[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]





        THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES

=======================================================================

                                HEARING

                               before the

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                            OCTOBER 7, 2015

                               __________

                 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                 
                 
                               

            Small Business Committee Document Number 114-024
              Available via the GPO Website: www.fdsys.gov
              


                              ___________   
                              
                U.S. GOVERNMENT PUBLISHING OFFICE

96-854                   WASHINGTON : 2015
   __________________________________________________________________________

  For sale by the Superintendent of Documents, U.S. Government Publishing Office
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202)512-1800
         Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001              
              
              
              
              
              
              
              
                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                        RICHARD HANNA, New York
                         TIM HUELSKAMP, Kansas
                        TOM RICE, South Carolina
                         CHRIS GIBSON, New York
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        CARLOS CURBELO, Florida
                          MIKE BOST, Illinois
                         CRESENT HARDY, Nevada
               NYDIA VELAZQUEZ, New York, Ranking Member
                         YVETTE CLARK, New York
                          JUDY CHU, California
                        JANICE HAHN, California
                     DONALD PAYNE, JR., New Jersey
                          GRACE MENG, New York
                       BRENDA LAWRENCE, Michigan
                       ALMA ADAMS, North Carolina
                      SETH MOULTON, Massachusetts
                           MARK TAKAI, Hawaii

                   Kevin Fitzpatrick, Staff Director
            Stephen Denis, Deputy Staff Director for Policy
            Jan Oliver, Deputy Staff Director for Operation
                      Barry Pineles, Chief Counsel
                  Michael Day, Minority Staff Director
                  
                  
                  
                  
                            C O N T E N T S

                           OPENING STATEMENTS

                                                                   Page
Hon. Steve Chabot................................................     1
Hon. Nydia Velazquez.............................................     2

                               WITNESSES

Ms. Stephanie Ericksen, Vice President, Risk Products, Visa Inc., 
  Foster City, CA................................................     4
Mr. Scott Everett Talbott, Senior Vice President, Government 
  Affairs, ETA/Electronic Transactions Association, Washington, 
  DC.............................................................     6
Mr. Paul Weston, President & CEO, TCM Bank, N.A., Tampa, FL......     8
Ms. Jan N. Roche, President/CEO, State Department Federal Credit 
  Union, Alexandria, VA, testifying on behalf of the National 
  Association of Federal Credit Unions...........................    10

                                APPENDIX

Prepared Statements:
    Ms. Stephanie Ericksen, Vice President, Risk Products, Visa 
      Inc., Foster City, CA......................................    33
    Mr. Scott Everett Talbott, Senior Vice President, Government 
      Affairs, ETA/Electronic Transactions Association, 
      Washington, DC.............................................    39
    Mr. Paul Weston, President & CEO, TCM Bank, N.A., Tampa, FL..    47
    Ms. Jan N. Roche, President/CEO, State Department Federal 
      Credit Union, Alexandria, VA, testifying on behalf of the 
      National Association of Federal Credit Unions..............    52
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    American Bankers Association.................................    67
    The National Association of Convenience Stores (NACS)........    75
    The National Grocers Association (NGA).......................    83
    The National Retail Federation (NRF).........................    88

 
        THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES

                              ----------                              


                       WEDNESDAY, OCTOBER 7, 2015

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 11:00 a.m., in Room 
2360, Rayburn House Office Building. Hon. Steve Chabot 
[chairman of the Committee] presiding.
    Present: Representatives Chabot, Luetkemeyer, Hanna, Rice, 
Gibson, Brat, Radewagen, Knight, Curbelo, Bost, Hardy, Kelly, 
Velazquez, Chu, Hahn, Payne, Meng, Lawrence, Takai, and 
Moulton.
    Chairman CHABOT. Good morning. The Committee will come to 
order.
    One week ago marked the official deadline for implementing 
the new EMV chip card technology. The shift away from 
traditional magnetic stripe credit cards to ones embedded with 
a chip adds an additional layer of security to every purchase, 
making our financial data less accessible to cyber criminals. 
The transition to EMV chip technology impacts every American 
consumer and is of great importance to this Committee. But just 
how much does the average American know about this transition? 
Many have probably received a new card in the mail, fewer have 
probably dipped their card into a new payment terminal, and 
many more may not know that a change is even taking place.
    Given the number of electronic transactions that occur 
every day, this is a serious transition, and with it are some 
serious concerns. Small retailers are worried about the cost of 
implementing these new payment terminals, and then taking time 
to train staff on how to use them, and finally, helping 
consumers learn how to use them. And even though the technology 
shift was intended for October first, many credit card 
companies are still behind in issuing new cards to consumers. 
This poses significant challenges to sorting out liability 
issues in the case of cyber theft.
    There are also questions about how much this actually does 
for security. For instance, when chip-enabled cards were 
introduced in the United Kingdom, fraudulent charges with 
counterfeit cards at the point of sale fell by 56 percent, but 
online fraud increased by 64 percent. These challenges are 
real, and they impact every American consumer and most small 
businesses.
    Unfortunately, this transition seems to be catching many 
people off guard. A recent survey by the NFIB, the National 
Federation of Independent Business, found roughly half of small 
employers who accept electronic payments were only somewhat 
familiar with EMV chip cards and a full 23 percent did not know 
anything about them at all.
    Let me be clear. I did not convene this hearing today to 
take sides on this topic. This is a transition motivated by the 
private sector, not by any government regulation. And this 
Committee concerns itself with one thing, and that is the 
impact of this transition on small businesses. To fully 
understand that impact we must speak with all those involved. 
Today, we start by speaking with those who process our 
financial transactions. In a couple of weeks, we will speak 
with the small businesses and retailers who must purchase new 
payment terminals or risk being held liable for using old 
technology. We need to make sure everyone knows what is 
happening. The panel we have today, and those who will join us 
in our subsequent hearings will help us do that.
    I want to thank the witnesses for joining us this morning 
to share their point of view on this transition and what it 
means for small businesses.
    At this time, I recognize the ranking member for her 
opening statement.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Every day, millions of Americans use their credit cards and 
debit cards to make purchases. With increasing regularity, 
people are using them to buy everything, from candy to flat 
screen TVs, and even engagement rings. According to the Federal 
Reserve, card purchases now account for over $4.8 trillion in 
consumer transactions annually, a twofold increase since 2007.
    As consumer buying habits have moved toward the use of 
cards, merchants, especially small businesses, have had to 
follow suit if they want to stay competitive. We have all seen 
this progression. In just a few years, virtually every corner 
store and even vendors at farmer markets have become card-
enabled. While the use of electronic payments has increased in 
the last decade, so, too, has point-of-sale fraud, which occurs 
when thieves steal the unencrypted account numbers stored on a 
card's magnetic strip.
    Until recently, the U.S. was one of a handful of countries 
that still used magnetic strip cards exclusively. As a result, 
our country has been responsible for nearly half of all point-
of-sale fraud globally, totaling $6.4 billion, while accounting 
for less than a quarter of all transactions. In an effort to 
decrease such fraud, MasterCard and Visa set a deadline of 
October 1, 2015, for U.S. card issuers to replace magnetic 
strip cards with EMV cards and for merchants to begin accepting 
them.
    EMV cards offer a significantly higher level of data 
security than stripe cards. Data on the chip is secure using 
both hardware and software security measures, so even if the 
card data is compromised, the chip itself will still be 
difficult to counterfeit.
    While EMV is a step in the right direction that will lead 
to greater economic efficiency, implementation has been slow on 
both sides of the equation. Many financial institutions, and 
even more merchants are not yet in compliance, despite the 
announced transition being made over two years ago. In a 
troubling sign, millions of cards have now been replaced, and 
nearly one in two merchants has not upgraded their terminals to 
accept EMV cards.
    In the many discussions I have had with stakeholders, the 
main barriers seem to be lack of awareness in the small 
business community, high costs to upgrade, and disagreements 
over verification methods. For small merchants, obtaining new 
terminals which range from $50 to $600 can be cost prohibitive 
in light of the amount of risk they face. For the deli or 
bakery owner, small day-to-day transactions are an unlikely 
target for thieves with stolen card numbers.
    It is also an important distinction that EMV chips will 
protect against counterfeit cards but cannot eliminate fraud if 
it is lost or stolen. That is where authentication comes into 
play. Small merchants have raised concern regarding the 
financial industry's preference for signature verification over 
the use of a PIN.
    As we all know, there have been outspoken proponents on 
both sides. Merchants have expressed the view that PIN is more 
secure, while financial firms have backed the signature method 
as just as secure and also more convenient.
    I look forward to hearing about these issues. Regardless of 
which method is used, most observers, including the Federal 
Reserve Board, agree the chip cards will provide a more secure 
payment environment. Technological innovation holds great 
promise to spur economic activity.
    EMV is not hack proof, but it is far safer than the 
magnetic strip status quo. As the first step in a move toward 
greater protection for our financial transactions, a smooth 
transition to EMV will lay the groundwork for new ways to 
secure our data, including biometrics. I look forward to 
hearing how the financial services industry is handling issues 
surrounding the EMV transition both in its own conversation as 
well as how they are assisting their small business clients.
    And with that, I want to take this opportunity to thank all 
the witnesses for being here today.
    Chairman CHABOT. Thank you very much.
    If Committee members have opening statements, I would ask 
that they submit them for the record.
    And I will take a moment to explain our timing rules here. 
It is basically the five minute rule. You all get five minutes 
to testify and then we get five minutes to ask questions, and 
there is even a lighting system. The green light will be on for 
about four minutes. The yellow light will come on letting you 
know you have about a minute to wrap up, and when the red light 
comes on, if you would not mind concluding your testimony then 
or close to then we would greatly appreciate it.
    I would now like to introduce our distinguished panel here 
this morning. Our first witness is Stephanie Ericksen, vice 
president of Risk Products at Visa. Since joining Visa in 1994, 
she has been actively involved in developing the global 
smartcard implementation strategy. She is a graduate of the 
University of California-Los Angeles where she received a B.A. 
in History with specialization in Business Administration. She 
also holds an MBA in Marketing from Santa Clara University, and 
we welcome her here this morning.
    Our next witness is Scott Talbott, who is the senior vice 
president for Government Affairs at the Electronic Transactions 
Association. He received his B.A. from Georgetown University, 
and his J.D. from George Mason University School of Law. We 
welcome you as well.
    Our third witness this morning is Paul Weston. He has been 
president and CEO of Tampa Florida's TCM Bank since 2002. 
Today, TCM serves 200,000 cardholders and sponsors 640 
community banks for competitive credit card services, in 
addition to providing ICBA member banks with payment card 
consultations. He graduated from Michigan State University, and 
completed the Graduate School of Retail Bank Management at the 
University of Virginia.
    And I would now yield to our ranking member, Ms. Velazquez, 
for introduction of our next witness.
    Ms. VELAZQUEZ. It is my pleasure to introduce Jan Roche. 
She is the president and CEO of State Department Federal Credit 
Union in Alexandria, Virginia. Jan has over 30 years of 
experience in financial credit union leadership. In addition to 
chairing the Community Depository Institutions Advisory Council 
for the Fifth District Federal Reserve Bank, she also serves as 
treasurer of the Credit Union Cherry Blossom 10-Mile Run here 
in D.C. Jan was elected to the NAFCU Board of Directors in 
2013. Ms. Roche received her Bachelor of Science in Business 
Administration from the University of Richmond, and she is a 
certified public accountant in the Commonwealth of Virginia. 
Welcome.
    Chairman CHABOT. Thank you very much.
    Ms. Ericksen, you are recognized for five minutes.

    STATEMENTS OF STEPHANIE ERICKSEN, VICE PRESIDENT, RISK 
    PRODUCTS, VISA INC.; SCOTT EVERETT TALBOTT, SENIOR VICE 
    PRESIDENT, GOVERNMENT AFFAIRS, ELECTRONIC TRANSACTIONS 
 ASSOCIATION; PAUL WESTON, PRESIDENT AND CEO, TCM BANK, N.A.; 
 JAN N. ROCHE, PRESIDENT/CEO, STATE DEPARTMENT FEDERAL CREDIT 
                             UNION

                STATEMENT OF STEPHANIE ERICKSEN

    Ms. ERICKSEN. Thank you. Thank you, Chairman Chabot, 
Ranking Member Velazquez, and members of the Committee. My name 
is Stephanie Ericksen, and I am vice president of Risk Products 
at Visa. Thank you for the invitation to discuss Visa's ongoing 
efforts to help transition the U.S. to EMV chip technology and 
what this means for small businesses. Given the current cyber 
threats, we need to move the payments industry away from static 
account information that can be stolen and used for fraud, to 
smarter, dynamic technologies that make payment data useless to 
criminals. Chip is an important part of this fundamental change 
in the payment system, and we are working to incentivize 
consumers and businesses to make the shift.
    For those who are unfamiliar with chip cards, let me 
provide an overview of what they are and how they work. An EMV 
chip is a microprocessor that is embedded in a payment card or 
mobile phone. When a consumer uses a chip card at a terminal, a 
unique one-time code is generated, or cryptogram. This type of 
authentication adds a substantial layer of security and 
prevents cybercriminals from creating counterfeit cards. 
Counterfeit fraud represents approximately two-thirds of the 
fraud that occurs in stores today, so as you can see, chip 
makes merchants less attractive targets for criminals.
    In August 2011, Visa announced a roadmap to transition the 
U.S. to chip, and put in place a set of incentives to encourage 
adoption by financial institutions and merchants. A part of the 
incentive program, the party that has not implemented EMV by 
October 1st will be responsible for the loss from instore 
counterfeit fraud.
    Getting the word out about this transition has been a key 
focus, and Visa has dedicated significant resources to raising 
awareness and providing small businesses with the tools they 
need and the information to adopt chip technology. In March, 
Visa launched our 20-city education tour to show small business 
owners how to demonstrate the value of chip. To date, we have 
traveled to 16 cities, including Cincinnati, New York, Miami, 
and Denver, to name a few, and more than 1,000 small business 
owners have turned out to learn about chip.
    To amplify our efforts, we are closing working with other 
partners to provide critical resources to small businesses like 
the SBA, the NFIB, and local chambers of commerce across the 
country. Visa created a number of online resources, including 
visachip.com, which contains information specifically for the 
small business community. We have also worked with terminal 
providers to make transitioning to chip more easily accessible, 
especially to smaller merchants.
    The cost of upgrading has been a key focus for us, and I 
want to highlight that low-cost chip terminal options are 
available for less than $100, and in many cases, the terminal 
is included in the cost of the service. For example, Square 
recently announced a new $49 reader that accepts EMV chip 
cards, as well as NFC mobile payments like Apple Pay and 
Samsung Pay.
    This raises an important point for all of the mobile 
payment fans out there. When small business owners upgrade to 
chip-enabled NFC terminals, they are not just investing in 
payment and data security; they are also positioning themselves 
to accept the next generation of secure mobile payment 
technologies.
    I want to emphasize that this is not a mandate. Visa's 
roadmap was designed with flexibility in mind, allowing 
businesses to make the transition on a timetable that meets 
their needs. In other words, October 1st marked the beginning 
of the process that will ultimately lead to near universal 
adoption of chip technology in the U.S., and we are pleased to 
report that great progress has already been made in this 
migration effort. Retailers, and particularly small businesses 
are making great strides. As of September 15th, more than 
314,000 merchant locations are accepting EMV, which represents 
a 470 percent year-over-year increase. Just last month, roughly 
50 percent of the $4 billion in Visa chip transaction volume 
occurred at small businesses.
    We are also seeing significant progress on the issuing 
side, with more than 150 million Visa chip cards in circulation 
in the U.S., up from roughly 20 million a year ago, making U.S. 
now the largest chip card market in the world.
    It is important to note that while EMV eliminates instore 
counterfeit fraud, it does not prevent fraud in the online 
environment. To help mitigate this, Visa developed technology 
called tokenization, which replaces the 16 digit account number 
with a unique digital token. When fully deployed, tokenization 
in combination with chip could virtually eliminate the need for 
small businesses to store cardholder account numbers.
    Today, with the expertise gained from years working with 
merchants and financial institutions, Visa supports a wide 
variety of cardholder verification methods, including 
signature, PIN, and no-card verification for low-risk 
transactions, which represent over 60 percent of our 
transaction volume. However, we see dynamic verification 
technologies as the way forward, and I would like to share a 
few of these future technologies with you.
    In February, Visa launched a new opt-in service that uses 
mobile geolocation information to reliably predict whether it 
is the accountholder or an unauthorized user who is making a 
payment with a Visa account. In addition, last month, Visa 
introduced a new specification that can enable a range of 
biometrics in the authorization of payments, such as 
fingerprint or voice biometrics. This innovative technology is 
just rolling out but has great promise for protecting consumers 
in years to come.
    There has been great progress in the past year in the U.S. 
transitions to EMV chip, but we must continue to work together 
to protect all stakeholders in the payment space, including 
small businesses.
    Thank you for the opportunity to testify today, and I would 
be happy to answer any questions you may have.
    Chairman CHABOT. Thank you very much.
    Mr. Talbott, you are recognized for five minutes.

               STATEMENT OF SCOTT EVERETT TALBOTT

    Mr. TALBOTT. Thank you. Mr. Chairman, Ranking Member 
Velazquez, members of the Committee, I am Scott Talbott. I am 
senior vice president for Government Affairs at the Electronic 
Transactions Association, or ETA. Our member companies 
essentially represent all the major players and many of the 
minor players in the payment space. We focus on the acquiring 
side, which means we are the connection between the merchants 
and the payment system. So we are the handshake that helps make 
all these transactions possible.
    This ecosystem and the payments ecosystem is one where the 
process is transacted securely and quickly, whether the 
consumer pays with a credit card, a debit card, a prepaid card; 
whether they tap, dip, swipe over the phone or over the 
Internet. And contextually, 70 percent of all consumer spending 
is done electronically. Last year, electronic payments totaled 
over $5 trillion, with a ``T''. By 2017, we project that ETA 
members will process over $7 trillion in electronic payments.
    Combatting fraud is a major focus for ETA members, and our 
payment system is built to detect and prevent fraud and to 
insulate consumers from liability. It is important to note that 
both before and after this EMV transition, consumers will enjoy 
zero liability for any fraud when using electronic payments.
    Billions of dollars of fraud occur each year, and the 
largest category is counterfeit fraud. This is where a thief 
steals your active account number, makes a fake card, and goes 
and uses it instore. Chip cards work to prevent this fraud by 
creating a special dynamic one-time code that runs with each 
transaction. So frauds who obtain a chip card account number 
will not know what this code is, and therefore, cannot create a 
counterfeit card to be used in stores.
    As Stephanie mentioned to incentivize the industry to 
migrate to chip, last week, October 1st, the networks 
implemented a voluntary long-planned liability shift for 
payment card transactions. Liability shift means any 
participant, whether it is a bank or a merchant, who is not 
chip compliant, could be responsible for instore counterfeit 
fraud.
    To make the switch, chip cards require the cooperation of 
eight million banks and credit union who have to issue 1.2 
billion cards in the U.S., eight million or so merchants who 
are going to upgrade their equipment, as well as consumers are 
going to have to switch from the familiar swipe to a dip.
    Small businesses across the board are beginning to become 
EMV compliant, and I would like to talk about the way they 
think about this process. First is the cost. The cost of 
upgrading one chip terminal is around at least $50. I brought 
an example of one here today. CardFlight based in New York 
offers it for about $50. The cost for each merchant depends on 
the complexity of their system. If they have multiple 
terminals, or if they have integrated terminals, the cost is 
going to be much higher, but on average it is going to cost 
about $100.
    So each merchant will have a different risk of fraud. They 
have a different fraud threat matrix, and it will compare this 
fraud threat matrix that they have to the cost of the upgrade, 
and those merchants who experience a lot of counterfeit card 
fraud because they sell easily marketable goods and services, 
like jewelry or electronics, they are more likely to be chip 
compliant, and if they are not, they will be quickly.
    Those merchants that sell services and less marketable 
goods, like hotels or car washes or dry cleaners, are less 
likely to be complaint at this point. They may delay their 
decision to convert.
    Once a decision to switch to chip cards is made, the 
merchant will work with their processors and other entities to 
get their terminal certified. This is essentially a quick audit 
that is done. For one terminal it is relatively simple, but if 
you have a complex number of terminals, it could take longer to 
become certified. And many processors are working with 
merchants who, if they requested to be certified before October 
1, the start of the transition, if they are not complaint now, 
then the processor will actually cover the fraud for that 
particular merchant while they work to get them compliant.
    To assist small businesses with the migration to chip, the 
payments industry is working with a large number of programs, 
both financial incentives, as well as educationally, both at 
the small business as well as at consumers. ETA, for example, 
has an educational website, sellsafeinfo.org, which is aimed at 
helping small businesses, and we will continue to work with 
them through the process. We are also working with state AGs 
and state regulators to help get the message out to consumers.
    As I said earlier, chip cards only protect against instore 
counterfeit. They do not protect against online fraud. As we 
know from our experiences in Europe and Canada, the fraudsters 
will simply shift their focus from counterfeit cards to online 
fraud. To address online fraud, the industry is deploying 
another technology called tokenization. Tokenization 
essentially replaces the payment card information with a unique 
identifier that cannot be reversed. Another layer of protection 
that is being deployed by ETA members is point-to-point 
encryption. With point-to-point encryption, the data is 
encrypted during the transition process as the information runs 
across the systems and merchants or thieves cannot grab the 
information and use it to make fake cards.
    So in conclusion, ETA members are the first line of defense 
against fraud and we take this very seriously, and every day we 
deploy a number of technologies--chip, tokenization, 
encryption, biometrics, and other technologies to help protect 
consumers, merchants, as well as the payment system from fraud.
    Thank you for the opportunity to testify. I look forward to 
your questions.
    Chairman CHABOT. Thank you very much.
    Mr. Weston, you are recognized for five minutes.

                    STATEMENT OF PAUL WESTON

    Mr. WESTON. Chairman Chabot, Ranking Member Velazquez, 
members of the Committee, my name is Paul Weston, and I am 
president and CEO of TCM Bank in Tampa, Florida. I testify 
today on behalf of more than 6,000 community banks represented 
by the Independent Community Bankers of America. Thank you for 
convening today's hearing.
    TCM is a $180 million credit card bank. We issue and 
service credit cards to 200,000 consumer and small business 
customers for 650 community banks across the country. We adhere 
to the values and standards of service of our community bank 
clients, and by functioning as their back office for credit 
cards, we allow community banks to focus on their core 
competencies, small business consumer, and farm lending. 
Community banks are uniquely positioned to help their small 
business customers make a smooth transition to EMV and are 
committed to doing so.
    EMV, or chip cards, are much more secure than magnetic 
stripe cards because they are significantly more difficult to 
counterfeit. Counterfeit cards made with stolen information 
represent the largest portion of payment card fraud in the U.S.
    While consumers are protected against loss, having to 
replace a credit card or a debit card is inconvenient for them 
at best. EMV, together with merchant-provided chip readers at 
the point of sale will play a critical role in reducing 
counterfeit fraud. Community banks are joining other financial 
institutions in the orderly migration to deploy EMV chip 
technology for debit and credit cards. Recent reports indicate 
that roughly 4 in 10 consumers already have an EMV credit card.
    There is no mandate that card issuers adopt EMV or that 
retailers invest in EMV chip card readers. However, new card 
industry rules that took effect on October 1st incentivize a 
shift to EMV technology. The new rules provide that the 
liability for fraudulent transactions sits with the party, the 
retailer, or the issuing bank that has not upgraded to chip 
technology, where neither party is yet EMV complaint or where 
both parties have upgraded, the pre-October 1 liability rules 
prevail. That is to say that the issuing bank is responsible 
for fraud losses.
    October 1st is not a deadline in a meaningful sense of the 
word. Instead, the liability shift serves as a catalyst for 
change. Already, many card issuers in many merchant locations 
have enabled EMV. Others will adopt it before year-end, and 
some will choose to defer it until 2016 or even beyond. Each 
issuing bank and each merchant will decide when to adopt EMV 
based on their own business model, their vulnerability to 
fraud, and their management of risk. We expect the migration to 
full EMV chip card usage to take several years.
    Based on many conversations with community banks and their 
small business customers, I believe that most small businesses 
are taking a very prudent approach to this migration. They are 
not buying from the first terminal salesman that makes the 
phone call, but they are planning to closely follow as the 
larger national retailers in their marketplace begin to enable 
EMV at the point of sale.
    Community banks will serve as an important ally and 
resource to retail small businesses making this transition. 
They will help their merchant customers by providing equipment, 
expertise, and education to guide them through the change. 
Since community banks are local, they serve as the ``feet on 
the street,'' especially for the small businesses in their 
communities.
    While EMV chip cards are an effective means of reducing 
fraud related to counterfeit, they are not a panacea for all 
types of payment card fraud. Multiple layers of security are 
needed in addition to EMV to mitigate the other types of fraud. 
End-to-end encryption should be deployed to protect cardholder 
information in transit, and newer technologies, such as 
tokenization, should and will be developed and deployed to 
protect online transactions.
    Some are insisting that PIN technology in combination with 
EMV is the only way to eliminate payments fraud, but PINs only 
protect against fraud in cases of lost or stolen cards, which 
is a relatively small portion of total fraud. What is more, as 
a static data element, the PIN is more vulnerable to compromise 
than active technologies like EMV or tokenization.
    The most important thing for cardholders to know is that 
they are fully protected from fraud losses as all the major 
credit card brands have zero liability provisions for consumers 
and small businesses. The Electronic Funds Transfer Act limits 
consumer liability for fraud on debit cards. Customers should 
also know that banks are subject to rigorous examination and 
supervision of their data security policies and procedures. We 
believe that similar standards should apply to all industries 
that handle sensitive customer financial information.
    In conclusion, I fully expect that the critical partnership 
between local community banks and their small business 
customers will help ensure a smooth transition to EMV and a 
more secure environment for all payment card users.
    Thank you again for the opportunity to testify today, and I 
look forward to your questions.
    Chairman CHABOT. Thank you very much.
    Ms. Roche, you are recognized for five minutes.

                   STATEMENT OF JAN N. ROCHE

    Ms. ROCHE. Good morning, Chairman Chabot, Ranking Member 
Velazquez, and members of the Committee. My name is Jan Roche, 
and I am testifying today on behalf of NAFCU. I serve as the 
president and CEO of the State Department Federal Credit Union.
    NAFCU appreciates the opportunity to appear before you 
today to discuss EMV. Due to the traveling habits and job 
assignments of many of our members, State Department Federal 
Credit Union was one of the first financial institutions in the 
U.S. to start issuing EMV credit cards. Today, our credit card 
portfolio of over 28,000 cards is now 100 percent EMV enabled.
    EMV is the established worldwide standard for chip cards. 
EMV cards are still plastic but they contain an embedded 
microchip that makes it harder to produce a counterfeit card 
that can be used at a point-of-sale terminal. This is because 
the chip generates a new random number identifier for each 
transaction. If that data is stolen, it is not traceable back 
to the account. It is the EMV chip technology that makes the 
new cards more secure, not a PIN or signature. While EMV is the 
new market standard for combatting fraud at the point of sale 
and assigning liability when a fraudulent credit card is used, 
it is not a silver bullet solution to the broader problem of 
data security. Also, a chip card can only be effective if the 
point of sale terminal is configured to accept it.
    It is important to note that the EMV transition in the U.S. 
is a voluntary one established by the market, and not a 
government mandate. Neither financial institutions, nor 
merchants, have been forced to transition. The speed of 
shifting to EMV is essentially a business decision that is 
dependent upon risk tolerance. Consumers are not liable for 
fraud losses in general. All credit cards have zero liability 
provisions for consumers and consumer liability is limited for 
any fraud on debit cards. This is true whether or not a card or 
business is EMV enabled.
    NAFCU has found that a majority of credit unions are 
transitioning quickly and effectively to EMV. Even prior to the 
announced shift in liability, many were already providing EMV 
credit cards to their members as they issued new cards or 
replaced older magnetic stripe cards. This is true even though 
there is a greater cost for EMV cards at credit unions. At 
State Department Federal Credit Union, our cost for producing 
an EMV card is nearly double a non-EMV card.
    A truly secure payment system must be one that evolves to 
meet emerging threats and utilizes a wide range of 
authentication technologies--EMV, tokenization, encryption, 
biometrics, and more. There is no panacea to avoid data theft.
    Accordingly, NAFCU does not support any single solution, 
such as a PIN mandate, to require consumers to enter PINs for 
every transaction. A PIN is a static data element that is still 
vulnerable to theft. A PIN mandate would not have helped 
prevent recent consumer data breaches, such as Target, Home 
Depot, or Michaels.
    Requiring PINs would not prevent online or mobile fraud, 
often referred to as ``card not present'' fraud. This type of 
fraud is also expected to rise significantly after the EMV 
transition, as it has in other countries after their EMV 
transitions. For my credit union, ``card not present'' fraud 
was about 40 percent of our gross fraud this past year.
    NAFCU has long supported comprehensive data and 
cybersecurity measures to protect consumer sensitive data. 
Credit unions and other financial institutions already protect 
data consistent with the provisions of the 1999 Gramm-Leach-
Bliley Act. Unfortunately, there is no similar regulatory 
structure for other entities that may handle sensitive personal 
and financial data. GLBA requires financial institutions to 
address the risks presented by the complexity and scope of 
their business. This allows flexibility and ensures the 
regulatory framework is workable for both the largest and 
smallest financial institutions. Gramm-Leach-Bliley is an 
example of how scalability is achievable for varying sized 
businesses.
    In conclusion, a truly secure payment system must be one 
that is constantly evolving to meet emerging threats and uses a 
wide range of dynamic authentication technologies--EMV, 
tokenization, encryption, biometrics, and more. When it comes 
to EMV, what matters most is the chip technology that makes the 
cards more secure. Requiring additional measures, such as PIN 
usage does not make substantial improvements to the system. 
NAFCU encourages you to support H.R. 2205, the Data Security 
Act of 2015. This bipartisan legislation creates a national 
data security standard that is flexible and scalable. 
Ultimately, consumers will only be protected when every sector 
of the industry is subject to strong federal data security 
standards that are enforced by corresponding regulatory 
agencies.
    Thank you for the opportunity to appear before you today. 
On behalf of NAFCU, I welcome any questions you may have.
    Chairman CHABOT. Thank you.
    I recognize ourselves to ask questions, and I will 
recognize myself first for five minutes.
    Today is October 7th. The deadline for transition to this 
new technology is about a week old now. And I am going to have 
a little audience participation here. Just by a show of hands, 
how many in the audience used a credit card to purchase 
something over the last week? If we could just see a show of 
hands. Virtually, everybody in the room. I am not going to ask 
you what you purchased, but how many of you, if you know, used 
this new chip technology? Okay, quite a few. Excellent. Well, I 
appreciate that very much.
    I know my staff could not use the new chip technology when 
they tried to do so in the cafeteria downstairs in this 
building this week, so that is something we probably need to 
work on. And we have had a similar shift before from paper 
processing to electronic processing. So we have experienced 
this to some degree before, and that certainly seems to have 
caught on, although I generally use cash myself.
    So my first question is, and I will ask you, Ms. Ericksen, 
how is the transition going? I know it is still very early in 
the process, but how is it going?
    Ms. ERICKSEN. Thank you, Mr. Chairman.
    So we know from other countries that have moved to chip 
technology, it typically takes about two or three years after 
the liability shift date to get to roughly 60 or 70 percent of 
a company's domestic payment volume being a chip card used at a 
chip terminal. So we are in very good shape in terms of being 
that we are really at the starting point of moving the west 
towards using this technology more frequently. And it typically 
takes about four or five years after the liability shift date 
to get to greater than 90 percent of the payment volume being 
chip-on-chip, or chip authenticated, if you will. So the fact 
that we already have more cards here in the U.S., more chip 
cards here in the U.S. than any other country, and great 
participation, particularly from many of the major retailers 
that even just turned on on Friday and Saturday last week, we 
are seeing increasing growth on the payment volume side of 
things.
    If you look at consumers, many consumers have at least one 
card in their wallet; many of them have more than that. What we 
have seen from our research as of July is roughly 60 percent of 
consumers have at least one chip card in their wallet, and as 
of that time in July, 30 percent of them had done at least one 
chip transaction. But we know that many retailers just enabled 
in August and September, and many are enabling this month as 
well, so we are seeing that increase almost on a daily basis in 
terms of the actual penetration of people doing a chip 
transaction going forward.
    Chairman CHABOT. Thank you. Let me ask you another 
question. The shift to payment cards with computer chips has 
happened, as we know, in other places all around the world, 
including Europe where the technology has been used for about 
20 years now. What has the impact on fraud rates been in Europe 
specifically since the implementation of the EMV chip card? And 
what effect do you think that chip and PIN has had on instances 
of fraud in Europe? And what does that mean for the 
implementation here in the U.S.? What additional levels of 
security are financial service providers working on to better 
protect businesses and consumers and strengthen data security?
    Ms. ERICKSEN. Yeah. Unfortunately, Visa Europe is a 
separate legal entity from Visa Inc., so I can speak to other 
parts of the world that have moved to chip technology around 
the same time and same pace compared to Europe.
    Chairman CHABOT. Who would we need to go to to get the 
information?
    Ms. ERICKSEN. Someone from Visa Europe or someone from 
Europe.
    Chairman CHABOT. Can you recommend anybody on that?
    Ms. ERICKSEN. We can get back to you on that for sure.
    Chairman CHABOT. Okay. I would appreciate that very much.
    Ms. ERICKSEN. We do have data to share though from other 
countries if you would like to hear that, from Australia, 
Brazil, and Canada.
    Chairman CHABOT. I will get that later, but I have got a 
minute and 18 seconds left.
    Ms. ERICKSEN. Okay.
    Chairman CHABOT. A whole lot of questions, so
    I understand that the cost is a deterrent to small 
businesses as we know, as well as training the employees to use 
the new system and even educating customers about how to use 
the new terminals, and these appear to be hurdles for small 
businesses, and this Committee is the Small Business Committee, 
so we are obviously very concerned about the impact this will 
have on small businesses. How are small businesses supposed to 
overcome some of these obstacles? And what are some of the 
challenges that they face? Are financial service providers 
offering any assistance to businesses that encounter these 
problems?
    Mr. Talbott?
    Mr. TALBOTT. Thank you. Good question. I think many 
financial institutions, as well as other entities like 
processors, are offering both financial incentives. American 
Express, for example, set aside $100 million to help in this 
process. Other companies are providing low costs. For example, 
this CardFlight, this is $50 attached to the merchant's phone 
to go on the low end. But there are lots of financial 
incentives, as well as educational incentives. There are 
videos, there are instore demonstrations, there is 
teleconferencing. The payments industry is working very hard to 
help the small merchant get to this process. The end result is 
to protect everybody themselves as well as consumers from 
fraud, and that is the ultimate goal.
    Chairman CHABOT. Thank you very much. My time is expired.
    I will recognize the ranking member, Ms. Velazquez, for 
five minutes.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Ms. Roche, as we know, under the new EMV agreements, 
liability to reimburse consumers for fraud loss shifts to the 
party that has not upgraded to EMV technology. What is the 
process for making consumers whole, and do they contact their 
bank like they have in the past? What is the process?
    Ms. ROCHE. So the process will not change. The consumers, 
if they have noticed a fraudulent transaction on their account, 
they will contact their bank or credit union, whoever issued 
the card. And then my credit union specifically will reimburse 
the consumer, give them provisional credit, and then we will 
work it out on the back end as far as whether or not we recover 
those funds from a merchant.
    Ms. VELAZQUEZ. Thank you.
    Ms. Ericksen, small businesses pay considerable sums of 
money to accept payment cards. Reasons given for these fees 
have often included the cost of fraud. If EMV successfully 
reduces fraud, will Visa commit to reducing swipe fees on its 
cards commensurate with that fraud reduction?
    Ms. ERICKSEN. Well, our interchange rates that we have set 
are consistent across the industry in terms of incentivizing 
participation for issuers to issue cards as well as merchants 
to accept payments.
    Ms. VELAZQUEZ. But hasn't one of the arguments always been 
the cost of fraud?
    Ms. ERICKSEN. Fraud is one component of it, including the 
credit risk of lending that credit to the cardholders.
    Ms. VELAZQUEZ. So how would you factor in if we see that 
there is a reduction in fraud, how will that----
    Ms. ERICKSEN. Yes. Well, unfortunately, the criminals 
continue to invest in strategies in being able to commit fraud 
as well, so we need to continue to invest in the ability to 
address that fraud. So even though EMV is one technology that 
is going to help drive fraud down, we need to continue to 
invest in analytics and other types of authentication 
technologies that continue to stay one step ahead of the 
criminals, because, unfortunately, they are going to continue 
to try to do that as well.
    Ms. VELAZQUEZ. I just cannot help myself but laugh.
    Ms. ERICKSEN. I am sorry, what is your question?
    Ms. VELAZQUEZ. There is also typically two tiers of 
interchange fees for instore and online transactions.
    Ms. ERICKSEN. Excuse me. We are not sure what the question 
is.
    Ms. VELAZQUEZ. No, it is a statement.
    Ms. ERICKSEN. Oh, okay.
    Ms. VELAZQUEZ. Yeah. Will there be a day when we see a 
reduction? Also, in terms of Europe, you will provide Mr. 
Chabot the information on whether the percentage of fraud has 
gone down, correct?
    Ms. ERICKSEN. The only statement that I have is the 
interchange fees that we have are very competitive, and they 
incentivize participation from both issuers and merchants to 
participate in accepting electronic payments, and we continue 
to invest in security and technologies to make that convenient, 
as well as to continue to provide consumers confidence in using 
electronic payments.
    Ms. VELAZQUEZ. Mr. Talbott, thank you. In Europe where the 
EMV chips have been in use for decades, point-of-sale fraud is 
virtually nonexistent. What took so long for the standard to be 
implemented here in the U.S.?
    Mr. TALBOTT. It is two different systems. Probably a better 
way to answer the question is, why was Europe implemented to 
quickly? And the answer is they did not have continuous access 
to the Internet that we do. So in Europe when a card was 
presented, the merchant needed a way to verify that transaction 
at that point since they would have to batch their transactions 
for authorization later that day when they could access the 
Internet. And the chip helped them do that, to verify the card 
at that point. They could not do it later when they went for 
authorization because the customer was gone. The U.S., by 
contrast, has always enjoyed continuous access to the Internet 
and the ability for merchants to process and gain authorization 
of that transaction in a couple seconds. And so there was less 
of a need for other authentication methods at the point of 
sale, which is why the U.S. is now and soon will be aligned 
with the U.S.
    One other quick point, as we look at other technologies 
like tokenization and encryption, the U.S. is far ahead of 
Europe and other countries in developing and implementing 
those. And so these things do not move exactly lock step. It is 
sort of a cat and mouse type of approach.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Chairman CHABOT. The gentlelady yields back.
    The gentleman from Nevada, Mr. Hardy, who is chairman of 
the Subcommittee on Investigations, Oversight, and Regulations 
is recognized for five minutes.
    Mr. HARDY. Thank you, Mr. Chairman.
    Ms. Roche, I would like to start with you. In your 
testimony you mentioned that the largest consumer data breaches 
that happened in places like Target and Home Depot would not 
have been averted by a PIN. Do you believe this EMV would have 
averted those same targets?
    Ms. ROCHE. It would not have averted the breach itself, but 
it would have made it very difficult to counterfeit the cards. 
It is difficult to counterfeit the chip in the card so the 
cards can then be used to commit fraud.
    Mr. HARDY. This liability shift to the retailer or whatever 
you want to call it now instead of the banks, why the October 
1st deadline? Does anybody want to care to address that? The 
busiest time of the year. We are going into the busiest 
approach of any retail market or any selling between now and 
December.
    Ms. ROCHE. Yeah. The liability shift was announced August 
2011, so more than four years ago, and typically around the 
time of other markets announcing their liability shift, October 
1 has been a very commonly accepted date because we recognize 
that at that point in time we start to see increasing payment 
volume. So it was just a date to align with the same dates that 
many of the other parts of the world that announced their 
liability shift dates effective October 1. When we announced it 
in August 2011, we also made it October 1 of 2015.
    Mr. HARDY. We, as in Visa?
    Ms. ROCHE. We, as in Visa. Other payment systems had their 
own announcements of liability shift dates.
    Mr. HARDY. So October 1 is only for Visa?
    Ms. ROCHE. October 1 is for Visa. MasterCard also announced 
the same date later, but we announced that first in August 
2011.
    Mr. HARDY. Assuming that this all comes together over the 
next couple of years and we have 100 percent usage of EMV and 
the token and everything starts working but then the criminals 
always seem to find another, avenue. Is the liability shift 
still on the retailer or does it go back to the bank?
    Ms. ROCHE. Well, so the liability shift actually, once the 
merchant has invested in chip technology, they are then 
protected from any liability for counterfeit fraud. And 
merchants are not having any liability for lost and stolen 
fraud, which is also commonly associated with PIN. So the 
liability shift is specific to EMV and counterfeit fraud. Once 
a merchant has made that investment in a chip terminal, they do 
not have liability for counterfeit fraud.
    Mr. HARDY. Just to be very clear, once they have had that 
investment, then that liability goes back as it was?
    Ms. ROCHE. Right.
    Mr. HARDY. Thank you.
    As EMV cards become more and more commonplace in the United 
States market liable for fraudulent card use if they have not 
upgraded the reader technology software, what will the cost of 
this upgrade cost for small businesses? Have you included all 
the other residual costs that they would have to implement? You 
know, training and the whole--has that cost been in the 
analysis? Because it seems awful low to me. I am a small 
business owner previously myself.
    Ms. ROCHE. Many of the small business owners that we have 
been talking to in our 20 city tour, as well as working with 
the Chambers of Commerce and other parts of the industry, have 
mentioned that the upgrade to chip technology for some of them 
has been kind of like replacing a cell phone where they get a 
new device and they may change processors, they may shop around 
to get a better processing deal that actually may save them 
money compared to what they are paying today to process mag 
strip transactions. So for some of them, the upgrade to EMV 
chip technology is not only giving them that protection against 
counterfeit fraud liability, but many of them are 
futureproofing their business to accept mobile payments and 
investing in some other technology that may help them run their 
inventory or their supply chain and manage their businesses 
more effectively. So some of them are doing other investments 
and add-ons as they move to EMV technology.
    But in terms of staff training, we have worked closely 
across the industry, not only on Visachip.com do we have a lot 
of training materials, including a 10-step implementation guide 
and downloadable sales associate training materials they can 
use, but we worked with MasterCard, American Express, and 
Discover to do a gochipcard.com site.
    Mr. HARDY. I have another question I need to ask. I also 
want to know, in one of these comments here it sounded like 
there was not going to be that much liability at first, 
understanding it is a two to four year process. So how are we 
going to determine which business is going to reap that 
liability and which is not?
    Ms. ROCHE. We have been doing a lot of education with the 
small business merchant community and the large retailers to 
identify which retailers tend to be the ones that have a high 
likelihood of counterfeit fraud. It is where you think it may 
be, like electronic stores, high-end luxury goods retailers, 
for example, whereas small businesses typically that are in the 
service industry or a local delicatessen, cafeteria, coffee 
shop, they are not typically the recipients of a lot of 
counterfeit fraud. So we have been doing education with the 
major retailers so that they know what their counterfeit fraud 
liability will be, as well as with the small business merchants 
and their supplying industry so that they understand what the 
counterfeit liability will be for them. We want the whole 
industry to move to this technology because it does help secure 
payments and preserves consumer confidence in payments, but at 
the same time, typical small business merchants that are doing 
services or low value transactions are not usually the 
recipients of counterfeit fraud.
    Chairman CHABOT. Thank you. The gentleman's time has 
expired.
    The gentleman from Hawaii, Mr. Takai, who is the ranking 
member of the Contracting and Workforce Subcommittee is 
recognized for five minutes.
    Mr. TAKAI. Thank you. Thank you, Chairman, and thank you 
for having this hearing. I really appreciate this.
    As someone who has had to change their credit card for each 
of the last three years, I think anything we can do to enhance 
protections and to prevent fraud is much appreciated. But I 
believe as any transition, it is very tough.
    I have a few questions. I wanted to start with Ms. Roche 
regarding, well, here is my question. The merchant community 
has strongly advocated for this move to the chip and PIN system 
here in the U.S. In fact, I may add, I was going to Japan and a 
few other countries for quite a while. My Visa card had the 
chip technology for maybe three years now and I was not able to 
use it until just about two weeks ago here in the United 
States. In fact, in Hawaii. So as a credit union with many 
members going overseas, what has been your experience regarding 
the fraud rates on the PIN-enabled or the chip cards?
    Ms. ROCHE. That is a difficult question to answer because 
the cards that we are issuing have the chip and a swipe on the 
back of it. So we had to. Because the cards are getting swiped 
in addition to being used as chips, we have had to reissue 
cards with chips that have had fraud committed on them. So our 
experience, it is very hard to segregate whether the fraud is 
coming from a chip-read card or a swiped card.
    Mr. TAKAI. So the merchants are going to push us now to, if 
they have not been able to use the chip instead of the swipe, 
they are going to ask us to do it, although we could do both, 
either?
    Ms. ROCHE. A lot of it depends on how the readers are 
programmed, but in my experience in using the cards, if there 
is a chip in the card and the merchant has the chip reader 
enabled, it will force you to use the chip side.
    Mr. TAKAI. Okay. Okay. And do you know what is surprising? 
I have a debit card, too, and for the past year or so, some 
merchants do not require a PIN, so that was surprising. But on 
your credit cards, maybe your debit cards, you require a PIN. 
So are PIN numbers helpful? Do they prevent fraud? And then are 
they actually stored on the merchant's system?
    Ms. ROCHE. So the PIN numbers are--what really matters, 
what is keeping the transaction secure is the chip. So the 
authentication method, whether it is PIN or signature, is not 
as important. And, in fact, the PIN is a static data element 
that can also be stolen. But what is most important is that the 
information on the chip is what is making it more secure 
because that is a random number, generated authentication 
method that changes every single time and cannot easily be 
counterfeited. That is what is most important about this 
transition.
    Mr. TAKAI. Okay. Thanks.
    And then to Ms. Ericksen, on your website it states that 
you are rolling out the Chip and Choice to give merchants 
greater flexibility on their payment options. Do Visa rules 
allow merchants to require PINs on every debit transaction if 
that is the flexibility they prefer?
    Ms. ERICKSEN. We support PIN, as well as signature, as well 
as ``no card holder'' verification. So our rules provide 
flexibility for merchants and for issuers depending on the type 
of transaction that is being conducted. For example, 
transactions up to $25 do not require a signature or a PIN, and 
transactions up to $50 at grocery stores do not require a 
signature or a PIN either. So it gives the flexibility to the 
merchant depending on if they want to enable PIN or signature, 
or also be compliant with the rules and not require either 
signature or PIN for the transactions that qualify for that. We 
do know that roughly 50 percent of the merchant locations in 
the U.S., particularly small business merchants, do not have 
the incremental security technology that would secure and 
encrypt that PIN, so many small business merchants have not 
opted to invest in PIN technology, but we do support that, 
whether or not on the issuing side or on the merchant side they 
want to invest in supporting PIN or signature.
    Mr. TAKAI. Who has the liability for debit cards? I mean, 
the debit charge transaction goes directly into my checking 
account and pulls the money directly out. So do I have 
liability or do you have liability?
    Ms. ERICKSEN. Consumers have zero liability for that. So 
from a Visa perspective, consumers have zero liability, whether 
it is a credit card transaction or a debit card transaction.
    Mr. TAKAI. When was the shift done to eliminate the four 
PIN requirement for debit cards?
    Ms. ERICKSEN. I do not understand your question.
    Mr. TAKAI. Debit cards required the PIN for many years 
until, like I said, just about a year ago I was able to use my 
debit card without my PIN.
    Ms. ERICKSEN. For many years you have been able to use your 
Visa debit card as a signature card or without a PIN for point 
of sale. Typically, if you are using it as a PIN, it is going 
over a different network that requires a PIN for that 
transaction, or to get cash back at the point of sale, or at 
the ATM, for example, but using it as a Visa card at the point 
of sale, you have always been able to use it without a PIN.
    Mr. TAKAI. Really? Okay. Thank you.
    I yield back.
    Chairman CHABOT. Thank you very much. The gentleman's time 
has expired.
    The gentleman from Missouri, Mr. Luetkemeyer, who is the 
vice chairman of this Full Committee is recognized for five 
minutes.
    Mr. LUETKEMEYER. Thank you, Mr. Chairman.
    Just to kind of recap here, make sure I am understanding 
what is going on here, basically what you are trying to do, we 
have a problem. The problem is fraud and cyber theft that is 
occurring against financial institutions and through the system 
at which they are having a cost. Is that correct? They are 
trying to alleviate. So the solution to that is for the new 
chip and PIN, chip and whatever kind of technology. Is that 
correct? And the cost of this, if I get this correct, is borne 
by the banks or the transaction companies versus the merchants 
have a small cost to get a new terminal and some software, 
whatever, and then the consumer has zero cost. Is that all 
correct?
    Ms. ERICKSEN. So the consumer has zero cost but it is 
shared across the industry in terms of the banks investing in 
reissuing the cards because chip cards are more expensive to 
reissue. And also on the merchant side in upgrading their 
infrastructure to be able to have the chip readers.
    Mr. LUETKEMEYER. Did I hear a while ago that the cost to 
reissue cards is 50 bucks?
    Ms. ERICKSEN. To reissue a card is not. It is more the 
terminal side is roughly in the $50 range. The card can be 
about $1 to $5 depending on the size of the institution and the 
number of cards.
    Mr. LUETKEMEYER. Okay. What is the $50 then?
    Ms. ERICKSEN. The square reader is $49 that a merchant can 
buy to accept payment.
    Mr. LUETKEMEYER. Oh, okay. So that is a merchant cost.
    Ms. ERICKSEN. It is a merchant cost.
    Mr. LUETKEMEYER. Okay. So it costs then 50 bucks to be able 
to read the cards?
    Ms. ERICKSEN. Right.
    Mr. LUETKEMEYER. Okay. Okay, so knowing all that, are there 
complaints out there? What are the complaints about doing this? 
It appears that we need to do this. I know I can tell you from 
being in the financial institution business, you know, my 
institution, local institution got hit with some of these cyber 
deals and to me this is a concern from now on. Here in 
Congress, we have a responsibility to try and work to try and 
protect the government data, but also to help where we can the 
business and industry and consumers to be able to protect their 
data. And this is a huge problem. It is a burgeoning problem 
for our entire society and the world as a whole. And so this is 
something we are going to have to figure out over the long haul 
from now on because this is, you know, I think you used it a 
while ago, 70 percent of all transactions are with credit cards 
now. Is that correct?
    Mr. TALBOTT. Electronic.
    Mr. LUETKEMEYER. So if we are headed in that direction, we 
are going to have to be able to protect the data. That is a 
real problem. So I guess the concern is that we know what the 
problem is. You know it is going to be getting greater as the 
bad guys figure out how to get around the system. What are the 
complaints about doing what you are doing? What have you done 
to alleviate those, I guess?
    Ms. ERICKSEN. Well, we have seen a lot of great momentum in 
the industry. And as I am sure Mr. Talbott can also elaborate 
on, but I think the key thing to remember is it is a shared 
cost and a shared effort across the industry. The issuers are 
reissuing the cards. The payment systems are investing in new 
technology to stay ahead of the criminals and to do more 
predictive analytics on the system side as well as those 
transactions are flowing through our networks. And the 
merchants are investing in the technology to be able to read 
chip as well as mobile as we are moving in that direction. So 
it is really a shared effort.
    Mr. LUETKEMEYER. Okay. What is the amount of fraud 
reduction that you anticipate with EMV adoption?
    Ms. ERICKSEN. Typically, in markets that move to chip 
technology, when they get to that 60 to 70 percent of their 
transaction volume in a country being chip on chip, it takes 
about two years after the liability shift date, we also see 
counterfeit fraud go down by about 60 or 70 percent and 
continue to go down as the penetration level goes up.
    Mr. LUETKEMEYER. Okay. And a while ago you also talked 
about new technology. This enables you to do mobile technology 
on taking transactions on a mobile basis as well as you are 
looking at biometric safeguards as well as encryption. At what 
point, or how quickly do you anticipate getting to that type of 
safeguard?
    Ms. ERICKSEN. Tokenization is typically used on a mobile 
phone today or an ecommerce transaction. So tokenization today 
is where you put in your account number on your Apple Pay 
device, for example, and your account number is actually 
replaced with a different number, a digital token. So that is 
something that is becoming much more prevalent. It is already 
in use today in Apple Pay, for example.
    Mr. LUETKEMEYER. Okay. So what about the biometric? How 
quickly is that?
    Ms. ERICKSEN. Biometric is also being used in mobile 
technology as well. So when you do Touch ID to authenticate 
yourself to a smartphone, many more smartphones are enabling 
that. And so Touch ID and biometric is one way that is already 
being enabled, particularly on smartphones.
    Mr. LUETKEMEYER. Okay. So we have it on a mobile 
transaction. What about a merchant? Is he going to be able to 
take that? How quickly do we move to that area?
    Ms. ERICKSEN. We do not see that a lot in the face-to-face 
merchant environment using your card at a reader today because 
it is incremental investment in being able to do biometric. It 
is much more prevalent today on the mobile phones.
    Mr. LUETKEMEYER. Okay. Well, how quickly do you anticipate 
that happening? I mean, I assume that, you know, I think there 
was a comment made a while ago about the PIN technology is not 
perfect. If the encryption is better, how long will it take to 
get there?
    Ms. ERICKSEN. Encryption is a different technology. I do 
not know if you want to talk about encryption, Scott.
    Mr. TALBOTT. Yeah. Sure. So encryption is being rolled out 
now. There are a number of companies that offer it to merchants 
if they would like to avail themselves of it. Some are and some 
have not. It is sort of behind this migration to chip, but it 
is out there and I suspect, Congressman, that it will move 
pretty quickly. Because what we will see, and this goes to your 
question, Mr. Chabot----
    Mr. LUETKEMEYER. What kind of costs--if I can ask one more 
question real quick, what kind of costs are affiliated with it?
    Mr. TALBOTT. For going to tokenization?
    Mr. LUETKEMEYER. Yeah.
    Mr. TALBOTT. It is marginal. I do not have those numbers 
exactly, but I know----
    Mr. LUETKEMEYER. When you say ``marginal,'' is it 2 bucks, 
20 bucks, $200, $2,000?
    Mr. TALBOTT. It is a couple cents per transaction at this 
point.
    Mr. LUETKEMEYER. Okay. All right. Thank you. I yield back.
    Chairman CHABOT. Thank you. The gentleman's time has 
expired.
    The gentlelady from California, Ms. Hahn, is recognized for 
five minutes.
    Ms. HAHN. Thank you, Mr. Chairman. I appreciate you holding 
this hearing.
    So Ms. Ericksen, I understand what we are trying to do 
here. There was a problem. Visa and other banks are trying to 
incentivize merchants out there to switch to this new 
technology to reduce their fraud, so the big incentive was if 
you do not by October 1st upgrade your terminals to this chip 
technology, any fraud that happens, you, the merchant, are 100 
percent liable for the fraud. Was that the----
    Ms. ERICKSEN. There are some clarifications, too. In 
general, the direction is if a merchant does not invest in a 
chip terminal, they may become liable for any fraud if it is a 
chip card used at their store but the mag stripe is still read 
off of that card. So if it is a mag stripe card where the 
issuer has not invested yet in chip technology----
    Ms. HAHN. Right.
    Ms. ERICKSEN. If that mag stripe card experiences fraud at 
a merchant location that also does not have chip, it is still 
the issuing bank who is liable for that. So the merchant is 
only liable for any fraud at their location if it is a chip 
card that has been used at their store where they do not yet 
have a chip terminal and so they are reading the mag stripe on 
that card. If that turns out to be a copied mag stripe, a 
counterfeited mag stripe, then that merchant could be liable 
for that transaction. Yes. But it is not for mag stripe cards 
that have not yet been upgraded to chip, and once the merchant 
upgrades to chip, they are then protected from any liability?
    Ms. HAHN. Correct. Okay. So it is a little confusing I 
think to some merchants, and in my district office in Los 
Angeles, we sort of did an informal survey of our small 
businesses, you know, about 30 of them. And it was surprising 
how many of them did not have any idea that as of October 1st 
they would be responsible for all liability under that 
scenario, the one you just described.
    So I guess my question to you was I know you did sort of a 
20 city road trip which did not seem like a lot of cities to 
me, you know, and there is a public website that people could 
go on but, you know, I know a lot of my small businesses, you 
know, kind of do not operate in that world of just 
automatically going on a website to see what is going on in 
their world. Do you really feel that you did a good job of 
communicating this? And just from my informal, unscientific 
survey, you know, a lot of my small businesses did not 
comprehend what was happening as of October 1st. Do you think 
you could do a better job? Or do you think maybe your 
communication failed to reach a lot of small businesses?
    Ms. ERICKSEN. Well, as we said before, it does take about 
two or three years after the liability shift date to get to 60 
to 70 percent adoption of chip technology, so we really are at 
the start line, and we have been doing a lot of education to 
this point, but we are also continuing. We are not stopping. So 
next week I am going to be in Chicago working with the Chamber 
of Commerce there, doing another small business education tour. 
Just last month we did the Small Business Development Centers 
Conference and educated the Small Business Development Centers 
who counsel and provide support for small businesses so that 
they would have the resources that they need to be able to 
provide that information. So we are continuing to get the word 
out. We are not stopping. We are certainly trying to continue 
to get the word out.
    Ms. HAHN. But just because you do not get the word out does 
not mean that that scenario that you described is not a 
reality.
    Ms. ERICKSEN. Yeah. Well, their processors are also 
responsible for communicating that to them. So it is not only 
Visa and MasterCard in the industry but the processors that the 
merchants work with are getting that information out, and many 
of them are providing incentives for them to do an upgrade to 
this technology. And so there are many different touch points 
with the merchants to get the information out. Again, a lot of 
the counterfeit fraud is concentrated in more of the higher end 
retailers where you see high value transaction volume, not 
typically in a lot of the small business merchants.
    Ms. HAHN. Right. Right.
    Ms. ERICKSEN. But we are not going to stop in terms of our 
education efforts.
    Ms. HAHN. Right. And you know, this is another issue, but I 
will say that my Visa card that is held by Wells Fargo sent me 
a letter with my--well, sent me the new chip card and then 
subsequent to that sent me a very serious letter saying that 
just to let you know, you know, this is--we are transitioning 
to the chip card. We can see that you are still using your 
other card. And I do not know how many people got that, but 
that freaked me out because I had already had one card 
compromised earlier, but I knew I had gotten rid of my other 
card. I shredded it, and so that upset me. When I went through 
the 1-800 number to call them, oh, that is a mass email we sent 
out to everyone. So I think that is unfortunate, and I talked 
to some other people who also with different cards had gotten 
that same mass email. And I think that is unfair to the 
consumer to send that sort of scare tactic letter saying they 
could see that I was still using my other card. And I do not 
know what we can do about that, but that is for another 
hearing.
    Anyway, thank you. I yield back.
    Chairman CHABOT. Thank you. And if it is of any 
consolation, when my wife and I got back from vacation about a 
month ago, we had a phone message indicating that the IRS was 
going to file a lawsuit against us the next week because we had 
not paid our taxes. And I said, ``Did we not pay our taxes?'' 
And we had, indeed, paid our taxes. So anyway, she went online 
and a whole lot of people were getting that same thing, so it 
is a scary world out there. But thank you very much.
    The gentlelady from American Samoa, Ms. Radewagen, who is 
the chair of the Health and Technology Subcommittee is 
recognized for five minutes.
    Ms. RADEWAGEN. Thank you, Mr. Chairman, and Ranking Member 
Velazquez. I also want to welcome the panel. Thank you for 
appearing today.
    I have a couple of questions for Ms. Ericksen. I was hoping 
you could tell me more about Visa's opt-in geolocation service 
called Visa Location Confirmation. I understand this service 
could benefit customers who travel, like my constituents back 
in American Samoa.
    Ms. ERICKSEN. Yeah. Thank you, Congresswoman. Yes. Mobile 
Location Confirmation is a new service that consumers can opt 
into depending on their financial institution. More and more 
financial institutions are enabling this service, and it allows 
them to associate their mobile phone with their account so that 
we can detect whether or not their mobile phone and their 
purchase is happening within the same vicinity. So, for 
example, if your constituent is doing a purchase in New York 
but their mobile phone is in Los Angeles, we would score that 
transaction as higher risk and there may be a chance that that 
transaction would be declined versus if their transaction was 
occurring in Chicago and their mobile phone was also in 
Chicago, we would have better confidence that it is really then 
doing that transaction. So higher likelihood of an approval.
    Ms. RADEWAGEN. Thank you.
    As a member of a district that is comprise mostly of small 
businesses, I am concerned about the merchants in my district 
that can benefit from the EMV chip but cannot afford the 
transitional cost. Do you have any plans to offset this cost 
for such merchants?
    Ms. ERICKSEN. Well, we know that based on the countries 
that have moved to chip technology in previous years, the 
incremental cost of moving to chip now in the U.S. is rather 
based in. So we know that roughly 30 to 40 percent of the 
terminals that already exist in the U.S. have the chip hardware 
slot in them but they may need a software upgrade. So in many 
cases they do not need a new terminal. They just may need a 
software download from their processor. And as we have 
mentioned, some of the costs that are available or the 
terminals that are available to merchants are now in the cost 
range of $50 or $49 for the square device and under $100 
merchants can buy a terminal at Costco for $99, for example. 
And that device was even on sale for an additional 20 percent 
off last week. So we are seeing more and more low-cost and 
cost-effective solutions becoming available to the merchants.
    Ms. RADEWAGEN. Wow. Thank you, Ms. Ericksen.
    Ms. ERICKSEN. Thank you.
    Ms. RADEWAGEN. I yield back, Mr. Chairman.
    Chairman CHABOT. Thank you. The gentlelady yields back.
    The gentlelady from California, Ms. Chu, who is the ranking 
member of the Economic Growth, Tax, and Capital Access 
Subcommittee, is recognized for five minutes.
    Ms. CHU. Thank you.
    Ms. Ericksen, as of July 1, 2015, the EMV Migration Forum 
estimated that only 25 percent of retailers would be in 
compliance with the October 1st deadline. Previous estimates 
had been as high as 44 percent of merchants meeting the date. 
Are we behind in terms of the adoption? First, I would like to 
know the answer to that.
    Ms. ERICKSEN. Yeah. I think there have been different 
estimates depending on if it is coming from AITE Group or the 
Payments Security Task Force or EMV Migration Forum that have 
all been roughly projecting that by the end of this calendar 
year, roughly 40 percent of the terminals would be upgraded by 
the end of December of this calendar year. And so as we were 
mentioning before, we know it takes several years to get to 
critical mass of adoption, and we have seen quite a bit of 
significant momentum with the 314,000 locations as of September 
15th, and even more locations that came on just in the last 
week and are planning to come on this month. So I would say 
there has been great participation in the merchant community in 
terminalizing and updating those terminals to be able to accept 
chip cards. And even more plans for that to continue to roll 
forward in 2016 and 2017, which is very similar to what we have 
seen in other countries that have moved to chip.
    Ms. CHU. Have you done a poll as to what the main issue is 
in terms of adoption? Is it ignorance or is it the expense?
    Ms. ERICKSEN. I think it is mainly just planning that into 
their implementation time. Many large retailers have just 
recently announced that they have enabled nationwide whereas 
they were previously piloting in 50 to 100 stores to fine tune 
the solution, train their sales staff, make sure that they had 
the solution operating the way that they wanted it to operate 
before they rolled it out nationwide; whereas, some small 
business merchants have been upgrading as their processors have 
been providing them the solution. So it depends if you are a 
major retailer or a small business owner as to how that 
migration is going forward. But we have actually seen quite a 
few major retailers enable in just the last week or two and 
more even planning to go forward.
    It is also important to note that roughly 50 percent of the 
volume we see today has been coming from small business 
merchants, so many members of the small business community have 
been upgrading to EMV and are continuing to do so as they go 
forward.
    Ms. CHU. So in these other countries that you mention, such 
as Brazil and Canada and, of course, EU, are they at 100 
percent compliance now?
    Ms. ERICKSEN. They are at roughly 90 percent, so it did 
take about four to five years after the liability shift date in 
each of those countries to get to 90 percent. There are still 
some cards and some terminals, in Australia and Brazil, for 
example, that are not 100 percent updated to chip. So it really 
depends. There are still some merchants that may decide that 
they are going to wait, and there are still some issuers that 
have not reissued all of their cards. But that is really the 
benefit of the liability shift, is it provides that incentive 
but it is still ultimately the end party's final business 
decision as to whether or not they invest.
    Ms. CHU. And have they been able to successfully reduce the 
fraud in those countries?
    Ms. ERICKSEN. Yes. We have seen typically around the time 
of the liability shift date, two years after that they got to 
60 or 70 percent of their volume being chip on chip. The 
criminals tend to do a last run at counterfeit fraud right up 
to the liability shift and a couple months and years after 
until they get to 60, 70 percent of their volume being chip on 
chip, and that is also when we see that counterfeit fraud start 
to go down is when a country gets to around 60 percent of their 
volume being a chip card used at a chip terminal.
    Ms. CHU. And Mr. Weston and Ms. Roche, you talked about 
supporting H.R. 2205, the Bipartisan Data Security Act, which 
would apply Gramm-Leach-Bliley standards for all industries 
that handle sensitive financial institutions. Can you elaborate 
on the data security measures that you have to meet under this 
act? How would this change for all of the other merchants that 
you think should have these kind of standards?
    Mr. WESTON. I think the important thing here is that any 
entity that is handling consumer financial information needs to 
have some respect for the privacy of that information and the 
duty to protect it. Today there is not a clear national 
standard, a federal standard, that everyone who handles that 
sort of information has to abide by. Financial institutions, be 
they credit unions or banks, are certainly subject and are 
regulated and examined. The retail industry today has no 
standards.
    Ms. ROCHE. And I will add that the details are provided in 
my written testimony, but agreed. The national standards would 
be very important to ensuring that the data is not breached, it 
is not taken.
    Ms. CHU. Okay. Thank you. I yield back.
    Chairman CHABOT. Thank you. The gentlelady yields back.
    The gentleman from Illinois, Mr. Bost, is recognized for 
five minutes.
    Mr. BOST. Thank you, Mr. Chairman. And I guess my first 
question is to Mr. Talbott. When you show the swipe device and 
you say it is about $50, and there are many makers of that 
device, are they already competing them on a price basis for 
the merchants? I know every place we go, it does not matter 
whether it is to take a cab, barber shop, wherever, that they 
are using--if they do not have, if they are not a larger 
merchant, whether it is in their cash register or they are 
available right there at the register, they have those. So do 
you see a competition on those?
    Mr. TALBOTT. Yes, sir. The payments industry is highly 
competitive, and there are a number of players who can provide 
a card reader, whether it is an actual equipment device maker, 
processors can cut a deal. Everyone is trying to get the 
merchant's business, and they are competitive both on the price 
of equipment as well as services.
    Mr. BOST. So with that, are we seeing the education? 
Because as a small business owner myself, I know that there are 
many that do not know and do not understand the liability that 
is going to be put on them. Do you think that those companies 
then are also trying to educate and let people know? And then 
how many times, as a small business person, do you realize when 
somebody sends you something you think, ``Oh, yeah, that is 
just make-believe. I am not going to respond to that.''
    Mr. TALBOTT. I think everyone in the industry, at least ETA 
members, are actively pursuing education as well as financial 
incentives to offer to small businesses to let them know this 
is a perfect opportunity. If you service a small business, your 
processor could reach out and talk to them, talk about an 
equipment upgrade, talk about the change, talk about what the 
liability shift means. There is also a lot of negative noise 
out there that we are working to fight through. Critics are 
arguing that this is not great, which is inaccurate in the 
sense of the ability of chip to reduce fraud, counterfeit card 
fraud. But the efforts are being made both education-wise in 
all forms, as well as financial incentives are being offered.
    Mr. BOST. Have you heard of any, I mean, everybody thought 
it was safe when you first had the swipe. You know? I mean, 
when cards first came out we thought they were safe. Criminals 
are always going to be looking for something else to put on 
there.
    Mr. TALBOTT. That is right.
    Mr. BOST. And do we see already somebody trying to offset 
this?
    Mr. TALBOTT. Well, I think that there is always going to 
be--we will build a 10-foot wall and crooks will build an 11-
foot ladder, and so we must be continuously vigilant, as well 
as pulling multiple layers of protection, whether it is EMV, 
tokenization, encryption, or biometrics, we need to keep moving 
the system forward because the crooks will continue to fight to 
try and go after the money. So devaluing the information is the 
first step, and that is what tokenization, as well as chip 
does.
    Mr. BOST. Just another question if I can, because I have 
the panel in front of me and I wanted to find this out. The 
responsibility of the merchant to ask, or their agent to ask 
for an ID along with the presentation of the card, is that 
still pushed for?
    Mr. TALBOTT. Not at this point. It is a fallback, but it is 
not necessarily common practice.
    Mr. BOST. Okay. Because my wife, I mean, she always thanks 
people if they do that, and I have watched her do that. And so 
many people, we just do not think about it.
    Ms. ERICKSEN. Yeah. No, merchant does not have liability 
for lost and stolen fraud, so typically checking an ID and all 
of that would be associated with that. So the merchant is 
actually protected against any liability for lost and stolen 
fraud. There are some merchants that may want to ask for an ID, 
particularly some gas station merchants sometimes do that where 
they will ask for an ID and we do allow that, but we do not 
require it.
    Mr. BOST. Okay. All right. Thank you, Mr. Chairman. I yield 
back.
    Chairman CHABOT. Thank you. The gentleman yields back.
    The gentlelady from Michigan, Ms. Lawrence, is recognized 
for five minutes.
    Ms. LAWRENCE. Thank you, Chairman.
    I am very sensitive to the larger financial institutions 
and the smaller financial institutions. So my question today 
will be directed to Mr. Weston and Ms. Roche. You represent the 
small and mid-size financial institutions. I would like to 
understand from your perspective, we talked a lot about 
liability for the merchants and for the industry, but let us 
drill down to your piece of the market. What types of costs do 
you incur? What is the impact on you as a smaller financial in 
notifying your customers or responses to breaches? So would you 
please elaborate on that?
    Ms. ROCHE. So at our credit union, we take breaches very 
seriously because we know how disruptive they are to the 
consumers. I think someone on the Committee mentioned how 
difficult it is when your card gets compromised to get the new 
card, activate it, get all of your authorized payments set up 
again, so it is very difficult and concerning problem. It does 
not feel good. You have been compromised. So what we do is 
proactively make phone calls when there is a breach, such as a 
large Target breach or Home Depot where so many cards have been 
compromised. We get a list. Typically, we get a list of those 
cards that might have been involved in that, and we reach out 
to the consumers, our members, on an individual basis to let 
them know that their card may have been compromised, and then 
we give them the option, the choice of whether or not they want 
the card reissued. And that is probably a much more pro-
consumer way of handling it because otherwise, you are forcing 
the consumer to switch the card out and----
    Ms. LAWRENCE. And Ms. Roche, if I could just say, you know, 
there is a difference between your local credit union and the 
national financial institutions. One of the things I hear a lot 
is that personal touch. But what I wanted to drill down, what 
is the impact financially, because you do do that personal 
outreach? Is it going to be a greater impact on you with the 
chip or less of an impact? So that is where I am trying to go.
    Ms. ROCHE. So that is a great question because really, the 
EMV in the chip is a first step and only helps with one type of 
fraud that is being committed. And then we have also talked 
about all these other different technologies that are coming in 
to play to help combat the other ones. But what NAFCU and our 
credit union supports is that there is H.R. 2205, to implement 
a national data security standard, because that is going to 
keep everyone looking forward. It is going to put some of the 
same requirements on all businesses, that financial 
institutions are already having to comply with, and it will 
make the consumer information much more safe and secure.
    Ms. LAWRENCE. Thank you.
    Mr. WESTON. I would just add that I think doing something 
to combat the breaches, whether it is convincing the 
organizations, be they healthcare providers or retailers to 
step up to data security standards that are the equivalent of 
what the financial services industry does, the chip card 
deployment, certainly, anything we can do to make the 
information better protected, to make it much more difficult 
for the bad actors to utilize it if it is available to them, 
that is going to be helpful to the community financial 
institution as well as to the consumers because they are not 
going to have the disruption in their lives of being on a trip 
and having their card be shut down and having to get another 
one overnighted, et cetera. It is an expense for us but similar 
to what Ms. Roche indicated, we look at it as a high-touch 
service. We have got to be there for our customers. That is the 
community bank way of competing. And so it is a necessary 
expense.
    Ms. LAWRENCE. I just wanted to follow back on what Ms. 
Ericksen said. I am refreshed that, or encouraged that you are 
going to continue the education, that you will continue to do 
the briefings. It is good to know that the providers are also 
doing some outreach to the small businesses. Because one of the 
challenges, as you know, to small businesses is the asset to 
information and education. And so I really, any way that we can 
enhance that with public announcements or anything that we can 
do through our chambers, I really encourage that.
    Ms. ERICKSEN. Thank you.
    Ms. LAWRENCE. Thank you.
    Chairman CHABOT. Thank you very much. The gentlelady's time 
has expired.
    Ms. LAWRENCE. I yield back.
    Chairman CHABOT. Thank you.
    The gentleman from South Carolina, who is the chairman of 
the Subcommittee on Economic Growth, Tax, and Capital Access, 
is recognized for five minutes.
    Mr. RICE. Thank you, everybody for being here. I find this 
really interesting. It brings me back to my commercial paper 
classes in law school. And the shifting of liability is 
certainly a worrisome but understandable thing. It sounds like 
everybody on the panel thinks this is a good idea. I have not 
heard anybody argue against it.
    The chip cards only help for in-person transactions; right? 
So what percentage are in-person versus others? Can anybody 
quote those statistics?
    Mr. TALBOTT. I think of the total fraud, Congressman, about 
half is instore, and of that, about two-thirds is in-person. So 
we are talking about 3.5 or so billion a year.
    Mr. RICE. Half and two-thirds?
    Mr. TALBOTT. Half of all fraud is online; half is instore. 
And of that half that is instore, two-thirds is counterfeit 
fraud. Counterfeit fraud.
    Mr. RICE. Okay. And you say that encryption is the biggest 
tool you have to fight online fraud; right?
    Mr. TALBOTT. Yes, sir.
    Mr. RICE. I mean, for years I would not put my credit card 
on the Internet, and I finally broke down and now it is a 
routine thing and it is amazing that it does not happen more 
than it does.
    Does this proposed--this regulation commit small businesses 
to any future upgrades or just this one instance?
    Ms. ERICKSEN. The liability shift is just for an upgrade to 
EMV.
    Mr. RICE. That is it?
    Ms. ERICKSEN. That is it.
    Mr. RICE. And so when you come up with your next best 
thing, they are not committed to do that?
    Ms. ERICKSEN. We are encouraging that when they are making 
that infrastructure upgrade for EMV to protect against 
counterfeit liability, that they also consider contact with an 
NFC which enables them for mobile phone acceptance because it 
is a very similar upgrade and many times the equipment does 
both. So to make sure----
    Mr. RICE. What I am worried about is you are going to come 
up with something greater two years from now that they are 
going to be required to do that or there will be a liability 
shift. There is nothing in there that requires that.
    Ms. ERICKSEN. In other countries around the world, when 
they have moved to the EMV liability shift, that has been the 
key driver.
    Mr. RICE. Let me ask you this. Earlier people were talking 
about the difference in liability for debit versus credit 
cards, and you are saying the consumer has no liability for 
either. I have always heard debit there is a little bit more 
concern there, but what about Internet banking transactions? 
You know, I log onto my bank and I put in my account name and 
my password and I can move money. Who is liable for that? If 
somebody stole my password and my account name, who is liable 
for that?
    Ms. ERICKSEN. I will leave that to my banking----
    Mr. WESTON. I believe the rules would apply that it is 
between you and the bank that you have chosen for your PC 
banking service. So as a customer of that financial 
institution, you need to look to their policies as to----
    Mr. RICE. So there is no law. Like, the old law that the 
bank is supposed to know your signature on your check and that 
is your problem if it has been forged.
    Mr. WESTON. Certainly, if you are transferring money in and 
out of your account, there are rules that apply to electronic 
funds transfers. Yes.
    Mr. RICE. All right. One thing that has bothered me in the 
past as a user of credit cards is when--it has not happened 
very often, but I might be in a store to buy something and my 
credit card gets declined, and I go outside and I call the 
credit card company and they say, you know, this actually 
happened to me. They said, ``Well, at 3 o'clock in the morning 
your card was used to sign up for Vonage. We do not think that 
was you.'' Well, they were right. It was not me. $14.00. They 
were right. Should they not have some duty to notify me about 
that before I am standing in a----
    Ms. ERICKSEN. So many issuers do have the ability to give 
you an alert. So this happened to me not that long ago. I was--
--
    Mr. RICE. I hear ``ability,'' but should they not be 
required to notify me before they start declining my card on 
in-person transactions because some guy in Russia is doing 
Internet transactions for $14 to Vonage?
    Mr. TALBOTT. I think the challenge of that type of law 
might be overinclusive and uninconclusive at the same time. 
There are so many different variations of that pattern, and we 
all have experienced it, that the industry is actually ahead of 
that and they will notify customers. I get notified frequently, 
so the industry has taken that step. I think a law would be 
difficult to implement.
    Mr. RICE. How difficult is it for somebody--let us say I go 
into a restaurant and a waitress writes down my credit card 
number and expiration date and name. How difficult is it for 
somebody with that information to create a dummy credit card 
and use it in person?
    Mr. TALBOTT. It is actually very simple. The technology for 
your mag strike is about 40 years old. It is the same 
technology used in cassette tapes, if you remember those. So it 
is easy for them to take the information and create a 
counterfeit card. And that is really where chip comes in, is 
that waitress would not be able to use that fake counterfeit 
card in stores. She could use it online, and that is where 
tokenization comes in, but it is actually very simple, which is 
why this step is necessary to end that counterfeit card fraud.
    Mr. RICE. My time is up. Thank you very much. It has been 
certainly educational.
    Chairman CHABOT. Thank you. The gentleman's time has 
expired.
    The gentleman from New Jersey, Mr. Payne, is recognized for 
five minutes.
    Mr. PAYNE. Thank you, Mr. Chairman, and to our ranking 
member. And the gentleman from South Carolina, I tend to agree 
with you. This has been very educational. For some reason I 
have more problems with the cards I use than I have ever wanted 
to imagine.
    Mr. RICE. Mr. Payne, it seems like I agree with you a lot.
    Mr. PAYNE. Absolutely. Let me just ask, and this is for Ms. 
Ericksen or Mr. Weston. I am concerned about that the EMV 
required will affect small banks. In my district I have the 
only African-American owned bank in the State of New Jersey 
and, you know, naturally, it is a small business. Minority 
banks control about $5 billion in assets as compared to say a 
Wells Fargo, that by itself has some $1.7 trillion in assets. 
It is estimated that it costs banks and credit unions 
approximately $3.04 for non-EMV cards, but the cost to produce 
the new EMV cards is almost twice that cost at approximately 
$5.81. How can we ensure that small business banks and credit 
unions are not put at risk because of these requirements?
    Mr. WESTON. Well, speaking from the community banker 
standpoint, I think the best way for smaller issuers to 
participate is through a combined program where we combine the 
buying power of those banks and collectively do processing 
arrangements or purchasing arrangements to bring those costs 
down to what is a more competitive figure to help them out. 
That is certainly what we have been doing at ICBA.
    Mr. PAYNE. Okay.
    Ms. ERICKSEN. Yeah. And from a Visa perspective, we are 
certainly working across the industry to drive down the cost as 
much as possible by streamlining the implementation process, 
streamlining the certification process, so when those banks 
come online to enable their backend system to process that chip 
one-time code through the system, we have done a lot to drive 
down that cost of implementation certification and enabling 
that chip technology to go through the system.
    Mr. PAYNE. Okay. Thank you.
    Ms. Roche, you know, your testimony, you stated that in the 
United Kingdom, online fraud rose 79 percent after their EMV 
transition. Online fraud in the UK has doubled as well. Based 
on these facts, we can presume that the U.S. should soon expect 
a significant spike in online fraud. And with the holiday 
online shopping season quickly approaching, this is a major 
concern. In your testimony you mentioned tokenization and 
cardholder verification technologies as an answer to online 
fraud. When should we expect this transition, and how will it 
work, and how will the liability shift work?
    Ms. ROCHE. So I may yield to one of the other experts at 
the end of the table about when they expect those technologies 
to come into play, but what we think about at our credit union 
is that there is always going to be something else coming down 
the pike. And so the best way to protect the consumer data and 
protect the payment system and keep that fully functioning is 
to have a national security--data security standards in place. 
And that is where the H.R. 2205 becomes important because it 
gets all of us focused on making sure that we are staying ahead 
and keeping up with the latest technologies and play and 
keeping the information secure.
    Ms. ERICKSEN. As it relates to the other technologies, we 
really look at them as a layered security approach in working 
together. So from a chip perspective, as we mentioned earlier, 
there is already more chip cards in the U.S. from an issuance 
perspective than any other country. And on the merchant side we 
are seeing more and more merchants enable chip acceptance every 
day. End-to-end encryption also protects that data when it is 
in a merchant's system. It makes it harder for a criminal to 
break in and get that data, but when we move to more and more 
of the transactions being chip transactions, if a criminal 
breaks in and gets that data, there is a lot less they can do 
with it. They cannot use it for counterfeit fraud, for example. 
So encryption and chip technology work together. Encryption 
secures the data from being accessible and EMV chip data makes 
that data less valuable to a criminal if they get it. And then 
tokenization works well also for the online environment and for 
mobile applications where we are replacing the account number 
with a different number, so that way if the criminal gets that, 
they also cannot use it for anything. They cannot use it for 
counterfeit card fraud and they also cannot use it for online 
fraud either.
    Mr. PAYNE. Thank you. I yield back.
    Chairman CHABOT. Thank you. The gentleman's time is 
expired.
    I will now recognize the ranking member for a statement or 
question.
    Ms. VELAZQUEZ. A last question. Do you expect financial 
firms to phase out magnetic strips in the future?
    Mr. TALBOTT. We are going to have to run two parallel 
systems for a while, but eventually magnetic stripe will drop 
to very small percentages.
    Ms. VELAZQUEZ. Okay. All right. Thank you.
    Chairman CHABOT. I have a quick question and then just a 
final point. I think it was you, Mr. Talbott, that talked about 
when we build the 10-foot wall the bad guys were up an 11-foot 
ladder. I assume that you all are thinking of those things 
relative to this, and if so, would you want to comment on that 
without telling the bad guys what you are up to?
    Mr. TALBOTT. Sure. Here is the secret passcode.
    As we develop these technologies to deal with threats, we 
are also looking to develop, and we are developing other 
technologies, whether it is geolocational, whether it is 
biometrics, whether it is facial or voice recognition. All of 
those are in the works. Thumbprints are already in play in a 
number of mobile phone applications. So we are constantly 
working and committing resources on R&D to develop new types of 
technology, dynamic types of technology to address future 
frauds and to make the system more secure. So we are constantly 
vigilant.
    Chairman CHABOT. Thank you very much.
    Ms. ERICKSEN. We are continuing to invest also in other 
technologies that use the analytics in the system. For example, 
we just announced a few months ago something called Visa 
Transaction Advisor, where we send a code actually to the gas 
station, to the gas pump, that detects whether or not that 
might be fraudulent that would prompt the cardholder to then go 
into the store where the gas station attendant could maybe ask 
for ID to make sure it is really the real person. So we are 
investing not only in point-of-sale technology that helps 
detect fraud and possibly ask for a higher level of 
authentication like an ID, but continuing to invest in those 
predictive analytics that detect fraud patterns as well. So the 
technology is continuing to advance. There is also some work in 
the industry called 3D Secure 2.0 which is going to allow the 
sharing of data, like IP address and billing and shipping 
address matching for Internet or online transactions that will 
help better predict any fraud in the online environment. And so 
there are continuing advancement that are happening there as 
well.
    Chairman CHABOT. Thank you.
    And I think we heard from a number on both sides of the 
aisle, members who indicated that this was very helpful, and I 
think we learned a lot. Hopefully, the public did as well in 
educating people about what is happening here. And as I 
mentioned in my opening statement, it is the Committee's 
intention to have another hearing in a couple of weeks to allow 
all the merchants and small business folks and retailers to 
come in and voice their concerns to the Committee so we can 
delve into this further and make sure we are getting a complete 
picture of what is happening out there.
    And I want to thank our witnesses for participating today. 
I would ask unanimous consent that members have five 
legislative days to submit statements and supporting materials 
for the record. And if there is no further business to come 
before the Committee, we are adjourned. Thank you.
    [Whereupon, at 12:40 p.m., the Committee was adjourned.]
                            A P P E N D I X


                          Statement of

                       Stephanie Ericksen

                 Vice President, Risk Products

                           Visa Inc.

                        House Committee

                               on

                         Small Business

                           Hearing on

                     Transition to EMV Chip

                        October 7, 2015
    Chairman Chabot, Ranking Member Velazquez and Members of 
the Committee, my name is Stephanie Ericksen and I am Vice 
President of Risk Products at Visa Inc. Thank you for the 
invitation to appear before the House Committee on Small 
Business to discuss Visa's ongoing efforts to help transition 
the US to EMV chip technology and what this means for small 
businesses.

    For more than 50 years, Visa has enabled people, businesses 
and governments to make and receive payments across the globe. 
As a global payments technology company, we connect financial 
institutions, merchants and governments around the world with 
credit, debit and prepaid products. Visa works behind the 
scenes to enable tens of millions of daily transactions, 
powered by our core processing network--VisaNet. We make 
digital commerce more convenient, reliable and secure. It's 
important to note that Visa does not issue credit or debit 
cards or set the rates and fees on those products--our 
financial partners do.

    Data breaches in recent years have highlighted that no 
business or industry is exempt from cyber threats, and, 
everyone--from consumers and small businesses to corporations 
and governments--are the targets. In today's connected world, 
it is critical that all those in the payments systems--payment 
networks, merchants, and financial institutions--work together 
to protect sensitive information and continue to drive 
advancements in security. At Visa, nothing is more important 
than maintaining trust in the payment system and we continue to 
place security at the forefront of everything we do.

    Given the current cyber threats, especially those that 
merchants face, we need to move the payments industry away from 
static account information that can be stolen and used for 
fraud, to smarter technologies that make stolen account 
information useless to criminals. Chip is an important part of 
this fundamental change in the payments system, and we're 
committed to helping consumers and businesses make the shift.

    EMV Chip Technology

    This morning, I look forward to sharing with the Committee 
Visa's efforts to encourage the adoption of EMV chip technology 
in the U.S., as well as our work to educate and empower small 
businesses during this important transition period. For those 
who are unfamiliar with chip cards, or smart cards as they are 
often called, let me provide an overview of what they are, how 
they work and how we got to where we are today.

    An EMV chip is a microprocessor that is embedded in a 
payment card or in other form factors such as a mobile phone. 
When a consumer uses a chip card at a chip terminal, a unique, 
one-time-use code, or `cryptogram' is generated for each 
transactions. This type of authentication, which introduces 
dynamic values for each transaction, adds a substantial layer 
of safety. Chip cards effectively prevent counterfeit fraud, 
virtually eliminating one of the common ways criminals use 
stolen payment data. Since chip technology makes it essentially 
impossible to counterfeit cards, which is approximately two-
thirds of the fraud that occurs in stores today, merchants will 
be less attractive targets for criminals.

    Chip technology is also the basis for future payments 
innovation because it enables technologies like near field 
communications (NFC) technology and tokenization. When small 
business owners upgrade to chip-enabled terminals, they aren't 
just investing in payment and data security. They are also 
positioning themselves to accept the next generation of secure 
payment technologies, such as mobile and digital payments.

    The payments system in the US is larger and more complex 
than any other in the world, with thousands of financial 
institutions and millions of businesses accepting electronic 
payments. In August 2011, Visa announced a roadmap to 
transition the US to chip technology through a set of 
milestones intended to encourage both issuers and merchants to 
adopt the chip technology. Visa's EMV chip roadmap is not a 
mandate. Instead, it provides marketplace incentives to 
encourage adoption by financial institutions and merchants--
elements that have proven to be effective in moving other 
markets to deploy chip technology and thereby drastically 
reduce counterfeit fraud.

    As part of the incentive program, Visa rules specify that, 
as of October 1, 2015, liability protection from counterfeit 
fraud on in-store payments is extended to the party that makes 
the investment in chip technology. The party that has not 
implemented chip technology, be it a bank that chooses not to 
issue a chip card or merchant that cannot accept a chip card, 
may bear the loss from any resulting counterfeit fraud. This 
shift applies to in-store, point-of-sale environments. Due to 
the complexities and life cycles of Automated Fuel Dispensers 
(AFDs) and ATMs, their liability shift will take effect October 
1, 2017.

    Education of Small Businesses a Top Priority

    Throughout the ongoing transition to chip, Visa has 
dedicated significant resources to raising awareness and 
providing small businesses with the tools and information they 
need to adopt chip technology. In March, Visa launched our 20-
City Small Business Chip Education Road Show to help business 
owners understand the value of chip card technology and to 
increase chip card acceptance. To date, we've traveled to 16 
cities including Cincinnati, Charlotte, San Francisco, Boston, 
Houston, Miami, New York, Albuquerque, and Denver--to name a 
few. More than 1,000 small businesses owners have turned out to 
learn about chip technology from experts in payment security. 
To amplify our efforts, we are working closely with other 
partners, organizations and clients that provide critical 
resources to small businesses, including the Small Business 
Administration, America's Small Business Development centers, 
Facebook, the National Federation of Independent Business, and 
local chambers of commerce across the country.

    Our efforts to educate small business owners does not stop 
there. On top of our dedicated chip education website--
www.visachip.com--which contains specific information for all 
of our stakeholders, we also created an online toolkit 
specifically for the small business community 
(www.visachip.com/businesstoolkit). With easy-to-use 
navigation, small business owners can quickly access actionable 
information about chip technology including a step-by-step 
guide to adopting chip, videos, and infographics at their 
convenience.

    A key success factor in the transition to chip technology 
is ensuring a seamless checkout experience. To address this, 
our toolkit provides employers with a training module to ensure 
their employees know and understand how to use chip technology; 
it includes decals to place at the point-of-sale alerting 
customers that they accept chip cards, as well as instructions 
on how to complete a transaction with a chip card. Visa is 
making all of these materials available free of charge to 
merchants.

    We have also focused on addressing the most significant 
barrier to adoption small business owners face: cost. Visa has 
worked with the terminal providers to make transitioning to 
chip technology more easily accessible, especially to smaller 
merchants. Low-cost chip terminal options are available for 
less than $100 and, in many cases, the terminal is included in 
the cost of the service. For example, Square, a leading 
merchant processing services provider, recently announced a new 
$49 card reader that accepts EMV chip cards and Apple Pay. 
Square is giving away 250,000 of them for free to small 
business customers and will also take on the risk of 
counterfeit fraud after October 1 if the merchant pre-ordered a 
device.

    And, this is just one example. Other terminal providers 
like Chase, Bank of America Merchant Services, and VeriFone, to 
name a few have several low-cost options available to small 
business owners that bring that help prepare them for the 
future of accepting all payment forms including chip cards and 
mobile payments.

    We know that our efforts to educate and facilitate the 
small business community are gaining traction. In fact, in 
August 2015, nearly 50 percent of the nearly 4 billion dollars 
in Visa chip transaction volume occurred at small businesses.

    Chip Adoption Gaining Momentum

    While we want to encourage a speedy migration to chip 
technology to improve the security of payments everywhere, we 
know that some businesses may take more time to upgrade. Owners 
of small businesses that do not experience significant loss 
from counterfeit fraud, such as dry cleaners, restaurants, or 
hair salons, may decide to upgrade to chip as part of their 
normal terminal replacement cycle. The roadmap was designed 
with this type of flexibility in mind, allowing businesses to 
make the transition on a timetable that meets their needs. Some 
merchants, for example, were ready this summer ahead of the 
liability shift, while others in the coming months.

    In other words, October 1 marked the beginning of a process 
that will ultimately lead to near-universal adoption of chip 
technology in the US. With the milestones achieved to date, the 
US is well-positioned to adopt the next level of payment 
security for consumers, businesses, and financial institutions.

    Where are we today?

    Over the past twelve months we have seen significant 
progress. Today, there are more than 150 million Visa chip 
cards in circulation in the US, an increase of over 655 percent 
in the last year alone. That number eclipses the roughly 129 
million Visa chip cards in Brazil and 124 million Visa chip 
cards in the United Kingdom, making the US the largest chip 
market in the world.

    Retailers, and particularly small businesses, are making 
great strides in implementing chip technology. As of September 
15, chip-enabled devices are in use at more than 314,000 
merchant locations, representing a 470 percent year-over-year 
increase. We are strongly encouraged by the number of small 
businesses that are already using this technology and look 
forward to continuing to encourage their adoption of chip.

    Tokenization

    While EMV technology eliminates in-store counterfeit card 
fraud, it does not prevent all types of fraud--particularly 
fraud that occurs online in the e-commerce environment. To 
mitigate the growing risk of e-commerce fraud, Visa developed 
tokenization.

    Tokenization, which removes the account number from the 
payment process completely, is one of the most promising 
technologies for fighting fraud. Tokenization replaces the 
accountholder's 16-digit account number in a payment 
transaction with a unique digital ``token'' or proxy number 
that is tied to the underlying account. Tokenization can 
enhance transaction efficiency, improve cardholder privacy and 
data security, and may enable new types or methods of payment. 
When fully deployed, tokenization in combination with chip, 
could virtually eliminate the need for merchants, digital 
wallet operators or others to use cardholder account numbers.

    Cardholder Verification Technologies

    Mobile payment applications such as Apple Pay, Android Pay, 
and Samsung Pay each offer enhanced security to consumers and 
merchants by using tokenization solutions to prevent the 
underlying card number from being comprised. And, as some of 
you may know from personal experience, many of the new mobile 
payment devices and applications use biometrics to verify your 
identity--like a thumbprint--before you can complete a 
transaction. At Visa, we believe this type of dynamic 
authentication is the future.

    Today, with expertise gained from years working with 
merchants and issuing banks, Visa supports a variety of 
cardholder verification methods, including signature, PIN, and 
no cardholder verification for low value, low risk 
transactions. However, we see dynamic, or one-time use, 
verification technologies as the way forward. Just as the 
information technology industry is looking to replace the 
static password with more dynamic technologies, the payments 
industry must also replace static technologies in the payments 
ecosystem with more effective protections. I want to share a 
few of these future technologies with you, some of which are 
exist today.

    In February, Visa launched a new opt-in service that uses 
mobile geo-location information to more reliably predict 
whether it is the account holder or an unauthorized user making 
a payment with a Visa account. By matching the location of the 
cardholder through a cell phone or other mobile device to the 
location of the purchase, this service helps improve fraud 
detection and identify unauthorized transactions.

    In addition, Visa introduced a new specification just last 
month to use biometrics with chip and transactions. The 
specification can enable fingerprint, palm, voice, iris, or 
facial biometrics in the authorization of payments. This first-
of-its-kind technology framework is designed to work with the 
EMV chip industry standard to help ensure open, globally 
interoperable solutions for payment security. This product 
addresses increasing demand for biometrics as a more convenient 
and secure alternative to signatures or PINs, especially as 
biometrics technologies become more reliable and available. The 
architecture Visa has designed enables fingerprints to be 
securely accepted by a biometric reader, encrypted, and then 
validated. The specification supports ``match-on-card'' 
authentication where the biometric is validated by the EMV chip 
card and never exposed or stored in any central databases. 
Issuers can optionally validate the biometric data within their 
secure systems for transactions occurring in their own 
environments, such as their own ATMs. This innovative 
technology is just rolling out, but has great promise for 
protecting consumers in years to come.

    Conclusion

    We have come a long way in the past year as the US 
transitions to EMV chip technology, but, we must continue to 
work together to achieve the necessary progress to protect all 
stakeholders in the payments space, including small businesses. 
Visa is committed to continuing our work to drive innovation 
and ensure that EMV chip technology, tokenization, geo-
location, biometric authentication, and other technologies 
evolve to address the needs and threats of tomorrow. This is 
critical for the success of our merchant and financial 
institution clients, and we look forward to working with all 
stakeholders on this important goal.

    Thank you again for the opportunity to testify today. I 
would be happy to answer any questions you may have.
                      Testimony of Scott Talbott,


                   Sr. V.P. for Government Relations,


               Electronic Transactions Association (ETA)


                     House Small Business Committee


                             Hearing on the


           EMV Deadline and What It Means for Small Business


                              Oct. 7, 2015


    Introduction:

    Chairman Chabot, Ranking Member Velazquez, and members of 
the Committee. I am Scott Talbott, Senior Vice President for 
Government Relations of the Electronic Transactions Association 
(ETA). Thank you for inviting ETA to testify on the EMV 
transition and what it means for small business.

    By way of background, ETA is a global trade association 
whose mission is to advance the payments technology. As the 
trade association of the payments industry, the ETA represents 
more than 500 of the world's most innovative payments and 
technology companies, from Fortune 500 financial institutions, 
to small, local sales organizations, to the world's largest 
technology companies. ETA's members are dedicated to providing 
merchants and consumers in our country the safest, most 
reliable, most secure payments system to facilitate commerce 
and power our economy--and the EMV migration is another major 
step forward in this regard.

    The Electronic Payments Ecosystem--Driver of Economic 
Growth:

    To help put the electronic payments industry into context, 
when consumers buy something from a merchant, they often will 
use a form of electronic payment, such as a credit card, debit 
card, gift card, prepaid card. Purchases can be made in person 
with the card or with a mobile device, or remotely, over the 
phone or the Internet. While the transaction is simply and 
securely completed within seconds of a swipe, dip, or tap, it 
involves an enormous and complex electronic payments ecosystem, 
which includes:

           consumer card issuing banks;

           the card brand networks that connect 
        merchants and consumers;

           payment processors that connect merchants 
        with networks of banks (issuing and acquiring) to 
        ensure the transaction is authorized and processed;

           point of sale equipment hardware and 
        software companies;

           program managers that work with consumers 
        and issuing banks to help consumers obtain credit and 
        prepaid cards;

           enablers of payment technology and e-
        commerce;

           merchant acquirers, which provide payment 
        acceptance services;

           independent sales organizations that work 
        directly with merchants to provide access to the 
        payments system;

           sponsor banks, which establish policies for 
        merchant acquirers, sponsor their registration with the 
        card brands, and hold the risk of payment;

           anti-fraud companies that work with 
        providers in the ecosystem to help ensure fraudulent 
        transactions do not occur; and

           security companies that work with all other 
        providers in the ecosystem to protect and secure 
        transactions against intrusion.

    This ecosystem is largely invisible to consumers and 
merchants because it works seamlessly to process billions of 
transactions each year--that's literally thousands of 
transactions every second. Electronic payments are key drivers 
of commerce and economic growth in our country. To put this 
into greater context: 70% of U.S. GDP is attributed to consumer 
spending, and 70% of consumer spending is done electronically. 
Last year, electronic payments surpassed $5 trillion and 
electronic consumer spending will only continue to grow. 
Indeed, my 2017, we project that ETA member companies will 
process $7.3 trillion in consumer spending in the U.S.

    The Electronic Payments Industry's Commitment to Securing 
Customer's Information:

    ETA member companies take seriously their affirmative and 
continuing obligation to protect the confidentiality and 
security of their customers' information. Our payments systems 
are built to detect and prevent fraud--and to insulate 
consumers from any liability. In fact, consumers in the United 
States choose electronic payments over cash and checks in large 
part because they have zero liability for fraud, making 
electronic payments the safest and most reliable way to pay. 
The liability is borne by companies in the payments industry 
due to Federal law and even more stringent payment network 
rules. In light of this financial responsibility and a desire 
to preserve consumer confidence in the security of electronic 
transactions, ETA members have a strong interest in making sure 
fraud does not occur, including through the misuse by criminals 
of consumer data that happens to be compromised through a data 
breach. Towards that end, payments technology businesses are 
bolstered by robust compliance practices--whether their own in-
house policies, or ETA's own carefully crafted industry 
Guidelines, which establish underwriting practices to help 
payments companies detect and eliminate fraud.

    Importantly, for those companies that follow them, self-
regulatory guidelines help ensure that consumer data is secure. 
The Payment Card Industry Data Security Standard (PCI-DSS) 
created by the PCI Security Standards Council, is an example of 
one such successful industry-led, multi-stakeholder program, 
safeguarding personal information that should serve as a model. 
As a point of reference, fraud accounts for less than six cents 
of every one hundred dollars spent on the payments systems--a 
fraction of a tenth of a percent--and the payments industry is 
on the cutting edge of technology to help further limit fraud. 
But inasmuch as we just emerged from 2014, which the media 
dubbed ``the year of the data breach,'' the payments industry 
continues to innovate in order to further combat data breaches 
and protect consumers against increasingly sophisticated cyber 
criminals. It's our highest priority, since our business 
depends on customers entrusting us with their personal and 
financial data.

    An important step in this security upgrade is the 
transition to more secure chip, or ``EMV,'' cards, which use 
smart technology providing enhanced security.

    ETA has long championed adoption of EMV enabled chip cards 
as one protection for consumers. EMV enabled chip cards, which 
can be identified by a conspicuous chip on the card's face, 
currently only make up about 25% of total card circulation in 
the US, but this number is expected to increase to 90-95% 
within the next two years.

    To incentivize more rapid migration to EMV adoption, just 
last week, on Oct. 1, the payments industry implement a long-
planned liability shift for their card transactions, at which 
point any participant in the transaction chain who is not EMV 
compliant became responsible for any resulting fraud. This 
industry-led initiative is an example of how payments companies 
are proactively working to strengthen protection for consumers 
and the payments system.

    To explain further, EMV, which stands for EuroPay, 
Mastercard, Visa, is the global standard for integrated 
circuit, or ``chip'' cards. Today, EMVCo (the body that sets 
that EMV specifications) is owned jointly by American Express, 
Discover, JCB, MasterCard, UnionPay, and Visa, and includes 
other organizations from the payments industry. EMV cards 
feature embedded microprocessor chips that store and protect 
cardholder data--similar to magstripe, but safer. An EMV card 
is superior to a traditional magstripe card because it supports 
dynamic authentication. EMV technology does this by generating 
a unique, or ``dynamic,'' one-time security code for each 
transaction, which makes the card nearly impossible to 
replicate. Counterfeiting such cards is currently far more 
difficult than producing cards with data that is ``skimmed'' 
from the magnetic stripes of genuine cards or stolen from 
stored payments data, such as the high-profile merchant 
breaches of recent months. Because EMV cards generate a dynamic 
security code with each transaction, unlike a magnetic stripe 
card which uses the same static code with every purchase, a 
counterfeit card could not successfully produce the correct 
security code and would not work in a card-present or face-to-
face transaction. Accordingly, EMV is an effective tool to 
combat the manufacture and use of counterfeit cards and card-
present fraud. Because counterfeit card represents the single 
largest type of card fraud in stores in the U.S. today, the EMV 
migration is the most important step we can take. But although 
chip cards reduce the value of compromised data by inhibiting 
the creation of counterfeit cards, they do not stop data 
breaches. Later in my testimony, I will describe other 
initiatives within the industry that further augment the 
protections provided by EMV and will help erect additional 
barriers to bad actors, while simultaneously reducing the value 
of the data they may attempt to obtain.

    Small Business Merchant Perspective

    Of course, EMV-enabled cards are only half the EMV-
migration equation, the other half is whether merchants have 
converted their point of sale terminals to accept them. 
Merchant acceptance of EMV cards is voluntary, and there are 
any number of factors facing individual small business 
merchants at this juncture which may affect their relative 
focus on, and timing for, their respective conversions. For 
instance, the cost of the conversion of terminals for the 
average small business merchant is in the $50-$500 range, and 
the cost and complexity vary depending on whether a small 
business merchant only needs to convert a single terminal, 
versus those with multiple terminals or terminals with 
integrated systems that combine payments functions with other 
functions, like inventory or payroll. For some, conversion to 
new EMV terminals may provide them an opportunity to upgrade to 
near field communication-enabled terminals in order to also be 
able to accept mobile payments, adding additional benefit for 
the merchant to convert sooner rather than later. In addition, 
there is a certification process all merchants must undertake 
in order to ensure compliance with card network rules and 
safeguards. On a much more practical level, we expect merchants 
right now are focusing on the upcoming holiday shopping season, 
but that migration efforts will really resume in 2016 after the 
holidays when many small business merchants renew their 
contracts with the card networks.

    However, given that it was only last week that the official 
EMV liability shift happened, it appears as if the migration 
for some small business merchants will lag behind other 
businesses, especially if a small business merchant is the type 
where the likelihood of fraudster using a fraudulent card is 
low due to the low dollars involved in an average transaction--
like at a dry cleaner or a car wash--and the resulting 
financial exposure to the merchant from the fraudulent 
transaction is, therefore, low. Put another way, a small 
business merchant may view the need to convert to EMV 
terminals--in order to avoid liability for a $16 dry cleaning 
bill or a $10 car wash paid for by a fraudulent card--as a 
relatively low priority. By contrast a small jeweler's risk of 
liability for a fraudulently purchased $6,000 diamond ring 
likely provides a greater incentive to concert to EMV terminals 
as soon as possible. Small businesses will make this risk/
reward calculation, and this will cause variation amongst small 
business merchants in their respective EMV migration rates. At 
the end of the day, in the near term, the migration may require 
small business merchants to teach consumers how to check out 
with their newly-issued EMV cards in the new point of sale 
terminals in order to keep customer transactions flowing 
smoothly, and this will take some effort on the merchant's 
part.

    All of that said, there are any number of payments industry 
financial assistance and incentive programs to assist those 
merchants who many need it, and ETA has an educational website, 
www.sellsafeinfo.org, to assist small business merchants with 
the EMV migration. Additionally, ETA's own Risk and Fraud 
Council recently published materials for small merchants to 
determine what they need to do when a breach occurs.

    Finally, ETA is a participant in the PCI Security Standards 
Council Small Merchant Task Force. The goals and objectives of 
the task force are focused on ensuring that small merchants 
understand their responsibility for protecting payment card 
data and to identify and mitigate areas of risk in their 
environment. The payments industry has, and will continue, to 
educate and assist small business merchants in this regard.

    EMV Chip and Cardholder Verification Methods

    While this hearing specifically focuses on EMV, it is 
important to note that a separate question, independent of the 
EMV migration, has arisen regarding whether consumers should be 
required to use a personal identification number (PIN) for each 
credit card transaction at the point of sale. The EMV chip 
functions as a fraud prevention tool by generating a dynamic 
security code, thus preventing the production of counterfeit 
cards, the single largest (by far) cause of fraud in stores. 
Put another way, this ensures that the card itself is valid. 
The protection provided by EMV cards does not require a PIN. It 
is important to note that a PIN is a method of verifying the 
cardholder's identity (not that the card itself is valid, but 
rather that, in theory, the person presenting the card is the 
actual cardholder). This is referred to as a cardholder 
verification method, or CVM. A CVM prevents a specific type of 
card fraud called ``lost and stolen'' fraud--where a criminal 
has stolen a physical card from a wallet, for example, and then 
attempts to use the card before it has been reported stolen. 
Other methods of CVM include signature end, in some cases, no 
CVM is required, for example, because the transaction is a low 
dollar amount or low risk of fraud, and a CVM would not be 
beneficial to require.

    ETA strongly supports the migration to EMV, and we believe 
that card issuers should be permitted to make the choice that 
is best for their customers as to cardholder verification 
method to accompany the chip cards, whether it be signature, 
PIN, or neither, when authorizing a transaction. Consumers and 
merchants have benefitted from flexibility in cardholder 
verification methods--including speedier checkout times for low 
dollar, low risk transactions. For example, drive throughs, 
quick service restaurants and convenience stores, in 
collaboration with payments companies and card networks, allow 
consumers to move quickly through checkout lines through 
``swipe and go'' transactions that benefit all parties to the 
transaction and help maintain overall consumer satisfaction. 
Similarly, new mobile payments technology replaces traditional 
CVMs with even more secure biometrics that promise both fraud 
protection and consumer convenience at a higher level. An 
important part of the decision of card issuers whether to 
require their customers to use a PIN is whether merchants have 
the capability to accept PIN as a CVM. It should be noted that, 
at present, roughly 2/3 of the nation's merchants do not have a 
PIN pad and thus cannot accept a PIN transaction from their 
customers. For such merchants, consumers who are required to 
use a PIN for a transaction could represent lost customers. It 
could also result in a shift of additional liability for 
fraudulent card transactions to those merchants that do not 
have a PIN pad.

    Similarly, not all mobile payments can use a static PIN 
with the transaction. As merchants and consumers move from 
plastic cards to mobile devices, including mobile phones and 
wearables, this next generation of payments technology must not 
be inhibited by plastic card-era systems. Also, many consumers 
prefer not to have to remember PINs. Indeed, in 1967, the 
inventor of the ATM, John Shepherd-Barron, first envisioned a 
six-digit numeric code for customer authentication, but his 
spouse could only remember four digits, which became the 
commonly used length. Furthermore, the PIN is static and can be 
stored on a card, making it vulnerable to interception or even 
being guessed (there are only 10,000 possible 4 digit PIN 
combinations). As our industry moves to dynamic security, 
biometrics, and other systems that are even more secure, we 
must consider these important factors in making the right 
choice to secure transactions.

    The fact remains that criminals are adaptive and constantly 
probe for vulnerabilities. Focusing on one specific technology 
gives hackers an open invitation to focus their energies on 
that technology and to detect and exploit loopholes in the 
payments system. Strong security involves a multi-layer 
approach which has the ability to evolve in response to the 
changing threat environment, allowing the industry to be as 
nimble as the bad actors it is attempting to thwart. At the end 
of the day, we all need to work continuously and 
collaboratively across banks, payments companies, merchants and 
consumers to find the most effective and efficient security 
mechanisms.

    ETA Members: Fostering other new technology

    As previously mentioned, EMV is one part of the overall, 
multi-layered solution to protecting data, consumers, and the 
payments system. ETA members are simultaneously deploying new 
innovations to further enhance security. For example, another 
technology, tokenization, removes sensitive information from a 
transaction by replacing customer data with a unique identifier 
that cannot be mathematically reversed. In its simplest form, 
it works like a secret code substituting symbols for important 
information like a credit card number. This way, only the bank 
that issued the card knows the real account information. 
Tokenization is designed to work when a consumer pays with 
plastic in person, online or with a mobile phone.

    In a non-tokenized transaction, a consumer's actual account 
number is transmitted and, in some cases, stored by retailers, 
e.g, for purposes of facilitating returns. This trove of 
information is what hackers typically seek in the case of 
retailer data breaches. But in a tokenized environment, actual 
account numbers are replaced by one time-use tokens that 
represent account numbers but cannot be tied back to the actual 
number. If a breach occurs, the criminal only sees the 
tokenized code, which is useless to them because it cannot be 
used to generate a subsequent fraudulent transaction.

    Another layer of protection deployed by ETA member 
companies is the use of point-to-point encryption. Point-to-
point encryption is an advanced risk management tool that helps 
further protect data throughout the transaction lifecycle. With 
point-to-point encryption, card data is encrypted from the 
moment the card is swiped or tapped, while the data is in 
transit, all the way to authorization. This technology 
minimizes opportunities for hackers and criminals to access 
data during a purchase.

    Additionally, many payment companies continue to innovate 
advanced computer systems that monitor transactions and data 
patterns detect unusual activity that may indicate an account 
has been hacked or a card lost or stolen. This monitoring 
occurs in both traditional, card-present as well as in card-
not-present transactions, such as those taking place over the 
Internet or phone.

    Lastly, using a mobile device to initiate a transaction may 
well be as common as swiping a card. Mobile payments and 
digital wallet cloud technology are actively employing new 
security technology that improves on legacy systems. Mobile 
devices provide enhanced security, including passcode 
protection for the phone, biometrics security features like a 
fingerprint, secure chip technology, geo-locational information 
to assist with verification, as well as both device and cloud 
based encryption and tokenization capabilities.

    The payments industry is creating innovative solutions 
today--like voice and facial recognition-to solve tomorrow's 
security threats. This protection ensures the flow of 
information vital to helping consumers access and use 
electronic payments, promotes competition and ensures the free 
flow of commerce, and maintains public confidence. It is 
imperative to find ways to encourage new technologies and 
enterprises, ensuring that the payments revolution will realize 
its maximum potential.

    Conclusion:

    Headline-grabbing events inevitably lead to calls for 
additional government regulations. The members of the ETA are 
the first line of defense for consumers to avoid the fraud 
perpetuated by criminals in the financial systems. As 
described, the payments industry takes seriously this charge 
and works hard every day to detect and deter crime. ETA members 
are deploying multiple layers of protection, including EMV, 
tokenization, encryption, biometrics, and other payments 
technologies that secure systems against criminal intrusions 
and protect consumers and merchants. As the trade association 
of the payments industry, ETA stands ready to assist the 
Committee in its efforts to ensure that merchants, consumers 
and the economy continue to benefit from the safety and 
security of our nation's payments systems.
[GRAPHIC] [TIFF OMITTED] T6854.001

    Chairman Chabot, Ranking Member Velazquez, and members of 
the committee, my name is Paul Weston, and I am President and 
CEO of TCM Bank, N.A. in Tampa, Florida. I testify today on 
behalf of the more than 6,000 community banks represented by 
the Independent Community Bankers of America (ICBA). Thank you 
for convening this hearing on the migration to EMV chip credit 
and debit card technology and what it means for small 
businesses. We're grateful to you for raising the profile of 
this important topic.

    TCM Bank, N.A. is a $178 million asset bank that serves as 
the credit card issuer and ``back office'' for over 650 
community banks that have chosen to outsource the specialized 
function of credit card issuance. TCM Bank community bank 
clients brand and market their credit cards, expand their 
product offerings and customer relationships, and gain access 
to a new revenue stream, without committing financial, 
technical, or personnel resources to the day-to-day 
administration of a credit card program. This arrangement 
allows our community back clients to focus on their core 
lending competencies: small business, consumer, and farm 
lending. TCM operates by the values and standards of service of 
our community bank clients.

    The community bank business model is directly linked to the 
success of their small business customers. Community banks hold 
a disproportionate market share of small business loans--nearly 
50 percent--though they hold less than 20 percent of all 
banking assets. ICBA and its community banks members take a 
keen interest in the migration to EMV chip cards, both as card 
issuers and as partners with the small businesses that are so 
important to the national economy. Locally-managed community 
banks are uniquely positioned to help small businesses make a 
smooth transition to EMV chip cards and are committed to doing 
so. TCM talks with community banks and their small business 
customers every day.

    Before discussing in greater detail the ongoing migration 
to EMV chip and the respective roles of card issuers and 
merchants, I would like to stress that consumers--your 
constituents--are not on the hook for fraud losses as all 
credit cards have zero liability provisions for consumers and 
the Electronic Funds Transfer Act limits consumer liability for 
any fraud on debit cards. This is true whether or not the card 
issuer or the merchant is EMV chip compliant.

    Small businesses that are involved with retail are already 
being presented with payment cards with an EMV chip on the 
front of the card in additional to the familiar magnetic stripe 
on the back of the card. In order to process those cards using 
EMV chip technology at the point of sale, most small business 
merchants will need to upgrade their terminals and train their 
front line staff to assist customers.

    EMV chip cards contain a microprocessor that generates a 
unique, one-time code to authenticate card transactions. If the 
card information is stolen, it is useless to a criminal because 
it cannot be used to conduct another transaction. EMV chip 
cards are much more secure than magnetic stripe cards because 
they are exponentially more difficult to counterfeit. 
Counterfeit cards made with stolen information represent the 
largest portion of fraud in the United States. And while 
consumers are protected against loss, having to replace a 
credit or debit card is inconvenient at best. EMV chip cards, 
together with merchant-provided chip readers at the point of 
sale, will play a critical role in reducing counterfeit fraud 
for both debit and credit cards.

    Community banks are joining other financial institutions in 
the orderly migration to deploy EMV chip technology for debit 
and credit cards. This migration is already underway. A story 
in USA Today last week reported that roughly four in ten 
consumers already have an EMV chip card.

    There is no legal mandate that card issuers adopt EMV chip 
or that retailers invest in EMV chip card readers. However, new 
rules in the card industry took effect on October 1, 2015 that 
will incentivize a shift to EMV chip technology that is in the 
best interest of all parties. The new rule provides that 
liability for fraudulent transactions sits with the party (i.e. 
retailer or bank) that didn't invest in chip technology. In a 
case where the bank doesn't offer chip cards and the merchant 
doesn't have a card reader, the bank will continue to be held 
responsible for covering the cost of the fraud. Similarly, in a 
case where both the bank and the merchant are chip compliant, 
the bank will continue to be responsible for losses incurred 
from fraudulent use. The October 1 liability shift represents a 
change in economic incentives rather than a legal mandate.

    October 1 is not a deadline in any meaningful sense of the 
word. Instead the liability shift serves as a catalyst for 
change. Already, many card issuers and merchants have adopted 
EMV chip. Others will limit their liability exposure by 
adopting EMV chip before year-end. Some will choose to defer 
adoption into 2016 or even 2017 for automated fuel dispensers. 
Each issuing bank and each merchant will decide when to adopt 
EMV chip based on its own business model, vulnerability to 
fraud, and management of risk. The timing to complete each 
bank's reissuance of all cards in chip form will vary. 
Community banks will weigh the implementation and issuance 
costs with potential risk and demand from consumers. The 
migration to full EMV chip card usage will likely take several 
years to accomplish.

    Based on many conversations with community banks and their 
small business customers, I believe that most small businesses 
are taking a very prudent approach to the migration. They are 
not buying from the first terminal salesperson who calls, and 
they are planning to closely follow as larger national 
retailers begin to enable EMV chip at the point of sale.

    To give you a sense of what's involved for community banks, 
the initial costs of issuing EMV chip cards fall broadly into 
three categories:

    1. Card production and deployment- Includes artwork and 
card redesign, acquiring new inventory of card stock, card 
personalization, and postage.

    2. Implementation- Includes programming, software upgrades, 
processor costs, and new authorization techniques. ATMs and 
branch card issuance systems also need to be upgraded.

    3. Training- All parties have to be trained. Community 
banks will focus on educating the cardholders as they adapt to 
a new way of presenting a card for payment at the point of sale 
in addition to training bank personnel and merchants to ensure 
that all parties can assist the consumer, even at the point of 
sale.

    For merchants, the costs involve the purchase, deployment, 
and activation of EMV chip card readers. They must also train 
retail personnel to assist cardholders in the use of an EMV 
chip card. Community banks will serve as an important ally and 
resource to smaller retail businesses making the transition. 
They will help their merchant customers by providing equipment, 
expertise, and education to guide them through this change. 
Since community banks are local, they serve as ``feet on the 
street,'' especially for the small businesses in their 
communities.

    For consumers, the transition will involve relearning a 
process which has become second nature. Instead of swiping a 
card through the magnetic stripe slot, a process that has 
become very well ingrained over many years, using an EMV chip 
card involves inserting the card into an open slot and leaving 
it there for a short time as the transaction is completed. 
Community banks are actively working to educate and reassure 
their customers about these changes coming to the point of 
sale.

    While EMV chip cards are an effective means of reducing 
fraud related to counterfeit cards, they are not a panacea for 
all types of payment card fraud. Multiple layers of security 
technologies are needed in addition to EMV chip to mitigate 
other types of fraud. Card numbers and cardholder information 
must still be protected. The PCI Data Security Standards 
provide requirements for all merchants and processors to 
mitigate data breaches and compromise events that fuel payment 
card fraud. End-to-end encryption should be deployed to protect 
cardholder information while in transit, and newer 
technologies, such as tokenization, should and will be 
developed and deployed to protect online transactions.

    Until this layered approach can be fully implemented, 
consumers should know that banks comply with significant legal 
and regulatory requirements and are subject to rigorous 
examination and supervision of their data security practices 
and procedures.

    Some are touting PIN in combination with EMV chip as the 
only way to eliminate payments fraud. We believe any form of a 
PIN mandate would be misguided for a number of reasons. First, 
PINs only protect against fraud in cases of lost or stolen 
cards, which is a relatively small portion of total fraud. 
Second, as a static data element, PIN is more vulnerable than 
active technologies like EMV chip or tokenization. As PIN use 
becomes more prevalent, it attracts more criminal activity. A 
2012 report by the Federal Reserve Bank of Atlanta found that 
debit PIN fraud rates have increased more than threefold since 
2004.

    Additionally, in order to better protect consumers, all 
participants of the payment system--including merchants--should 
be subject to the same federal data security standards and 
oversight as financial institutions. ICBA supports legislation 
introduced by Reps. Randy Neugebauer (R-TX) and John Carney (D-
DE), the Data Security Act (H.R. 2205), that would apply Gramm-
Leach-Bliley Act-like data security standards for all 
industries that handle sensitive financial information.

    Closing

    Thank you again for the opportunity to testify today. We 
hope that this hearing will help to educate all stakeholders, 
especially small businesses and consumers. The engagement and 
cooperation of all parties is critical for a smooth transition 
to EMV chip which will ultimately reduce fraud and bolster 
confidence in the payments system.
[GRAPHIC] [TIFF OMITTED] T6854.002

                          Introduction

    Good morning, Chairman Chabot, Ranking Member Velazquez and 
Members of the Committee. My name is Jan Roche and I am 
testifying today on behalf of the National Association of 
Federal Credit Unions (NAFCU). I serve as the President and CEO 
of State Department Federal Credit Union (SDFCU), headquartered 
in Alexandria, Virginia, and also serve on the Board of 
Directors of NAFCU. I have over 30 years of experience in 
credit union and financial management.

    State Department Federal Credit Union was chartered in 1935 
through the efforts of eight employees of the Department of 
State. Now, 80 years later, we serve over 67,000 members 
worldwide and have over $1.6 billion in assets. Due to the 
traveling habits and job assignments of many of our members and 
the fact that 8 percent of our membership is located overseas 
at any given time, we were one of the first financial 
institutions in the U.S. to start issuing EMV VISA Credit Cards 
in June, 2012.

    As you are aware, NAFCU is the only national organization 
exclusively representing the federal interests of the nation's 
federally-insured credit unions. NAFCU-member credit unions 
collectively account for approximately 70 percent of the assets 
of all federal credit unions. We appreciate the opportunity to 
appear before you today to talk about the EMV transition 
deadline in the United States and the need for data security 
legislation, including H.R. 2205, the Data Security Act of 
2015.

                  Background on Credit Unions

    Historically, credit unions have served a unique function 
in the delivery of essential financial services to American 
consumers. Established by an Act of Congress in 1934, the 
federal credit union system was created, and has been 
recognized, as a way to promote thrift and to make financial 
services available to all Americans, many of whom may otherwise 
have limited access to financial services. Congress established 
credit unions as an alternative to banks and to meet a precise 
public need--a niche that credit unions still fill today.

    Every credit union, regardless of size, is a cooperative 
institution organized ``for the purpose of promoting thrift 
among its members and creating a source of credit for provident 
or productive purposes.'' (12 USC 1752(1)). While over 80 years 
have passed since the Federal Credit Union Act (FCUA) was 
signed into law, two fundamental principles regarding the 
operation of credit unions remain every bit as important today 
as in 1934:

           credit unions remain wholly committed to 
        providing their members with efficient, low-cost, 
        personal financial services; and,

           credit unions continue to emphasize 
        traditional cooperative values such as democracy and 
        volunteerism.

    Credit unions are small businesses themselves, especially 
when compared to our nation's mega banks and largest retailers, 
facing challenges of meeting the products and service needs of 
their community, while dealing with various laws and 
regulations.

                              EMV

    EMV is the established global standard for ``chip'' cards 
and their compatibility with point of sale terminals. EMV 
stands for ``EuroPay, Mastercard and VISA,'' the three 
companies that created the standard. EMV cards are still 
plastic, but they contain an imbedded microprocessor (or 
``chip'') that stores data and adds additional protection by 
making it harder to produce a counterfeit card that can be used 
at a point of sale terminal. This is because the chip generates 
unique data (a new, random number) for each transaction. If 
that data is stolen, it is not traceable back to the account. 
It is important to understand that it is this EMV ``chip'' 
technology that makes the new cards more secure--not a PIN or 
signature. It is also important to recognize that the EMV 
solution is the new market standard for combating fraud at the 
point-of-sale and assigning liability when a fraudulent credit 
card is used. It is not a ``silver bullet'' solution to the 
broader problem of data security or to combat online identity 
theft.

    EMV is just one step in a larger universe of measures that 
credit unions take to protect the financial data of their 
members (consumers) and the payments system. Credit unions and 
other financial institutions already protect data consistent 
with the provisions of the 1999 Gramm-Leach-Bliley Act (GLBA) 
and are innovators in the ever-developing payments system as 
they strive to protect the financial information of the 101 
million Americans who are credit union members.

    My testimony today will cover how credit unions are 
protecting consumers in the payment system, the impact of the 
EMV transition and what steps are needed to better protect 
consumer financial data moving forward.

  NAFCU's Work in Various Cyber and Data Security Initiatives

    NAFCU is pleased to be an active participant in various 
industry and government payments, cyber and data security 
initiatives, doubling down these efforts as data breaches 
continue to rise and innovations in payments technology make 
the entire ecosystem more complex for financial institutions 
and consumers.

    Specific to payments, NAFCU is a member of the Payments 
Security Task Force, a diverse group of participants in the 
payments industry that is driving a discussion relative to 
systems security. NAFCU also supports many of the ongoing 
efforts at the Financial Services Sector Coordinating Council 
(FSSCC) and the Financial Services Information Sharing and 
Analysis Center (FS-ISAC). These organizations work closely 
with partners throughout the government creating unique 
information sharing relationships that allow threat information 
to be distributed in a timely manner.

    NAFCU also worked with the National Institute of Standards 
and Technology (NIST) on the voluntary cybersecurity framework 
released in 2013 designed to help guide financial institutions 
of varying size and complexity through the process of reducing 
cyber risks to critical infrastructure. The recommendations are 
designed to evolve and will be updated to keep pace with 
changes in technology and threats.

    Earlier this year, NAFCU also participated in President 
Barack Obama's White House Summit on Cybersecurity and Consumer 
Protection at Stanford University which featured leaders from 
across the country--industry, tech companies, law enforcement, 
consumer and privacy advocates, law professors who specialize 
in this field, and students--to collaborate and explore 
partnerships that will help develop the best ways to bolster 
cybersecurity. Credit unions continue to pursue greater data 
security through innovation.

    During the Summit, NAFCU-member First Tech Federal Credit 
Union's recent partnership with MasterCard in the area of card 
security was announced. First Tech is innovative in this area 
and is implementing a new pilot program this year that will 
allow consumers to authenticate and verify their transactions 
using a combination of unique biometrics such as facial and 
voice recognition. This type of innovation is a generation 
beyond EMV, and is not unusual at member-owned and member-
driven credit unions as we take data security seriously. 
Technological innovations like this are a prime example of why 
Congress needs to ignore calls to legislate technological 
solutions, which can soon become out-of-date, rather than 
creating basic standards of data protection.

    NAFCU is also a participant in the Federal Reserve's 
initiative to improve the U.S. payments systems through two 
industry taskforces launched earlier this year: the Faster 
Payments Taskforce and the Secure Payments Taskforce. Through 
the Faster Payments Taskforce, NAFCU is working with the 
Federal Reserve and industry participants to create criteria to 
identify and evaluate alternative approaches for implementing 
safe, ubiquitous, faster payment capabilities. Additionally, on 
the Secure Payments Task Force, NAFCU is providing input to the 
Federal Reserve on payment security matters and is helping 
determine priorities for future action to advance payment 
system safety, security and resiliency.

                       The EMV Transition

    October 1, 2015, was the deadline established by the four 
major U.S. credit card issuers (Mastercard, Visa, Discover and 
American Express) when the liability for the majority of card-
present fraudulent transactions on credit cards is shifted to 
whichever party is not EMV-compliant. Given the nature of our 
field of membership, which includes many State Department 
employees that travel or are stationed overseas in countries 
where the EMV transition has already occurred, SDFCU was an 
early adapter to the U.S. transition, first issuing EMV cards 
in June of 2012 for new cards and replacements for lost and 
stolen cards. Our credit card portfolio of over 28,000 cards is 
now 100% EMV.

    It is important to note that the EMV transition in the U.S. 
is a voluntary one established by the market, and not a 
government mandate. The October 1, 2015, deadline is not the 
endpoint of transition, rather just a step along the road of 
progress when the incentives to be EMV-compliant changed. 
Companies have not been forced to transition (whether it's 
issuing or accepting EMV cards) if they are willing to bear the 
liability. The speed of shifting to EMV is essentially a 
business decision that is dependent on risk-tolerance. It is 
important to note that, whether or not a card or business is 
EMV-compliant, consumers are not liable for fraud losses as all 
credit cards have zero liability provisions for consumers and 
the Electronic Funds Transfer Act limits consumer liability for 
any fraud on debit cards. Consumers remain protected in the new 
system.

    Based on a NAFCU survey of our members, a majority of 
credit unions are ready for the EMV transition and are issuing 
EMV credit cards to their members as they issue new cards or 
replace older magnetic-stripe cards. There is a greater cost 
for an EMV card for credit unions. At SDFCU, the cost (not 
including staff costs, set up and postage) to produce a non-EMV 
card is approximately $3.04 and to produce a new EMV card it is 
approximately $5.81.

    A comprehensive study released September 17, 2015, by the 
Strawhecker Group reported that only 27% of merchants were to 
be EMV-ready by October 1, 2015. In other recent surveys, the 
reasons given by merchants for not being ready include: not 
knowing about the transition (despite it being several years in 
the works), not wanting to pay for an EMV terminal, not being 
concerned about the liability shift and thinking that the EMV 
shift is unfair. Many of these are small and mid-size 
businesses that could find themselves the next targets of data 
thieves that will seek to exploit this vulnerability in the 
payment system as many big box retailers make the conversion. 
We believe that successful protection of the payments system 
requires all parties to be actively involved and hope that 
these businesses will work with the financial services 
community to recognize their role in making the payments system 
safer.

                         The PIN Debate

    Some have argued that the EMV transition should have 
included a PIN mandate to require consumers to enter PINs for 
every transaction. Imposing such a mandate or requirement would 
be unrealistic and would not be a panacea for the problem of 
data security. As I noted earlier, it is the chip technology 
that makes new cards secure, not the PIN or signature. A PIN is 
a static data element that is still vulnerable to theft. If it 
is compromised, a consumer's entire account can be put at risk. 
A 2012 report by the Federal Reserve Bank of Atlanta found that 
PIN fraud rates had increased significantly since 2004. A PIN 
mandate would not have helped prevent recent major consumer 
data breaches such as Target, Home Depot and Michaels.

    A PIN mandate also does not prevent online or mobile fraud, 
often referred to as ``card-not-present'' fraud, which is 
already 45% of card fraud in the U.S. according to the Aite 
Group (at SDFCU in the last year, it was about 40% of our gross 
card fraud). This type of fraud is also expected to rise 
significantly after the EMV transition. Wider use of PINs in 
other EMV countries have done nothing to prevent spikes in 
card-not-present fraud. In the United Kingdom, online fraud 
rose 79% after their EMV transition. In Canada, while card-
present fraud declined after the switch to EMV, card-not-
present fraud more than doubled.

    A truly secure payments system must be one that is 
constantly evolving to meet emerging threats and uses a wide 
range of dynamic authentication technologies--EMV, 
tokenization, encryption, biometrics and more. Many retailers 
today are increasingly moving away from traditional point-of-
sale authentication methods, like PIN or signature, and relying 
on network-based monitoring to identify fraud as it can improve 
the customer experience by reducing time spent in the checkout 
line. Many of you may have experienced transactions where the 
merchant does not request a signature nor PIN with card usage. 
Retailers have demanded this change of the industry to speed 
the checkout process. Because retailers do not have standards 
requiring them to protect consumer data collected at the point 
of sale, they have sometimes prioritized the speed of the 
transaction to increase customer sales at the expense of the 
security of the payment system. This can make retailers a 
vulnerable point of entry to data breaches in the payments 
ecosystem, even with PIN and signature authentication.

      Credit Unions and Consumers Suffer in Data Breaches

    The EMV transition is not a silver bullet to addressing the 
scourge of data breaches. More needs to be done to establish a 
national standard for protecting the financial data of 
consumers. Americans are becoming more aware and more concerned 
about data security and its impact. A Gallup poll from October, 
2014, found that 69 percent of U.S. adults said they frequently 
or occasionally are concerned about having their credit card 
information stolen by hackers, while 27 percent of Americans 
say they or another household member had information from a 
credit card used at a store stolen in the last year. These 
staggering survey results speak for themselves and should cause 
serious pause among lawmakers on Capitol Hill.

    Data security breaches are more than just an inconvenience 
to consumers as they wait for their plastic cards to be 
reissued. Breaches often result in compromised card information 
leading to fraud losses, unnecessarily damaged credit ratings, 
and even identity theft. Symantec's Internet Security Threat 
Report issued earlier this year found that 36% (roughly 74 
million consumers) of the over 205 million individuals 
compromised in retail breaches in 2014 had their financial 
information exposed. That percentage doubled from 18% in 2013. 
More than 23% of the US population had their financial 
identities compromised by a retailer data breach in 2014.

    While the headline grabbing breaches are certainly 
noteworthy, the simple fact is that data security breaches at 
our nation's retailers are happening almost every day. A survey 
of NAFCU member credit unions, found that respondents were 
alerted to potential breaches an average of 164 times in 2014. 
Two-thirds of the respondents said that they saw an increase in 
these alerts from 2013. When credit unions are alerted to 
breaches, they take action to respond to protect
[GRAPHIC] [TIFF OMITTED] T6854.003

                     Credit Unions and GLBA

    As I noted above, credit unions, and all financial 
institutions, are subject to the 1999 Gramm-Leach-Bliley Act, 
GLBA and its implementing regulations have successfully limited 
data breaches among financial institutions and this standard 
has a proven track record of success since its enactment. This 
record of success is why we believe any future requirements 
must recognize and incorporate this existing national standard 
for financial institutions such as credit unions.

    Consistent with Section 501 of the GLBA, the National 
Credit Union Administration (NCUA) established administrative, 
technical and physical safeguards to ensure the (1) security, 
(2) confidentiality, (3) integrity, (4) and proper disposal of 
consumer information and other records. Under the rules 
promulgated by the NCUA, every credit union must develop and 
maintain an information security program to protect customer 
data. Additionally, the rules require third party service 
providers that have access to credit union data take 
appropriate steps to protect the security and confidentiality 
of the information.

    GLBA and its implementing regulations have successfully 
limited data breaches among credit unions. NAFCU believes that 
the best way to move forward and address data breaches is to 
create a comprehensive regulatory scheme for those industries 
that are not already subject to oversight. At the same time, 
the oversight of credit unions, banks and other financial 
institutions is best left to the functional financial 
institution regulators that have experience in this field. It 
would be redundant at best and possibly counter-productive to 
authorize any agency--other than the functional financial 
institution regulators--to promulgate new, and possibly 
duplicative or contradictory, data security regulations for 
financial institutions already in compliance with GLBA.

    There are a number of key elements, requirements and 
definitions of the GLBA that apply to credit unions and are 
outlined below. The GLBA directed regulators to establish 
evolving standards for financial institutions to ensure the 
security and confidentiality of consumer information.

    The GLBA also sets a number of important definitions and 
requirements:

    Sensitive Consumer Information

    Sensitive consumer information is defined as a member's 
name, address, or telephone number in conjunction with the 
member's social security number, driver's license number, 
account number, credit or debit card number, or personal 
identification number or password that would permit access to 
the member's account. Sensitive consumer information also 
includes any combination of components of consumer information 
that would allow someone to log into or access the member's 
account, such as user name and password or password and account 
number. Under the guidelines, an institution must protect 
against unauthorized access to or use of consumer information 
that could result in substantial harm or inconvenience to any 
consumer.

    Unauthorized Access to Consumer Information

    The agencies published guidance to interpret privacy 
provisions of GLBA and interagency guidelines establishing 
information security standards. The guidance describes response 
programs, including member notification procedures, that a 
financial institution should develop and implement to address 
unauthorized access to or use of consumer information that 
could result in substantial harm or inconvenience to a member.

    The security guidelines require every financial institution 
to have an information security program designed to:

           Ensure the security and confidentiality of 
        consumer information;

           Protect against any anticipated threats or 
        hazards to the security or integrity of such 
        information; and,

           Protect against unauthorized access to or 
        use of such information that could result in 
        substantial harm or inconvenience to a member.

    Risk Assessment and Controls

    The security guidelines direct every financial institution 
to assess the following risks, among others, when developing 
its information security program:

           Reasonably foreseeable internal and external 
        threats that could result in unauthorized disclosure, 
        misuse, alteration, or destruction of consumer 
        information or consumer information systems;

           The likelihood and potential damage of 
        threats, taking into consideration the sensitivity of 
        consumer information; and,

           The sufficiency of policies, procedures, 
        consumer information systems, and other arrangements to 
        control for the risks to sensitive data.

    Following the assessment of these risks, the security 
guidelines require a financial institution to design a program 
to address the identified risks. The particular security 
measures an institution should adopt depend upon the risks 
presented by the complexity and scope of its business. This is 
a critical aspect of GLBA that allows flexibility and ensures 
the regulatory framework is workable for the largest and 
smallest in the financial services arena. As the committee 
considers cyber and data security measures, it should be noted 
that scalability is achievable and that it is a misnomer when 
other industries claim they cannot have a federal data 
safekeeping standard that could work across a sector of varying 
size businesses.

    At a minimum, the credit union is required to consider the 
specific security measures enumerated in the Security 
Guidelines, and adopt those that are appropriate for the 
institution, including:

           Access controls on consumer information 
        systems, including controls to authenticate and permit 
        access only to authorized individuals and controls to 
        prevent employees from providing consumer information 
        to authorized individuals who may seek to obtain this 
        information through fraudulent means;

           Background checks for employees with 
        responsibilities for access to consumer information;

           Response programs that specify actions to be 
        taken when the financial institution suspects or 
        detects that unauthorized individuals have gained 
        access to consumer information systems, including 
        appropriate reports to regulatory and law enforcement 
        agencies;

           Train staff to implement the credit union's 
        information security program; and,

           Regularly test the key controls, systems and 
        procedures of the information security program. The 
        frequency and nature of such tests should be determined 
        by the credit union's risk assessment. Tests should be 
        conducted or reviewed by independent third parties or 
        staff independent of those that develop or maintain the 
        security programs.''

    Service Providers

    The security guidelines direct every financial institution 
to require its service providers through contract to implement 
appropriate measures designed to protect against unauthorized 
access to, or use of, consumer information that could result in 
substantial harm or inconvenience to any consumer.

    Third-party providers are very popular for many reasons, 
most frequently associated with cost-savings/overhead 
reduction. However, where costs may be saved for overhead 
purposes, they may be added for audit purposes. Because audits 
typically are annual or semi-annual events, costs savings may 
still be realized but the risk associated with outsourcing must 
be managed regardless of cost. In order to manage risks, they 
must first be identified.

    An institution that chooses to use a third-party provider 
for the purposes of information systems-related functions must 
recognize that it must ensure adequate levels of controls so 
the institution does not suffer the negative impact of such 
weaknesses.

    Response Program

    Every financial institution must develop and implement a 
risk-based response program to address incidents of authorized 
access to consumer information. A response program should be a 
key part of an institution's information security program. The 
program should be appropriate to the size and complexity of the 
institution and the nature and scope of its activities.

    In addition, each institution should be able to address 
incidents of unauthorized access to consumer information in 
consumer information systems maintained by its service 
providers. Where an incident of unauthorized access to consumer 
information involves consumer information systems maintained by 
an institution's service providers, it is the responsibility of 
the financial institution to notify the institution's consumers 
and regulator. However, an institution may authorize or 
contract with its service provider to notify the institution's 
consumers or regulator on its behalf.

    Consumer Notice

    Timely notification to members after a security incident 
involving the unauthorized access or use of their information 
is important to manage an institution's reputation risk. 
Effective notice may also mitigate an institution's legal risk, 
assist in maintaining good consumer relations, and enable the 
institution's members to take steps to protect themselves 
against the consequences of identity theft.

    Content of Consumer Notice

    Consumer notice should be given in a clear and conspicuous 
manner. The notice should describe the incident in general 
terms and the type of consumer information that was the subject 
of unauthorized access or use. It should also generally 
describe what the institution has done to protect consumers' 
information from further unauthorized access. In addition it 
should include a telephone number that members can call for 
further information assistance. The notice should also remind 
members of the need to remain vigilant over the next 12 to 24 
months, and to promptly report incidents of suspected fraud or 
identity theft to the institution.

    Delivery of Consumer Notice

    Notice should be delivered in any manner designed to ensure 
that a consumer can reasonably be expected to receive it.

                   Preventing Future Breaches

    While financial institutions are subject to the robust 
standards of the GLBA outlined above, retailers and others who 
handle financial data are not subject to the same type of 
national standard. NAFCU has long argued that protecting 
consumers and financial institutions by preventing future data 
breaches hinges on establishment of strong federal data 
safekeeping standards for retailers and merchants akin to what 
credit unions already comply with under the GLBA. NAFCU has 
developed a number of key principles that should be considered 
and incorporated in the data security debate (Appendix A). 
Unfortunately, merchants have attempted to use the EMV and PIN 
debate to stop any meaningful discussion about data security 
legislation--thus not addressing the real issue of the broader 
responsibility of merchants to protect consumers' financial 
data.

    The time has come for Congress to enact a national standard 
on data protection for consumers' personal financial 
information. Such a standard must recognize the existing 
protection standards that financial institutions have under the 
GLBA and ensure the costs associated with a data breach are 
borne by those who incur the breach.

    While some have said that voluntary industry standards 
should be the solution, the recently released Verizon 2015 
Payment Card Industry Compliance Report found that 4 out of 
every 5 global companies fail to meet the widely accepted 
Payment Card Industry (PCI) data security standards for their 
payment card processing systems. In fact, Verizon found that 
out of every data breach they studied over the past 10 years, 
not one single company was in compliance with the PCI standards 
at the time of the breach. This should cause serious pause 
among lawmakers as failing to meet these standards, exacerbated 
by the lack of a strong federal data safekeeping standard, 
leaves merchants, and therefore consumers, more vulnerable to 
breaches.

    One basic but important concept to point out with regard to 
almost all cyber and data threats is that a breach may never 
come to fruition if any entity handling sensitive information 
limits the amount of data collected on the front end and is 
diligent in not storing sensitive personal and financial data 
in their systems. Enforcement of prohibition on data retention 
cannot be over emphasized and it is a cost effective and 
commonsense way to cut down on emerging threats. If there is no 
financial data to steal, it is not worth the effort of cyber 
criminals.

                     Legislative Solutions

    NAFCU believes that the best legislative solution on the 
issue of data security that has been introduced in this 
Congress is the bipartisan legislation introduced by 
Representatives Randy Neugebauer and John Carney, H.R. 2205, 
the Data Security Act of 2015. This legislation creates a 
national data security standard that is flexible and scalable, 
does not mandate static technology solutions and recognizes 
those who already have a working standard under the GLBA. We 
support this legislation and would urge you to support it as 
well.

                           Conclusion

    Cyber and data security, ensuring member safety, and 
incentivizing data safekeeping in every link of the payments 
chain is a top challenge facing the credit union industry 
today. A truly secure payments system must be one that is 
constantly evolving to meet emerging threats and uses a wide 
range of dynamic authentication technologies--EMV, 
tokenization, encryption, biometrics and more. When it comes to 
EMV, what matters most is the chip technology that makes the 
cards more secure. Requiring additional measures such as PIN 
usage does not make substantial improvements to the system. 
While credit unions are largely ready for the EMV transition, 
wider adoption of EMV technology by others in the payment 
system, such as retailers, will only strengthen the system. 
Still, more needs to be done.

    Consumers will only be protected when every sector of 
industry is subject to robust federal data safekeeping 
standards that are enforced by corresponding regulatory 
agencies. It is with this in mind that NAFCU urges Congress to 
modernize data security laws to reflect the complexity of the 
current environment and insist that retailers and merchants 
adhere to a strong federal standard in this regard. Enacting 
H.R. 2205, the Data Security Act of 2015, would be an important 
step toward this goal.

    Thank you for the opportunity to appear before you today on 
behalf of NAFCU. I welcome any questions you may have.
                           Appendix A

              NAFCU's Key Data Security Principles

     Payment of Breach Costs by Breached Entities: 
NAFCU asks that credit union expenditures for breaches 
resulting from card use be reduced. A reasonable and equitable 
way of addressing this concern would be to require entities to 
be accountable for costs of data breaches that result on their 
end, especially when their own negligence is to blame.

     National Standards for Safekeeping Information: It 
is critical that sensitive personal information be safeguarded 
at all stages of transmission. Under the GLBA, credit unions 
and other financial institutions are required to meet certain 
criteria for safekeeping consumers' personal information. 
Unfortunately, there is no comprehensive regulatory structure 
akin to the GLBA that covers retailers, merchants and others 
who collect and hold sensitive information. NAFCU strongly 
supports the passage of legislation requiring any entity 
responsible for the storage of consumer data to meet standards 
similar to those imposed on financial institutions under the 
GLBA.

     Data Security Policy Disclosure: Many consumers 
are unaware of the risks they are exposed to when they provide 
their personal information. NAFCU believes this problem can be 
alleviated by simply requiring merchants to post their data 
security policies at the point of sale if they take sensitive 
financial data. Such a disclosure requirement would come at 
little or no cost to the merchant but would provide an 
important benefit to the public at large.

     Notification of the Account Servicer: The account 
servicer or owner is in the unique position of being able to 
monitor for suspicious activity and prevent fraudulent 
transactions before they occur. NAFCU believes that it would 
make sense to include entities such as financial institutions 
on the list of those to be informed of any compromised 
personally identifiable information when associated accounts 
are involved.

     Disclosure of Breached Entity: NAFCU believes that 
consumers should have the right to know which business entities 
have been breached. We urge Congress to mandate the disclosure 
of identities of companies and merchants whose data systems 
have been violated so consumers are aware of the ones that 
place their personal information at risk.

     Enforcement of Prohibition on Data Retention: 
NAFCU believes it is imperative to address the violation of 
existing agreements and law by merchants and retailers who 
retain payment card information electronically. Many entities 
do not respect this prohibition and store sensitive personal 
data in their systems, which can be breached easily in many 
cases.

     Burden of Proof in Data Breach Cases: In line with 
the responsibility for making consumers whole after they are 
harmed by a data breach, NAFCU believes that the evidentiary 
burden of proving a lack of fault should rest with the merchant 
or retailer who incurred the breach. These parties should have 
the duty to demonstrate that they took all necessary 
precautions to guard consumers' personal information but 
sustained a violation nonetheless. The law is currently vague 
on this issue, and NAFCU asks that this burden of proof be 
clarified in statute.
[GRAPHIC] [TIFF OMITTED] T6854.004

                    Statement for the Record

                  American Bankers Association

                  Committee on Small Business

             United States House of Representatives

                        October 7, 2015

    The members of the American Bankers Association, who serve 
small businesses across the Nation, deeply appreciate Chairman 
Chabot's and Ranking Member Velazquez's decision to hold this 
important hearing on the EMV chi card upgrade. The ABA is the 
voice of the nation's $15 trillion banking industry, which is 
composed of small, mid-size, regional and large banks that 
together employ more than 2 million people, safeguard $12 
trillion in deposits and extend more than $8 trillion in loans.

    Every day, ABA's thousands of members, found primarily on 
the Main Streets of America, have the privilege to work with 
the millions of American small businesses who form the bedrock 
of our economy. Most banks are small businesses themselves, 
with the median sized-bank having 42 employees and four 
branches. In fact, the Small Business Administration considers 
80 percent of banks to be small businesses. Providing small 
businesses with credit and payment services is the bread and 
butter of banking.

    As the Committee is aware, the banking industry is leading 
a major payment card security upgrade, with ``EMV'' credit and 
debit chip cards being issued to protect consumers and brick-
and-mortar merchants from criminals who engage in card 
counterfeiting.\1\ This change is all about security--the chips 
are almost impossible to copy or counterfeit. Banks have been 
moving quickly to put this security upgrade into consumers' 
wallets. Most people have at least one chip card in their 
wallet now, and we estimate that 575 million chip cards will 
have been issued by the end of 2015.
---------------------------------------------------------------------------
    \1\ EMV stands for ``Europay, MasterCard, Visa,'' which were the 
original chip developers, but chip cards can be used on all major U.S. 
card networks, including American Express, Discover, MasterCard, and 
Visa.

    Consumers will start seeing more point-of-sale terminals 
that are ready to accept their chip cards. This is critical, of 
course, as the benefit of this advanced chip technology can 
only be realized if merchants have chip-card readers in their 
stores. This will be a gradual process--which really began in 
2011 with the announcement of the move to EMV in the U.S.--but 
the incentives changed on October 1 to encourage both banks and 
merchants to adopt the new advanced EMV standard as soon as 
possible. Whichever party has not updated to the EMV standard 
would be liable for any fraud losses. This was not a government 
mandate, nor a deadline, but rather a private sector joint 
effort--banks, networks, and merchants--to enhance payment 
---------------------------------------------------------------------------
security for all our customers.

    Banks have worked closely with small businesses throughout 
this upgrade process to ensure that they are prepared. Several 
banks and merchant services companies have offered incentives 
to offset costs involved in upgrading terminals, making them 
free in some cases.

    Since this is a gradual process, consumers do not have to 
worry about their current card being accepted after October 1--
their chip card will still have a magnetic stripe that will 
work at stores without a chip terminal. It is also important to 
emphasize that consumers will continue to enjoy the same 
protections for fraud--zero liability in most cases.

    EMV chips are an important innovation that better protect 
consumers' financial data, but they are part of the greater 
effort being made by banks and networks to combat hackers. 
Other innovations are on the horizon and will play an important 
role fighting future threats. Tokenization technologies that 
replace account numbers with a random number at the point of 
purchase rendering them useless to thieves (like Apple Pay and 
Samsung Pay) are becoming more common. Point-to-point 
encryption scrambles data at every point of the transaction. In 
addition to today's sophisticated neural networks which spot 
fraud at the point of sale, these new technologies will be 
layered on top of EMV and create multiple dynamic layers of 
security necessary to fight increasingly sophisticated forms of 
fraud. We do not know what thieves might do next, which is why 
dynamic security features are so critical and why mandating a 
static technology approach to security (such as Personal 
Identification Numbers, PINs), as some advocate, is a mistake.

    There are three key points we would like to make in the 
remainder of this statement:

          > Banks are committed to secure payment solutions for 
        small businesses;

          > EMV chip cards confront counterfeit card fraud, 
        helping customers, merchants and banks; and

          > Banks and small businesses must partner to assure a 
        safe payment system for our customers.

    I. Banks are Committed to Secure Payment Solutions for 
Small Businesses

    Banks have always acted as a trusted payment intermediary, 
facilitating confidence in commerce. Unlike much of the world 
(including most of Europe), the United States has benefited 
from a truly network-based, electronic payment card system for 
many decades. While these other countries were still developing 
the telecom infrastructure to support real-time card payments, 
Americans were able to have transactions authorized in seconds. 
Fortunately, this real-time card technology has largely become 
the global standard. That adoption speaks to the leadership 
role that American banks, networks, and others play in 
providing the most secure and reliable solutions to our 
customers. We understand the seriousness of this trust to 
operate a payment system that is transparent, efficient, and 
most importantly, secure for all participants.

    Banks are committed to protecting small businesses from 
fraud. When payment fraud occurs, there are three parties who 
are indisputable victims of crime: consumers, merchants, and 
financial institutions. We all share the sense of violation 
when a credit or debit card is misused by thieves intent on 
obtaining ill-gotten gains. In a world where criminals are 
working full-time to steal from consumers, it falls upon 
financial institutions to be sentinels of the consumer's 
financial security. It is often a banker who takes the first 
call in these situations, and usually the banker who must relay 
the news to a card customer that they also have been a victim 
of a crime. Many times, ABA's members detect and stop these 
crimes in progress.

    ABA's members accept this duty and demonstrate it by 
investing billions of dollars a year in security measures, and 
by making consumers whole through no-hassle liability 
protection policies that almost always exceed legal 
requirements. In an era where criminals are constantly changing 
their tactics, the payments industry is not sitting still.

    II. EMV Chip Cards Confront Counterfeit Card Fraud

    Despite all this progress, there has been an uptick in a 
certain kind of fraud, known as card counterfeiting, which 
makes up the vast majority of in-person card fraud today. As 
its name implies, card counterfeiting involves creating a fake 
card using information gleaned from a real card.

    It used to be that counterfeit cards were made from 
criminals using skimmers to strip the data from the magnetic 
strip (``magstripe'') and make duplicate cards--a very labor-
intensive process. Criminals, like water, always seek paths of 
less resistance, which is why a second route of counterfeit 
fraud is increasingly important: big retailer data breaches. 
The prospect of being able to access millions of card numbers 
at once, from a great distance away, makes hacking into 
retailers' systems their new preferred way to steal customer 
information.

    Recent high-profile data breaches at retailers like Target 
and Home Depot underscore the critical need for stronger and 
more innovative security solutions that protect consumers. The 
damage done by these breaches is well-known and affected 
perhaps more victims than any other financial crime in American 
history.

    In the wake of these breaches, card-issuing banks made 
consumers whole quickly, often wiping fraudulent charges off 
their account immediately upon being notified. Through 
proactive steps on the part of banks, most affected customers 
did not see any fraudulent activity, although the disruption of 
card reissuance was real for both consumers and businesses.

    These high-profile retail breaches added urgency to the 
efforts already underway to fight counterfeit fraud that would 
make it harder to monetize stolen card data. Moving from the 
magstripe (which stores unencrypted information) to the EMV 
standard was one of those, and that process had begun in 
earnest in 2011 in the U.S. Some have questioned why the U.S. 
was slower than Europe to adopt chip technology. The answer 
lies in the fact that EMV was originally designed to solve a 
European payments problem: Europe lacked the advanced telecom 
infrastructure that was allowing U.S. retailers to authorize 
card transactions in real time.

    While American businesses routinely sent card information 
across phone lines to obtain authorization from card-issuing 
banks, European retailers found telecom rates too expensive to 
make a call for every transaction. The solution was to issue 
Europeans cards with microchips which contained information 
like credit limits and fraud indicators, which would have been 
kept on the issuing bank's computer in the U.S. system. Instead 
of processing transactions ``over the wires'' (as in the U.S.) 
EMV chips and terminals allowed European card transactions to 
be processed without an immediate connection to the payment 
network. Transaction data would be stored in the terminal until 
the merchant terminal contacted the bank to settle the day's 
transactions.

    This ``offline'' approach had obvious limitations (mainly 
that transactions were not checked through a central system at 
each sale) and disadvantages compared to the U.S. system of 
live authorizations. Fortunately, these European systems have 
been upgraded over the years.

    In contrast, the U.S. EMV introduction combines the 
security benefits of EMV chips and the real-time authorization 
of transactions through the bank's computers. From the outset, 
EMV chips in the U.S. are running software that produces a one-
time code which is sent across the network during each 
transaction and is required for authorization by the bank 
computer on the other end. Neural network and live 
authorizations, which spot and shut down suspicious 
transactions, form the basis for dynamic security for U.S. 
transactions. A crucial distinction is that EMV chip cards' 
anti-counterfeiting properties are found in the chip itself and 
are unrelated to the use of a Personal Identification Number 
(PIN). Simply put, the chip is what makes the difference, not a 
PIN.

    The EMV chip that was built to meet the challenge is 
serious security equipment. For starters, the chips are 
inherently counterfeit-resistant hardware, making it virtually 
impossible to create a fake chip. A core security feature of 
EMV is a one-time, non-reusable code that the chip produces for 
each transaction. Called a ``cryptogram,'' this code is the 
result of advanced mathematical algorithms which cannot be 
entirely observed by hackers. The code can only be used once, 
so it is useless for future transactions if stolen. If a 
criminal attempts to use the code, the payment systems will 
recognize that it has already been used and will not authorize 
the transaction. This one-time code is an additional layer of 
security that rides on top of other card data.

    The ``Liability Shift'' Gives Banks and Merchants 
Incentives to Employ the Best Technology

    In 2011, one of the card payment networks announced that it 
would begin supporting EMV in the U.S. This was a major step in 
combatting counterfeit fraud. However, this upgrade would not 
happen overnight. Of course, banks would have to issue hundreds 
of millions of new cards, at several times the price of 
magstripe cards. Card-accepting businesses would incur costs 
and require transition time as well. EMV cards can only be read 
by EMV-enabled terminals (``dipping'' the card and letting it 
stay in a terminal through the entire transaction replaces 
``swiping'' a magstripe).

    That network set October 1, 2015 as the date on which 
merchant or bank liability for fraudulent counterfeit 
transactions would depend on whether either party was using EMV 
technology. ATMs and gas stations were given later incentive 
dates, to allow their owners more time to address technical 
issues which are specific to those applications.

    This ``liability shift'' has sometimes been 
mischaracterized and we want to ensure that the Committee has 
an accurate understanding of what it means. Today banks absorb 
less from in-person use of counterfeit cards at merchants. 
After October 1, 2015, banks will still absorb these losses if 
a counterfeit card of any kind is used at an EMV-enabled 
merchant. This includes magstripe cards used at an EMV-enable 
merchant. Simply put, if the merchant has upgraded to an EMV-
enabled terminal and is using it, nothing changes for them--the 
issuing bank will still be liable. However, if the bank has 
issued an EMV card and the merchant does not have a terminal to 
accept the chip (forcing consumers to use the more easily 
counterfeited magstripe part of the card), the merchant is 
liable for the resulting fraud, because they have failed to use 
the latest technology available to them.

    The October 1, 2015 date was a private sector incentive to 
get consumers protected as soon as possible. It was most 
certainly not a ``deadline'' or government mandate. Small 
businesses which did not accept EMV cards on that day did not 
see their card terminals turned off or see the experience 
change for their customers. It was a contractual change that 
only became relevant in the case of criminals using counterfeit 
cards.

    It is important to note that the security benefits of EMV 
deployment in the U.S. are more powerful than in the original 
introductions of the technology in other countries. Since U.S. 
cardholders already conduct real time transactions, they are 
already protected by a complex series of seen and unseen 
security systems (including neural networks which spot and shut 
down suspicious transactions). The EMV chip technology is 
another layer that fits in well with these other measures. The 
EMV chips used in the U.S. contain security software, which 
work with the security systems at the payment network and 
issuing bank to further protect transactions. The 
microprocessor in the chip can run this software whenever a 
transaction occurs. These security checks happen in the 
background, sometimes triggering a ``pause'' in the transaction 
to obtain further verification from the person presenting the 
card. The EMV chip is built on a flexible standard, which is 
also capable of facilitating data encryption and can be 
customized for emerging security paradigms.

    By deploying EMV cards in the U.S. and combining this chip 
technology with the real-time transaction capabilities which 
Americans are used to, the payment industry was able to 
leverage more than the original security features of EMV. Not 
only do American consumers benefit from a card that is 
difficult to counterfeit, but transactions are also protected 
by cutting-edge fraud prevention measures.

    III. Banks and Businesses Must Partner to Ensure a Safe 
Payment System for Our Customers

    From the beginning of the EMV upgrade effort in 2011, the 
financial services sector has been focused on ensuring that the 
upgrade would be accessible to small businesses. Recognizing 
that there are costs involved, several banks and merchant 
services companies have incentives to upgrade terminals, making 
them free in some cases. These free terminals are often 
provided in the context of an ongoing relationship between the 
merchant and a payment services company. Many terminals have 
been ``turned over'' into EMV terminals during routine register 
hardware changes, meaning little to no marginal costs to 
merchants to upgrade. Payment services companies have 
proactively engaged their business customers to inform them 
about the October 1, 2015 incentive date and offer hardware and 
software solutions to help them become part of the upgrade. An 
``in the market'' survey of options available in the market 
demonstrates that a basic terminal can be obtained for about 
$200 and more sophisticated systems cost a few hundred dollars 
more, but include helpful features like inventory tracking and 
customer relationship features, which many retailers will find 
useful. For mobile merchants or those using tablet-computer 
based points of sale, Square sells an EMV-reading accessory 
that cost $29.

    This upgrade is also an opportunity for many businesses to 
grow their acceptance of emerging payments which consumers are 
demanding. Although not mandatory, EMV terminals which come 
equipped with NFC (``near field contactless'') capabilities 
provide a shorter route to accepting Apple Pay, Samsung Pay and 
similar mobile wallets. Some of these ancillary options contain 
powerful security mechanisms like ``tokenization'' and strong 
encryption. These newer terminals also have upgradable 
software, meaning that merchants can likely ``keep up'' with 
consumer trends for several years before having to upgrade 
again. These are all choices that merchants can make with the 
help of their merchant services company. It all means that EMV 
upgrades at the register are the gateway to the future of 
payments.

    This dynamic, open approach to payment innovations is the 
vision that the banking industry has for the future of payment 
security. Fortunately, the global EMV standard has shown itself 
to be flexible enough to be adapted from the chip to mobile 
devices.

    Although news coverage may focus most on how businesses 
accept chip cards, we must remember that businesses are also 
cardholders themselves. They deserve payment cards that are 
reliable and safe. As the EMV upgrade progresses, businesses 
that use credit cards for purchases will likely find that 
fraud-related card deactivations and reissuances become rarer. 
This will eliminate disruptions to business operations for the 
large number of firms that have turned to card payments as a 
way to manage risk and streamline purchasing.

    Conclusion

    The banking industry continues to take its role as sentinel 
of consumer payments seriously. Importantly, we recognize that 
payments are only secure when all stakeholders guard data and 
participate in the upgrades that are developed to protect 
consumers. Every day, Americans are receiving new chip cards in 
the mail and retailers are plugging in their new terminals (or 
attaching them to their mobile phones). EMV is gradually 
becoming a way of life for shoppers and its security benefits 
are being realized more with each passing day. Soon, using EMV 
cards will be second nature for consumers, and we fully expect 
that small businesses will be able to claim a large share of 
the credit for making this transition successful.

    But EMV is not the endpoint of card security, no more than 
physical cards are the endpoint for payments. Like the many 
cumulative measures introduced before EMV, this technology is 
one more layer of protection introduced in a long line of 
security upgrades. In a world of emerging security threats, 
there is always more that can be done to protect consumer 
payment information. This is why banks continue to urge large 
retailers to upgrade their data security to match the levels 
that our industry must meet under federal law.

    For our part, banks will continue to innovate to put 
criminals on the defensive and protect legitimate commercial 
actors, including small businesses. In the battle against 
modern criminals, the EMV upgrade continues to be an 
opportunity for a positive story about collaboration between 
America's small businesses and the bankers who have the 
privilege to serve them.
                        STATEMENT FOR THE RECORD


                            BY LYLE BECKWITH


                              ON BEHALF OF


             THE NATIONAL ASSOCIATION OF CONVENIENCE STORES


                                FOR THE


             HEARING OF THE HOUSE SMALL BUSINESS COMMITTEE


                            OCTOBER 7, 2015


      ``THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES''

    My name is Lyle Beckwith. I am the Senior Vice President, 
Government Relations for the National Association of 
Convenience Stores (NACS) and I appreciate this opportunity to 
present NACS' views regarding the implications of the EMV chip 
deadline for small businesses.

    NACS is an international trade association representing 
more than 2,200 retail and 1,800 supplier company members in 
the convenience and petroleum retailing industry. NACS member 
companies do business in nearly 50 countries worldwide, with 
the majority of members based in the United States. In 2014, 
the industry employed more than two million workers and 
generated $696.1 billion in total sales, representing 
approximately 4.0 percent of the United States' GDP-or one of 
every 25 dollars spent. The majority of the industry are small, 
independent operators. More than 70 percent of the industry is 
composed of companies that operate ten stores or fewer, and 63 
percent of them operate a single store.

    The process of transitioning to EMV--a process dictated by 
the major card companies without input from retailers, 
consumers, or banks--has been and will continue to be onerous 
and very expensive for merchants. On top of that, the full 
security and consumer protection benefits of the transition 
will not be realized. By the card companies' choice--and unlike 
what has been done in other parts of the world--Visa and 
MasterCard are having the U.S. transition to chip technology 
without the use of Personal Identification Numbers (``PIN''), 
rather than the chip-and-PIN technology that has a proven track 
record of success. Below we offer more detailed comments on the 
transition, its impact on small businesses, and the lost 
opportunity for substantially reducing fraud in the payment 
card system.

    I. The card companies' justification for this mandatory 
transition is flawed.

    Beginning October 1, 2015, any merchant that is not 
equipped and certified by the major card companies to accept 
EMV or ``chip'' cards will have liability for fraudulent credit 
and debit card transactions involving chip-embedded cards. The 
card companies claim they are requiring merchants to transition 
to EMV to increase security in card transactions, and so they 
and the banks will no longer have to pay for losses caused by 
fraud. This rationale does not make sense for multiple reasons.

    First, merchants pay for the majority of fraud losses 
today, not card companies or banks.

    Second, the card companies have intentionally chosen not to 
transition to the most secure payment method available. If the 
card companies were legitimately interested in minimizing fraud 
losses, they would require chip and PIN, not just chip (as 
discussed in further detail below).

    And third, the card companies themselves, not merchants, 
have delayed bringing new technologies and security measures to 
the U.S. payment card industry.

    Notwithstanding the foregoing, NACS strongly believes that 
something must be done to reduce fraudulent transactions. Our 
commitment to improving card security stems from the fact that 
merchants currently pay the majority of fraud costs, which are 
spiraling out of control. In 2014, global credit and debit card 
fraud topped $16.3 billion across all industries--$7.6 billion 
of that fraud occurred in the U.S.\1\ Despite banks' claims 
that they provide a ``payment guarantee,'' merchants are 
absorbing the vast majority of the costs associated with 
fraudulent transactions.\2\
---------------------------------------------------------------------------
    \1\ Skowronski, Jeanine, US coming back to credit cards, Bankrate 
(May 28, 2015), available at http://www.bankrate.com/financing/credit-
cards/u-s-coming-back-to-credit-cards/; see also, Global Card Fraud 
Losses Reach $16.31 Billion--Will Exceed $35 Billion in 2020 According 
to The Nilson Report, Business Wire (Aug. 4, 2015), available at http:/
/www.businesswire.com/news/home/20150804007054/en/Global-Card-Fraud-
Losses-Reach-16.31-Billion#.VgGWMd9VhBc.

    \2\ Press Release: U.S. Retailers Face $191 Billion in Fraud Losses 
Each Year, LexisNexis Risk Solutions (Nov. 9, 2009) (highlighting 
findings of LexisNexis and Javelin Strategy & Research ``True Cost of 
Fraud Benchmark Study''), available at http://www.lexisnexis.com/risk/
newsevents/press-release.aspx?Id=1258571377346174; ``House of Cards: 
Why your accounts are vulnerable to thieves,'' Consumer Reports, June 
2011.

    While chip-embedded cards are harder to counterfeit or 
copy, without a PIN number, they do not help reduce many types 
of fraud. For example, chip cards and card numbers can still be 
stolen and used by someone who is not the account holder. 
Stolen chip card numbers can be used online. And counterfeit 
chip cards can still be made, but when someone presents a card 
with a non-functioning chip, the card's magnetic stripe will be 
used or the card's number will be entered to complete the 
fraudulent transaction. Requiring PIN would help in all of 
---------------------------------------------------------------------------
these scenarios. Simply put, chip without PIN is not enough.

    The fraud-reduction benefits of requiring chip and PIN--or 
even just PIN on old magnetic strip technology--are far greater 
than requiring chip alone. It is no wonder that chip and PIN 
technology has been the standard in Europe for almost 20 years; 
or that the technology is already used in virtually every other 
industrialized country. Use of outdated magnetic strip 
technology in the U.S. has been the only option because the 
card companies have not, until now, provided chip and PIN in 
this market, despite the urging of retailers, consumer 
advocates, and cyber security experts.

    Thus, before considering the cost to small businesses of 
completing the mandatory transition to EMV, it is worth 
questioning the card companies' justification and motivation 
for this particular mandate. For instance, it is worth asking: 
why mandate the transition to EMV--with all of its attendant 
effort and cost--without requiring PIN? Why would anyone choose 
not to maximize fraud prevention benefits with this costly 
transition? And why, after years of delay in bringing EMV 
capability to the U.S. market, impose an arbitrary and 
inflexible deadline on merchants, despite implementation 
challenges beyond their control?

    II. The transition is costly for merchants and especially 
difficult for small businesses to implement.

    The cost to businesses to become EMV-ready is substantial. 
There are approximately 152,000 convenience stores in the U.S. 
and it will cost approximately $3.9 billion--$26,000 per 
store--to make them EMV capable. To put those figures in 
perspective, about 60 percent of convenience stores belong to 
single-store owner/operators and the average profits for a 
convenience store per year are $47,000. So the initial upfront 
cost--not even counting future maintenance and update costs--is 
more than half of an average store's profits. On top of that, 
on-going maintenance and upgrade expenses are expected to be 
upward of $2,240 per year, per store.

    The transition to EMV necessitates the purchase by 
merchants of specialized hardware and software, along with 
numerous other steps. According to one survey of U.S. 
retailers, ordering new terminals can take 6 to 16 weeks. Then 
retailers and payment card processors must program the new 
equipment according to card company specifications, which can 
take months. In fact, it has been very difficult for small 
businesses to get the programming help they need given the high 
demand for these services. Notably, the card networks did not 
release the debit specifications necessary to program terminals 
to accept those cards until March 2015. That delay did not 
leave enough time for many merchants to program their systems 
and accept EMV by October 1st, and it added to the bottle-neck 
of demand for programming services.

    Following the programming phase, retailers must conduct 
internal testing and trouble-shooting, and then obtain 
certification by the card companies. Visa, MasterCard, American 
Express and Discover each require a separate certification. On 
top of that, separate certifications are required for credit, 
PIN debit, and signature debt. This has been another source of 
delay--particularly for small businesses. The card networks 
simply have not deployed the resources necessary to get 
merchants that want EMV operating on time. Finally, after the 
new technology is certified, stores must conduct store-level 
staff training and roll out the new system (from initial pilot 
programs to taking the entire system live).

    All in all, under a best-care scenario, it can take 
merchants a full year--working after hours to avoid 
inconveniencing customers--to install and operate new EMV 
terminals. And a lot of small businesses are not facing the 
best-case scenario with respect to this transition. The card 
companies' certification requirements are especially 
problematic because there is a shortage in the industry of 
trained personnel capable of conducting the certifications. 
Even large retailers are experiencing severe delays because of 
this capacity shortage. Small businesses, despite their best 
efforts to meet the deadline, are at the back of the line and 
are having to wait even longer--years in some cases--to 
complete the EMV transition process.

    The U.S., with over 12 million payment terminals and about 
1.2 billion cards, is the largest single-market deployment of 
EMV to date. It is no small undertaking. Notably, banks have 
been given additional time to get their ATMs EMV-ready; a full 
two years longer, in fact, than merchants have received. But 
small businesses have not been extended the same assistance, 
despite the difficulties--beyond their control--with getting 
their equipment programmed and certified.\3\
---------------------------------------------------------------------------
    \3\ It is little wonder that this process entails substantial costs 
and unreasonable timeliness for retailers. The transition process has 
been dictated entirely by the card companies without input from 
businesses, consumers, or even banks. In Canada, by contrast, the 
process of transitioning to EMV had broad stakeholder participation 
throughout. Their transition to EMV, which was first announced in 2003 
(as opposed to 2011 in the U.S.), took 10 years to deploy, even though 
Canada's network is 1/10th the size of the U.S. network.

    III. Fraud prevention benefits are lost without an 
---------------------------------------------------------------------------
accompanying PIN requirement.

    Not only is the transition process expensive and onerous 
for small business owners, but businesses and consumers will 
not even get full fraud-prevention benefits from it. Making 
every card PIN-enabled and allowing merchants to require a PIN 
on their transactions would substantially reduce fraud. 
Statements Visa and MasterCard have made in other countries 
suggest they agree with that assessment. Merchants are truly 
dedicated to effective fraud prevention because they pay the 
bulk of costs associated with card fraud. The card networks, on 
the other hand, are standing in the way of achieving maximum 
fraud reduction in the payment card system. Perhaps this should 
not be a surprise given that those networks do not shoulder any 
of the losses from fraudulent transactions.

          A. Using PIN is the best way to reduce fraud.

    Today, the U.S. card payment system is a fraud magnet. Even 
though the U.S. market accounts for about one quarter of global 
card volume, almost half of all global credit card fraud occurs 
in the U.S. Allowing merchants to require PIN numbers for their 
transactions would dramatically help this situation.

    According to the Federal Reserve Board, PIN authentication 
is six times more secure than signature authentication.\4\ When 
a PIN is required, it protects against fraud in instances where 
a card number or the card itself is stolen. Chip without PIN, 
on the other hand, cannot do anything to prevent fraud on 
stolen cards or prevent online fraud with stolen card numbers. 
And, chip without PIN may not do much of anything to protect 
against fraud when card numbers are stolen--which is supposed 
to be the benefit of the chip. That is because all chip cards 
will still have a magnetic stripe and a static account number. 
Fraudsters know they can make a fake card with a fake (non-
functioning) chip and it will get run through the magstripe 
reader as a back-up when the ``chip'' doesn't work. So, for 
chip-without-PIN cards, we remain exposed to all forms of 
fraud.
---------------------------------------------------------------------------
    \4\ Federal Reserve Board, Debit Card Interchange Fees and Routing, 
77 Fed. Reg. at 46,261 (Aug. 3, 2010), available at http://www.gpo.gov/
fdsys/pkg/FR-2012-08-03/pdf/2012-18726.pdf.

    Chip and PIN authentication, on the other hand, has a 
proven track record of significantly decreasing fraud. In fact, 
Visa advertises these benefits on its own website, noting that 
in the United Kingdom, fraud related to lost and stolen payment 
cards has decreased by more than half since chip and PIN was 
---------------------------------------------------------------------------
adopted there in 2004.\5\

    \5\ The Benefits of Chip and PIN for Merchants, available at http:/
/www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last visited 
Sept. 21, 2015).

    Chip without PIN will enable fraud perpetrators to easily 
shift targets. According to a recent article in the Washington 
Post, ``security experts sa they widely expect credit card 
fraud to move online, where thieves can still use the card 
number and expiration date to make fraudulent purchase.'' \6\ 
Requiring a PIN, however, would address that scenario. And 
despite card companies' claims to the contrary, PINs can be--
---------------------------------------------------------------------------
and already are--used online.

    \6\ Marte, Jonnelle, Get Ready to Dip, Not Swipe, Your Credit 
Cards, Washington Post (Sept. 30, 2015), available at http://
www.washingtonpost.com/news/get-there/wp/2015/09/30/get-ready-to-dip-
not-swipe-your-credit-cards/.

    In sum, there is simply no legitimate reason for the card 
companies to move toward a PIN-less path when PIN (with or 
---------------------------------------------------------------------------
without a chip) has proven so effective at reducing fraud.

          B. Visa and MasterCard agree that PIN increases 
        transaction security

    In 2013, Visa and MasterCard jointly petitioned the 
Australian Competition and Consumer Commission for 
authorization to require PIN authentication on transactions 
involving their cards.\7\ In their application, they made 
numerous statements in support of requiring PIN at the point of 
sale, including:

    \7\ See generally, Visa and MasterCard--Authorisations--A91379 & 
A91380, available at http://registers.accc.gov.au/content/
index.phtml?itemId=1120516.

          ``The Applicants' view is that chip and PIN is a 
        significantly more secure form of [customer 
---------------------------------------------------------------------------
        verification method] than signature.''

          ``Based on the experience of the introduction of 
        mandatory PIN@[Point of Sale] is overseas markets (in 
        the UK, Canada, Europe and elsewhere), the Applicants 
        expect that certain types of card present fraud will 
        decline in Australia as a result of the introduction of 
        mandatory PIN@POS in Australia.''

          ``The Applicants note that overseas experience has 
        shown that fraud will move to jurisdictions where there 
        are lower security measures in place and in particular 
        jurisdictions that do not use EMV and PIN security. For 
        example, the UK experience has been that the countries 
        where fraud on UK-issued cards occurs has changed with 
        fraudsters focusing on countries without `chip and 
        PIN,' such as the United States. There has been a 
        similar experience in Europe. Card fraud is highly 
        mobile and is often internationally organized. The 
        coordinated introduction of mandatory PIN@POS in 
        Australia will increase card security in Australia and 
        make it a less attractive jurisdiction for 
        fraudsters.''

          ``The Applicants believe that mandatory PIN@POS is an 
        important step in the right direction, in terms of 
        reducing credit card fraud in Australia.''\8\

    \8\ Submission of Visa Worldwide, Visa AP (Australia), and 
MasterCard Asia/Pacific to the Australian Competition & Consumer 
Commission in support of Authorisations A91379 & A91380 (Aug. 30, 
2013), ``Security of Chip and PIN vs. Signature,'' pp. 1-2, available 
at http://registers.accc.gov.au/content/
index.phtml?itemId=1120516&display=submission (last visited Sept. 21, 
2015).

    Despite their representations to the Australian authorities 
and their affirmative recognition that the use of PIN does 
improve transaction security, Visa and MasterCard have declined 
to advance the use of PIN here in the U.S. Instead, they have 
opted to incentivize chip-without-PIN cards--a move that simply 
---------------------------------------------------------------------------
cannot be justified given their own experience and data.

    IV. Merchants are committed to reducing fraud because they 
pay for most of it.

    Unlike the card companies, merchants are 100 percent 
committed to reducing fraudulent transactions and minimizing 
fraud losses because they currently bear the brunt of an 
unsecure payments system. We are not opposed to making 
investments in effective security measures. Unfortunately, this 
very costly transition to EMV will not reduce fraud nearly as 
much as it could and should, and merchants will not see the 
relief that they could under a chip and PIN system.

    According to an annual report by LexisNexis and Javelin 
Strategy & Research on the ``True Cost of Fraud,'' in 2009, 
retailers suffered fraud losses 10 times higher than financial 
institutions. The report found that half of retailers' fraud 
losses came from unauthorized transactions and card 
chargebacks--both of which would be significantly reduced by 
PIN authentication.\9\ The Mercator report has estimated that 
merchant fraud losses of tens of billions of dollars a year 
dwarf card-issuer losses.\10\ And merchants have no way to 
remedy this situation. While the card companies give banks the 
option of requiring PIN at ATMs--and every bank we are aware of 
does so--they will not allow merchants to do the same. Under 
the card companies' operating rules, retailers are prohibited 
from requiring customers to enter a PIN when accepting debit 
cards. Ultimately, merchants are at the mercy of the card 
companies' policies, which, like this EMV transition, are not 
designed to maximize consumer protection or card transaction 
security.

    \9\ Visa recognizes this fact on its Canadian website. In fact, it 
promotes to retailers:

        ``Whatever your retail size or specialty, accepting Visa Chip & 
PIN cards can result in enhanced security and convenience, helping to 
improve efficiency and reduce the frequency of chargebacks due to 
fraud. Businesses that accept Chip & PIN cards have benefited from . . 
. Increased protection against fraud - A PIN is used for cardholder 
verification and the embedded Chip in the Visa card is virtually 
impossible to copy. Together these features provide you and your 
customers with increased protection against fraud, which can result in 
fewer chargebacks.''

    ``The Benefits of Chip and PIN for Merchants,'' available at http:/
/www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last visited 
Sept. 21, 2015).

    \10\ Cited in ``House of Cards: Why your accounts are vulnerable to 
thieves,'' Consumer Reports, June 2011.

---------------------------------------------------------------------------
    V. Consumers want PIN.

    Card companies and banks argue that American consumers do 
not want PIN. Often, they claim that consumers oppose PIN 
because consumers will not or cannot remember and use a 4-digit 
code, or consumers do not want to be inconvenienced by entering 
a PIN. That argument is belied by consumer research and our 
everyday experience with ATMs, smart phones, and other devices 
requiring secure access codes.

    In a recent survey commissioned by the National Retail 
Federation, 62 percent of consumers stated that they would 
prefer to use chip-and-PIN cards rather than chip-and-signature 
cards.\11\ Visa's own statements on this issue are telling. 
Visa advertises to consumers on its website in Canada (where 
chip and PIN has been implemented), in a section titled ``The 
Importance of PIN,'' that ``PIN transactions are easy.''\12\ On 
the same website, Visa advertises to merchants that businesses 
that accept chip and PIN cards ``have benefited from increased 
checkout speed and improved customer service--using a PIN is 2 
to 4 seconds faster than obtaining a signature . . . .'' \13\ 
It is difficult to fathom that the ease and convenience of PIN 
for consumers and merchants is so much different between Canada 
and the U.S.
---------------------------------------------------------------------------
    \11\ See NRF Survey, available at https://nrf.com/sites/default/
files/Documents/Chip-and-Pin%20Consumer%20Survey%20One-Pager%2009-16-
2015%20REV.pdf.

    \12\ ``The Importance of PIN,'' available at http://www.visa.ca/
chip/cardholders/importance-of-pin/index.jsp (last visited Sept. 21, 
2015).
    \13\ ``The Benefits of Chip and PIN for Merchants,'' available at 
http://www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last 
visited Sept. 21, 2015).

---------------------------------------------------------------------------
                                  ***

    In conclusion, the mandated transition to EMV is flawed in 
several respects. The transition process, which was developed 
by the card companies with no other stakeholder input, is very 
expensive for businesses, contains unreasonable timelines, and 
is especially difficult for small retailers to implement. To 
make matters worse, the transition will not achieve the 
consumer protection and fraud-prevention benefits it easily 
could. NACS strongly supports effective and meaningful efforts 
to improve card security, protect consumers, and reduce fraud 
losses. Unfortunately, this transition is not one of those 
efforts and it will do more harm than good to small businesses.
[GRAPHIC] [TIFF OMITTED] T6854.005

[GRAPHIC] [TIFF OMITTED] T6854.006

[GRAPHIC] [TIFF OMITTED] T6854.007

[GRAPHIC] [TIFF OMITTED] T6854.008

[GRAPHIC] [TIFF OMITTED] T6854.009

[GRAPHIC] [TIFF OMITTED] T6854.010

    The EMV Deadline and What It Means for Small Businesses

          Statement of the National Retail Federation

                        October 7, 2015

    The National Retail Federation submits this statement for 
the record with respect to the House Small Business Committee 
October 7, 2015 hearing regarding the ``EMV Deadline and What 
it Means for Small Businesses.'' By way of background, the 
National Retail Federation is the world's largest retail trade 
association, representing discount and department stores, home 
goods and specialty stores, Main Street merchants, grocers, 
wholesalers, chain restaurants and Internet retailers from the 
United States and more than 45 countries. Retail is the 
nation's largest private sector employers, supporting one in 
four U.S. jobs--42 million working Americans. Contributing $2.6 
trillion to annual GDP, retail is a daily barometer for the 
nation's economy. NRF's This is Retail  campaign highlights the 
industry's opportunities for life-long careers, how retailers 
strengthen communities, and the critical role that retail plays 
in driving innovation. Thousands of our retail members, and 
millions of merchants of all types, whether small retailers or 
other operations, such as doctors' offices, tax drivers, or dry 
cleaners, will be affected by the subject of the hearing.

    It is important to note at the outset that the EMV deadline 
at issue is neither legislatively established, nor is it in 
fact a true deadline. Rather, it is an arbitrary date, imposed 
by a consortium of card companies and banks who have, for many 
years, collectively exerted near monopoly power over the 
business community. This ``deadline'' is for the financial 
benefit and convenience of those companies and banks. The 
relationship between those powerful entities and small 
businesses is purely contractual; albeit largely compulsory in 
effect, since retailers and other small businesses are subject 
to the substantial combined market power of the financial 
institutions.

    A second important note is that the standard in question, 
EMV, is purely a propriety technology of the largest card 
companies and banks. EMV Co. is essentially the creation of 
MasterCard and Visa. Visa and MasterCard in turn are the 
collective creations of the thousands of banks and credit 
unions who formed them, originally as trade associations, to 
advance their card products and other interests. When Visa and 
MasterCard set suggested fees that businesses must remit from 
their gross sales to financial institutions, with virtually no 
exceptions, every bank and credit union simultaneously imposes 
those fees. There is no competition. And the fees are very 
high. For many small businesses, card fees are their second 
largest expense after labor.

    These collective entities also impose a multitude of 
complex rules on small businesses. The rules govern not only 
what business may say or do in their stores and at their cash 
registers, but also dictate steps that businesses may or may 
not take to prevent fraud. It has been known for several years 
that the cards U.S. consumers carry in their wallets are fraud-
prone. The rules ensure that businesses, not the card-issuing 
banks, pay for the majority of that fraud. For example, 
businesses are either primarily or totally responsible for 
disputed transaction fraud and Card-Not-Present fraud (such as 
Internet transactions), among other categories. The financial 
institutions are responsible, in some instances, for 
authenticating their cards. But beyond those limited 
circumstances the burden of fraud has been shifted by card 
company rules onto businesses. What's more, businesses are told 
they must pay for fraud ``up front'' in the form of ever rising 
swipe fee for the privilege of accepting cards.

    Secure, PIN-protected cards (computer chips were primarily 
added for other purposes) were long ago introduced in Europe 
and elsewhere to combat fraud; however, the card issuing 
collective rejected both measures in the U.S. for two decades. 
So long as fraud was effectively being absorbed by small 
businesses and others, it apparently was not a serious concern 
of the card issuing consortium. The sensitive card numbers 
remained exposed, not only on the magnetic stripe, but embossed 
on the face of the card itself. Nearly a decade ago, NRF 
strongly encouraged the card industry to remove the raw card 
numbers from common circulation. The card industry rejected 
that suggestion.

    Rather than jointly work with the businesses community to 
encrypt or tokenize card numbers and thus make them less 
valuable to thieves, the card companies instead created yet 
another entity (PCI Co.) to impose additional rules on business 
of all sizes. It basically demanded that everyone attempt to 
build even higher walls within their systems to ``protect'' the 
card companies' numbers. Of course, if one builds eight foot 
walls, cyber thieves will bring ten foot ladders. And they did. 
Aided by ever more powerful computers, hacks on processors, 
banks, merchants and networks escalated.

    Fraud has increased. The type of fraud for which banks are 
initially responsible has also increased. Consequently, they 
and the card companies have belatedly sought to introduce into 
the U.S. cards that would reduce fraud, much as they did in 
Europe and Canada years ago. But they have ignored the lessons 
of those countries. Rather than introduce U.S. cards with PINs 
(which reduce all types of fraud), abetted by Chips (which help 
reduce just in-store, counterfeit fraud), they are introducing 
Chip without PIN cards; i.e. partially protective cards.

    In turn, the card industry is demanding that the entire 
merchant community spend between $30 and $35 billion dollars to 
install Chip and PIN terminals, but, with precious few 
exceptions, banks are only willing to undertake the expense of 
introducing Chip without PIN cards. These new cards do not 
reduce fraud across the board. They only reduce the particular 
type of fraud for which the banks are primarily responsible. 
Installation costs vary dramatically, from a few hundred 
dollars to thousands of dollars per terminal. The only 
``incentive'' merchants are given to purchase and install the 
expensive new systems is the threat that merchants will be 
forced to absorb not only the fraud banks already make 
businesses shoulder, but also to pay the full measure of the 
banks' fraud exposure if small businesses do not comply with 
the consortium's mandate.

    While the new cards make it somewhat more difficult for 
criminals to use stolen card numbers, they do not actually 
prevent numbers from being stolen in the first place, and 
stolen numbers can still be used for online and other types of 
fraud.

    The new EMV equipment does not stop breaches. Indeed, in 
many cases it provides no significant benefits either to the 
business or to the business' regular customers. It is merely an 
additional expense small businesses are being told to bear as 
part of the card companies' efforts to extend their growing 
monopoly over the payment system. If businesses can be forced 
to quickly install, at significant expense, the kinds of 
equipment that is most compatible with EMV Co.'s and the card 
companies' future business plans (EMV Card Personalization; 
Chip-based contact specifications--near field communications 
technology, etc.) then competitive alternatives, such as new 
mobile platforms (e.g. Starbucks-style payment programs) may 
effectively be locked out of the market.

    These are important considerations that businesses of all 
sizes must carefully ponder. It would be inappropriate to 
prejudge their decision-making and stampede businesses into the 
adoption of solutions less protective for businesses and 
consumers than has existed throughout the industrialized world 
for more than a generation.