified before October
1, the start of the transition, if they are not compliant now,
then the processor will actually cover the fraud for that
particular merchant while they work to get them compliant.
To assist small businesses with the migration to chip, the
payments industry is working with a large number of programs,
both financial incentives, as well as educationally, both at
the small business as well as at consumers. ETA, for example,
has an educational website, sellsafeinfo.org, which is aimed at
helping small businesses, and we will continue to work with
them through the process. We are also working with state AGs
and state regulators to help get the message out to consumers.
As I said earlier, chip cards only protect against instore
counterfeit. They do not protect against online fraud. As we
know from our experiences in Europe and Canada, the fraudsters
will simply shift their focus from counterfeit cards to online
fraud. To address online fraud, the industry is deploying
another technology called tokenization. Tokenization
essentially replaces the payment card information with a unique
identifier that cannot be reversed. Another layer of protection
that is being deployed by ETA members is point-to-point
encryption. With point-to-point encryption, the data is
encrypted during the transition process as the information runs
across the systems and merchants or thieves cannot grab the
information and use it to make fake cards.
So in conclusion, ETA members are the first line of defense
against fraud and we take this very seriously, and every day we
deploy a number of technologies--chip, tokenization,
encryption, biometrics, and other technologies to help protect
consumers, merchants, as well as the payment system from fraud.
Thank you for the opportunity to testify. I look forward to
your questions.
Chairman CHABOT. Thank you very much.
Mr. Weston, you are recognized for five minutes.
STATEMENT OF PAUL WESTON
Mr. WESTON. Chairman Chabot, Ranking Member Velazquez,
members of the Committee, my name is Paul Weston, and I am
president and CEO of TCM Bank in Tampa, Florida. I testify
today on behalf of more than 6,000 community banks represented
by the Independent Community Bankers of America. Thank you for
convening today's hearing.
TCM is a $180 million credit card bank. We issue and
service credit cards to 200,000 consumer and small business
customers for 650 community banks across the country. We adhere
to the values and standards of service of our community bank
clients, and by functioning as their back office for credit
cards, we allow community banks to focus on their core
competencies, small business, consumer, and farm lending.
Community banks are uniquely positioned to help their small
business customers make a smooth transition to EMV and are
committed to doing so.
EMV, or chip cards, are much more secure than magnetic
stripe cards because they are significantly more difficult to
counterfeit. Counterfeit cards made with stolen information
represent the largest portion of payment card fraud in the U.S.
While consumers are protected against loss, having to
replace a credit card or a debit card is inconvenient for them
at best. EMV, together with merchant-provided chip readers at
the point of sale will play a critical role in reducing
counterfeit fraud. Community banks are joining other financial
institutions in the orderly migration to deploy EMV chip
technology for debit and credit cards. Recent reports indicate
that roughly 4 in 10 consumers already have an EMV credit card.
There is no mandate that card issuers adopt EMV or that
retailers invest in EMV chip card readers. However, new card
industry rules that took effect on October 1st incentivize a
shift to EMV technology. The new rules provide that the
liability for fraudulent transactions sits with the party, the
retailer, or the issuing bank that has not upgraded to chip
technology. Where neither party is yet EMV compliant or where
both parties have upgraded, the pre-October 1 liability rules
prevail. That is to say that the issuing bank is responsible
for fraud losses.
October 1st is not a deadline in a meaningful sense of the
word. Instead, the liability shift serves as a catalyst for
change. Already, many card issuers in many merchant locations
have enabled EMV. Others will adopt it before year-end, and
some will choose to defer it until 2016 or even beyond. Each
issuing bank and each merchant will decide when to adopt EMV
based on their own business model, their vulnerability to
fraud, and their management of risk. We expect the migration to
full EMV chip card usage to take several years.
Based on many conversations with community banks and their
small business customers, I believe that most small businesses
are taking a very prudent approach to this migration. They are
not buying from the first terminal salesman that makes the
phone call, but they are planning to closely follow as the
larger national retailers in their marketplace begin to enable
EMV at the point of sale.
Community banks will serve as an important ally and
resource to retail small businesses making this transition.
They will help their merchant customers by providing equipment,
expertise, and education to guide them through the change.
Since community banks are local, they serve as the ``feet on
the street,'' especially for the small businesses in their
communities.
While EMV chip cards are an effective means of reducing
fraud related to counterfeit, they are not a panacea for all
types of payment card fraud. Multiple layers of security are
needed in addition to EMV to mitigate the other types of fraud.
End-to-end encryption should be deployed to protect cardholder
information in transit, and newer technologies, such as
tokenization, should and will be developed and deployed to
protect online transactions.
Some are insisting that PIN technology in combination with
EMV is the only way to eliminate payments fraud, but PINs only
protect against fraud in cases of lost or stolen cards, which
is a relatively small portion of total fraud. What is more, as
a static data element, the PIN is more vulnerable to compromise
than active technologies like EMV or tokenization.
The most important thing for cardholders to know is that
they are fully protected from fraud losses as all the major
credit card brands have zero liability provisions for consumers
and small businesses. The Electronic Funds Transfer Act limits
consumer liability for fraud on debit cards. Customers should
also know that banks are subject to rigorous examination and
supervision of their data security policies and procedures. We
believe that similar standards should apply to all industries
that handle sensitive customer financial information.
In conclusion, I fully expect that the critical partnership
between local community banks and their small business
customers will help ensure a smooth transition to EMV and a
more secure environment for all payment card users.
Thank you again for the opportunity to testify today, and I
look forward to your questions.
Chairman CHABOT. Thank you very much.
Ms. Roche, you are recognized for five minutes.
STATEMENT OF JAN N. ROCHE
Ms. ROCHE. Good morning, Chairman Chabot, Ranking Member
Velazquez, and members of the Committee. My name is Jan Roche,
and I am testifying today on behalf of NAFCU. I serve as the
president and CEO of the State Department Federal Credit Union.
NAFCU appreciates the opportunity to appear before you
today to discuss EMV. Due to the traveling habits and job
assignments of many of our members, State Department Federal
Credit Union was one of the first financial institutions in the
U.S. to start issuing EMV credit cards. Today, our credit card
portfolio of over 28,000 cards is now 100 percent EMV enabled.
EMV is the established worldwide standard for chip cards.
EMV cards are still plastic but they contain an embedded
microchip that makes it harder to produce a counterfeit card
that can be used at a point-of-sale terminal. This is because
the chip generates a new random number identifier for each
transaction. If that data is stolen, it is not traceable back
to the account. It is the EMV chip technology that makes the
new cards more secure, not a PIN or signature. While EMV is the
new market standard for combatting fraud at the point of sale
and assigning liability when a fraudulent credit card is used,
it is not a silver bullet solution to the broader problem of
data security. Also, a chip card can only be effective if the
point of sale terminal is configured to accept it.
It is important to note that the EMV transition in the U.S.
is a voluntary one established by the market, and not a
government mandate. Neither financial institutions, nor
merchants, have been forced to transition. The speed of
shifting to EMV is essentially a business decision that is
dependent upon risk tolerance. Consumers are not liable for
fraud losses in general. All credit cards have zero liability
provisions for consumers and consumer liability is limited for
any fraud on debit cards. This is true whether or not a card or
business is EMV enabled.
NAFCU has found that a majority of credit unions are
transitioning quickly and effectively to EMV. Even prior to the
announced shift in liability, many were already providing EMV
credit cards to their members as they issued new cards or
replaced older magnetic stripe cards. This is true even though
there is a greater cost for EMV cards at credit unions. At
State Department Federal Credit Union, our cost for producing
an EMV card is nearly double a non-EMV card.
A truly secure payment system must be one that evolves to
meet emerging threats and utilizes a wide range of
authentication technologies--EMV, tokenization, encryption,
biometrics, and more. There is no panacea to avoid data theft.
Accordingly, NAFCU does not support any single solution,
such as a PIN mandate, to require consumers to enter PINs for
every transaction. A PIN is a static data element that is still
vulnerable to theft. A PIN mandate would not have helped
prevent recent consumer data breaches, such as Target, Home
Depot, or Michaels.
Requiring PINs would not prevent online or mobile fraud,
often referred to as ``card not present'' fraud. This type of
fraud is also expected to rise significantly after the EMV
transition, as it has in other countries after their EMV
transitions. For my credit union, ``card not present'' fraud
was about 40 percent of our gross fraud this past year.
NAFCU has long supported comprehensive data and
cybersecurity measures to protect consumer sensitive data.
Credit unions and other financial institutions already protect
data consistent with the provisions of the 1999 Gramm-Leach-
Bliley Act. Unfortunately, there is no similar regulatory
structure for other entities that may handle sensitive personal
and financial data. GLBA requires financial institutions to
address the risks presented by the complexity and scope of
their business. This allows flexibility and ensures the
regulatory framework is workable for both the largest and
smallest financial institutions. Gramm-Leach-Bliley is an
example of how scalability is achievable for varying sized
businesses.
In conclusion, a truly secure payment system must be one
that is constantly evolving to meet emerging threats and uses a
wide range of dynamic authentication technologies--EMV,
tokenization, encryption, biometrics, and more. When it comes
to EMV, what matters most is the chip technology that makes the
cards more secure. Requiring additional measures, such as PIN
usage, does not make substantial improvements to the system.
NAFCU encourages you to support H.R. 2205, the Data Security
Act of 2015. This bipartisan legislation creates a national
data security standard that is flexible and scalable.
Ultimately, consumers will only be protected when every sector
of the industry is subject to strong federal data security
standards that are enforced by corresponding regulatory
agencies.
Thank you for the opportunity to appear before you today.
On behalf of NAFCU, I welcome any questions you may have.
Chairman CHABOT. Thank you.
I recognize ourselves to ask questions, and I will
recognize myself first for five minutes.
Today is October 7th. The deadline for transition to this
new technology is about a week old now. And I am going to have
a little audience participation here. Just by a show of hands,
how many in the audience used a credit card to purchase
something over the last week? If we could just see a show of
hands. Virtually, everybody in the room. I am not going to ask
you what you purchased, but how many of you, if you know, used
this new chip technology? Okay, quite a few. Excellent. Well, I
appreciate that very much.
I know my staff could not use the new chip technology when
they tried to do so in the cafeteria downstairs in this
building this week, so that is something we probably need to
work on. And we have had a similar shift before from paper
processing to electronic processing. So we have experienced
this to some degree before, and that certainly seems to have
caught on, although I generally use cash myself.
So my first question is, and I will ask you, Ms. Ericksen,
how is the transition going? I know it is still very early in
the process, but how is it going?
Ms. ERICKSEN. Thank you, Mr. Chairman.
So we know from other countries that have moved to chip
technology, it typically takes about two or three years after
the liability shift date to get to roughly 60 or 70 percent of
a company's domestic payment volume being a chip card used at a
chip terminal. So we are in very good shape in terms of being
that we are really at the starting point of moving the west
towards using this technology more frequently. And it typically
takes about four or five years after the liability shift date
to get to greater than 90 percent of the payment volume being
chip-on-chip, or chip authenticated, if you will. So the fact
that we already have more cards here in the U.S., more chip
cards here in the U.S. than any other country, and great
participation, particularly from many of the major retailers
that even just turned on on Friday and Saturday last week, we
are seeing increasing growth on the payment volume side of
things.
If you look at consumers, many consumers have at least one
card in their wallet; many of them have more than that. What we
have seen from our research as of July is roughly 60 percent of
consumers have at least one chip card in their wallet, and as
of that time in July, 30 percent of them had done at least one
chip transaction. But we know that many retailers just enabled
in August and September, and many are enabling this month as
well, so we are seeing that increase almost on a daily basis in
terms of the actual penetration of people doing a chip
transaction going forward.
Chairman CHABOT. Thank you. Let me ask you another
question. The shift to payment cards with computer chips has
happened, as we know, in other places all around the world,
including Europe where the technology has been used for about
20 years now. What has the impact on fraud rates been in Europe
specifically since the implementation of the EMV chip card? And
what effect do you think that chip and PIN has had on instances
of fraud in Europe? And what does that mean for the
implementation here in the U.S.? What additional levels of
security are financial service providers working on to better
protect businesses and consumers and strengthen data security?
Ms. ERICKSEN. Yeah. Unfortunately, Visa Europe is a
separate legal entity from Visa Inc., so I can speak to other
parts of the world that have moved to chip technology around
the same time and same pace compared to Europe.
Chairman CHABOT. Who would we need to go to to get the
information?
Ms. ERICKSEN. Someone from Visa Europe or someone from
Europe.
Chairman CHABOT. Can you recommend anybody on that?
Ms. ERICKSEN. We can get back to you on that for sure.
Chairman CHABOT. Okay. I would appreciate that very much.
Ms. ERICKSEN. We do have data to share though from other
countries if you would like to hear that, from Australia,
Brazil, and Canada.
Chairman CHABOT. I will get that later, but I have got a
minute and 18 seconds left.
Ms. ERICKSEN. Okay.
Chairman CHABOT. A whole lot of questions, so
I understand that the cost is a deterrent to small
businesses as we know, as well as training the employees to use
the new system and even educating customers about how to use
the new terminals, and these appear to be hurdles for small
businesses, and this Committee is the Small Business Committee,
so we are obviously very concerned about the impact this will
have on small businesses. How are small businesses supposed to
overcome some of these obstacles? And what are some of the
challenges that they face? Are financial service providers
offering any assistance to businesses that encounter these
problems?
Mr. Talbott?
Mr. TALBOTT. Thank you. Good question. I think many
financial institutions, as well as other entities like
processors, are offering both financial incentives. American
Express, for example, set aside $100 million to help in this
process. Other companies are providing low costs. For example,
this CardFlight, this is $50 attached to the merchant's phone
to go on the low end. But there are lots of financial
incentives, as well as educational incentives. There are
videos, there are in-store demonstrations, there is
teleconferencing. The payments industry is working very hard to
help the small merchant get to this process. The end result is
to protect everybody themselves as well as consumers from
fraud, and that is the ultimate goal.
Chairman CHABOT. Thank you very much. My time is expired.
I will recognize the ranking member, Ms. Velazquez, for
five minutes.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
Ms. Roche, as we know, under the new EMV agreements,
liability to reimburse consumers for fraud loss shifts to the
party that has not upgraded to EMV technology. What is the
process for making consumers whole, and do they contact their
bank like they have in the past? What is the process?
Ms. ROCHE. So the process will not change. The consumers,
if they have noticed a fraudulent transaction on their account,
they will contact their bank or credit union, whoever issued
the card. And then my credit union specifically will reimburse
the consumer, give them provisional credit, and then we will
work it out on the back end as far as whether or not we recover
those funds from a merchant.
Ms. VELAZQUEZ. Thank you.
Ms. Ericksen, small businesses pay considerable sums of
money to accept payment cards. Reasons given for these fees
have often included the cost of fraud. If EMV successfully
reduces fraud, will Visa commit to reducing swipe fees on its
cards commensurate with that fraud reduction?
Ms. ERICKSEN. Well, our interchange rates that we have set
are consistent across the industry in terms of incentivizing
participation for issuers to issue cards as well as merchants
to accept payments.
Ms. VELAZQUEZ. But hasn't one of the arguments always been
the cost of fraud?
Ms. ERICKSEN. Fraud is one component of it, including the
credit risk of lending that credit to the cardholders.
Ms. VELAZQUEZ. So how would you factor in if we see that
there is a reduction in fraud, how will that----
Ms. ERICKSEN. Yes. Well, unfortunately, the criminals
continue to invest in strategies in being able to commit fraud
as well, so we need to continue to invest in the ability to
address that fraud. So even though EMV is one technology that
is going to help drive fraud down, we need to continue to
invest in analytics and other types of authentication
technologies that continue to stay one step ahead of the
criminals, because, unfortunately, they are going to continue
to try to do that as well.
Ms. VELAZQUEZ. I just cannot help myself but laugh.
Ms. ERICKSEN. I am sorry, what is your question?
Ms. VELAZQUEZ. There is also typically two tiers of
interchange fees for in-store and online transactions.
Ms. ERICKSEN. Excuse me. We are not sure what the question
is.
Ms. VELAZQUEZ. No, it is a statement.
Ms. ERICKSEN. Oh, okay.
Ms. VELAZQUEZ. Yeah. Will there be a day when we see a
reduction? Also, in terms of Europe, you will provide Mr.
Chabot the information on whether the percentage of fraud has
gone down, correct?
Ms. ERICKSEN. The only statement that I have is the
interchange fees that we have are very competitive, and they
incentivize participation from both issuers and merchants to
participate in accepting electronic payments, and we continue
to invest in security and technologies to make that convenient,
as well as to continue to provide consumers confidence in using
electronic payments.
Ms. VELAZQUEZ. Mr. Talbott, thank you. In Europe where the
EMV chips have been in use for decades, point-of-sale fraud is
virtually nonexistent. What took so long for the standard to be
implemented here in the U.S.?
Mr. TALBOTT. It is two different systems. Probably a better
way to answer the question is, why was Europe implemented so
quickly? And the answer is they did not have continuous access
to the Internet that we do. So in Europe when a card was
presented, the merchant needed a way to verify that transaction
at that point since they would have to batch their transactions
for authorization later that day when they could access the
Internet. And the chip helped them do that, to verify the card
at that point. They could not do it later when they went for
authorization because the customer was gone. The U.S., by
contrast, has always enjoyed continuous access to the Internet
and the ability for merchants to process and gain authorization
of that transaction in a couple seconds. And so there was less
of a need for other authentication methods at the point of
sale, which is why the U.S. is now and soon will be aligned
with the U.S.
One other quick point, as we look at other technologies
like tokenization and encryption, the U.S. is far ahead of
Europe and other countries in developing and implementing
those. And so these things do not move exactly lock step. It is
sort of a cat and mouse type of approach.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
Chairman CHABOT. The gentlelady yields back.
The gentleman from Nevada, Mr. Hardy, who is chairman of
the Subcommittee on Investigations, Oversight, and Regulations
is recognized for five minutes.
Mr. HARDY. Thank you, Mr. Chairman.
Ms. Roche, I would like to start with you. In your
testimony you mentioned that the largest consumer data breaches
that happened in places like Target and Home Depot would not
have been averted by a PIN. Do you believe this EMV would have
averted those same targets?
Ms. ROCHE. It would not have averted the breach itself, but
it would have made it very difficult to counterfeit the cards.
It is difficult to counterfeit the chip in the card so the
cards can then be used to commit fraud.
Mr. HARDY. This liability shift to the retailer or whatever
you want to call it now instead of the banks, why the October
1st deadline? Does anybody want to care to address that? The
busiest time of the year. We are going into the busiest
approach of any retail market or any selling between now and
December.
Ms. ROCHE. Yeah. The liability shift was announced August
2011, so more than four years ago, and typically around the
time of other markets announcing their liability shift, October
1 has been a very commonly accepted date because we recognize
that at that point in time we start to see increasing payment
volume. So it was just a date to align with the same dates that
many of the other parts of the world that announced their
liability shift dates effective October 1. When we announced it
in August 2011, we also made it October 1 of 2015.
Mr. HARDY. We, as in Visa?
Ms. ROCHE. We, as in Visa. Other payment systems had their
own announcements of liability shift dates.
Mr. HARDY. So October 1 is only for Visa?
Ms. ROCHE. October 1 is for Visa. MasterCard also announced
the same date later, but we announced that first in August
2011.
Mr. HARDY. Assuming that this all comes together over the
next couple of years and we have 100 percent usage of EMV and
the token and everything starts working but then the criminals
always seem to find another avenue. Is the liability shift
still on the retailer or does it go back to the bank?
Ms. ROCHE. Well, so the liability shift actually, once the
merchant has invested in chip technology, they are then
protected from any liability for counterfeit fraud. And
merchants are not having any liability for lost and stolen
fraud, which is also commonly associated with PIN. So the
liability shift is specific to EMV and counterfeit fraud. Once
a merchant has made that investment in a chip terminal, they do
not have liability for counterfeit fraud.
Mr. HARDY. Just to be very clear, once they have had that
investment, then that liability goes back as it was?
Ms. ROCHE. Right.
Mr. HARDY. Thank you.
As EMV cards become more and more commonplace in the United
States market liable for fraudulent card use if they have not
upgraded the reader technology software, what will the cost of
this upgrade cost for small businesses? Have you included all
the other residual costs that they would have to implement? You
know, training and the whole--has that cost been in the
analysis? Because it seems awful low to me. I am a small
business owner previously myself.
Ms. ROCHE. Many of the small business owners that we have
been talking to in our 20 city tour, as well as working with
the Chambers of Commerce and other parts of the industry, have
mentioned that the upgrade to chip technology for some of them
has been kind of like replacing a cell phone where they get a
new device and they may change processors, they may shop around
to get a better processing deal that actually may save them
money compared to what they are paying today to process mag
stripe transactions. So for some of them, the upgrade to EMV
chip technology is not only giving them that protection against
counterfeit fraud liability, but many of them are
futureproofing their business to accept mobile payments and
investing in some other technology that may help them run their
inventory or their supply chain and manage their businesses
more effectively. So some of them are doing other investments
and add-ons as they move to EMV technology.
But in terms of staff training, we have worked closely
across the industry, not only on Visachip.com do we have a lot
of training materials, including a 10-step implementation guide
and downloadable sales associate training materials they can
use, but we worked with MasterCard, American Express, and
Discover to do a gochipcard.com site.
Mr. HARDY. I have another question I need to ask. I also
want to know, in one of these comments here it sounded like
there was not going to be that much liability at first,
understanding it is a two to four year process. So how are we
going to determine which business is going to reap that
liability and which is not?
Ms. ROCHE. We have been doing a lot of education with the
small business merchant community and the large retailers to
identify which retailers tend to be the ones that have a high
likelihood of counterfeit fraud. It is where you think it may
be, like electronic stores, high-end luxury goods retailers,
for example, whereas small businesses typically that are in the
service industry or a local delicatessen, cafeteria, coffee
shop, they are not typically the recipients of a lot of
counterfeit fraud. So we have been doing education with the
major retailers so that they know what their counterfeit fraud
liability will be, as well as with the small business merchants
and their supplying industry so that they understand what the
counterfeit liability will be for them. We want the whole
industry to move to this technology because it does help secure
payments and preserves consumer confidence in payments, but at
the same time, typical small business merchants that are doing
services or low value transactions are not usually the
recipients of counterfeit fraud.
Chairman CHABOT. Thank you. The gentleman's time has
expired.
The gentleman from Hawaii, Mr. Takai, who is the ranking
member of the Contracting and Workforce Subcommittee is
recognized for five minutes.
Mr. TAKAI. Thank you. Thank you, Chairman, and thank you
for having this hearing. I really appreciate this.
As someone who has had to change their credit card for each
of the last three years, I think anything we can do to enhance
protections and to prevent fraud is much appreciated. But I
believe as any transition, it is very tough.
I have a few questions. I wanted to start with Ms. Roche
regarding, well, here is my question. The merchant community
has strongly advocated for this move to the chip and PIN system
here in the U.S. In fact, I may add, I was going to Japan and a
few other countries for quite a while. My Visa card had the
chip technology for maybe three years now and I was not able to
use it until just about two weeks ago here in the United
States. In fact, in Hawaii. So as a credit union with many
members going overseas, what has been your experience regarding
the fraud rates on the PIN-enabled or the chip cards?
Ms. ROCHE. That is a difficult question to answer because
the cards that we are issuing have the chip and a swipe on the
back of it. So we had to. Because the cards are getting swiped
in addition to being used as chips, we have had to reissue
cards with chips that have had fraud committed on them. So our
experience, it is very hard to segregate whether the fraud is
coming from a chip-read card or a swiped card.
Mr. TAKAI. So the merchants are going to push us now to, if
they have not been able to use the chip instead of the swipe,
they are going to ask us to do it, although we could do both,
either?
Ms. ROCHE. A lot of it depends on how the readers are
programmed, but in my experience in using the cards, if there
is a chip in the card and the merchant has the chip reader
enabled, it will force you to use the chip side.
Mr. TAKAI. Okay. Okay. And do you know what is surprising?
I have a debit card, too, and for the past year or so, some
merchants do not require a PIN, so that was surprising. But on
your credit cards, maybe your debit cards, you require a PIN.
So are PIN numbers helpful? Do they prevent fraud? And then are
they actually stored on the merchant's system?
Ms. ROCHE. So the PIN numbers are--what really matters,
what is keeping the transaction secure is the chip. So the
authentication method, whether it is PIN or signature, is not
as important. And, in fact, the PIN is a static data element
that can also be stolen. But what is most important is that the
information on the chip is what is making it more secure
because that is a random number, generated authentication
method that changes every single time and cannot easily be
counterfeited. That is what is most important about this
transition.
Mr. TAKAI. Okay. Thanks.
And then to Ms. Ericksen, on your website it states that
you are rolling out the Chip and Choice to give merchants
greater flexibility on their payment options. Do Visa rules
allow merchants to require PINs on every debit transaction if
that is the flexibility they prefer?
Ms. ERICKSEN. We support PIN, as well as signature, as well
as ``no card holder'' verification. So our rules provide
flexibility for merchants and for issuers depending on the type
of transaction that is being conducted. For example,
transactions up to $25 do not require a signature or a PIN, and
transactions up to $50 at grocery stores do not require a
signature or a PIN either. So it gives the flexibility to the
merchant depending on if they want to enable PIN or signature,
or also be compliant with the rules and not require either
signature or PIN for the transactions that qualify for that. We
do know that roughly 50 percent of the merchant locations in
the U.S., particularly small business merchants, do not have
the incremental security technology that would secure and
encrypt that PIN, so many small business merchants have not
opted to invest in PIN technology, but we do support that,
whether or not on the issuing side or on the merchant side they
want to invest in supporting PIN or signature.
Mr. TAKAI. Who has the liability for debit cards? I mean,
the debit charge transaction goes directly into my checking
account and pulls the money directly out. So do I have
liability or do you have liability?
Ms. ERICKSEN. Consumers have zero liability for that. So
from a Visa perspective, consumers have zero liability, whether
it is a credit card transaction or a debit card transaction.
Mr. TAKAI. When was the shift done to eliminate the four
PIN requirement for debit cards?
Ms. ERICKSEN. I do not understand your question.
Mr. TAKAI. Debit cards required the PIN for many years
until, like I said, just about a year ago I was able to use my
debit card without my PIN.
Ms. ERICKSEN. For many years you have been able to use your
Visa debit card as a signature card or without a PIN for point
of sale. Typically, if you are using it as a PIN, it is going
over a different network that requires a PIN for that
transaction, or to get cash back at the point of sale, or at
the ATM, for example, but using it as a Visa card at the point
of sale, you have always been able to use it without a PIN.
Mr. TAKAI. Really? Okay. Thank you.
I yield back.
Chairman CHABOT. Thank you very much. The gentleman's time
has expired.
The gentleman from Missouri, Mr. Luetkemeyer, who is the
vice chairman of this Full Committee is recognized for five
minutes.
Mr. LUETKEMEYER. Thank you, Mr. Chairman.
Just to kind of recap here, make sure I am understanding
what is going on here, basically what you are trying to do, we
have a problem. The problem is fraud and cyber theft that is
occurring against financial institutions and through the system
at which they are having a cost. Is that correct? They are
trying to alleviate. So the solution to that is for the new
chip and PIN, chip and whatever kind of technology. Is that
correct? And the cost of this, if I get this correct, is borne
by the banks or the transaction companies versus the merchants
have a small cost to get a new terminal and some software,
whatever, and then the consumer has zero cost. Is that all
correct?
Ms. ERICKSEN. So the consumer has zero cost but it is
shared across the industry in terms of the banks investing in
reissuing the cards because chip cards are more expensive to
reissue. And also on the merchant side in upgrading their
infrastructure to be able to have the chip readers.
Mr. LUETKEMEYER. Did I hear a while ago that the cost to
reissue cards is 50 bucks?
Ms. ERICKSEN. To reissue a card is not. It is more the
terminal side is roughly in the $50 range. The card can be
about $1 to $5 depending on the size of the institution and the
number of cards.
Mr. LUETKEMEYER. Okay. What is the $50 then?
Ms. ERICKSEN. The Square reader is $49 that a merchant can
buy to accept payment.
Mr. LUETKEMEYER. Oh, okay. So that is a merchant cost.
Ms. ERICKSEN. It is a merchant cost.
Mr. LUETKEMEYER. Okay. So it costs then 50 bucks to be able
to read the cards?
Ms. ERICKSEN. Right.
Mr. LUETKEMEYER. Okay. Okay, so knowing all that, are there
complaints out there? What are the complaints about doing this?
It appears that we need to do this. I know I can tell you from
being in the financial institution business, you know, my
institution, local institution got hit with some of these cyber
deals and to me this is a concern from now on. Here in
Congress, we have a responsibility to try and work to try and
protect the government data, but also to help where we can the
business and industry and consumers to be able to protect their
data. And this is a huge problem. It is a burgeoning problem
for our entire society and the world as a whole. And so this is
something we are going to have to figure out over the long haul
from now on because this is, you know, I think you used it a
while ago, 70 percent of all transactions are with credit cards
now. Is that correct?
Mr. TALBOTT. Electronic.
Mr. LUETKEMEYER. So if we are headed in that direction, we
are going to have to be able to protect the data. That is a
real problem. So I guess the concern is that we know what the
problem is. You know it is going to be getting greater as the
bad guys figure out how to get around the system. What are the
complaints about doing what you are doing? What have you done
to alleviate those, I guess?
Ms. ERICKSEN. Well, we have seen a lot of great momentum in
the industry. And as I am sure Mr. Talbott can also elaborate
on, but I think the key thing to remember is it is a shared
cost and a shared effort across the industry. The issuers are
reissuing the cards. The payment systems are investing in new
technology to stay ahead of the criminals and to do more
predictive analytics on the system side as well as those
transactions are flowing through our networks. And the
merchants are investing in the technology to be able to read
chip as well as mobile as we are moving in that direction. So
it is really a shared effort.
Mr. LUETKEMEYER. Okay. What is the amount of fraud
reduction that you anticipate with EMV adoption?
Ms. ERICKSEN. Typically, in markets that move to chip
technology, when they get to that 60 to 70 percent of their
transaction volume in a country being chip on chip, it takes
about two years after the liability shift date, we also see
counterfeit fraud go down by about 60 or 70 percent and
continue to go down as the penetration level goes up.
Mr. LUETKEMEYER. Okay. And a while ago you also talked
about new technology. This enables you to do mobile technology
on taking transactions on a mobile basis as well as you are
looking at biometric safeguards as well as encryption. At what
point, or how quickly do you anticipate getting to that type of
safeguard?
Ms. ERICKSEN. Tokenization is typically used on a mobile
phone today or an ecommerce transaction. So tokenization today
is where you put in your account number on your Apple Pay
device, for example, and your account number is actually
replaced with a different number, a digital token. So that is
something that is becoming much more prevalent. It is already
in use today in Apple Pay, for example.
Mr. LUETKEMEYER. Okay. So what about the biometric? How
quickly is that?
Ms. ERICKSEN. Biometric is also being used in mobile
technology as well. So when you do Touch ID to authenticate
yourself to a smartphone, many more smartphones are enabling
that. And so Touch ID and biometric is one way that is already
being enabled, particularly on smartphones.
Mr. LUETKEMEYER. Okay. So we have it on a mobile
transaction. What about a merchant? Is he going to be able to
take that? How quickly do we move to that area?
Ms. ERICKSEN. We do not see that a lot in the face-to-face
merchant environment using your card at a reader today because
it is incremental investment in being able to do biometric. It
is much more prevalent today on the mobile phones.
Mr. LUETKEMEYER. Okay. Well, how quickly do you anticipate
that happening? I mean, I assume that, you know, I think there
was a comment made a while ago about the PIN technology is not
perfect. If the encryption is better, how long will it take to
get there?
Ms. ERICKSEN. Encryption is a different technology. I do
not know if you want to talk about encryption, Scott.
Mr. TALBOTT. Yeah. Sure. So encryption is being rolled out
now. There are a number of companies that offer it to merchants
if they would like to avail themselves of it. Some are and some
have not. It is sort of behind this migration to chip, but it
is out there and I suspect, Congressman, that it will move
pretty quickly. Because what we will see, and this goes to your
question, Mr. Chabot----
Mr. LUETKEMEYER. What kind of costs--if I can ask one more
question real quick, what kind of costs are affiliated with it?
Mr. TALBOTT. For going to tokenization?
Mr. LUETKEMEYER. Yeah.
Mr. TALBOTT. It is marginal. I do not have those numbers
exactly, but I know----
Mr. LUETKEMEYER. When you say ``marginal,'' is it 2 bucks,
20 bucks, $200, $2,000?
Mr. TALBOTT. It is a couple cents per transaction at this
point.
Mr. LUETKEMEYER. Okay. All right. Thank you. I yield back.
Chairman CHABOT. Thank you. The gentleman's time has
expired.
The gentlelady from California, Ms. Hahn, is recognized for
five minutes.
Ms. HAHN. Thank you, Mr. Chairman. I appreciate you holding
this hearing.
So Ms. Ericksen, I understand what we are trying to do
here. There was a problem. Visa and other banks are trying to
incentivize merchants out there to switch to this new
technology to reduce their fraud, so the big incentive was if
you do not by October 1st upgrade your terminals to this chip
technology, any fraud that happens, you, the merchant, are 100
percent liable for the fraud. Was that the----
Ms. ERICKSEN. There are some clarifications, too. In
general, the direction is if a merchant does not invest in a
chip terminal, they may become liable for any fraud if it is a
chip card used at their store but the mag stripe is still read
off of that card. So if it is a mag stripe card where the
issuer has not invested yet in chip technology----
Ms. HAHN. Right.
Ms. ERICKSEN. If that mag stripe card experiences fraud at
a merchant location that also does not have chip, it is still
the issuing bank who is liable for that. So the merchant is
only liable for any fraud at their location if it is a chip
card that has been used at their store where they do not yet
have a chip terminal and so they are reading the mag stripe on
that card. If that turns out to be a copied mag stripe, a
counterfeited mag stripe, then that merchant could be liable
for that transaction. Yes. But it is not for mag stripe cards
that have not yet been upgraded to chip, and once the merchant
upgrades to chip, they are then protected from any liability?
Ms. HAHN. Correct. Okay. So it is a little confusing I
think to some merchants, and in my district office in Los
Angeles, we sort of did an informal survey of our small
businesses, you know, about 30 of them. And it was surprising
how many of them did not have any idea that as of October 1st
they would be responsible for all liability under that
scenario, the one you just described.
So I guess my question to you was I know you did sort of a
20 city road trip which did not seem like a lot of cities to
me, you know, and there is a public website that people could
go on but, you know, I know a lot of my small businesses, you
know, kind of do not operate in that world of just
automatically going on a website to see what is going on in
their world. Do you really feel that you did a good job of
communicating this? And just from my informal, unscientific
survey, you know, a lot of my small businesses did not
comprehend what was happening as of October 1st. Do you think
you could do a better job? Or do you think maybe your
communication failed to reach a lot of small businesses?
Ms. ERICKSEN. Well, as we said before, it does take about
two or three years after the liability shift date to get to 60
to 70 percent adoption of chip technology, so we really are at
the start line, and we have been doing a lot of education to
this point, but we are also continuing. We are not stopping. So
next week I am going to be in Chicago working with the Chamber
of Commerce there, doing another small business education tour.
Just last month we did the Small Business Development Centers
Conference and educated the Small Business Development Centers
who counsel and provide support for small businesses so that
they would have the resources that they need to be able to
provide that information. So we are continuing to get the word
out. We are not stopping. We are certainly trying to continue
to get the word out.
Ms. HAHN. But just because you do not get the word out does
not mean that that scenario that you described is not a
reality.
Ms. ERICKSEN. Yeah. Well, their processors are also
responsible for communicating that to them. So it is not only
Visa and MasterCard in the industry but the processors that the
merchants work with are getting that information out, and many
of them are providing incentives for them to do an upgrade to
this technology. And so there are many different touch points
with the merchants to get the information out. Again, a lot of
the counterfeit fraud is concentrated in more of the higher end
retailers where you see high value transaction volume, not
typically in a lot of the small business merchants.
Ms. HAHN. Right. Right.
Ms. ERICKSEN. But we are not going to stop in terms of our
education efforts.
Ms. HAHN. Right. And you know, this is another issue, but I
will say that my Visa card that is held by Wells Fargo sent me
a letter with my--well, sent me the new chip card and then
subsequent to that sent me a very serious letter saying that
just to let you know, you know, this is--we are transitioning
to the chip card. We can see that you are still using your
other card. And I do not know how many people got that, but
that freaked me out because I had already had one card
compromised earlier, but I knew I had gotten rid of my other
card. I shredded it, and so that upset me. When I went through
the 1-800 number to call them, oh, that is a mass email we sent
out to everyone. So I think that is unfortunate, and I talked
to some other people who also with different cards had gotten
that same mass email. And I think that is unfair to the
consumer to send that sort of scare tactic letter saying they
could see that I was still using my other card. And I do not
know what we can do about that, but that is for another
hearing.
Anyway, thank you. I yield back.
Chairman CHABOT. Thank you. And if it is of any
consolation, when my wife and I got back from vacation about a
month ago, we had a phone message indicating that the IRS was
going to file a lawsuit against us the next week because we had
not paid our taxes. And I said, ``Did we not pay our taxes?''
And we had, indeed, paid our taxes. So anyway, she went online
and a whole lot of people were getting that same thing, so it
is a scary world out there. But thank you very much.
The gentlelady from American Samoa, Ms. Radewagen, who is
the chair of the Health and Technology Subcommittee is
recognized for five minutes.
Ms. RADEWAGEN. Thank you, Mr. Chairman, and Ranking Member
Velazquez. I also want to welcome the panel. Thank you for
appearing today.
I have a couple of questions for Ms. Ericksen. I was hoping
you could tell me more about Visa's opt-in geolocation service
called Visa Location Confirmation. I understand this service
could benefit customers who travel, like my constituents back
in American Samoa.
Ms. ERICKSEN. Yeah. Thank you, Congresswoman. Yes. Mobile
Location Confirmation is a new service that consumers can opt
into depending on their financial institution. More and more
financial institutions are enabling this service, and it allows
them to associate their mobile phone with their account so that
we can detect whether or not their mobile phone and their
purchase is happening within the same vicinity. So, for
example, if your constituent is doing a purchase in New York
but their mobile phone is in Los Angeles, we would score that
transaction as higher risk and there may be a chance that that
transaction would be declined versus if their transaction was
occurring in Chicago and their mobile phone was also in
Chicago, we would have better confidence that it is really then
doing that transaction. So higher likelihood of an approval.
Ms. RADEWAGEN. Thank you.
As a member of a district that is comprised mostly of small
businesses, I am concerned about the merchants in my district
that can benefit from the EMV chip but cannot afford the
transitional cost. Do you have any plans to offset this cost
for such merchants?
Ms. ERICKSEN. Well, we know that based on the countries
that have moved to chip technology in previous years, the
incremental cost of moving to chip now in the U.S. is rather
based in. So we know that roughly 30 to 40 percent of the
terminals that already exist in the U.S. have the chip hardware
slot in them but they may need a software upgrade. So in many
cases they do not need a new terminal. They just may need a
software download from their processor. And as we have
mentioned, some of the costs that are available or the
terminals that are available to merchants are now in the cost
range of $50 or $49 for the Square device and under $100
merchants can buy a terminal at Costco for $99, for example.
And that device was even on sale for an additional 20 percent
off last week. So we are seeing more and more low-cost and
cost-effective solutions becoming available to the merchants.
Ms. RADEWAGEN. Wow. Thank you, Ms. Ericksen.
Ms. ERICKSEN. Thank you.
Ms. RADEWAGEN. I yield back, Mr. Chairman.
Chairman CHABOT. Thank you. The gentlelady yields back.
The gentlelady from California, Ms. Chu, who is the ranking
member of the Economic Growth, Tax, and Capital Access
Subcommittee, is recognized for five minutes.
Ms. CHU. Thank you.
Ms. Ericksen, as of July 1, 2015, the EMV Migration Forum
estimated that only 25 percent of retailers would be in
compliance with the October 1st deadline. Previous estimates
had been as high as 44 percent of merchants meeting the date.
Are we behind in terms of the adoption? First, I would like to
know the answer to that.
Ms. ERICKSEN. Yeah. I think there have been different
estimates depending on if it is coming from AITE Group or the
Payments Security Task Force or EMV Migration Forum that have
all been roughly projecting that by the end of this calendar
year, roughly 40 percent of the terminals would be upgraded by
the end of December of this calendar year. And so as we were
mentioning before, we know it takes several years to get to
critical mass of adoption, and we have seen quite a bit of
significant momentum with the 314,000 locations as of September
15th, and even more locations that came on just in the last
week and are planning to come on this month. So I would say
there has been great participation in the merchant community in
terminalizing and updating those terminals to be able to accept
chip cards. And even more plans for that to continue to roll
forward in 2016 and 2017, which is very similar to what we have
seen in other countries that have moved to chip.
Ms. CHU. Have you done a poll as to what the main issue is
in terms of adoption? Is it ignorance or is it the expense?
Ms. ERICKSEN. I think it is mainly just planning that into
their implementation time. Many large retailers have just
recently announced that they have enabled nationwide whereas
they were previously piloting in 50 to 100 stores to fine tune
the solution, train their sales staff, make sure that they had
the solution operating the way that they wanted it to operate
before they rolled it out nationwide; whereas, some small
business merchants have been upgrading as their processors have
been providing them the solution. So it depends if you are a
major retailer or a small business owner as to how that
migration is going forward. But we have actually seen quite a
few major retailers enable in just the last week or two and
more even planning to go forward.
It is also important to note that roughly 50 percent of the
volume we see today has been coming from small business
merchants, so many members of the small business community have
been upgrading to EMV and are continuing to do so as they go
forward.
Ms. CHU. So in these other countries that you mention, such
as Brazil and Canada and, of course, EU, are they at 100
percent compliance now?
Ms. ERICKSEN. They are at roughly 90 percent, so it did
take about four to five years after the liability shift date in
each of those countries to get to 90 percent. There are still
some cards and some terminals, in Australia and Brazil, for
example, that are not 100 percent updated to chip. So it really
depends. There are still some merchants that may decide that
they are going to wait, and there are still some issuers that
have not reissued all of their cards. But that is really the
benefit of the liability shift, is it provides that incentive
but it is still ultimately the end party's final business
decision as to whether or not they invest.
Ms. CHU. And have they been able to successfully reduce the
fraud in those countries?
Ms. ERICKSEN. Yes. We have seen typically around the time
of the liability shift date, two years after that they got to
60 or 70 percent of their volume being chip on chip. The
criminals tend to do a last run at counterfeit fraud right up
to the liability shift and a couple months and years after
until they get to 60, 70 percent of their volume being chip on
chip, and that is also when we see that counterfeit fraud start
to go down is when a country gets to around 60 percent of their
volume being a chip card used at a chip terminal.
Ms. CHU. And Mr. Weston and Ms. Roche, you talked about
supporting H.R. 2205, the Bipartisan Data Security Act, which
would apply Gramm-Leach-Bliley standards for all industries
that handle sensitive financial institutions. Can you elaborate
on the data security measures that you have to meet under this
act? How would this change for all of the other merchants that
you think should have these kind of standards?
Mr. WESTON. I think the important thing here is that any
entity that is handling consumer financial information needs to
have some respect for the privacy of that information and the
duty to protect it. Today there is not a clear national
standard, a federal standard, that everyone who handles that
sort of information has to abide by. Financial institutions, be
they credit unions or banks, are certainly subject and are
regulated and examined. The retail industry today has no
standards.
Ms. ROCHE. And I will add that the details are provided in
my written testimony, but agreed. The national standards would
be very important to ensuring that the data is not breached, it
is not taken.
Ms. CHU. Okay. Thank you. I yield back.
Chairman CHABOT. Thank you. The gentlelady yields back.
The gentleman from Illinois, Mr. Bost, is recognized for
five minutes.
Mr. BOST. Thank you, Mr. Chairman. And I guess my first
question is to Mr. Talbott. When you show the swipe device and
you say it is about $50, and there are many makers of that
device, are they already competing them on a price basis for
the merchants? I know every place we go, it does not matter
whether it is to take a cab, barber shop, wherever, that they
are using--if they do not have, if they are not a larger
merchant, whether it is in their cash register or they are
available right there at the register, they have those. So do
you see a competition on those?
Mr. TALBOTT. Yes, sir. The payments industry is highly
competitive, and there are a number of players who can provide
a card reader, whether it is an actual equipment device maker,
processors can cut a deal. Everyone is trying to get the
merchant's business, and they are competitive both on the price
of equipment as well as services.
Mr. BOST. So with that, are we seeing the education?
Because as a small business owner myself, I know that there are
many that do not know and do not understand the liability that
is going to be put on them. Do you think that those companies
then are also trying to educate and let people know? And then
how many times, as a small business person, do you realize when
somebody sends you something you think, ``Oh, yeah, that is
just make-believe. I am not going to respond to that.''
Mr. TALBOTT. I think everyone in the industry, at least ETA
members, are actively pursuing education as well as financial
incentives to offer to small businesses to let them know this
is a perfect opportunity. If you service a small business, your
processor could reach out and talk to them, talk about an
equipment upgrade, talk about the change, talk about what the
liability shift means. There is also a lot of negative noise
out there that we are working to fight through. Critics are
arguing that this is not great, which is inaccurate in the
sense of the ability of chip to reduce fraud, counterfeit card
fraud. But the efforts are being made both education-wise in
all forms, as well as financial incentives are being offered.
Mr. BOST. Have you heard of any, I mean, everybody thought
it was safe when you first had the swipe. You know? I mean,
when cards first came out we thought they were safe. Criminals
are always going to be looking for something else to put on
there.
Mr. TALBOTT. That is right.
Mr. BOST. And do we see already somebody trying to offset
this?
Mr. TALBOTT. Well, I think that there is always going to
be--we will build a 10-foot wall and crooks will build an
11-foot ladder, and so we must be continuously vigilant, as well
as pulling multiple layers of protection, whether it is EMV,
tokenization, encryption, or biometrics, we need to keep moving
the system forward because the crooks will continue to fight to
try and go after the money. So devaluing the information is the
first step, and that is what tokenization, as well as chip
does.
Mr. BOST. Just another question if I can, because I have
the panel in front of me and I wanted to find this out. The
responsibility of the merchant to ask, or their agent to ask
for an ID along with the presentation of the card, is that
still pushed for?
Mr. TALBOTT. Not at this point. It is a fallback, but it is
not necessarily common practice.
Mr. BOST. Okay. Because my wife, I mean, she always thanks
people if they do that, and I have watched her do that. And so
many people, we just do not think about it.
Ms. ERICKSEN. Yeah. No, merchant does not have liability
for lost and stolen fraud, so typically checking an ID and all
of that would be associated with that. So the merchant is
actually protected against any liability for lost and stolen
fraud. There are some merchants that may want to ask for an ID,
particularly some gas station merchants sometimes do that where
they will ask for an ID and we do allow that, but we do not
require it.
Mr. BOST. Okay. All right. Thank you, Mr. Chairman. I yield
back.
Chairman CHABOT. Thank you. The gentleman yields back.
The gentlelady from Michigan, Ms. Lawrence, is recognized
for five minutes.
Ms. LAWRENCE. Thank you, Chairman.
I am very sensitive to the larger financial institutions
and the smaller financial institutions. So my question today
will be directed to Mr. Weston and Ms. Roche. You represent the
small and mid-size financial institutions. I would like to
understand from your perspective, we talked a lot about
liability for the merchants and for the industry, but let us
drill down to your piece of the market. What types of costs do
you incur? What is the impact on you as a smaller financial in
notifying your customers or responses to breaches? So would you
please elaborate on that?
Ms. ROCHE. So at our credit union, we take breaches very
seriously because we know how disruptive they are to the
consumers. I think someone on the Committee mentioned how
difficult it is when your card gets compromised to get the new
card, activate it, get all of your authorized payments set up
again, so it is very difficult and concerning problem. It does
not feel good. You have been compromised. So what we do is
proactively make phone calls when there is a breach, such as a
large Target breach or Home Depot where so many cards have been
compromised. We get a list. Typically, we get a list of those
cards that might have been involved in that, and we reach out
to the consumers, our members, on an individual basis to let
them know that their card may have been compromised, and then
we give them the option, the choice of whether or not they want
the card reissued. And that is probably a much more
pro-consumer way of handling it because otherwise, you are forcing
the consumer to switch the card out and----
Ms. LAWRENCE. And Ms. Roche, if I could just say, you know,
there is a difference between your local credit union and the
national financial institutions. One of the things I hear a lot
is that personal touch. But what I wanted to drill down, what
is the impact financially, because you do do that personal
outreach? Is it going to be a greater impact on you with the
chip or less of an impact? So that is where I am trying to go.
Ms. ROCHE. So that is a great question because really, the
EMV in the chip is a first step and only helps with one type of
fraud that is being committed. And then we have also talked
about all these other different technologies that are coming in
to play to help combat the other ones. But what NAFCU and our
credit union supports is that there is H.R. 2205, to implement
a national data security standard, because that is going to
keep everyone looking forward. It is going to put some of the
same requirements on all businesses, that financial
institutions are already having to comply with, and it will
make the consumer information much more safe and secure.
Ms. LAWRENCE. Thank you.
Mr. WESTON. I would just add that I think doing something
to combat the breaches, whether it is convincing the
organizations, be they healthcare providers or retailers to
step up to data security standards that are the equivalent of
what the financial services industry does, the chip card
deployment, certainly, anything we can do to make the
information better protected, to make it much more difficult
for the bad actors to utilize it if it is available to them,
that is going to be helpful to the community financial
institution as well as to the consumers because they are not
going to have the disruption in their lives of being on a trip
and having their card be shut down and having to get another
one overnighted, et cetera. It is an expense for us but similar
to what Ms. Roche indicated, we look at it as a high-touch
service. We have got to be there for our customers. That is the
community bank way of competing. And so it is a necessary
expense.
Ms. LAWRENCE. I just wanted to follow back on what Ms.
Ericksen said. I am refreshed that, or encouraged that you are
going to continue the education, that you will continue to do
the briefings. It is good to know that the providers are also
doing some outreach to the small businesses. Because one of the
challenges, as you know, to small businesses is the asset to
information and education. And so I really, any way that we can
enhance that with public announcements or anything that we can
do through our chambers, I really encourage that.
Ms. ERICKSEN. Thank you.
Ms. LAWRENCE. Thank you.
Chairman CHABOT. Thank you very much. The gentlelady's time
has expired.
Ms. LAWRENCE. I yield back.
Chairman CHABOT. Thank you.
The gentleman from South Carolina, who is the chairman of
the Subcommittee on Economic Growth, Tax, and Capital Access,
is recognized for five minutes.
Mr. RICE. Thank you, everybody for being here. I find this
really interesting. It brings me back to my commercial paper
classes in law school. And the shifting of liability is
certainly a worrisome but understandable thing. It sounds like
everybody on the panel thinks this is a good idea. I have not
heard anybody argue against it.
The chip cards only help for in-person transactions; right?
So what percentage are in-person versus others? Can anybody
quote those statistics?
Mr. TALBOTT. I think of the total fraud, Congressman, about
half is in-store, and of that, about two-thirds is in-person. So
we are talking about 3.5 or so billion a year.
Mr. RICE. Half and two-thirds?
Mr. TALBOTT. Half of all fraud is online; half is in-store.
And of that half that is in-store, two-thirds is counterfeit
fraud. Counterfeit fraud.
Mr. RICE. Okay. And you say that encryption is the biggest
tool you have to fight online fraud; right?
Mr. TALBOTT. Yes, sir.
Mr. RICE. I mean, for years I would not put my credit card
on the Internet, and I finally broke down and now it is a
routine thing and it is amazing that it does not happen more
than it does.
Does this proposed--this regulation commit small businesses
to any future upgrades or just this one instance?
Ms. ERICKSEN. The liability shift is just for an upgrade to
EMV.
Mr. RICE. That is it?
Ms. ERICKSEN. That is it.
Mr. RICE. And so when you come up with your next best
thing, they are not committed to do that?
Ms. ERICKSEN. We are encouraging that when they are making
that infrastructure upgrade for EMV to protect against
counterfeit liability, that they also consider contact with an
NFC which enables them for mobile phone acceptance because it
is a very similar upgrade and many times the equipment does
both. So to make sure----
Mr. RICE. What I am worried about is you are going to come
up with something greater two years from now that they are
going to be required to do that or there will be a liability
shift. There is nothing in there that requires that.
Ms. ERICKSEN. In other countries around the world, when
they have moved to the EMV liability shift, that has been the
key driver.
Mr. RICE. Let me ask you this. Earlier people were talking
about the difference in liability for debit versus credit
cards, and you are saying the consumer has no liability for
either. I have always heard debit there is a little bit more
concern there, but what about Internet banking transactions?
You know, I log onto my bank and I put in my account name and
my password and I can move money. Who is liable for that? If
somebody stole my password and my account name, who is liable
for that?
Ms. ERICKSEN. I will leave that to my banking----
Mr. WESTON. I believe the rules would apply that it is
between you and the bank that you have chosen for your PC
banking service. So as a customer of that financial
institution, you need to look to their policies as to----
Mr. RICE. So there is no law. Like, the old law that the
bank is supposed to know your signature on your check and that
is your problem if it has been forged.
Mr. WESTON. Certainly, if you are transferring money in and
out of your account, there are rules that apply to electronic
funds transfers. Yes.
Mr. RICE. All right. One thing that has bothered me in the
past as a user of credit cards is when--it has not happened
very often, but I might be in a store to buy something and my
credit card gets declined, and I go outside and I call the
credit card company and they say, you know, this actually
happened to me. They said, ``Well, at 3 o'clock in the morning
your card was used to sign up for Vonage. We do not think that
was you.'' Well, they were right. It was not me. $14.00. They
were right. Should they not have some duty to notify me about
that before I am standing in a----
Ms. ERICKSEN. So many issuers do have the ability to give
you an alert. So this happened to me not that long ago. I was----
Mr. RICE. I hear ``ability,'' but should they not be
required to notify me before they start declining my card on
in-person transactions because some guy in Russia is doing
Internet transactions for $14 to Vonage?
Mr. TALBOTT. I think the challenge of that type of law
might be overinclusive and underinclusive at the same time.
There are so many different variations of that pattern, and we
all have experienced it, that the industry is actually ahead of
that and they will notify customers. I get notified frequently,
so the industry has taken that step. I think a law would be
difficult to implement.
Mr. RICE. How difficult is it for somebody--let us say I go
into a restaurant and a waitress writes down my credit card
number and expiration date and name. How difficult is it for
somebody with that information to create a dummy credit card
and use it in person?
Mr. TALBOTT. It is actually very simple. The technology for
your mag stripe is about 40 years old. It is the same
technology used in cassette tapes, if you remember those. So it
is easy for them to take the information and create a
counterfeit card. And that is really where chip comes in, is
that waitress would not be able to use that fake counterfeit
card in stores. She could use it online, and that is where
tokenization comes in, but it is actually very simple, which is
why this step is necessary to end that counterfeit card fraud.
Mr. RICE. My time is up. Thank you very much. It has been
certainly educational.
Chairman CHABOT. Thank you. The gentleman's time has
expired.
The gentleman from New Jersey, Mr. Payne, is recognized for
five minutes.
Mr. PAYNE. Thank you, Mr. Chairman, and to our ranking
member. And the gentleman from South Carolina, I tend to agree
with you. This has been very educational. For some reason I
have more problems with the cards I use than I have ever wanted
to imagine.
Mr. RICE. Mr. Payne, it seems like I agree with you a lot.
Mr. PAYNE. Absolutely. Let me just ask, and this is for Ms.
Ericksen or Mr. Weston. I am concerned about that the EMV
required will affect small banks. In my district I have the
only African-American owned bank in the State of New Jersey
and, you know, naturally, it is a small business. Minority
banks control about $5 billion in assets as compared to say a
Wells Fargo, that by itself has some $1.7 trillion in assets.
It is estimated that it costs banks and credit unions
approximately $3.04 for non-EMV cards, but the cost to produce
the new EMV cards is almost twice that cost at approximately
$5.81. How can we ensure that small business banks and credit
unions are not put at risk because of these requirements?
Mr. WESTON. Well, speaking from the community banker
standpoint, I think the best way for smaller issuers to
participate is through a combined program where we combine the
buying power of those banks and collectively do processing
arrangements or purchasing arrangements to bring those costs
down to what is a more competitive figure to help them out.
That is certainly what we have been doing at ICBA.
Mr. PAYNE. Okay.
Ms. ERICKSEN. Yeah. And from a Visa perspective, we are
certainly working across the industry to drive down the cost as
much as possible by streamlining the implementation process,
streamlining the certification process, so when those banks
come online to enable their backend system to process that chip
one-time code through the system, we have done a lot to drive
down that cost of implementation certification and enabling
that chip technology to go through the system.
Mr. PAYNE. Okay. Thank you.
Ms. Roche, you know, your testimony, you stated that in the
United Kingdom, online fraud rose 79 percent after their EMV
transition. Online fraud in the UK has doubled as well. Based
on these facts, we can presume that the U.S. should soon expect
a significant spike in online fraud. And with the holiday
online shopping season quickly approaching, this is a major
concern. In your testimony you mentioned tokenization and
cardholder verification technologies as an answer to online
fraud. When should we expect this transition, and how will it
work, and how will the liability shift work?
Ms. ROCHE. So I may yield to one of the other experts at
the end of the table about when they expect those technologies
to come into play, but what we think about at our credit union
is that there is always going to be something else coming down
the pike. And so the best way to protect the consumer data and
protect the payment system and keep that fully functioning is
to have a national security--data security standards in place.
And that is where the H.R. 2205 becomes important because it
gets all of us focused on making sure that we are staying ahead
and keeping up with the latest technologies and play and
keeping the information secure.
Ms. ERICKSEN. As it relates to the other technologies, we
really look at them as a layered security approach in working
together. So from a chip perspective, as we mentioned earlier,
there is already more chip cards in the U.S. from an issuance
perspective than any other country. And on the merchant side we
are seeing more and more merchants enable chip acceptance every
day. End-to-end encryption also protects that data when it is
in a merchant's system. It makes it harder for a criminal to
break in and get that data, but when we move to more and more
of the transactions being chip transactions, if a criminal
breaks in and gets that data, there is a lot less they can do
with it. They cannot use it for counterfeit fraud, for example.
So encryption and chip technology work together. Encryption
secures the data from being accessible and EMV chip data makes
that data less valuable to a criminal if they get it. And then
tokenization works well also for the online environment and for
mobile applications where we are replacing the account number
with a different number, so that way if the criminal gets that,
they also cannot use it for anything. They cannot use it for
counterfeit card fraud and they also cannot use it for online
fraud either.
Mr. PAYNE. Thank you. I yield back.
Chairman CHABOT. Thank you. The gentleman's time is
expired.
I will now recognize the ranking member for a statement or
question.
Ms. VELAZQUEZ. A last question. Do you expect financial
firms to phase out magnetic strips in the future?
Mr. TALBOTT. We are going to have to run two parallel
systems for a while, but eventually magnetic stripe will drop
to very small percentages.
Ms. VELAZQUEZ. Okay. All right. Thank you.
Chairman CHABOT. I have a quick question and then just a
final point. I think it was you, Mr. Talbott, that talked about
when we build the 10-foot wall the bad guys were up an 11-foot
ladder. I assume that you all are thinking of those things
relative to this, and if so, would you want to comment on that
without telling the bad guys what you are up to?
Mr. TALBOTT. Sure. Here is the secret passcode.
As we develop these technologies to deal with threats, we
are also looking to develop, and we are developing other
technologies, whether it is geolocational, whether it is
biometrics, whether it is facial or voice recognition. All of
those are in the works. Thumbprints are already in play in a
number of mobile phone applications. So we are constantly
working and committing resources on R&D to develop new types of
technology, dynamic types of technology to address future
frauds and to make the system more secure. So we are constantly
vigilant.
Chairman CHABOT. Thank you very much.
Ms. ERICKSEN. We are continuing to invest also in other
technologies that use the analytics in the system. For example,
we just announced a few months ago something called Visa
Transaction Advisor, where we send a code actually to the gas
station, to the gas pump, that detects whether or not that
might be fraudulent that would prompt the cardholder to then go
into the store where the gas station attendant could maybe ask
for ID to make sure it is really the real person. So we are
investing not only in point-of-sale technology that helps
detect fraud and possibly ask for a higher level of
authentication like an ID, but continuing to invest in those
predictive analytics that detect fraud patterns as well. So the
technology is continuing to advance. There is also some work in
the industry called 3D Secure 2.0 which is going to allow the
sharing of data, like IP address and billing and shipping
address matching for Internet or online transactions that will
help better predict any fraud in the online environment. And so
there are continuing advancements that are happening there as
well.
Chairman CHABOT. Thank you.
And I think we heard from a number on both sides of the
aisle, members who indicated that this was very helpful, and I
think we learned a lot. Hopefully, the public did as well in
educating people about what is happening here. And as I
mentioned in my opening statement, it is the Committee's
intention to have another hearing in a couple of weeks to allow
all the merchants and small business folks and retailers to
come in and voice their concerns to the Committee so we can
delve into this further and make sure we are getting a complete
picture of what is happening out there.
And I want to thank our witnesses for participating today.
I would ask unanimous consent that members have five
legislative days to submit statements and supporting materials
for the record. And if there is no further business to come
before the Committee, we are adjourned. Thank you.
[Whereupon, at 12:40 p.m., the Committee was adjourned.]
A P P E N D I X
Statement of
Stephanie Ericksen
Vice President, Risk Products
Visa Inc.
House Committee
on
Small Business
Hearing on
Transition to EMV Chip
October 7, 2015
Chairman Chabot, Ranking Member Velazquez and Members of
the Committee, my name is Stephanie Ericksen and I am Vice
President of Risk Products at Visa Inc. Thank you for the
invitation to appear before the House Committee on Small
Business to discuss Visa's ongoing efforts to help transition
the US to EMV chip technology and what this means for small
businesses.
For more than 50 years, Visa has enabled people, businesses
and governments to make and receive payments across the globe.
As a global payments technology company, we connect financial
institutions, merchants and governments around the world with
credit, debit and prepaid products. Visa works behind the
scenes to enable tens of millions of daily transactions,
powered by our core processing network--VisaNet. We make
digital commerce more convenient, reliable and secure. It's
important to note that Visa does not issue credit or debit
cards or set the rates and fees on those products--our
financial partners do.
Data breaches in recent years have highlighted that no
business or industry is exempt from cyber threats, and,
everyone--from consumers and small businesses to corporations
and governments--are the targets. In today's connected world,
it is critical that all those in the payments systems--payment
networks, merchants, and financial institutions--work together
to protect sensitive information and continue to drive
advancements in security. At Visa, nothing is more important
than maintaining trust in the payment system and we continue to
place security at the forefront of everything we do.
Given the current cyber threats, especially those that
merchants face, we need to move the payments industry away from
static account information that can be stolen and used for
fraud, to smarter technologies that make stolen account
information useless to criminals. Chip is an important part of
this fundamental change in the payments system, and we're
committed to helping consumers and businesses make the shift.
EMV Chip Technology
This morning, I look forward to sharing with the Committee
Visa's efforts to encourage the adoption of EMV chip technology
in the U.S., as well as our work to educate and empower small
businesses during this important transition period. For those
who are unfamiliar with chip cards, or smart cards as they are
often called, let me provide an overview of what they are, how
they work and how we got to where we are today.
An EMV chip is a microprocessor that is embedded in a
payment card or in other form factors such as a mobile phone.
When a consumer uses a chip card at a chip terminal, a unique,
one-time-use code, or `cryptogram' is generated for each
transaction. This type of authentication, which introduces
dynamic values for each transaction, adds a substantial layer
of safety. Chip cards effectively prevent counterfeit fraud,
virtually eliminating one of the common ways criminals use
stolen payment data. Since chip technology makes it essentially
impossible to counterfeit cards, which is approximately two-
thirds of the fraud that occurs in stores today, merchants will
be less attractive targets for criminals.
Chip technology is also the basis for future payments
innovation because it enables technologies like near field
communications (NFC) technology and tokenization. When small
business owners upgrade to chip-enabled terminals, they aren't
just investing in payment and data security. They are also
positioning themselves to accept the next generation of secure
payment technologies, such as mobile and digital payments.
The payments system in the US is larger and more complex
than any other in the world, with thousands of financial
institutions and millions of businesses accepting electronic
payments. In August 2011, Visa announced a roadmap to
transition the US to chip technology through a set of
milestones intended to encourage both issuers and merchants to
adopt the chip technology. Visa's EMV chip roadmap is not a
mandate. Instead, it provides marketplace incentives to
encourage adoption by financial institutions and merchants--
elements that have proven to be effective in moving other
markets to deploy chip technology and thereby drastically
reduce counterfeit fraud.
As part of the incentive program, Visa rules specify that,
as of October 1, 2015, liability protection from counterfeit
fraud on in-store payments is extended to the party that makes
the investment in chip technology. The party that has not
implemented chip technology, be it a bank that chooses not to
issue a chip card or merchant that cannot accept a chip card,
may bear the loss from any resulting counterfeit fraud. This
shift applies to in-store, point-of-sale environments. Due to
the complexities and life cycles of Automated Fuel Dispensers
(AFDs) and ATMs, their liability shift will take effect October
1, 2017.
Education of Small Businesses a Top Priority
Throughout the ongoing transition to chip, Visa has
dedicated significant resources to raising awareness and
providing small businesses with the tools and information they
need to adopt chip technology. In March, Visa launched our 20-
City Small Business Chip Education Road Show to help business
owners understand the value of chip card technology and to
increase chip card acceptance. To date, we've traveled to 16
cities including Cincinnati, Charlotte, San Francisco, Boston,
Houston, Miami, New York, Albuquerque, and Denver--to name a
few. More than 1,000 small business owners have turned out to
learn about chip technology from experts in payment security.
To amplify our efforts, we are working closely with other
partners, organizations and clients that provide critical
resources to small businesses, including the Small Business
Administration, America's Small Business Development centers,
Facebook, the National Federation of Independent Business, and
local chambers of commerce across the country.
Our efforts to educate small business owners do not stop
there. On top of our dedicated chip education website--
www.visachip.com--which contains specific information for all
of our stakeholders, we also created an online toolkit
specifically for the small business community
(www.visachip.com/businesstoolkit). With easy-to-use
navigation, small business owners can quickly access actionable
information about chip technology including a step-by-step
guide to adopting chip, videos, and infographics at their
convenience.
A key success factor in the transition to chip technology
is ensuring a seamless checkout experience. To address this,
our toolkit provides employers with a training module to ensure
their employees know and understand how to use chip technology;
it includes decals to place at the point-of-sale alerting
customers that they accept chip cards, as well as instructions
on how to complete a transaction with a chip card. Visa is
making all of these materials available free of charge to
merchants.
We have also focused on addressing the most significant
barrier to adoption small business owners face: cost. Visa has
worked with the terminal providers to make transitioning to
chip technology more easily accessible, especially to smaller
merchants. Low-cost chip terminal options are available for
less than $100 and, in many cases, the terminal is included in
the cost of the service. For example, Square, a leading
merchant processing services provider, recently announced a new
$49 card reader that accepts EMV chip cards and Apple Pay.
Square is giving away 250,000 of them for free to small
business customers and will also take on the risk of
counterfeit fraud after October 1 if the merchant pre-ordered a
device.
And, this is just one example. Other terminal providers
like Chase, Bank of America Merchant Services, and VeriFone, to
name a few, have several low-cost options available to small
business owners that help prepare them for the
future of accepting all payment forms including chip cards and
mobile payments.
We know that our efforts to educate and facilitate the
small business community are gaining traction. In fact, in
August 2015, nearly 50 percent of the nearly 4 billion dollars
in Visa chip transaction volume occurred at small businesses.
Chip Adoption Gaining Momentum
While we want to encourage a speedy migration to chip
technology to improve the security of payments everywhere, we
know that some businesses may take more time to upgrade. Owners
of small businesses that do not experience significant loss
from counterfeit fraud, such as dry cleaners, restaurants, or
hair salons, may decide to upgrade to chip as part of their
normal terminal replacement cycle. The roadmap was designed
with this type of flexibility in mind, allowing businesses to
make the transition on a timetable that meets their needs. Some
merchants, for example, were ready this summer ahead of the
liability shift, while others in the coming months.
In other words, October 1 marked the beginning of a process
that will ultimately lead to near-universal adoption of chip
technology in the US. With the milestones achieved to date, the
US is well-positioned to adopt the next level of payment
security for consumers, businesses, and financial institutions.
Where are we today?
Over the past twelve months we have seen significant
progress. Today, there are more than 150 million Visa chip
cards in circulation in the US, an increase of over 655 percent
in the last year alone. That number eclipses the roughly 129
million Visa chip cards in Brazil and 124 million Visa chip
cards in the United Kingdom, making the US the largest chip
market in the world.
Retailers, and particularly small businesses, are making
great strides in implementing chip technology. As of September
15, chip-enabled devices are in use at more than 314,000
merchant locations, representing a 470 percent year-over-year
increase. We are strongly encouraged by the number of small
businesses that are already using this technology and look
forward to continuing to encourage their adoption of chip.
Tokenization
While EMV technology eliminates in-store counterfeit card
fraud, it does not prevent all types of fraud--particularly
fraud that occurs online in the e-commerce environment. To
mitigate the growing risk of e-commerce fraud, Visa developed
tokenization.
Tokenization, which removes the account number from the
payment process completely, is one of the most promising
technologies for fighting fraud. Tokenization replaces the
accountholder's 16-digit account number in a payment
transaction with a unique digital ``token'' or proxy number
that is tied to the underlying account. Tokenization can
enhance transaction efficiency, improve cardholder privacy and
data security, and may enable new types or methods of payment.
When fully deployed, tokenization in combination with chip,
could virtually eliminate the need for merchants, digital
wallet operators or others to use cardholder account numbers.
Cardholder Verification Technologies
Mobile payment applications such as Apple Pay, Android Pay,
and Samsung Pay each offer enhanced security to consumers and
merchants by using tokenization solutions to prevent the
underlying card number from being compromised. And, as some of
you may know from personal experience, many of the new mobile
payment devices and applications use biometrics to verify your
identity--like a thumbprint--before you can complete a
transaction. At Visa, we believe this type of dynamic
authentication is the future.
Today, with expertise gained from years working with
merchants and issuing banks, Visa supports a variety of
cardholder verification methods, including signature, PIN, and
no cardholder verification for low value, low risk
transactions. However, we see dynamic, or one-time use,
verification technologies as the way forward. Just as the
information technology industry is looking to replace the
static password with more dynamic technologies, the payments
industry must also replace static technologies in the payments
ecosystem with more effective protections. I want to share a
few of these future technologies with you, some of which
exist today.
In February, Visa launched a new opt-in service that uses
mobile geo-location information to more reliably predict
whether it is the account holder or an unauthorized user making
a payment with a Visa account. By matching the location of the
cardholder through a cell phone or other mobile device to the
location of the purchase, this service helps improve fraud
detection and identify unauthorized transactions.
In addition, Visa introduced a new specification just last
month to use biometrics with chip and transactions. The
specification can enable fingerprint, palm, voice, iris, or
facial biometrics in the authorization of payments. This first-
of-its-kind technology framework is designed to work with the
EMV chip industry standard to help ensure open, globally
interoperable solutions for payment security. This product
addresses increasing demand for biometrics as a more convenient
and secure alternative to signatures or PINs, especially as
biometrics technologies become more reliable and available. The
architecture Visa has designed enables fingerprints to be
securely accepted by a biometric reader, encrypted, and then
validated. The specification supports ``match-on-card''
authentication where the biometric is validated by the EMV chip
card and never exposed or stored in any central databases.
Issuers can optionally validate the biometric data within their
secure systems for transactions occurring in their own
environments, such as their own ATMs. This innovative
technology is just rolling out, but has great promise for
protecting consumers in years to come.
Conclusion
We have come a long way in the past year as the US
transitions to EMV chip technology, but, we must continue to
work together to achieve the necessary progress to protect all
stakeholders in the payments space, including small businesses.
Visa is committed to continuing our work to drive innovation
and ensure that EMV chip technology, tokenization, geo-
location, biometric authentication, and other technologies
evolve to address the needs and threats of tomorrow. This is
critical for the success of our merchant and financial
institution clients, and we look forward to working with all
stakeholders on this important goal.
Thank you again for the opportunity to testify today. I
would be happy to answer any questions you may have.
Testimony of Scott Talbott,
Sr. V.P. for Government Relations,
Electronic Transactions Association (ETA)
House Small Business Committee
Hearing on the
EMV Deadline and What It Means for Small Business
Oct. 7, 2015
Introduction:
Chairman Chabot, Ranking Member Velazquez, and members of
the Committee. I am Scott Talbott, Senior Vice President for
Government Relations of the Electronic Transactions Association
(ETA). Thank you for inviting ETA to testify on the EMV
transition and what it means for small business.
By way of background, ETA is a global trade association
whose mission is to advance the payments technology. As the
trade association of the payments industry, the ETA represents
more than 500 of the world's most innovative payments and
technology companies, from Fortune 500 financial institutions,
to small, local sales organizations, to the world's largest
technology companies. ETA's members are dedicated to providing
merchants and consumers in our country the safest, most
reliable, most secure payments system to facilitate commerce
and power our economy--and the EMV migration is another major
step forward in this regard.
The Electronic Payments Ecosystem--Driver of Economic
Growth:
To help put the electronic payments industry into context,
when consumers buy something from a merchant, they often will
use a form of electronic payment, such as a credit card, debit
card, gift card, prepaid card. Purchases can be made in person
with the card or with a mobile device, or remotely, over the
phone or the Internet. While the transaction is simply and
securely completed within seconds of a swipe, dip, or tap, it
involves an enormous and complex electronic payments ecosystem,
which includes:
    consumer card issuing banks;
    the card brand networks that connect merchants and consumers;
    payment processors that connect merchants with networks of banks (issuing and acquiring) to ensure the transaction is authorized and processed;
    point of sale equipment hardware and software companies;
    program managers that work with consumers and issuing banks to help consumers obtain credit and prepaid cards;
    enablers of payment technology and e-commerce;
    merchant acquirers, which provide payment acceptance services;
    independent sales organizations that work directly with merchants to provide access to the payments system;
    sponsor banks, which establish policies for merchant acquirers, sponsor their registration with the card brands, and hold the risk of payment;
    anti-fraud companies that work with providers in the ecosystem to help ensure fraudulent transactions do not occur; and
    security companies that work with all other providers in the ecosystem to protect and secure transactions against intrusion.
This ecosystem is largely invisible to consumers and
merchants because it works seamlessly to process billions of
transactions each year--that's literally thousands of
transactions every second. Electronic payments are key drivers
of commerce and economic growth in our country. To put this
into greater context: 70% of U.S. GDP is attributed to consumer
spending, and 70% of consumer spending is done electronically.
Last year, electronic payments surpassed $5 trillion and
electronic consumer spending will only continue to grow.
Indeed, by 2017, we project that ETA member companies will
process $7.3 trillion in consumer spending in the U.S.
The Electronic Payments Industry's Commitment to Securing
Customer's Information:
ETA member companies take seriously their affirmative and
continuing obligation to protect the confidentiality and
security of their customers' information. Our payments systems
are built to detect and prevent fraud--and to insulate
consumers from any liability. In fact, consumers in the United
States choose electronic payments over cash and checks in large
part because they have zero liability for fraud, making
electronic payments the safest and most reliable way to pay.
The liability is borne by companies in the payments industry
due to Federal law and even more stringent payment network
rules. In light of this financial responsibility and a desire
to preserve consumer confidence in the security of electronic
transactions, ETA members have a strong interest in making sure
fraud does not occur, including through the misuse by criminals
of consumer data that happens to be compromised through a data
breach. Towards that end, payments technology businesses are
bolstered by robust compliance practices--whether their own in-
house policies, or ETA's own carefully crafted industry
Guidelines, which establish underwriting practices to help
payments companies detect and eliminate fraud.
Importantly, for those companies that follow them, self-
regulatory guidelines help ensure that consumer data is secure.
The Payment Card Industry Data Security Standard (PCI-DSS)
created by the PCI Security Standards Council, is an example of
one such successful industry-led, multi-stakeholder program,
safeguarding personal information that should serve as a model.
As a point of reference, fraud accounts for less than six cents
of every one hundred dollars spent on the payments systems--a
fraction of a tenth of a percent--and the payments industry is
on the cutting edge of technology to help further limit fraud.
But inasmuch as we just emerged from 2014, which the media
dubbed ``the year of the data breach,'' the payments industry
continues to innovate in order to further combat data breaches
and protect consumers against increasingly sophisticated cyber
criminals. It's our highest priority, since our business
depends on customers entrusting us with their personal and
financial data.
An important step in this security upgrade is the
transition to more secure chip, or ``EMV,'' cards, which use
smart technology providing enhanced security.
ETA has long championed adoption of EMV enabled chip cards
as one protection for consumers. EMV enabled chip cards, which
can be identified by a conspicuous chip on the card's face,
currently only make up about 25% of total card circulation in
the US, but this number is expected to increase to 90-95%
within the next two years.
To incentivize more rapid migration to EMV adoption, just
last week, on Oct. 1, the payments industry implemented a
long-planned liability shift for their card transactions, at which
point any participant in the transaction chain who is not EMV
compliant became responsible for any resulting fraud. This
industry-led initiative is an example of how payments companies
are proactively working to strengthen protection for consumers
and the payments system.
To explain further, EMV, which stands for EuroPay,
Mastercard, Visa, is the global standard for integrated
circuit, or ``chip'' cards. Today, EMVCo (the body that sets
the EMV specifications) is owned jointly by American Express,
Discover, JCB, MasterCard, UnionPay, and Visa, and includes
other organizations from the payments industry. EMV cards
feature embedded microprocessor chips that store and protect
cardholder data--similar to magstripe, but safer. An EMV card
is superior to a traditional magstripe card because it supports
dynamic authentication. EMV technology does this by generating
a unique, or ``dynamic,'' one-time security code for each
transaction, which makes the card nearly impossible to
replicate. Counterfeiting such cards is currently far more
difficult than producing cards with data that is ``skimmed''
from the magnetic stripes of genuine cards or stolen from
stored payments data, such as the high-profile merchant
breaches of recent months. Because EMV cards generate a dynamic
security code with each transaction, unlike a magnetic stripe
card which uses the same static code with every purchase, a
counterfeit card could not successfully produce the correct
security code and would not work in a card-present or face-to-
face transaction. Accordingly, EMV is an effective tool to
combat the manufacture and use of counterfeit cards and card-
present fraud. Because counterfeit card represents the single
largest type of card fraud in stores in the U.S. today, the EMV
migration is the most important step we can take. But although
chip cards reduce the value of compromised data by inhibiting
the creation of counterfeit cards, they do not stop data
breaches. Later in my testimony, I will describe other
initiatives within the industry that further augment the
protections provided by EMV and will help erect additional
barriers to bad actors, while simultaneously reducing the value
of the data they may attempt to obtain.
Small Business Merchant Perspective
Of course, EMV-enabled cards are only half the EMV-
migration equation, the other half is whether merchants have
converted their point of sale terminals to accept them.
Merchant acceptance of EMV cards is voluntary, and there are
any number of factors facing individual small business
merchants at this juncture which may affect their relative
focus on, and timing for, their respective conversions. For
instance, the cost of the conversion of terminals for the
average small business merchant is in the $50-$500 range, and
the cost and complexity vary depending on whether a small
business merchant only needs to convert a single terminal,
versus those with multiple terminals or terminals with
integrated systems that combine payments functions with other
functions, like inventory or payroll. For some, conversion to
new EMV terminals may provide them an opportunity to upgrade to
near field communication-enabled terminals in order to also be
able to accept mobile payments, adding additional benefit for
the merchant to convert sooner rather than later. In addition,
there is a certification process all merchants must undertake
in order to ensure compliance with card network rules and
safeguards. On a much more practical level, we expect merchants
right now are focusing on the upcoming holiday shopping season,
but that migration efforts will really resume in 2016 after the
holidays when many small business merchants renew their
contracts with the card networks.
However, given that it was only last week that the official
EMV liability shift happened, it appears as if the migration
for some small business merchants will lag behind other
businesses, especially if a small business merchant is the type
where the likelihood of a fraudster using a fraudulent card is
low due to the low dollars involved in an average transaction--
like at a dry cleaner or a car wash--and the resulting
financial exposure to the merchant from the fraudulent
transaction is, therefore, low. Put another way, a small
business merchant may view the need to convert to EMV
terminals--in order to avoid liability for a $16 dry cleaning
bill or a $10 car wash paid for by a fraudulent card--as a
relatively low priority. By contrast a small jeweler's risk of
liability for a fraudulently purchased $6,000 diamond ring
likely provides a greater incentive to convert to EMV terminals
as soon as possible. Small businesses will make this risk/
reward calculation, and this will cause variation amongst small
business merchants in their respective EMV migration rates. At
the end of the day, in the near term, the migration may require
small business merchants to teach consumers how to check out
with their newly-issued EMV cards in the new point of sale
terminals in order to keep customer transactions flowing
smoothly, and this will take some effort on the merchant's
part.
All of that said, there are any number of payments industry
financial assistance and incentive programs to assist those
merchants who may need it, and ETA has an educational website,
www.sellsafeinfo.org, to assist small business merchants with
the EMV migration. Additionally, ETA's own Risk and Fraud
Council recently published materials for small merchants to
determine what they need to do when a breach occurs.
Finally, ETA is a participant in the PCI Security Standards
Council Small Merchant Task Force. The goals and objectives of
the task force are focused on ensuring that small merchants
understand their responsibility for protecting payment card
data and to identify and mitigate areas of risk in their
environment. The payments industry has, and will continue, to
educate and assist small business merchants in this regard.
EMV Chip and Cardholder Verification Methods
While this hearing specifically focuses on EMV, it is
important to note that a separate question, independent of the
EMV migration, has arisen regarding whether consumers should be
required to use a personal identification number (PIN) for each
credit card transaction at the point of sale. The EMV chip
functions as a fraud prevention tool by generating a dynamic
security code, thus preventing the production of counterfeit
cards, the single largest (by far) cause of fraud in stores.
Put another way, this ensures that the card itself is valid.
The protection provided by EMV cards does not require a PIN. It
is important to note that a PIN is a method of verifying the
cardholder's identity (not that the card itself is valid, but
rather that, in theory, the person presenting the card is the
actual cardholder). This is referred to as a cardholder
verification method, or CVM. A CVM prevents a specific type of
card fraud called ``lost and stolen'' fraud--where a criminal
has stolen a physical card from a wallet, for example, and then
attempts to use the card before it has been reported stolen.
Other methods of CVM include signature and, in some cases, no
CVM is required, for example, because the transaction is a low
dollar amount or low risk of fraud, and a CVM would not be
beneficial to require.
ETA strongly supports the migration to EMV, and we believe
that card issuers should be permitted to make the choice that
is best for their customers as to cardholder verification
method to accompany the chip cards, whether it be signature,
PIN, or neither, when authorizing a transaction. Consumers and
merchants have benefitted from flexibility in cardholder
verification methods--including speedier checkout times for low
dollar, low risk transactions. For example, drive throughs,
quick service restaurants and convenience stores, in
collaboration with payments companies and card networks, allow
consumers to move quickly through checkout lines through
``swipe and go'' transactions that benefit all parties to the
transaction and help maintain overall consumer satisfaction.
Similarly, new mobile payments technology replaces traditional
CVMs with even more secure biometrics that promise both fraud
protection and consumer convenience at a higher level. An
important part of the decision of card issuers whether to
require their customers to use a PIN is whether merchants have
the capability to accept PIN as a CVM. It should be noted that,
at present, roughly 2/3 of the nation's merchants do not have a
PIN pad and thus cannot accept a PIN transaction from their
customers. For such merchants, consumers who are required to
use a PIN for a transaction could represent lost customers. It
could also result in a shift of additional liability for
fraudulent card transactions to those merchants that do not
have a PIN pad.
Similarly, not all mobile payments can use a static PIN
with the transaction. As merchants and consumers move from
plastic cards to mobile devices, including mobile phones and
wearables, this next generation of payments technology must not
be inhibited by plastic card-era systems. Also, many consumers
prefer not to have to remember PINs. Indeed, in 1967, the
inventor of the ATM, John Shepherd-Barron, first envisioned a
six-digit numeric code for customer authentication, but his
spouse could only remember four digits, which became the
commonly used length. Furthermore, the PIN is static and can be
stored on a card, making it vulnerable to interception or even
being guessed (there are only 10,000 possible 4 digit PIN
combinations). As our industry moves to dynamic security,
biometrics, and other systems that are even more secure, we
must consider these important factors in making the right
choice to secure transactions.
The fact remains that criminals are adaptive and constantly
probe for vulnerabilities. Focusing on one specific technology
gives hackers an open invitation to focus their energies on
that technology and to detect and exploit loopholes in the
payments system. Strong security involves a multi-layer
approach which has the ability to evolve in response to the
changing threat environment, allowing the industry to be as
nimble as the bad actors it is attempting to thwart. At the end
of the day, we all need to work continuously and
collaboratively across banks, payments companies, merchants and
consumers to find the most effective and efficient security
mechanisms.
ETA Members: Fostering other new technology
As previously mentioned, EMV is one part of the overall,
multi-layered solution to protecting data, consumers, and the
payments system. ETA members are simultaneously deploying new
innovations to further enhance security. For example, another
technology, tokenization, removes sensitive information from a
transaction by replacing customer data with a unique identifier
that cannot be mathematically reversed. In its simplest form,
it works like a secret code substituting symbols for important
information like a credit card number. This way, only the bank
that issued the card knows the real account information.
Tokenization is designed to work when a consumer pays with
plastic in person, online or with a mobile phone.
In a non-tokenized transaction, a consumer's actual account
number is transmitted and, in some cases, stored by retailers,
e.g., for purposes of facilitating returns. This trove of
information is what hackers typically seek in the case of
retailer data breaches. But in a tokenized environment, actual
account numbers are replaced by one-time-use tokens that
represent account numbers but cannot be tied back to the actual
number. If a breach occurs, the criminal only sees the
tokenized code, which is useless to them because it cannot be
used to generate a subsequent fraudulent transaction.
Another layer of protection deployed by ETA member
companies is the use of point-to-point encryption. Point-to-
point encryption is an advanced risk management tool that helps
further protect data throughout the transaction lifecycle. With
point-to-point encryption, card data is encrypted from the
moment the card is swiped or tapped, while the data is in
transit, all the way to authorization. This technology
minimizes opportunities for hackers and criminals to access
data during a purchase.
Additionally, many payment companies continue to innovate
advanced computer systems that monitor transactions and data
patterns to detect unusual activity that may indicate an account
has been hacked or a card lost or stolen. This monitoring
occurs in both traditional, card-present as well as in card-
not-present transactions, such as those taking place over the
Internet or phone.
Lastly, using a mobile device to initiate a transaction may
well be as common as swiping a card. Mobile payments and
digital wallet cloud technology are actively employing new
security technology that improves on legacy systems. Mobile
devices provide enhanced security, including passcode
protection for the phone, biometrics security features like a
fingerprint, secure chip technology, geo-locational information
to assist with verification, as well as both device and cloud
based encryption and tokenization capabilities.
The payments industry is creating innovative solutions
today--like voice and facial recognition--to solve tomorrow's
security threats. This protection ensures the flow of
information vital to helping consumers access and use
electronic payments, promotes competition and ensures the free
flow of commerce, and maintains public confidence. It is
imperative to find ways to encourage new technologies and
enterprises, ensuring that the payments revolution will realize
its maximum potential.
Conclusion:
Headline-grabbing events inevitably lead to calls for
additional government regulations. The members of the ETA are
the first line of defense for consumers to avoid the fraud
perpetuated by criminals in the financial systems. As
described, the payments industry takes seriously this charge
and works hard every day to detect and deter crime. ETA members
are deploying multiple layers of protection, including EMV,
tokenization, encryption, biometrics, and other payments
technologies that secure systems against criminal intrusions
and protect consumers and merchants. As the trade association
of the payments industry, ETA stands ready to assist the
Committee in its efforts to ensure that merchants, consumers
and the economy continue to benefit from the safety and
security of our nation's payments systems.
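Added example, not part of the ETA statement or of any ETA member's system: a minimal Python model of the tokenization described in the statement above, contrasting a merchant that stores account numbers with one that stores one-time-use tokens. The TokenVault and Merchant classes, their method names and the account number are constructed for illustration.

```python
import secrets


class TokenVault:
    """Hypothetical token service: the only party able to map a token to an account."""

    def __init__(self):
        self._pan_by_token = {}   # token -> real account number, never leaves the vault
        self._used = set()        # tokens that have already authorized a transaction

    def tokenize(self, pan: str) -> str:
        # The token is drawn at random rather than computed from the account
        # number, so there is no function an attacker could invert.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan)))
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def authorize(self, token: str) -> str:
        # Each token is good for one transaction only.
        if token not in self._pan_by_token:
            return "declined: unknown token"
        if token in self._used:
            return "declined: token already used"
        self._used.add(token)
        return "approved"


class Merchant:
    """Constructed merchant model; `records` is what a breach would expose."""

    def __init__(self, vault=None):
        self._vault = vault
        self.records = []

    def checkout(self, pan: str, amount_cents: int) -> str:
        if self._vault is None:
            # Non-tokenized: the real account number is retained, e.g. for returns.
            self.records.append({"account": pan, "amount_cents": amount_cents})
            return "approved"
        # Tokenized: the account number is swapped for a token at the point of
        # sale and only the token is retained.
        token = self._vault.tokenize(pan)
        result = self._vault.authorize(token)
        self.records.append({"account": token, "amount_cents": amount_cents})
        return result


def demo() -> dict:
    pan = "4000000000000002"  # constructed account number, not a real card

    legacy = Merchant()
    legacy.checkout(pan, 2599)

    vault = TokenVault()
    shop = Merchant(vault)
    checkouts = [shop.checkout(pan, 2599), shop.checkout(pan, 1250)]

    # What a breach of the tokenized merchant's records yields.
    stolen = [r["account"] for r in shop.records]
    return {
        "legacy_exposes_pan": pan in [r["account"] for r in legacy.records],
        "tokenized_exposes_pan": pan in stolen,
        "checkouts": checkouts,
        "tokens_differ": stolen[0] != stolen[1],
        "reuse_of_stolen_token": vault.authorize(stolen[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```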
[GRAPHIC] [TIFF OMITTED] T6854.001
Chairman Chabot, Ranking Member Velazquez, and members of
the committee, my name is Paul Weston, and I am President and
CEO of TCM Bank, N.A. in Tampa, Florida. I testify today on
behalf of the more than 6,000 community banks represented by
the Independent Community Bankers of America (ICBA). Thank you
for convening this hearing on the migration to EMV chip credit
and debit card technology and what it means for small
businesses. We're grateful to you for raising the profile of
this important topic.
TCM Bank, N.A. is a $178 million asset bank that serves as
the credit card issuer and ``back office'' for over 650
community banks that have chosen to outsource the specialized
function of credit card issuance. TCM Bank community bank
clients brand and market their credit cards, expand their
product offerings and customer relationships, and gain access
to a new revenue stream, without committing financial,
technical, or personnel resources to the day-to-day
administration of a credit card program. This arrangement
allows our community bank clients to focus on their core
lending competencies: small business, consumer, and farm
lending. TCM operates by the values and standards of service of
our community bank clients.
The community bank business model is directly linked to the
success of their small business customers. Community banks hold
a disproportionate market share of small business loans--nearly
50 percent--though they hold less than 20 percent of all
banking assets. ICBA and its community bank members take a
keen interest in the migration to EMV chip cards, both as card
issuers and as partners with the small businesses that are so
important to the national economy. Locally-managed community
banks are uniquely positioned to help small businesses make a
smooth transition to EMV chip cards and are committed to doing
so. TCM talks with community banks and their small business
customers every day.
Before discussing in greater detail the ongoing migration
to EMV chip and the respective roles of card issuers and
merchants, I would like to stress that consumers--your
constituents--are not on the hook for fraud losses as all
credit cards have zero liability provisions for consumers and
the Electronic Funds Transfer Act limits consumer liability for
any fraud on debit cards. This is true whether or not the card
issuer or the merchant is EMV chip compliant.
Small businesses that are involved with retail are already
being presented with payment cards with an EMV chip on the
front of the card in addition to the familiar magnetic stripe
on the back of the card. In order to process those cards using
EMV chip technology at the point of sale, most small business
merchants will need to upgrade their terminals and train their
front line staff to assist customers.
EMV chip cards contain a microprocessor that generates a
unique, one-time code to authenticate card transactions. If the
card information is stolen, it is useless to a criminal because
it cannot be used to conduct another transaction. EMV chip
cards are much more secure than magnetic stripe cards because
they are exponentially more difficult to counterfeit.
Counterfeit cards made with stolen information represent the
largest portion of fraud in the United States. And while
consumers are protected against loss, having to replace a
credit or debit card is inconvenient at best. EMV chip cards,
together with merchant-provided chip readers at the point of
sale, will play a critical role in reducing counterfeit fraud
for both debit and credit cards.
Community banks are joining other financial institutions in
the orderly migration to deploy EMV chip technology for debit
and credit cards. This migration is already underway. A story
in USA Today last week reported that roughly four in ten
consumers already have an EMV chip card.
There is no legal mandate that card issuers adopt EMV chip
or that retailers invest in EMV chip card readers. However, new
rules in the card industry took effect on October 1, 2015 that
will incentivize a shift to EMV chip technology that is in the
best interest of all parties. The new rule provides that
liability for fraudulent transactions sits with the party (i.e.
retailer or bank) that didn't invest in chip technology. In a
case where the bank doesn't offer chip cards and the merchant
doesn't have a card reader, the bank will continue to be held
responsible for covering the cost of the fraud. Similarly, in a
case where both the bank and the merchant are chip compliant,
the bank will continue to be responsible for losses incurred
from fraudulent use. The October 1 liability shift represents a
change in economic incentives rather than a legal mandate.
October 1 is not a deadline in any meaningful sense of the
word. Instead the liability shift serves as a catalyst for
change. Already, many card issuers and merchants have adopted
EMV chip. Others will limit their liability exposure by
adopting EMV chip before year-end. Some will choose to defer
adoption into 2016 or even 2017 for automated fuel dispensers.
Each issuing bank and each merchant will decide when to adopt
EMV chip based on its own business model, vulnerability to
fraud, and management of risk. The timing to complete each
bank's reissuance of all cards in chip form will vary.
Community banks will weigh the implementation and issuance
costs with potential risk and demand from consumers. The
migration to full EMV chip card usage will likely take several
years to accomplish.
Based on many conversations with community banks and their
small business customers, I believe that most small businesses
are taking a very prudent approach to the migration. They are
not buying from the first terminal salesperson who calls, and
they are planning to closely follow as larger national
retailers begin to enable EMV chip at the point of sale.
To give you a sense of what's involved for community banks,
the initial costs of issuing EMV chip cards fall broadly into
three categories:
1. Card production and deployment- Includes artwork and
card redesign, acquiring new inventory of card stock, card
personalization, and postage.
2. Implementation- Includes programming, software upgrades,
processor costs, and new authorization techniques. ATMs and
branch card issuance systems also need to be upgraded.
3. Training- All parties have to be trained. Community
banks will focus on educating the cardholders as they adapt to
a new way of presenting a card for payment at the point of sale
in addition to training bank personnel and merchants to ensure
that all parties can assist the consumer, even at the point of
sale.
For merchants, the costs involve the purchase, deployment,
and activation of EMV chip card readers. They must also train
retail personnel to assist cardholders in the use of an EMV
chip card. Community banks will serve as an important ally and
resource to smaller retail businesses making the transition.
They will help their merchant customers by providing equipment,
expertise, and education to guide them through this change.
Since community banks are local, they serve as ``feet on the
street,'' especially for the small businesses in their
communities.
For consumers, the transition will involve relearning a
process which has become second nature. Instead of swiping a
card through the magnetic stripe slot, a process that has
become very well ingrained over many years, using an EMV chip
card involves inserting the card into an open slot and leaving
it there for a short time as the transaction is completed.
Community banks are actively working to educate and reassure
their customers about these changes coming to the point of
sale.
While EMV chip cards are an effective means of reducing
fraud related to counterfeit cards, they are not a panacea for
all types of payment card fraud. Multiple layers of security
technologies are needed in addition to EMV chip to mitigate
other types of fraud. Card numbers and cardholder information
must still be protected. The PCI Data Security Standards
provide requirements for all merchants and processors to
mitigate data breaches and compromise events that fuel payment
card fraud. End-to-end encryption should be deployed to protect
cardholder information while in transit, and newer
technologies, such as tokenization, should and will be
developed and deployed to protect online transactions.
Until this layered approach can be fully implemented,
consumers should know that banks comply with significant legal
and regulatory requirements and are subject to rigorous
examination and supervision of their data security practices
and procedures.
Some are touting PIN in combination with EMV chip as the
only way to eliminate payments fraud. We believe any form of a
PIN mandate would be misguided for a number of reasons. First,
PINs only protect against fraud in cases of lost or stolen
cards, which is a relatively small portion of total fraud.
Second, as a static data element, PIN is more vulnerable than
active technologies like EMV chip or tokenization. As PIN use
becomes more prevalent, it attracts more criminal activity. A
2012 report by the Federal Reserve Bank of Atlanta found that
debit PIN fraud rates have increased more than threefold since
2004.
Additionally, in order to better protect consumers, all
participants of the payment system--including merchants--should
be subject to the same federal data security standards and
oversight as financial institutions. ICBA supports legislation
introduced by Reps. Randy Neugebauer (R-TX) and John Carney (D-
DE), the Data Security Act (H.R. 2205), that would apply Gramm-
Leach-Bliley Act-like data security standards for all
industries that handle sensitive financial information.
Closing
Thank you again for the opportunity to testify today. We
hope that this hearing will help to educate all stakeholders,
especially small businesses and consumers. The engagement and
cooperation of all parties is critical for a smooth transition
to EMV chip which will ultimately reduce fraud and bolster
confidence in the payments system.
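Added example, not part of Mr. Weston's statement and not the algorithm of the EMV specification: a simplified Python model of the one-time code the statement describes, showing why data copied from a chip transaction is declined on reuse while copied magnetic stripe data is accepted. HMAC-SHA256, the field names and the account number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, pan: str, atc: int, amount_cents: int, un_hex: str) -> str:
    """Code over the transaction fields (HMAC-SHA256 stands in for the EMV algorithm)."""
    msg = "|".join([pan, str(atc), str(amount_cents), un_hex]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """Constructed chip model: the key stays inside, a counter advances per use."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self._atc = 0  # transaction counter

    def sign(self, amount_cents: int, un_hex: str) -> dict:
        # un_hex is a fresh random value chosen by the terminal.
        self._atc += 1
        return {"pan": self.pan, "atc": self._atc, "amount_cents": amount_cents,
                "un": un_hex,
                "code": _mac(self._key, self.pan, self._atc, amount_cents, un_hex)}


class Issuer:
    def __init__(self):
        self._keys, self._last_atc, self._stripe_code = {}, {}, {}

    def issue(self, pan: str):
        """Return a chip card and the static stripe data for the same account."""
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        self._stripe_code[pan] = f"{secrets.randbelow(1000):03d}"
        return ChipCard(pan, self._keys[pan]), {"pan": pan, "code": self._stripe_code[pan]}

    def authorize_chip(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, txn["pan"], txn["atc"], txn["amount_cents"], txn["un"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: bad code"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "declined: counter already used"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

    def authorize_stripe(self, track: dict) -> str:
        # The stripe value never changes, so any faithful copy matches.
        known = self._stripe_code.get(track["pan"], "")
        return "approved" if hmac.compare_digest(known, track["code"]) else "declined: bad code"


def demo() -> dict:
    issuer = Issuer()
    card, stripe = issuer.issue("4000000000000002")  # constructed account number

    txn = card.sign(2599, secrets.token_bytes(4).hex())
    results = {"genuine": issuer.authorize_chip(txn)}

    # The same captured data submitted a second time.
    results["replay"] = issuer.authorize_chip(dict(txn))

    # Captured data presented where the terminal chose a different random value
    # (bits flipped here so the value is guaranteed to differ).
    other_un = bytes(b ^ 0xFF for b in bytes.fromhex(txn["un"])).hex()
    results["other_terminal"] = issuer.authorize_chip(dict(txn, un=other_un))

    # Captured data with the amount changed.
    results["altered_amount"] = issuer.authorize_chip(dict(txn, amount_cents=600000))

    # The real card keeps working.
    results["next_genuine"] = issuer.authorize_chip(card.sign(1000, secrets.token_bytes(4).hex()))

    # A copy of the magnetic stripe data is indistinguishable from the original.
    results["stripe_copy"] = issuer.authorize_stripe(dict(stripe))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```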
[GRAPHIC] [TIFF OMITTED] T6854.002
Introduction
Good morning, Chairman Chabot, Ranking Member Velazquez and
Members of the Committee. My name is Jan Roche and I am
testifying today on behalf of the National Association of
Federal Credit Unions (NAFCU). I serve as the President and CEO
of State Department Federal Credit Union (SDFCU), headquartered
in Alexandria, Virginia, and also serve on the Board of
Directors of NAFCU. I have over 30 years of experience in
credit union and financial management.
State Department Federal Credit Union was chartered in 1935
through the efforts of eight employees of the Department of
State. Now, 80 years later, we serve over 67,000 members
worldwide and have over $1.6 billion in assets. Due to the
traveling habits and job assignments of many of our members and
the fact that 8 percent of our membership is located overseas
at any given time, we were one of the first financial
institutions in the U.S. to start issuing EMV VISA Credit Cards
in June, 2012.
As you are aware, NAFCU is the only national organization
exclusively representing the federal interests of the nation's
federally-insured credit unions. NAFCU-member credit unions
collectively account for approximately 70 percent of the assets
of all federal credit unions. We appreciate the opportunity to
appear before you today to talk about the EMV transition
deadline in the United States and the need for data security
legislation, including H.R. 2205, the Data Security Act of
2015.
Background on Credit Unions
Historically, credit unions have served a unique function
in the delivery of essential financial services to American
consumers. Established by an Act of Congress in 1934, the
federal credit union system was created, and has been
recognized, as a way to promote thrift and to make financial
services available to all Americans, many of whom may otherwise
have limited access to financial services. Congress established
credit unions as an alternative to banks and to meet a precise
public need--a niche that credit unions still fill today.
Every credit union, regardless of size, is a cooperative
institution organized ``for the purpose of promoting thrift
among its members and creating a source of credit for provident
or productive purposes.'' (12 USC 1752(1)). While over 80 years
have passed since the Federal Credit Union Act (FCUA) was
signed into law, two fundamental principles regarding the
operation of credit unions remain every bit as important today
as in 1934:
credit unions remain wholly committed to
providing their members with efficient, low-cost,
personal financial services; and,
credit unions continue to emphasize
traditional cooperative values such as democracy and
volunteerism.
Credit unions are small businesses themselves, especially
when compared to our nation's mega banks and largest retailers,
facing challenges of meeting the products and service needs of
their community, while dealing with various laws and
regulations.
EMV
EMV is the established global standard for ``chip'' cards
and their compatibility with point of sale terminals. EMV
stands for ``EuroPay, Mastercard and VISA,'' the three
companies that created the standard. EMV cards are still
plastic, but they contain an imbedded microprocessor (or
``chip'') that stores data and adds additional protection by
making it harder to produce a counterfeit card that can be used
at a point of sale terminal. This is because the chip generates
unique data (a new, random number) for each transaction. If
that data is stolen, it is not traceable back to the account.
It is important to understand that it is this EMV ``chip''
technology that makes the new cards more secure--not a PIN or
signature. It is also important to recognize that the EMV
solution is the new market standard for combating fraud at the
point-of-sale and assigning liability when a fraudulent credit
card is used. It is not a ``silver bullet'' solution to the
broader problem of data security or to combat online identity
theft.
EMV is just one step in a larger universe of measures that
credit unions take to protect the financial data of their
members (consumers) and the payments system. Credit unions and
other financial institutions already protect data consistent
with the provisions of the 1999 Gramm-Leach-Bliley Act (GLBA)
and are innovators in the ever-developing payments system as
they strive to protect the financial information of the 101
million Americans who are credit union members.
My testimony today will cover how credit unions are
protecting consumers in the payment system, the impact of the
EMV transition and what steps are needed to better protect
consumer financial data moving forward.
NAFCU's Work in Various Cyber and Data Security Initiatives
NAFCU is pleased to be an active participant in various
industry and government payments, cyber and data security
initiatives, doubling down these efforts as data breaches
continue to rise and innovations in payments technology make
the entire ecosystem more complex for financial institutions
and consumers.
Specific to payments, NAFCU is a member of the Payments
Security Task Force, a diverse group of participants in the
payments industry that is driving a discussion relative to
systems security. NAFCU also supports many of the ongoing
efforts at the Financial Services Sector Coordinating Council
(FSSCC) and the Financial Services Information Sharing and
Analysis Center (FS-ISAC). These organizations work closely
with partners throughout the government creating unique
information sharing relationships that allow threat information
to be distributed in a timely manner.
NAFCU also worked with the National Institute of Standards
and Technology (NIST) on the voluntary cybersecurity framework
released in 2013 designed to help guide financial institutions
of varying size and complexity through the process of reducing
cyber risks to critical infrastructure. The recommendations are
designed to evolve and will be updated to keep pace with
changes in technology and threats.
Earlier this year, NAFCU also participated in President
Barack Obama's White House Summit on Cybersecurity and Consumer
Protection at Stanford University which featured leaders from
across the country--industry, tech companies, law enforcement,
consumer and privacy advocates, law professors who specialize
in this field, and students--to collaborate and explore
partnerships that will help develop the best ways to bolster
cybersecurity. Credit unions continue to pursue greater data
security through innovation.
During the Summit, NAFCU-member First Tech Federal Credit
Union's recent partnership with MasterCard in the area of card
security was announced. First Tech is innovative in this area
and is implementing a new pilot program this year that will
allow consumers to authenticate and verify their transactions
using a combination of unique biometrics such as facial and
voice recognition. This type of innovation is a generation
beyond EMV, and is not unusual at member-owned and member-
driven credit unions as we take data security seriously.
Technological innovations like this are a prime example of why
Congress needs to ignore calls to legislate technological
solutions, which can soon become out-of-date, rather than
creating basic standards of data protection.
NAFCU is also a participant in the Federal Reserve's
initiative to improve the U.S. payments systems through two
industry taskforces launched earlier this year: the Faster
Payments Taskforce and the Secure Payments Taskforce. Through
the Faster Payments Taskforce, NAFCU is working with the
Federal Reserve and industry participants to create criteria to
identify and evaluate alternative approaches for implementing
safe, ubiquitous, faster payment capabilities. Additionally, on
the Secure Payments Task Force, NAFCU is providing input to the
Federal Reserve on payment security matters and is helping
determine priorities for future action to advance payment
system safety, security and resiliency.
The EMV Transition
October 1, 2015, was the deadline established by the four
major U.S. credit card issuers (Mastercard, Visa, Discover and
American Express) when the liability for the majority of card-
present fraudulent transactions on credit cards is shifted to
whichever party is not EMV-compliant. Given the nature of our
field of membership, which includes many State Department
employees that travel or are stationed overseas in countries
where the EMV transition has already occurred, SDFCU was an
early adapter to the U.S. transition, first issuing EMV cards
in June of 2012 for new cards and replacements for lost and
stolen cards. Our credit card portfolio of over 28,000 cards is
now 100% EMV.
It is important to note that the EMV transition in the U.S.
is a voluntary one established by the market, and not a
government mandate. The October 1, 2015, deadline is not the
endpoint of transition, rather just a step along the road of
progress when the incentives to be EMV-compliant changed.
Companies have not been forced to transition (whether it's
issuing or accepting EMV cards) if they are willing to bear the
liability. The speed of shifting to EMV is essentially a
business decision that is dependent on risk-tolerance. It is
important to note that, whether or not a card or business is
EMV-compliant, consumers are not liable for fraud losses as all
credit cards have zero liability provisions for consumers and
the Electronic Funds Transfer Act limits consumer liability for
any fraud on debit cards. Consumers remain protected in the new
system.
Based on a NAFCU survey of our members, a majority of
credit unions are ready for the EMV transition and are issuing
EMV credit cards to their members as they issue new cards or
replace older magnetic-stripe cards. There is a greater cost
for an EMV card for credit unions. At SDFCU, the cost (not
including staff costs, set up and postage) to produce a non-EMV
card is approximately $3.04 and to produce a new EMV card it is
approximately $5.81.
A comprehensive study released September 17, 2015, by the
Strawhecker Group reported that only 27% of merchants were to
be EMV-ready by October 1, 2015. In other recent surveys, the
reasons given by merchants for not being ready include: not
knowing about the transition (despite it being several years in
the works), not wanting to pay for an EMV terminal, not being
concerned about the liability shift and thinking that the EMV
shift is unfair. Many of these are small and mid-size
businesses that could find themselves the next targets of data
thieves that will seek to exploit this vulnerability in the
payment system as many big box retailers make the conversion.
We believe that successful protection of the payments system
requires all parties to be actively involved and hope that
these businesses will work with the financial services
community to recognize their role in making the payments system
safer.
The PIN Debate
Some have argued that the EMV transition should have
included a PIN mandate to require consumers to enter PINs for
every transaction. Imposing such a mandate or requirement would
be unrealistic and would not be a panacea for the problem of
data security. As I noted earlier, it is the chip technology
that makes new cards secure, not the PIN or signature. A PIN is
a static data element that is still vulnerable to theft. If it
is compromised, a consumer's entire account can be put at risk.
A 2012 report by the Federal Reserve Bank of Atlanta found that
PIN fraud rates had increased significantly since 2004. A PIN
mandate would not have helped prevent recent major consumer
data breaches such as Target, Home Depot and Michaels.
A PIN mandate also does not prevent online or mobile fraud,
often referred to as ``card-not-present'' fraud, which is
already 45% of card fraud in the U.S. according to the Aite
Group (at SDFCU in the last year, it was about 40% of our gross
card fraud). This type of fraud is also expected to rise
significantly after the EMV transition. Wider use of PINs in
other EMV countries has done nothing to prevent spikes in
card-not-present fraud. In the United Kingdom, online fraud
rose 79% after their EMV transition. In Canada, while card-
present fraud declined after the switch to EMV, card-not-
present fraud more than doubled.
A truly secure payments system must be one that is
constantly evolving to meet emerging threats and uses a wide
range of dynamic authentication technologies--EMV,
tokenization, encryption, biometrics and more. Many retailers
today are increasingly moving away from traditional point-of-
sale authentication methods, like PIN or signature, and relying
on network-based monitoring to identify fraud as it can improve
the customer experience by reducing time spent in the checkout
line. Many of you may have experienced transactions where the
merchant does not request a signature nor PIN with card usage.
Retailers have demanded this change of the industry to speed
the checkout process. Because retailers do not have standards
requiring them to protect consumer data collected at the point
of sale, they have sometimes prioritized the speed of the
transaction to increase customer sales at the expense of the
security of the payment system. This can make retailers a
vulnerable point of entry to data breaches in the payments
ecosystem, even with PIN and signature authentication.
Credit Unions and Consumers Suffer in Data Breaches
The EMV transition is not a silver bullet to addressing the
scourge of data breaches. More needs to be done to establish a
national standard for protecting the financial data of
consumers. Americans are becoming more aware and more concerned
about data security and its impact. A Gallup poll from October,
2014, found that 69 percent of U.S. adults said they frequently
or occasionally are concerned about having their credit card
information stolen by hackers, while 27 percent of Americans
say they or another household member had information from a
credit card used at a store stolen in the last year. These
staggering survey results speak for themselves and should cause
serious pause among lawmakers on Capitol Hill.
Data security breaches are more than just an inconvenience
to consumers as they wait for their plastic cards to be
reissued. Breaches often result in compromised card information
leading to fraud losses, unnecessarily damaged credit ratings,
and even identity theft. Symantec's Internet Security Threat
Report issued earlier this year found that 36% (roughly 74
million consumers) of the over 205 million individuals
compromised in retail breaches in 2014 had their financial
information exposed. That percentage doubled from 18% in 2013.
More than 23% of the US population had their financial
identities compromised by a retailer data breach in 2014.
While the headline grabbing breaches are certainly
noteworthy, the simple fact is that data security breaches at
our nation's retailers are happening almost every day. A survey
of NAFCU member credit unions found that respondents were
alerted to potential breaches an average of 164 times in 2014.
Two-thirds of the respondents said that they saw an increase in
these alerts from 2013. When credit unions are alerted to
breaches, they take action to respond to protect
[GRAPHIC] [TIFF OMITTED] T6854.003
Credit Unions and GLBA
As I noted above, credit unions, and all financial
institutions, are subject to the 1999 Gramm-Leach-Bliley Act.
GLBA and its implementing regulations have successfully limited
data breaches among financial institutions and this standard
has a proven track record of success since its enactment. This
record of success is why we believe any future requirements
must recognize and incorporate this existing national standard
for financial institutions such as credit unions.
Consistent with Section 501 of the GLBA, the National
Credit Union Administration (NCUA) established administrative,
technical and physical safeguards to ensure the (1) security,
(2) confidentiality, (3) integrity, and (4) proper disposal of
consumer information and other records. Under the rules
promulgated by the NCUA, every credit union must develop and
maintain an information security program to protect customer
data. Additionally, the rules require third party service
providers that have access to credit union data take
appropriate steps to protect the security and confidentiality
of the information.
GLBA and its implementing regulations have successfully
limited data breaches among credit unions. NAFCU believes that
the best way to move forward and address data breaches is to
create a comprehensive regulatory scheme for those industries
that are not already subject to oversight. At the same time,
the oversight of credit unions, banks and other financial
institutions is best left to the functional financial
institution regulators that have experience in this field. It
would be redundant at best and possibly counter-productive to
authorize any agency--other than the functional financial
institution regulators--to promulgate new, and possibly
duplicative or contradictory, data security regulations for
financial institutions already in compliance with GLBA.
There are a number of key elements, requirements and
definitions of the GLBA that apply to credit unions and are
outlined below. The GLBA directed regulators to establish
evolving standards for financial institutions to ensure the
security and confidentiality of consumer information.
The GLBA also sets a number of important definitions and
requirements:
Sensitive Consumer Information
Sensitive consumer information is defined as a member's
name, address, or telephone number in conjunction with the
member's social security number, driver's license number,
account number, credit or debit card number, or personal
identification number or password that would permit access to
the member's account. Sensitive consumer information also
includes any combination of components of consumer information
that would allow someone to log into or access the member's
account, such as user name and password or password and account
number. Under the guidelines, an institution must protect
against unauthorized access to or use of consumer information
that could result in substantial harm or inconvenience to any
consumer.
Unauthorized Access to Consumer Information
The agencies published guidance to interpret privacy
provisions of GLBA and interagency guidelines establishing
information security standards. The guidance describes response
programs, including member notification procedures, that a
financial institution should develop and implement to address
unauthorized access to or use of consumer information that
could result in substantial harm or inconvenience to a member.
The security guidelines require every financial institution
to have an information security program designed to:
  Ensure the security and confidentiality of
    consumer information;
  Protect against any anticipated threats or
    hazards to the security or integrity of such
    information; and,
  Protect against unauthorized access to or
    use of such information that could result in
    substantial harm or inconvenience to a member.
Risk Assessment and Controls
The security guidelines direct every financial institution
to assess the following risks, among others, when developing
its information security program:
  Reasonably foreseeable internal and external
    threats that could result in unauthorized disclosure,
    misuse, alteration, or destruction of consumer
    information or consumer information systems;
  The likelihood and potential damage of
    threats, taking into consideration the sensitivity of
    consumer information; and,
  The sufficiency of policies, procedures,
    consumer information systems, and other arrangements to
    control for the risks to sensitive data.
Following the assessment of these risks, the security
guidelines require a financial institution to design a program
to address the identified risks. The particular security
measures an institution should adopt depend upon the risks
presented by the complexity and scope of its business. This is
a critical aspect of GLBA that allows flexibility and ensures
the regulatory framework is workable for the largest and
smallest in the financial services arena. As the committee
considers cyber and data security measures, it should be noted
that scalability is achievable and that it is a misnomer when
other industries claim they cannot have a federal data
safekeeping standard that could work across a sector of varying
size businesses.
At a minimum, the credit union is required to consider the
specific security measures enumerated in the Security
Guidelines, and adopt those that are appropriate for the
institution, including:
  Access controls on consumer information
    systems, including controls to authenticate and permit
    access only to authorized individuals and controls to
    prevent employees from providing consumer information
    to authorized individuals who may seek to obtain this
    information through fraudulent means;
  Background checks for employees with
    responsibilities for access to consumer information;
  Response programs that specify actions to be
    taken when the financial institution suspects or
    detects that unauthorized individuals have gained
    access to consumer information systems, including
    appropriate reports to regulatory and law enforcement
    agencies;
  Train staff to implement the credit union's
    information security program; and,
  Regularly test the key controls, systems and
    procedures of the information security program. The
    frequency and nature of such tests should be determined
    by the credit union's risk assessment. Tests should be
    conducted or reviewed by independent third parties or
    staff independent of those that develop or maintain the
    security programs.
Service Providers
The security guidelines direct every financial institution
to require its service providers through contract to implement
appropriate measures designed to protect against unauthorized
access to, or use of, consumer information that could result in
substantial harm or inconvenience to any consumer.
Third-party providers are very popular for many reasons,
most frequently associated with cost-savings/overhead
reduction. However, where costs may be saved for overhead
purposes, they may be added for audit purposes. Because audits
typically are annual or semi-annual events, cost savings may
still be realized but the risk associated with outsourcing must
be managed regardless of cost. In order to manage risks, they
must first be identified.
An institution that chooses to use a third-party provider
for the purposes of information systems-related functions must
recognize that it must ensure adequate levels of controls so
the institution does not suffer the negative impact of such
weaknesses.
Response Program
Every financial institution must develop and implement a
risk-based response program to address incidents of authorized
access to consumer information. A response program should be a
key part of an institution's information security program. The
program should be appropriate to the size and complexity of the
institution and the nature and scope of its activities.
In addition, each institution should be able to address
incidents of unauthorized access to consumer information in
consumer information systems maintained by its service
providers. Where an incident of unauthorized access to consumer
information involves consumer information systems maintained by
an institution's service providers, it is the responsibility of
the financial institution to notify the institution's consumers
and regulator. However, an institution may authorize or
contract with its service provider to notify the institution's
consumers or regulator on its behalf.
Consumer Notice
Timely notification to members after a security incident
involving the unauthorized access or use of their information
is important to manage an institution's reputation risk.
Effective notice may also mitigate an institution's legal risk,
assist in maintaining good consumer relations, and enable the
institution's members to take steps to protect themselves
against the consequences of identity theft.
Content of Consumer Notice
Consumer notice should be given in a clear and conspicuous
manner. The notice should describe the incident in general
terms and the type of consumer information that was the subject
of unauthorized access or use. It should also generally
describe what the institution has done to protect consumers'
information from further unauthorized access. In addition it
should include a telephone number that members can call for
further information assistance. The notice should also remind
members of the need to remain vigilant over the next 12 to 24
months, and to promptly report incidents of suspected fraud or
identity theft to the institution.
Delivery of Consumer Notice
Notice should be delivered in any manner designed to ensure
that a consumer can reasonably be expected to receive it.
Preventing Future Breaches
While financial institutions are subject to the robust
standards of the GLBA outlined above, retailers and others who
handle financial data are not subject to the same type of
national standard. NAFCU has long argued that protecting
consumers and financial institutions by preventing future data
breaches hinges on establishment of strong federal data
safekeeping standards for retailers and merchants akin to what
credit unions already comply with under the GLBA. NAFCU has
developed a number of key principles that should be considered
and incorporated in the data security debate (Appendix A).
Unfortunately, merchants have attempted to use the EMV and PIN
debate to stop any meaningful discussion about data security
legislation--thus not addressing the real issue of the broader
responsibility of merchants to protect consumers' financial
data.
The time has come for Congress to enact a national standard
on data protection for consumers' personal financial
information. Such a standard must recognize the existing
protection standards that financial institutions have under the
GLBA and ensure the costs associated with a data breach are
borne by those who incur the breach.
While some have said that voluntary industry standards
should be the solution, the recently released Verizon 2015
Payment Card Industry Compliance Report found that 4 out of
every 5 global companies fail to meet the widely accepted
Payment Card Industry (PCI) data security standards for their
payment card processing systems. In fact, Verizon found that
out of every data breach they studied over the past 10 years,
not one single company was in compliance with the PCI standards
at the time of the breach. This should cause serious pause
among lawmakers as failing to meet these standards, exacerbated
by the lack of a strong federal data safekeeping standard,
leaves merchants, and therefore consumers, more vulnerable to
breaches.
One basic but important concept to point out with regard to
almost all cyber and data threats is that a breach may never
come to fruition if any entity handling sensitive information
limits the amount of data collected on the front end and is
diligent in not storing sensitive personal and financial data
in their systems. Enforcement of prohibition on data retention
cannot be over emphasized and it is a cost effective and
commonsense way to cut down on emerging threats. If there is no
financial data to steal, it is not worth the effort of cyber
criminals.
Legislative Solutions
NAFCU believes that the best legislative solution on the
issue of data security that has been introduced in this
Congress is the bipartisan legislation introduced by
Representatives Randy Neugebauer and John Carney, H.R. 2205,
the Data Security Act of 2015. This legislation creates a
national data security standard that is flexible and scalable,
does not mandate static technology solutions and recognizes
those who already have a working standard under the GLBA. We
support this legislation and would urge you to support it as
well.
Conclusion
Cyber and data security, ensuring member safety, and
incentivizing data safekeeping in every link of the payments
chain is a top challenge facing the credit union industry
today. A truly secure payments system must be one that is
constantly evolving to meet emerging threats and uses a wide
range of dynamic authentication technologies--EMV,
tokenization, encryption, biometrics and more. When it comes to
EMV, what matters most is the chip technology that makes the
cards more secure. Requiring additional measures such as PIN
usage does not make substantial improvements to the system.
While credit unions are largely ready for the EMV transition,
wider adoption of EMV technology by others in the payment
system, such as retailers, will only strengthen the system.
Still, more needs to be done.
Consumers will only be protected when every sector of
industry is subject to robust federal data safekeeping
standards that are enforced by corresponding regulatory
agencies. It is with this in mind that NAFCU urges Congress to
modernize data security laws to reflect the complexity of the
current environment and insist that retailers and merchants
adhere to a strong federal standard in this regard. Enacting
H.R. 2205, the Data Security Act of 2015, would be an important
step toward this goal.
Thank you for the opportunity to appear before you today on
behalf of NAFCU. I welcome any questions you may have.
Appendix A
NAFCU's Key Data Security Principles
Payment of Breach Costs by Breached Entities:
NAFCU asks that credit union expenditures for breaches
resulting from card use be reduced. A reasonable and equitable
way of addressing this concern would be to require entities to
be accountable for costs of data breaches that result on their
end, especially when their own negligence is to blame.
National Standards for Safekeeping Information: It
is critical that sensitive personal information be safeguarded
at all stages of transmission. Under the GLBA, credit unions
and other financial institutions are required to meet certain
criteria for safekeeping consumers' personal information.
Unfortunately, there is no comprehensive regulatory structure
akin to the GLBA that covers retailers, merchants and others
who collect and hold sensitive information. NAFCU strongly
supports the passage of legislation requiring any entity
responsible for the storage of consumer data to meet standards
similar to those imposed on financial institutions under the
GLBA.
Data Security Policy Disclosure: Many consumers
are unaware of the risks they are exposed to when they provide
their personal information. NAFCU believes this problem can be
alleviated by simply requiring merchants to post their data
security policies at the point of sale if they take sensitive
financial data. Such a disclosure requirement would come at
little or no cost to the merchant but would provide an
important benefit to the public at large.
Notification of the Account Servicer: The account
servicer or owner is in the unique position of being able to
monitor for suspicious activity and prevent fraudulent
transactions before they occur. NAFCU believes that it would
make sense to include entities such as financial institutions
on the list of those to be informed of any compromised
personally identifiable information when associated accounts
are involved.
Disclosure of Breached Entity: NAFCU believes that
consumers should have the right to know which business entities
have been breached. We urge Congress to mandate the disclosure
of identities of companies and merchants whose data systems
have been violated so consumers are aware of the ones that
place their personal information at risk.
Enforcement of Prohibition on Data Retention:
NAFCU believes it is imperative to address the violation of
existing agreements and law by merchants and retailers who
retain payment card information electronically. Many entities
do not respect this prohibition and store sensitive personal
data in their systems, which can be breached easily in many
cases.
Burden of Proof in Data Breach Cases: In line with
the responsibility for making consumers whole after they are
harmed by a data breach, NAFCU believes that the evidentiary
burden of proving a lack of fault should rest with the merchant
or retailer who incurred the breach. These parties should have
the duty to demonstrate that they took all necessary
precautions to guard consumers' personal information but
sustained a violation nonetheless. The law is currently vague
on this issue, and NAFCU asks that this burden of proof be
clarified in statute.
[GRAPHIC] [TIFF OMITTED] T6854.004
Statement for the Record
American Bankers Association
Committee on Small Business
United States House of Representatives
October 7, 2015
The members of the American Bankers Association, who serve
small businesses across the Nation, deeply appreciate Chairman
Chabot's and Ranking Member Velazquez's decision to hold this
important hearing on the EMV chip card upgrade. The ABA is the
voice of the nation's $15 trillion banking industry, which is
composed of small, mid-size, regional and large banks that
together employ more than 2 million people, safeguard $12
trillion in deposits and extend more than $8 trillion in loans.
Every day, ABA's thousands of members, found primarily on
the Main Streets of America, have the privilege to work with
the millions of American small businesses who form the bedrock
of our economy. Most banks are small businesses themselves,
with the median-sized bank having 42 employees and four
branches. In fact, the Small Business Administration considers
80 percent of banks to be small businesses. Providing small
businesses with credit and payment services is the bread and
butter of banking.
As the Committee is aware, the banking industry is leading
a major payment card security upgrade, with ``EMV'' credit and
debit chip cards being issued to protect consumers and brick-
and-mortar merchants from criminals who engage in card
counterfeiting.\1\ This change is all about security--the chips
are almost impossible to copy or counterfeit. Banks have been
moving quickly to put this security upgrade into consumers'
wallets. Most people have at least one chip card in their
wallet now, and we estimate that 575 million chip cards will
have been issued by the end of 2015.
---------------------------------------------------------------------------
\1\ EMV stands for ``Europay, MasterCard, Visa,'' which were the
original chip developers, but chip cards can be used on all major U.S.
card networks, including American Express, Discover, MasterCard, and
Visa.
---------------------------------------------------------------------------
Consumers will start seeing more point-of-sale terminals
that are ready to accept their chip cards. This is critical, of
course, as the benefit of this advanced chip technology can
only be realized if merchants have chip-card readers in their
stores. This will be a gradual process--which really began in
2011 with the announcement of the move to EMV in the U.S.--but
the incentives changed on October 1 to encourage both banks and
merchants to adopt the new advanced EMV standard as soon as
possible. Whichever party has not updated to the EMV standard
would be liable for any fraud losses. This was not a government
mandate, nor a deadline, but rather a private sector joint
effort--banks, networks, and merchants--to enhance payment
security for all our customers.
Banks have worked closely with small businesses throughout
this upgrade process to ensure that they are prepared. Several
banks and merchant services companies have offered incentives
to offset costs involved in upgrading terminals, making them
free in some cases.
Since this is a gradual process, consumers do not have to
worry about their current card being accepted after October 1--
their chip card will still have a magnetic stripe that will
work at stores without a chip terminal. It is also important to
emphasize that consumers will continue to enjoy the same
protections for fraud--zero liability in most cases.
EMV chips are an important innovation that better protect
consumers' financial data, but they are part of the greater
effort being made by banks and networks to combat hackers.
Other innovations are on the horizon and will play an important
role fighting future threats. Tokenization technologies that
replace account numbers with a random number at the point of
purchase rendering them useless to thieves (like Apple Pay and
Samsung Pay) are becoming more common. Point-to-point
encryption scrambles data at every point of the transaction. In
addition to today's sophisticated neural networks which spot
fraud at the point of sale, these new technologies will be
layered on top of EMV and create multiple dynamic layers of
security necessary to fight increasingly sophisticated forms of
fraud. We do not know what thieves might do next, which is why
dynamic security features are so critical and why mandating a
static technology approach to security (such as Personal
Identification Numbers, PINs), as some advocate, is a mistake.
There are three key points we would like to make in the
remainder of this statement:
> Banks are committed to secure payment solutions for
small businesses;
> EMV chip cards confront counterfeit card fraud,
helping customers, merchants and banks; and
> Banks and small businesses must partner to assure a
safe payment system for our customers.
I. Banks are Committed to Secure Payment Solutions for
Small Businesses
Banks have always acted as a trusted payment intermediary,
facilitating confidence in commerce. Unlike much of the world
(including most of Europe), the United States has benefited
from a truly network-based, electronic payment card system for
many decades. While these other countries were still developing
the telecom infrastructure to support real-time card payments,
Americans were able to have transactions authorized in seconds.
Fortunately, this real-time card technology has largely become
the global standard. That adoption speaks to the leadership
role that American banks, networks, and others play in
providing the most secure and reliable solutions to our
customers. We understand the seriousness of this trust to
operate a payment system that is transparent, efficient, and
most importantly, secure for all participants.
Banks are committed to protecting small businesses from
fraud. When payment fraud occurs, there are three parties who
are indisputable victims of crime: consumers, merchants, and
financial institutions. We all share the sense of violation
when a credit or debit card is misused by thieves intent on
obtaining ill-gotten gains. In a world where criminals are
working full-time to steal from consumers, it falls upon
financial institutions to be sentinels of the consumer's
financial security. It is often a banker who takes the first
call in these situations, and usually the banker who must relay
the news to a card customer that they also have been a victim
of a crime. Many times, ABA's members detect and stop these
crimes in progress.
ABA's members accept this duty and demonstrate it by
investing billions of dollars a year in security measures, and
by making consumers whole through no-hassle liability
protection policies that almost always exceed legal
requirements. In an era where criminals are constantly changing
their tactics, the payments industry is not sitting still.
II. EMV Chip Cards Confront Counterfeit Card Fraud
Despite all this progress, there has been an uptick in a
certain kind of fraud, known as card counterfeiting, which
makes up the vast majority of in-person card fraud today. As
its name implies, card counterfeiting involves creating a fake
card using information gleaned from a real card.
It used to be that counterfeit cards were made by
criminals using skimmers to strip the data from the magnetic
stripe (``magstripe'') and make duplicate cards--a very labor-
intensive process. Criminals, like water, always seek paths of
less resistance, which is why a second route of counterfeit
fraud is increasingly important: big retailer data breaches.
The prospect of being able to access millions of card numbers
at once, from a great distance away, makes hacking into
retailers' systems their new preferred way to steal customer
information.
Recent high-profile data breaches at retailers like Target
and Home Depot underscore the critical need for stronger and
more innovative security solutions that protect consumers. The
damage done by these breaches is well-known and affected
perhaps more victims than any other financial crime in American
history.
In the wake of these breaches, card-issuing banks made
consumers whole quickly, often wiping fraudulent charges off
their account immediately upon being notified. Through
proactive steps on the part of banks, most affected customers
did not see any fraudulent activity, although the disruption of
card reissuance was real for both consumers and businesses.
These high-profile retail breaches added urgency to the
efforts already underway to fight counterfeit fraud that would
make it harder to monetize stolen card data. Moving from the
magstripe (which stores unencrypted information) to the EMV
standard was one of those, and that process had begun in
earnest in 2011 in the U.S. Some have questioned why the U.S.
was slower than Europe to adopt chip technology. The answer
lies in the fact that EMV was originally designed to solve a
European payments problem: Europe lacked the advanced telecom
infrastructure that was allowing U.S. retailers to authorize
card transactions in real time.
While American businesses routinely sent card information
across phone lines to obtain authorization from card-issuing
banks, European retailers found telecom rates too expensive to
make a call for every transaction. The solution was to issue
Europeans cards with microchips which contained information
like credit limits and fraud indicators, which would have been
kept on the issuing bank's computer in the U.S. system. Instead
of processing transactions ``over the wires'' (as in the U.S.)
EMV chips and terminals allowed European card transactions to
be processed without an immediate connection to the payment
network. Transaction data would be stored in the terminal until
the merchant terminal contacted the bank to settle the day's
transactions.
This ``offline'' approach had obvious limitations (mainly
that transactions were not checked through a central system at
each sale) and disadvantages compared to the U.S. system of
live authorizations. Fortunately, these European systems have
been upgraded over the years.
In contrast, the U.S. EMV introduction combines the
security benefits of EMV chips and the real-time authorization
of transactions through the bank's computers. From the outset,
EMV chips in the U.S. are running software that produces a one-
time code which is sent across the network during each
transaction and is required for authorization by the bank
computer on the other end. Neural network and live
authorizations, which spot and shut down suspicious
transactions, form the basis for dynamic security for U.S.
transactions. A crucial distinction is that EMV chip cards'
anti-counterfeiting properties are found in the chip itself and
are unrelated to the use of a Personal Identification Number
(PIN). Simply put, the chip is what makes the difference, not a
PIN.
The EMV chip that was built to meet the challenge is
serious security equipment. For starters, the chips are
inherently counterfeit-resistant hardware, making it virtually
impossible to create a fake chip. A core security feature of
EMV is a one-time, non-reusable code that the chip produces for
each transaction. Called a ``cryptogram,'' this code is the
result of advanced mathematical algorithms which cannot be
entirely observed by hackers. The code can only be used once,
so it is useless for future transactions if stolen. If a
criminal attempts to use the code, the payment systems will
recognize that it has already been used and will not authorize
the transaction. This one-time code is an additional layer of
security that rides on top of other card data.
The ``Liability Shift'' Gives Banks and Merchants
Incentives to Employ the Best Technology
In 2011, one of the card payment networks announced that it
would begin supporting EMV in the U.S. This was a major step in
combatting counterfeit fraud. However, this upgrade would not
happen overnight. Of course, banks would have to issue hundreds
of millions of new cards, at several times the price of
magstripe cards. Card-accepting businesses would incur costs
and require transition time as well. EMV cards can only be read
by EMV-enabled terminals (``dipping'' the card and letting it
stay in a terminal through the entire transaction replaces
``swiping'' a magstripe).
That network set October 1, 2015 as the date on which
merchant or bank liability for fraudulent counterfeit
transactions would depend on whether either party was using EMV
technology. ATMs and gas stations were given later incentive
dates, to allow their owners more time to address technical
issues which are specific to those applications.
This ``liability shift'' has sometimes been
mischaracterized and we want to ensure that the Committee has
an accurate understanding of what it means. Today banks absorb
less from in-person use of counterfeit cards at merchants.
After October 1, 2015, banks will still absorb these losses if
a counterfeit card of any kind is used at an EMV-enabled
merchant. This includes magstripe cards used at an EMV-enabled
merchant. Simply put, if the merchant has upgraded to an EMV-
enabled terminal and is using it, nothing changes for them--the
issuing bank will still be liable. However, if the bank has
issued an EMV card and the merchant does not have a terminal to
accept the chip (forcing consumers to use the more easily
counterfeited magstripe part of the card), the merchant is
liable for the resulting fraud, because they have failed to use
the latest technology available to them.
The October 1, 2015 date was a private sector incentive to
get consumers protected as soon as possible. It was most
certainly not a ``deadline'' or government mandate. Small
businesses which did not accept EMV cards on that day did not
see their card terminals turned off or see the experience
change for their customers. It was a contractual change that
only became relevant in the case of criminals using counterfeit
cards.
It is important to note that the security benefits of EMV
deployment in the U.S. are more powerful than in the original
introductions of the technology in other countries. Since U.S.
cardholders already conduct real time transactions, they are
already protected by a complex series of seen and unseen
security systems (including neural networks which spot and shut
down suspicious transactions). The EMV chip technology is
another layer that fits in well with these other measures. The
EMV chips used in the U.S. contain security software, which
works with the security systems at the payment network and
issuing bank to further protect transactions. The
microprocessor in the chip can run this software whenever a
transaction occurs. These security checks happen in the
background, sometimes triggering a ``pause'' in the transaction
to obtain further verification from the person presenting the
card. The EMV chip is built on a flexible standard, which is
also capable of facilitating data encryption and can be
customized for emerging security paradigms.
By deploying EMV cards in the U.S. and combining this chip
technology with the real-time transaction capabilities which
Americans are used to, the payment industry was able to
leverage more than the original security features of EMV. Not
only do American consumers benefit from a card that is
difficult to counterfeit, but transactions are also protected
by cutting-edge fraud prevention measures.
III. Banks and Businesses Must Partner to Ensure a Safe
Payment System for Our Customers
From the beginning of the EMV upgrade effort in 2011, the
financial services sector has been focused on ensuring that the
upgrade would be accessible to small businesses. Recognizing
that there are costs involved, several banks and merchant
services companies have incentives to upgrade terminals, making
them free in some cases. These free terminals are often
provided in the context of an ongoing relationship between the
merchant and a payment services company. Many terminals have
been ``turned over'' into EMV terminals during routine register
hardware changes, meaning little to no marginal costs to
merchants to upgrade. Payment services companies have
proactively engaged their business customers to inform them
about the October 1, 2015 incentive date and offer hardware and
software solutions to help them become part of the upgrade. An
``in the market'' survey of options available in the market
demonstrates that a basic terminal can be obtained for about
$200 and more sophisticated systems cost a few hundred dollars
more, but include helpful features like inventory tracking and
customer relationship features, which many retailers will find
useful. For mobile merchants or those using tablet-computer
based points of sale, Square sells an EMV-reading accessory
that costs $29.
This upgrade is also an opportunity for many businesses to
grow their acceptance of emerging payments which consumers are
demanding. Although not mandatory, EMV terminals which come
equipped with NFC (``near field contactless'') capabilities
provide a shorter route to accepting Apple Pay, Samsung Pay and
similar mobile wallets. Some of these ancillary options contain
powerful security mechanisms like ``tokenization'' and strong
encryption. These newer terminals also have upgradable
software, meaning that merchants can likely ``keep up'' with
consumer trends for several years before having to upgrade
again. These are all choices that merchants can make with the
help of their merchant services company. It all means that EMV
upgrades at the register are the gateway to the future of
payments.
This dynamic, open approach to payment innovations is the
vision that the banking industry has for the future of payment
security. Fortunately, the global EMV standard has shown itself
to be flexible enough to be adapted from the chip to mobile
devices.
Although news coverage may focus most on how businesses
accept chip cards, we must remember that businesses are also
cardholders themselves. They deserve payment cards that are
reliable and safe. As the EMV upgrade progresses, businesses
that use credit cards for purchases will likely find that
fraud-related card deactivations and reissuances become rarer.
This will eliminate disruptions to business operations for the
large number of firms that have turned to card payments as a
way to manage risk and streamline purchasing.
Conclusion
The banking industry continues to take its role as sentinel
of consumer payments seriously. Importantly, we recognize that
payments are only secure when all stakeholders guard data and
participate in the upgrades that are developed to protect
consumers. Every day, Americans are receiving new chip cards in
the mail and retailers are plugging in their new terminals (or
attaching them to their mobile phones). EMV is gradually
becoming a way of life for shoppers and its security benefits
are being realized more with each passing day. Soon, using EMV
cards will be second nature for consumers, and we fully expect
that small businesses will be able to claim a large share of
the credit for making this transition successful.
But EMV is not the endpoint of card security, no more than
physical cards are the endpoint for payments. Like the many
cumulative measures introduced before EMV, this technology is
one more layer of protection introduced in a long line of
security upgrades. In a world of emerging security threats,
there is always more that can be done to protect consumer
payment information. This is why banks continue to urge large
retailers to upgrade their data security to match the levels
that our industry must meet under federal law.
For our part, banks will continue to innovate to put
criminals on the defensive and protect legitimate commercial
actors, including small businesses. In the battle against
modern criminals, the EMV upgrade continues to be an
opportunity for a positive story about collaboration between
America's small businesses and the bankers who have the
privilege to serve them.
STATEMENT FOR THE RECORD
BY LYLE BECKWITH
ON BEHALF OF
THE NATIONAL ASSOCIATION OF CONVENIENCE STORES
FOR THE
HEARING OF THE HOUSE SMALL BUSINESS COMMITTEE
OCTOBER 7, 2015
``THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES''
My name is Lyle Beckwith. I am the Senior Vice President,
Government Relations for the National Association of
Convenience Stores (NACS) and I appreciate this opportunity to
present NACS' views regarding the implications of the EMV chip
deadline for small businesses.
NACS is an international trade association representing
more than 2,200 retail and 1,800 supplier company members in
the convenience and petroleum retailing industry. NACS member
companies do business in nearly 50 countries worldwide, with
the majority of members based in the United States. In 2014,
the industry employed more than two million workers and
generated $696.1 billion in total sales, representing
approximately 4.0 percent of the United States' GDP--or one of
every 25 dollars spent. The majority of the industry are small,
independent operators. More than 70 percent of the industry is
composed of companies that operate ten stores or fewer, and 63
percent of them operate a single store.
The process of transitioning to EMV--a process dictated by
the major card companies without input from retailers,
consumers, or banks--has been and will continue to be onerous
and very expensive for merchants. On top of that, the full
security and consumer protection benefits of the transition
will not be realized. By the card companies' choice--and unlike
what has been done in other parts of the world--Visa and
MasterCard are having the U.S. transition to chip technology
without the use of Personal Identification Numbers (``PIN''),
rather than the chip-and-PIN technology that has a proven track
record of success. Below we offer more detailed comments on the
transition, its impact on small businesses, and the lost
opportunity for substantially reducing fraud in the payment
card system.
I. The card companies' justification for this mandatory
transition is flawed.
Beginning October 1, 2015, any merchant that is not
equipped and certified by the major card companies to accept
EMV or ``chip'' cards will have liability for fraudulent credit
and debit card transactions involving chip-embedded cards. The
card companies claim they are requiring merchants to transition
to EMV to increase security in card transactions, and so they
and the banks will no longer have to pay for losses caused by
fraud. This rationale does not make sense for multiple reasons.
First, merchants pay for the majority of fraud losses
today, not card companies or banks.
Second, the card companies have intentionally chosen not to
transition to the most secure payment method available. If the
card companies were legitimately interested in minimizing fraud
losses, they would require chip and PIN, not just chip (as
discussed in further detail below).
And third, the card companies themselves, not merchants,
have delayed bringing new technologies and security measures to
the U.S. payment card industry.
Notwithstanding the foregoing, NACS strongly believes that
something must be done to reduce fraudulent transactions. Our
commitment to improving card security stems from the fact that
merchants currently pay the majority of fraud costs, which are
spiraling out of control. In 2014, global credit and debit card
fraud topped $16.3 billion across all industries--$7.6 billion
of that fraud occurred in the U.S.\1\ Despite banks' claims
that they provide a ``payment guarantee,'' merchants are
absorbing the vast majority of the costs associated with
fraudulent transactions.\2\
---------------------------------------------------------------------------
\1\ Skowronski, Jeanine, US coming back to credit cards, Bankrate
(May 28, 2015), available at http://www.bankrate.com/financing/credit-
cards/u-s-coming-back-to-credit-cards/; see also, Global Card Fraud
Losses Reach $16.31 Billion--Will Exceed $35 Billion in 2020 According
to The Nilson Report, Business Wire (Aug. 4, 2015), available at http:/
/www.businesswire.com/news/home/20150804007054/en/Global-Card-Fraud-
Losses-Reach-16.31-Billion#.VgGWMd9VhBc.
\2\ Press Release: U.S. Retailers Face $191 Billion in Fraud Losses
Each Year, LexisNexis Risk Solutions (Nov. 9, 2009) (highlighting
findings of LexisNexis and Javelin Strategy & Research ``True Cost of
Fraud Benchmark Study''), available at http://www.lexisnexis.com/risk/
newsevents/press-release.aspx?Id=1258571377346174; ``House of Cards:
Why your accounts are vulnerable to thieves,'' Consumer Reports, June
2011.
While chip-embedded cards are harder to counterfeit or
copy, without a PIN number, they do not help reduce many types
of fraud. For example, chip cards and card numbers can still be
stolen and used by someone who is not the account holder.
Stolen chip card numbers can be used online. And counterfeit
chip cards can still be made, but when someone presents a card
with a non-functioning chip, the card's magnetic stripe will be
used or the card's number will be entered to complete the
fraudulent transaction. Requiring PIN would help in all of
these scenarios. Simply put, chip without PIN is not enough.
The fraud-reduction benefits of requiring chip and PIN--or
even just PIN on old magnetic strip technology--are far greater
than requiring chip alone. It is no wonder that chip and PIN
technology has been the standard in Europe for almost 20 years;
or that the technology is already used in virtually every other
industrialized country. Use of outdated magnetic strip
technology in the U.S. has been the only option because the
card companies have not, until now, provided chip and PIN in
this market, despite the urging of retailers, consumer
advocates, and cyber security experts.
Thus, before considering the cost to small businesses of
completing the mandatory transition to EMV, it is worth
questioning the card companies' justification and motivation
for this particular mandate. For instance, it is worth asking:
why mandate the transition to EMV--with all of its attendant
effort and cost--without requiring PIN? Why would anyone choose
not to maximize fraud prevention benefits with this costly
transition? And why, after years of delay in bringing EMV
capability to the U.S. market, impose an arbitrary and
inflexible deadline on merchants, despite implementation
challenges beyond their control?
II. The transition is costly for merchants and especially
difficult for small businesses to implement.
The cost to businesses to become EMV-ready is substantial.
There are approximately 152,000 convenience stores in the U.S.
and it will cost approximately $3.9 billion--$26,000 per
store--to make them EMV capable. To put those figures in
perspective, about 60 percent of convenience stores belong to
single-store owner/operators and the average profits for a
convenience store per year are $47,000. So the initial upfront
cost--not even counting future maintenance and update costs--is
more than half of an average store's profits. On top of that,
on-going maintenance and upgrade expenses are expected to be
upward of $2,240 per year, per store.
The transition to EMV necessitates the purchase by
merchants of specialized hardware and software, along with
numerous other steps. According to one survey of U.S.
retailers, ordering new terminals can take 6 to 16 weeks. Then
retailers and payment card processors must program the new
equipment according to card company specifications, which can
take months. In fact, it has been very difficult for small
businesses to get the programming help they need given the high
demand for these services. Notably, the card networks did not
release the debit specifications necessary to program terminals
to accept those cards until March 2015. That delay did not
leave enough time for many merchants to program their systems
and accept EMV by October 1st, and it added to the bottle-neck
of demand for programming services.
Following the programming phase, retailers must conduct
internal testing and trouble-shooting, and then obtain
certification by the card companies. Visa, MasterCard, American
Express and Discover each require a separate certification. On
top of that, separate certifications are required for credit,
PIN debit, and signature debit. This has been another source of
delay--particularly for small businesses. The card networks
simply have not deployed the resources necessary to get
merchants that want EMV operating on time. Finally, after the
new technology is certified, stores must conduct store-level
staff training and roll out the new system (from initial pilot
programs to taking the entire system live).
All in all, under a best-case scenario, it can take
merchants a full year--working after hours to avoid
inconveniencing customers--to install and operate new EMV
terminals. And a lot of small businesses are not facing the
best-case scenario with respect to this transition. The card
companies' certification requirements are especially
problematic because there is a shortage in the industry of
trained personnel capable of conducting the certifications.
Even large retailers are experiencing severe delays because of
this capacity shortage. Small businesses, despite their best
efforts to meet the deadline, are at the back of the line and
are having to wait even longer--years in some cases--to
complete the EMV transition process.
The U.S., with over 12 million payment terminals and about
1.2 billion cards, is the largest single-market deployment of
EMV to date. It is no small undertaking. Notably, banks have
been given additional time to get their ATMs EMV-ready; a full
two years longer, in fact, than merchants have received. But
small businesses have not been extended the same assistance,
despite the difficulties--beyond their control--with getting
their equipment programmed and certified.\3\
---------------------------------------------------------------------------
\3\ It is little wonder that this process entails substantial costs
and unreasonable timelines for retailers. The transition process has
been dictated entirely by the card companies without input from
businesses, consumers, or even banks. In Canada, by contrast, the
process of transitioning to EMV had broad stakeholder participation
throughout. Their transition to EMV, which was first announced in 2003
(as opposed to 2011 in the U.S.), took 10 years to deploy, even though
Canada's network is 1/10th the size of the U.S. network.
III. Fraud prevention benefits are lost without an
accompanying PIN requirement.
Not only is the transition process expensive and onerous
for small business owners, but businesses and consumers will
not even get full fraud-prevention benefits from it. Making
every card PIN-enabled and allowing merchants to require a PIN
on their transactions would substantially reduce fraud.
Statements Visa and MasterCard have made in other countries
suggest they agree with that assessment. Merchants are truly
dedicated to effective fraud prevention because they pay the
bulk of costs associated with card fraud. The card networks, on
the other hand, are standing in the way of achieving maximum
fraud reduction in the payment card system. Perhaps this should
not be a surprise given that those networks do not shoulder any
of the losses from fraudulent transactions.
A. Using PIN is the best way to reduce fraud.
Today, the U.S. card payment system is a fraud magnet. Even
though the U.S. market accounts for about one quarter of global
card volume, almost half of all global credit card fraud occurs
in the U.S. Allowing merchants to require PIN numbers for their
transactions would dramatically help this situation.
According to the Federal Reserve Board, PIN authentication
is six times more secure than signature authentication.\4\ When
a PIN is required, it protects against fraud in instances where
a card number or the card itself is stolen. Chip without PIN,
on the other hand, cannot do anything to prevent fraud on
stolen cards or prevent online fraud with stolen card numbers.
And, chip without PIN may not do much of anything to protect
against fraud when card numbers are stolen--which is supposed
to be the benefit of the chip. That is because all chip cards
will still have a magnetic stripe and a static account number.
Fraudsters know they can make a fake card with a fake (non-
functioning) chip and it will get run through the magstripe
reader as a back-up when the ``chip'' doesn't work. So, for
chip-without-PIN cards, we remain exposed to all forms of
fraud.
---------------------------------------------------------------------------
\4\ Federal Reserve Board, Debit Card Interchange Fees and Routing,
77 Fed. Reg. at 46,261 (Aug. 3, 2010), available at http://www.gpo.gov/
fdsys/pkg/FR-2012-08-03/pdf/2012-18726.pdf.
Chip and PIN authentication, on the other hand, has a
proven track record of significantly decreasing fraud. In fact,
Visa advertises these benefits on its own website, noting that
in the United Kingdom, fraud related to lost and stolen payment
cards has decreased by more than half since chip and PIN was
adopted there in 2004.\5\
\5\ The Benefits of Chip and PIN for Merchants, available at http:/
/www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last visited
Sept. 21, 2015).
Chip without PIN will enable fraud perpetrators to easily
shift targets. According to a recent article in the Washington
Post, ``security experts say they widely expect credit card
fraud to move online, where thieves can still use the card
number and expiration date to make fraudulent purchase.'' \6\
Requiring a PIN, however, would address that scenario. And
despite card companies' claims to the contrary, PINs can be--
and already are--used online.
\6\ Marte, Jonnelle, Get Ready to Dip, Not Swipe, Your Credit
Cards, Washington Post (Sept. 30, 2015), available at http://
www.washingtonpost.com/news/get-there/wp/2015/09/30/get-ready-to-dip-
not-swipe-your-credit-cards/.
In sum, there is simply no legitimate reason for the card
companies to move toward a PIN-less path when PIN (with or
without a chip) has proven so effective at reducing fraud.
B. Visa and MasterCard agree that PIN increases
transaction security
In 2013, Visa and MasterCard jointly petitioned the
Australian Competition and Consumer Commission for
authorization to require PIN authentication on transactions
involving their cards.\7\ In their application, they made
numerous statements in support of requiring PIN at the point of
sale, including:
\7\ See generally, Visa and MasterCard--Authorisations--A91379 &
A91380, available at http://registers.accc.gov.au/content/
index.phtml?itemId=1120516.
``The Applicants' view is that chip and PIN is a
significantly more secure form of [customer
verification method] than signature.''
``Based on the experience of the introduction of
mandatory PIN@[Point of Sale] in overseas markets (in
the UK, Canada, Europe and elsewhere), the Applicants
expect that certain types of card present fraud will
decline in Australia as a result of the introduction of
mandatory PIN@POS in Australia.''
``The Applicants note that overseas experience has
shown that fraud will move to jurisdictions where there
are lower security measures in place and in particular
jurisdictions that do not use EMV and PIN security. For
example, the UK experience has been that the countries
where fraud on UK-issued cards occurs has changed with
fraudsters focusing on countries without `chip and
PIN,' such as the United States. There has been a
similar experience in Europe. Card fraud is highly
mobile and is often internationally organized. The
coordinated introduction of mandatory PIN@POS in
Australia will increase card security in Australia and
make it a less attractive jurisdiction for
fraudsters.''
``The Applicants believe that mandatory PIN@POS is an
important step in the right direction, in terms of
reducing credit card fraud in Australia.''\8\
\8\ Submission of Visa Worldwide, Visa AP (Australia), and
MasterCard Asia/Pacific to the Australian Competition & Consumer
Commission in support of Authorisations A91379 & A91380 (Aug. 30,
2013), ``Security of Chip and PIN vs. Signature,'' pp. 1-2, available
at http://registers.accc.gov.au/content/
index.phtml?itemId=1120516&display=submission (last visited Sept. 21,
2015).
Despite their representations to the Australian authorities
and their affirmative recognition that the use of PIN does
improve transaction security, Visa and MasterCard have declined
to advance the use of PIN here in the U.S. Instead, they have
opted to incentivize chip-without-PIN cards--a move that simply
cannot be justified given their own experience and data.
IV. Merchants are committed to reducing fraud because they
pay for most of it.
Unlike the card companies, merchants are 100 percent
committed to reducing fraudulent transactions and minimizing
fraud losses because they currently bear the brunt of an
unsecure payments system. We are not opposed to making
investments in effective security measures. Unfortunately, this
very costly transition to EMV will not reduce fraud nearly as
much as it could and should, and merchants will not see the
relief that they could under a chip and PIN system.
According to an annual report by LexisNexis and Javelin
Strategy & Research on the ``True Cost of Fraud,'' in 2009,
retailers suffered fraud losses 10 times higher than financial
institutions. The report found that half of retailers' fraud
losses came from unauthorized transactions and card
chargebacks--both of which would be significantly reduced by
PIN authentication.\9\ The Mercator report has estimated that
merchant fraud losses of tens of billions of dollars a year
dwarf card-issuer losses.\10\ And merchants have no way to
remedy this situation. While the card companies give banks the
option of requiring PIN at ATMs--and every bank we are aware of
does so--they will not allow merchants to do the same. Under
the card companies' operating rules, retailers are prohibited
from requiring customers to enter a PIN when accepting debit
cards. Ultimately, merchants are at the mercy of the card
companies' policies, which, like this EMV transition, are not
designed to maximize consumer protection or card transaction
security.
\9\ Visa recognizes this fact on its Canadian website. In fact, it
promotes to retailers:
``Whatever your retail size or specialty, accepting Visa Chip &
PIN cards can result in enhanced security and convenience, helping to
improve efficiency and reduce the frequency of chargebacks due to
fraud. Businesses that accept Chip & PIN cards have benefited from . .
. Increased protection against fraud - A PIN is used for cardholder
verification and the embedded Chip in the Visa card is virtually
impossible to copy. Together these features provide you and your
customers with increased protection against fraud, which can result in
fewer chargebacks.''
``The Benefits of Chip and PIN for Merchants,'' available at http:/
/www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last visited
Sept. 21, 2015).
\10\ Cited in ``House of Cards: Why your accounts are vulnerable to
thieves,'' Consumer Reports, June 2011.
---------------------------------------------------------------------------
V. Consumers want PIN.
Card companies and banks argue that American consumers do
not want PIN. Often, they claim that consumers oppose PIN
because consumers will not or cannot remember and use a 4-digit
code, or consumers do not want to be inconvenienced by entering
a PIN. That argument is belied by consumer research and our
everyday experience with ATMs, smart phones, and other devices
requiring secure access codes.
In a recent survey commissioned by the National Retail
Federation, 62 percent of consumers stated that they would
prefer to use chip-and-PIN cards rather than chip-and-signature
cards.\11\ Visa's own statements on this issue are telling.
Visa advertises to consumers on its website in Canada (where
chip and PIN has been implemented), in a section titled ``The
Importance of PIN,'' that ``PIN transactions are easy.''\12\ On
the same website, Visa advertises to merchants that businesses
that accept chip and PIN cards ``have benefited from increased
checkout speed and improved customer service--using a PIN is 2
to 4 seconds faster than obtaining a signature . . . .'' \13\
It is difficult to fathom that the ease and convenience of PIN
for consumers and merchants is so much different between Canada
and the U.S.
---------------------------------------------------------------------------
\11\ See NRF Survey, available at https://nrf.com/sites/default/
files/Documents/Chip-and-Pin%20Consumer%20Survey%20One-Pager%2009-16-
2015%20REV.pdf.
\12\ ``The Importance of PIN,'' available at http://www.visa.ca/
chip/cardholders/importance-of-pin/index.jsp (last visited Sept. 21,
2015).
\13\ ``The Benefits of Chip and PIN for Merchants,'' available at
http://www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last
visited Sept. 21, 2015).
---------------------------------------------------------------------------
***
In conclusion, the mandated transition to EMV is flawed in
several respects. The transition process, which was developed
by the card companies with no other stakeholder input, is very
expensive for businesses, contains unreasonable timelines, and
is especially difficult for small retailers to implement. To
make matters worse, the transition will not achieve the
consumer protection and fraud-prevention benefits it easily
could. NACS strongly supports effective and meaningful efforts
to improve card security, protect consumers, and reduce fraud
losses. Unfortunately, this transition is not one of those
efforts and it will do more harm than good to small businesses.
The EMV Deadline and What It Means for Small Businesses
Statement of the National Retail Federation
October 7, 2015
The National Retail Federation submits this statement for
the record with respect to the House Small Business Committee
October 7, 2015 hearing regarding the ``EMV Deadline and What
it Means for Small Businesses.'' By way of background, the
National Retail Federation is the world's largest retail trade
association, representing discount and department stores, home
goods and specialty stores, Main Street merchants, grocers,
wholesalers, chain restaurants and Internet retailers from the
United States and more than 45 countries. Retail is the
nation's largest private sector employer, supporting one in
four U.S. jobs--42 million working Americans. Contributing $2.6
trillion to annual GDP, retail is a daily barometer for the
nation's economy. NRF's This is Retail campaign highlights the
industry's opportunities for life-long careers, how retailers
strengthen communities, and the critical role that retail plays
in driving innovation. Thousands of our retail members, and
millions of merchants of all types, whether small retailers or
other operations, such as doctors' offices, taxi drivers, or dry
cleaners, will be affected by the subject of the hearing.
It is important to note at the outset that the EMV deadline
at issue is neither legislatively established, nor is it in
fact a true deadline. Rather, it is an arbitrary date, imposed
by a consortium of card companies and banks who have, for many
years, collectively exerted near monopoly power over the
business community. This ``deadline'' is for the financial
benefit and convenience of those companies and banks. The
relationship between those powerful entities and small
businesses is purely contractual; albeit largely compulsory in
effect, since retailers and other small businesses are subject
to the substantial combined market power of the financial
institutions.
A second important note is that the standard in question,
EMV, is purely a proprietary technology of the largest card
companies and banks. EMV Co. is essentially the creation of
MasterCard and Visa. Visa and MasterCard in turn are the
collective creations of the thousands of banks and credit
unions who formed them, originally as trade associations, to
advance their card products and other interests. When Visa and
MasterCard set suggested fees that businesses must remit from
their gross sales to financial institutions, with virtually no
exceptions, every bank and credit union simultaneously imposes
those fees. There is no competition. And the fees are very
high. For many small businesses, card fees are their second
largest expense after labor.
These collective entities also impose a multitude of
complex rules on small businesses. The rules govern not only
what businesses may say or do in their stores and at their cash
registers, but also dictate steps that businesses may or may
not take to prevent fraud. It has been known for several years
that the cards U.S. consumers carry in their wallets are fraud-
prone. The rules ensure that businesses, not the card-issuing
banks, pay for the majority of that fraud. For example,
businesses are either primarily or totally responsible for
disputed transaction fraud and Card-Not-Present fraud (such as
Internet transactions), among other categories. The financial
institutions are responsible, in some instances, for
authenticating their cards. But beyond those limited
circumstances the burden of fraud has been shifted by card
company rules onto businesses. What's more, businesses are told
they must pay for fraud ``up front'' in the form of ever rising
swipe fees for the privilege of accepting cards.
Secure, PIN-protected cards (computer chips were primarily
added for other purposes) were long ago introduced in Europe
and elsewhere to combat fraud; however, the card issuing
collective rejected both measures in the U.S. for two decades.
So long as fraud was effectively being absorbed by small
businesses and others, it apparently was not a serious concern
of the card issuing consortium. The sensitive card numbers
remained exposed, not only on the magnetic stripe, but embossed
on the face of the card itself. Nearly a decade ago, NRF
strongly encouraged the card industry to remove the raw card
numbers from common circulation. The card industry rejected
that suggestion.
Rather than jointly work with the business community to
encrypt or tokenize card numbers and thus make them less
valuable to thieves, the card companies instead created yet
another entity (PCI Co.) to impose additional rules on businesses
of all sizes. It basically demanded that everyone attempt to
build even higher walls within their systems to ``protect'' the
card companies' numbers. Of course, if one builds eight foot
walls, cyber thieves will bring ten foot ladders. And they did.
Aided by ever more powerful computers, hacks on processors,
banks, merchants and networks escalated.
Fraud has increased. The type of fraud for which banks are
initially responsible has also increased. Consequently, they
and the card companies have belatedly sought to introduce into
the U.S. cards that would reduce fraud, much as they did in
Europe and Canada years ago. But they have ignored the lessons
of those countries. Rather than introduce U.S. cards with PINs
(which reduce all types of fraud), abetted by Chips (which help
reduce just in-store, counterfeit fraud), they are introducing
Chip without PIN cards; i.e. partially protective cards.
In turn, the card industry is demanding that the entire
merchant community spend between $30 and $35 billion dollars to
install Chip and PIN terminals, but, with precious few
exceptions, banks are only willing to undertake the expense of
introducing Chip without PIN cards. These new cards do not
reduce fraud across the board. They only reduce the particular
type of fraud for which the banks are primarily responsible.
Installation costs vary dramatically, from a few hundred
dollars to thousands of dollars per terminal. The only
``incentive'' merchants are given to purchase and install the
expensive new systems is the threat that merchants will be
forced to absorb not only the fraud banks already make
businesses shoulder, but also to pay the full measure of the
banks' fraud exposure if small businesses do not comply with
the consortium's mandate.
While the new cards make it somewhat more difficult for
criminals to use stolen card numbers, they do not actually
prevent numbers from being stolen in the first place, and
stolen numbers can still be used for online and other types of
fraud.
The new EMV equipment does not stop breaches. Indeed, in
many cases it provides no significant benefits either to the
business or to the business' regular customers. It is merely an
additional expense small businesses are being told to bear as
part of the card companies' efforts to extend their growing
monopoly over the payment system. If businesses can be forced
to quickly install, at significant expense, the kind of
equipment that is most compatible with EMV Co.'s and the card
companies' future business plans (EMV Card Personalization;
Chip-based contact specifications--near field communications
technology, etc.) then competitive alternatives, such as new
mobile platforms (e.g. Starbucks-style payment programs) may
effectively be locked out of the market.
These are important considerations that businesses of all
sizes must carefully ponder. It would be inappropriate to
prejudge their decision-making and stampede businesses into the
adoption of solutions less protective for businesses and
consumers than have existed throughout the industrialized world
for more than a generation.