[House Hearing, 111 Congress]
[From the U.S. Government Printing Office]




     DO THE PAYMENT CARD INDUSTRY DATA STANDARDS REDUCE CYBERCRIME?

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON EMERGING
                        THREATS, CYBERSECURITY,
                       AND SCIENCE AND TECHNOLOGY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 31, 2009

                               __________

                           Serial No. 111-14

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________


                  U.S. GOVERNMENT PRINTING OFFICE
52-239 PDF                WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001







                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California          Peter T. King, New York
Jane Harman, California              Lamar Smith, Texas
Peter A. DeFazio, Oregon             Mark E. Souder, Indiana
Eleanor Holmes Norton, District of   Daniel E. Lungren, California
    Columbia                         Mike Rogers, Alabama
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Henry Cuellar, Texas                 Gus M. Bilirakis, Florida
Christopher P. Carney, Pennsylvania  Paul C. Broun, Georgia
Yvette D. Clarke, New York           Candice S. Miller, Michigan
Laura Richardson, California         Pete Olson, Texas
Ann Kirkpatrick, Arizona             Anh ``Joseph'' Cao, Louisiana
Ben Ray Lujan, New Mexico            Steve Austria, Ohio
Bill Pascrell, Jr., New Jersey
Emanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
Vacancy
                    I. Lanier Avant, Staff Director
                     Rosaline Cohen, Chief Counsel
                     Michael Twinchek, Chief Clerk
                Robert O'Connor, Minority Staff Director
                                 ------                                

   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND 
                               TECHNOLOGY

                 Yvette D. Clarke, New York, Chairwoman
Loretta Sanchez, California          Daniel E. Lungren, California
Laura Richardson, California         Paul C. Broun, Georgia
Ben Ray Lujan, New Mexico            Steve Austria, Ohio
Mary Jo Kilroy, Ohio                 Peter T. King, New York (Ex 
Bennie G. Thompson, Mississippi (Ex      Officio)
    Officio)
                      Jacob Olcott, Staff Director
       Dr. Chris Beck, Senior Advisor for Science and Technology
                       Carla Zamudio-Dolan, Clerk
               Coley O'Brien, Minority Subcommittee Lead












                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Yvette D. Clark, a Representative in Congress From 
  the State of New York, and Chairwoman, Subcommittee on Emerging 
  Threats, Cybersecurity, and Science and Technology.............     1
The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Ranking Member, Subcommittee 
  on Emerging Threats, Cybersecurity, and Science and Technology.     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security..............................................     6

                               Witnesses

Ms. Rita M. Glavin, Acting Assistant Attorney General, Criminal 
  Division, Department of Justice:
  Oral Statement.................................................     7
  Prepared Statement.............................................     9
Mr. Robert Russo, Director, Payment Card Industry Data Security 
  Standards Council:
  Oral Statement.................................................    24
  Prepared Statement.............................................    26
Mr. W. Joseph Majka, Head of Fraud Control and Investigations, 
  Global Enterprise Risk, Visa, Inc.:
  Oral Statement.................................................    30
  Prepared Statement.............................................    32
Mr. Michael Jones, Senior Vice President and Chief Information 
  Officer, Michaels Stores, Inc.:
  Oral Statement.................................................    35
  Prepared Statement.............................................    37
Mr. David Hogan, Senior Vice President, Retail Operations, and 
  Chief Information Officer, National Retail Federation:
  Oral Statement.................................................    40
  Prepared Statement.............................................    42

                             For The Record

Submitted for the Record by Chairwoman Yvette D. Clarke:
  Statement of Andrew R. Cochran, Founder and Co-editor, The 
    Counterterrorism Blog........................................    18
  Statement of Kirsten Trusko, on Behalf of the Network Branded 
    Prepaid Card Association.....................................    20

                                Appendix

Questions Submitted by Chairwoman Yvette D. Clarke...............    51

 
     DO THE PAYMENT CARD INDUSTRY DATA STANDARDS REDUCE CYBERCRIME?

                              ----------                              


                        Tuesday, March 31, 2009

             U.S. House of Representatives,
                    Committee on Homeland Security,
      Subcommittee on Emerging Threats, Cybersecurity, and 
                                    Science and Technology,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:11 p.m., in 
Room 311, Cannon House Office Building, Hon. Yvette D. Clarke 
[Chairwoman of the subcommittee], presiding.
    Present: Representatives Clarke, Richardson, Lujan, 
Thompson [ex officio], and Lungren.
    Ms. Clarke. The subcommittee will come to order. The 
subcommittee is meeting today to receive testimony on whether 
the payment card industry data standards reduce cybercrime.
    Good afternoon. In recent years, a number of well-known 
companies have experienced massive data breaches in their 
internal computer networks, resulting in the compromise of 
sensitive customer data. The criminals who perpetrated these 
intrusions targeted the credit and debit card account 
information held by merchants or third-party data processors as 
the result of retail transactions.
    With a thriving black market that rapidly packages and 
sells stolen cardholder data, the information compromised 
during these breaches may ultimately aid a number of criminal 
organizations. We know that some percentage of the fraudulent 
charges and illicit businesses from these activities is used to 
fund terrorist activity throughout the world.
    In his 2002 autobiography, the Bali nightclub bomber 
specifically referred to on-line credit card fraud and carding 
as a means to fund terrorist activities and encouraged his 
followers to use this method to obtain financing.
    More recently, a British case involving three jihadis, 
alleged that the men used stolen credit card numbers obtained 
through fishing scams and Trojan horses to make more than 3.5 
million in fraudulent charges. The jihadis reportedly used the 
numbers at hundreds of on-line stores to purchase equipment and 
other items, including prepaid cell phones and airline tickets, 
in order to aid jihadi groups in the field.
    The subcommittee is holding this hearing today to voice our 
concern about the growing number of data breaches and to 
understand what is being done to curb this activity and to 
suggest that both merchants and the pay card industry have 
significant work ahead to meet our expectations. The payment 
card industry--Visa, MasterCard, Discover, American Express, 
and JCB--requires every business that stores, processes, or 
transmits computer data to comply with specific data security 
standards. The intent of these standards is to reduce the 
likelihood of successful data security breaches. On an annual 
basis, these merchants must certify that they are compliant 
with the payment card industry data security standards known as 
PCI standards.
    The PCI standards contain a number of security controls 
that businesses must implement. The PCI standards allow smaller 
businesses to self-certify compliance, while larger merchants 
must be validated by a qualified security assessor. Enforcement 
comes through the card companies themselves who can levy fines 
and/or prohibit noncompliant merchants from using their 
services.
    To be clear, the PCI standards are not Government 
regulations and are not enforced by the Government. This 
committee supports industry-created and -managed security 
standards as long as they are strong and effective.
    In light of the rising number of publicly reported data 
breaches, Chairman Thompson launched an investigation to 
determine whether the PCI standards have been effective in 
reducing cybercrime. The results of this investigation suggest 
that the PCI standards are of questionable strength and 
effectiveness.
    The effort to become PCI-compliant is a daunting challenge 
for merchants whose core competency is the selling of 
merchandise rather than expertise in security. The cost for the 
largest merchants can be as high as $18 million a year. Many 
believe that if they complete this arduous task, they will be 
rewarded with a secure system. But the committee's 
investigation confirms what many analysts have known for years. 
In the words of one credit card company, full compliance with 
the PCI standard does not guarantee that the merchant or vendor 
will not be the victim of a data breach.
    Take last year's data breach of Hannaford Brothers Company, 
for example. Hackers installed malicious code on servers to 
every one of the grocery stores in the Hannaford chain. The 
malware intercepted the data stored on the magnetic stripe of 
payment cards as customers used them at the checkout counter. 
Hannaford received certification that they were PCI-compliant 
on February 28, 2008. But on February 27, 2008, according to 
the documents obtained by the committee, Hannaford was notified 
that a number of the credit card numbers from its network were 
stolen and being used on the black market. In other words, 
Hannaford was being certified as PCI-compliant while an illegal 
intrusion into its network was in progress.
    I do not believe that PCI standards are worthless. In the 
absence of other requirements they do serve some purpose, but I 
do want to dispel the myth, once and for all, that PCI 
compliance is enough to keep a company secure. It is not. The 
credit card companies acknowledge that.
    The bottom line is that if we care about keeping money out 
of the hands of terrorists and organized criminals, we have to 
do more, and we have to do it now. Specifically, we must 
improve our policies and our technology.
    First, the standards have to be better because they are 
inadequate to protect against the methods being used by modern 
hackers and attackers. Despite what the credit card companies 
say, for millions of small and large businesses out there, the 
PCI standards are the ceiling and not the floor. The bar must 
be raised. In this dynamic threat environment, attackers are 
constantly ahead of defenders, and yet the PCI standards are 
updated only by unanimous consent every 2 years.
    But part of the problem is that the standards do not 
require more frequent penetration testing. The only way to 
reduce breaches is by continuously testing and attacking a 
system through penetration testing and timely mitigation.
    Second, the payment card industry and issuing banks need to 
commit to investing in infrastructure upgrades here in the 
United States. In a response to the committee's investigation, 
one breached company noted that the effectiveness of data 
security standards is inherently limited by the technology base 
of U.S. credit and signature debit card processing networks. 
Credit and signature debit transactions are not protected by 
encrypted PINs. Implementation of encrypted PINs for all debit 
and credit transactions could be useful.
    Countries in Europe and Asia are deploying new technologies 
like Chip and PIN to fight fraud that could lead to organized 
crime and terrorism and it is working. According to the U.K. 
Payments Association, 3 years after beginning the migration to 
chip-card technology, losses on transactions had reduced by 67 
percent, from 219 million pounds in 2004 to 73 million pounds 
in 2007. However, despite card fraud dropping 32 percent 
domestically between 2006 and 2007, overall counterfeit card 
fraud affecting U.K. customers was up 46 percent.
    Why? The cards were being used by malicious actors in 
countries that had not yet implemented the technology. The 
United States is being blown away by security investments 
overseas and our 1950s-era system is making us a weak link in 
the security chain.
    Magnetic stripe-based technology is outmoded and inherently 
less secure when compared to smart cards or other developing 
technologies. While I am deeply concerned about our security, 
the payment card industry and issuing banks should be ashamed 
about the current state of play and doing everything possible 
to immediately institute improvements in infrastructure.
    I know that our witnesses care about keeping financial 
information out of the hands of terrorists and other organized 
crime elements and I know that the payment card industry cares. 
I know that the merchant community cares. But the time for 
waiting is over. The time for shifting risk is over. Today, the 
responsibility is yours to make this situation better.
    This is the first step in the committee's review of the 
payment card industry's efforts, a review that I believe the 
Chairman plans to continue. We look forward to hearing about 
your plans to improve America's cybersecurity posture and 
working with you in all the weeks and months ahead.
    The Chairwoman now recognizes the Ranking Member of the 
subcommittee, the gentleman from California, Mr. Lungren, for 
an opening statement.
    Mr. Lungren. Thank you very much, Madam Chairwoman. I want 
to compliment you for scheduling this important data security 
hearing. It is an issue that most people are aware of, but few 
seem to understand the full extent of this threat or the 
remedies required to eliminate it as much as possible.
    The new Information Age created by computers, the internet, 
and instant communication offers many benefits to the Nation, 
particularly our economy. Transacting business on the internet 
is one of the key benefits of the Information Age.
    Utilizing, obviously, credit cards today is the way people 
normally transact business. It is the new currency of our age. 
A lot of people don't even carry cash around anymore. In fact, 
sometimes you try to pay with cash and people look at you, 
trying figure out what scam you have going on.
    I was at one place where I actually had a 50-cent piece 
that I was trying to utilize and the woman would not recognize 
it as an American currency. I was trying to explain to her the 
image on the surface, and she just evidently missed that 
history lesson about that President.
    The internet has acted as a powerful economic engine for 
the U.S. economy. Unfortunately, these new business 
opportunities carried via the internet have also transformed 
the landscape for the criminal, making available a wider array 
of new methods that identity thieves can use to access and 
exploit the personal and financial information of others.
    Today's skilled computer hackers are capable of 
perpetrating large-scale data breaches that leave tens of 
millions of individuals at risk of identity theft. I recall my 
wife and I were at dinner one night, I gave the card to the 
waiter. After 5 minutes, the waiter came back kind of 
embarrassed and said, well, Mr. Lungren, this card doesn't seem 
to be working. So I turned to my wife and said, Why don't you 
give them the card? She gave them the card with the same 
account. They came back later and said it is not working. 
Luckily my wife had another card.
    If I had been in Chicago, changing planes, and needed to 
stay overnight there, I would have been up the creek without a 
paddle, as we say. I went home that night, called in to the 
credit card company and they informed us there had been a 
credit card compromise. Our account had been compromised. They 
would tell us nothing more than that. My wife went on-line to 
see what our account was at that point in time. There was no 
such account. It was as if it had vanished.
    The point I am making is we were never notified by the 
credit card company. We have a number of automatic payments 
that are made against the card and we tried to track every one 
of them, and missed one of them and got a notice that we had 
not paid that month for something.
    So we are putting a tremendous obligation on the entire 
industry in this case. One is to try and secure things. The 
other one is when there is a breach, what is your requirement 
to notify people? Under what circumstances do you notify 
people? If you are not giving that information to those of us 
who are the consumer, is that information being given to law 
enforcement to follow up in all circumstances? Those are just 
some of the questions.
    The key to this internet economic engine running smoothly 
is data security. There is no doubt about it. If we are unable 
to secure our on-line financial transactions from financial 
criminals, even those not involved in terrorism, then our 
economic growth will be jeopardized, and actually we have 
fulfilled the terrorist dreams of pulling down our country 
through an economic attack. Customers will reject on-line 
purchases if they can't be assured that their payment card 
transactions are protected. Without consumer or customer 
confidence in the safety of the payment card transaction, 
internet commerce would dry up and we could have problems with 
people just using the card when they are actually at brick-and-
mortar stores.
    We know it was a huge problem in the early days of the 
internet when it was an unknown frontier. Unchecked criminal 
activity will bring back those wild west days, undermine 
customer confidence, and cripple internet commerce. I applaud 
the payment card industry for investing their resources and 
personnel to develop and promote a universal data security 
standard. As was mentioned, it is voluntary. We understand 
that. A lot of work has gone into it. We understand that there 
is always the challenge. It is easy for those of us in 
Government to say we can do a better job. Thank God we haven't 
had any security breaches on the part--excuse me--I guess we 
have had a couple of them here and there. All that points out 
is it is a real challenge to stay ahead of the bad guys.
    I mean, you have got mischievous hackers, you have got 
individual criminal hackers, you have got criminal enterprise 
hackers, you have got transnational organization hackers, you 
have got nation-state hackers and, frankly, you have got to try 
to protect against all of that.
    The PCI Security Standards Council that includes all of the 
major card brands has at least understood that there is a need 
for a set of comprehensive requirements for enhancing payment 
account security. One of the questions I would ask: Is there 
any place for the retailers to be involved in discussion of 
those standards and part of that? Another question I would ask 
is: I know you have some flexibility within the standards as 
they exist now. But is it still too much of one size fits all? 
In other words, I know you have a demarcation between mom-and-
pop stores and the big retailer, but in between does it make 
sense? Are the standards flexible enough to be effective on the 
one hand and at the same time allow for different business 
models to operate in a reasonable fashion for them?
    So I realize that the first standard was developed in 2006 
to improve the standard security in the payment card industry. 
It has improved the situation. More needs to be done. We are 
trying to identify those areas that need to be done. We have 
trying to make sure all the parties are brought to bear on the 
question. We are looking to see if Government regulation is 
needed.
    The last thing I would say is this. The challenge for us in 
Government is to try to ensure that we don't interfere with the 
ingenuity of the private sector in being able to put the fixes 
into the security system that are necessary. If you can help us 
in that regard, not only will you benefit, we will benefit as 
well. Thank you very much, Madam Chairwoman.
    Ms. Clarke. The Chairwoman now recognizes the Chairman of 
the full committee on Homeland Security, the gentleman from 
Mississippi, Mr. Thompson, for an opening statement.
    Mr. Thompson. Good afternoon. Thank you, Madam Chair, for 
holding this very critical hearing on the effectiveness of the 
PCI standards.
    From our personal computers to Government networks to our 
critical infrastructure, the United States is under attack in 
cyberspace. This adversary ranges in skill from unsophisticated 
to highly capable, from loan hackers to organized crime and 
nation-states. Their intent ranges from nuisance and disruption 
to theft, espionage, and warfare. Their successes are varied.
    From every hacker that we have caught and prosecuted, 
thousands continue to work unabated. In December 2008, the 
Center for Strategic and International Studies concluded that 
the battle for cyberspace is one that we are not winning.
    Willy Sutton was rumored to have said he robbed banks 
because that is where the money is. In today's world of payment 
card transactions, the money is now located on computer 
networks. On any given day, billions of dollars float back and 
forth between merchants and payment card networks which process 
credit card numbers for transactions in an area that is ripe 
for hackers to exploit, and they are taking advantage of 
weaknesses in the system.
    We are here today to learn about the private sector's 
efforts to combat data breaches and cybercrime and to assess 
the quality of the payment card industry data security 
standards. The standards have been around for several years, 
but massive on-going data breaches at some of America's largest 
merchants suggest that the standards are inadequate to prevent 
breaches.
    The essential flaw with the PCI standards is that it allows 
companies to check boxes, but not necessarily be secure. 
Checking boxes makes it easier to assess compliance with the 
standard, but compliance does not equal security. We have to 
get beyond check-box security. It provides a false sense of 
security for everyone involved, and it is ineffective in 
reducing the real threats. Companies need to understand that 
even if 100 percent compliance with PCI standards is achieved, 
hackers will continue to develop techniques to exploit the 
computer systems of companies holding cardholder data. You are 
not safe unless you continually test your systems.
    Today we are calling for change. I call on the payment card 
industry, and the thousands of merchants and vendors who have 
to comply with the standards, to rededicate themselves to the 
goal of securing their networks. For the payment card industry 
and the issuing banks, this is going to mean significant 
investment in the infrastructure upgrades. As the Chairwoman 
has pointed out, these investments are already on-going 
overseas.
    I am puzzled and disappointed that we are not seeing 
similar upgrades here domestically, and I hope our witnesses 
can explain why the card industry appears not to be moving 
quickly to address these issues. I am also deeply troubled by 
the testimony that suggests credit card companies are less 
interested in substantially improving their product and 
procedures than they are in reallocating their fraud costs. The 
payment card industry's efforts to shift risk appears to have 
contributed to our current state of insecurity, and I am 
concerned that as long as the card industry is writing the 
standards, we will never see a more secure system.
    We in Congress must seriously consider whether we can 
continue to rely on industry-created and -enforced standards, 
particularly if they are inadequate to address the on-going 
threats.
    I look forward to working with my colleagues on both sides 
of the aisle and across committee lines to further explore 
whether Government action is necessary to protect against these 
threats. One thing is certain: The current system is not 
working.
    Madam Chairwoman, I thank you for your work in this area, 
and I look forward to the testimony of both panels.
    Ms. Clarke. Thank you very much, Mr. Chairman. Other 
Members of the subcommittee are reminded that under the 
committee rules, opening statements may be submitted for the 
record.
    We are going to take a break right now for votes. They have 
come up and we are scheduled for three votes, which puts us at 
about 25 minutes. Well, now it is less than 25 minutes, maybe 
about 15. So please excuse us as we go and recess for votes.
    [Recess.]
    Ms. Clarke. I welcome our only panelist on the Federal 
panel, Ms. Rita Glavin, Acting Assistant Attorney General, 
Criminal Division, Department of Justice. In June 2008, Ms. 
Glavin joined the Criminal Division as the Acting Principal 
Deputy Assistant Attorney General. Ms. Glavin began her service 
to the Department in 1998 through the Department's honors 
program as a trial attorney in the public integrity section 
where she worked until 2003. Since 2003, Ms. Glavin has been an 
assistant U.S. attorney with the United States Attorneys Office 
for the Southern District of New York.
    Without objection, this witness' full statement will be 
inserted into the record. I now ask you to introduce yourself 
and summarize your testimony for 5 minutes.

STATEMENT OF RITA M. GLAVIN, ACTING ASSISTANT ATTORNEY GENERAL, 
            CRIMINAL DIVISION, DEPARTMENT OF JUSTICE

    Ms. Glavin. Good afternoon, Chairwoman Clarke, and thank 
you for the invitation to address the subcommittee. As you 
know, identity theft is not a new problem. However, in recent 
years, identity thieves have begun to capitalize on a variety 
of new methods to access and exploit the personal information 
of others. Skilled hackers are now capable of perpetrating 
large-scale data breaches that leave hundreds of thousands of 
individuals and, in some cases, millions of individuals at risk 
of identity theft.
    The Department of Justice, along with our law enforcement 
partners, has been aggressively investigating and prosecuting 
these data breaches and other criminal activity associated with 
them. We are committed to continuing our efforts. We have 
historically had tremendous success in identifying, 
investigating, and prosecuting the perpetrators of these acts. 
But as always, we can and we will do more.
    To that end, the continued and improving coordination with 
our partners in the international community and in the private 
sector will be critical to ensuring our success. We are glad to 
have this opportunity to discuss these issues with your 
subcommittee.
    The Department has responsibility for the investigation and 
prosecution of a wide range of cybercrime cases. But large-
scale breaches are of significant concern to us because their 
effects can be amplified exponentially when criminals use the 
internet to quickly and widely distribute vast quantities of 
information stolen during these breaches.
    The threat we face is wide and it is varied, ranging from 
very sophisticated individual hackers to international criminal 
organizations. The resulting losses, as you know, can be 
devastating and the criminals perpetrating these acts may be 
motivated by any number of factors, including personal 
financial gain and the desire to use this illegal activity to 
fund and facilitate other dangerous crimes.
    The Department's benchmark prosecutions of large-scale data 
breaches and the criminal activity that results from such 
breaches highlight the range of our efforts that we have been 
using to address the growing problem. I want to give you a 
couple of examples. Most recently, the FBI announced the 
results of a 2-year undercover operation that targeted members 
of the on-line carding forum known as Dark Market. At its peak, 
the Dark Market Web site had over 2,500 registered members 
around the world. This operation has resulted in 60 arrests 
worldwide and it has prevented what we estimate to be 
approximately $70 million in economic loss.
    In another example, in August 2008, the Department 
announced the largest hacking and identity theft case ever 
prosecuted, in which charges were brought against 11 members of 
an international hacking ring. Now, these various defendants 
who were from the United States, Estonia, the Ukraine, Peoples 
Republic of China, Belarus, were charged with, among other 
things, the theft and sale of more than 40 million credit and 
debit card numbers obtained from various retailers.
    Another example, in 2004 the U.S. Secret Service and 
several components of the Justice Department coordinated the 
search and arrest of more than 28 members of the Shadow Crew, a 
criminal organization located in eight States in the United 
States and six foreign countries. Members of the group were 
later charged in a 62-count indictment with trafficking in at 
least 1.5 million stolen credit and bank card numbers that 
resulted in losses in excess of $4 million. The Shadow Crew Web 
site was disabled, which we believe prevented hundreds of 
millions of dollars in additional losses to the credit card 
industry. This was known as Operation Firewall, and this early 
effort paved the way for our more recent successes in this 
area.
    Now, while investigation and prosecution are important, 
prevention and detection are key elements in the fight against 
this criminal activity. Keeping credit, debit, and other 
financial account information out of the hands of criminals in 
the first place is an essential step in reducing the frequency 
and minimizing the impact of large-scale data compromises. We 
suggest that all entities that store, process, or transmit 
credit, debit, and other financial account information should 
take steps, including complying with the payment card industry 
data security standards, to improve the security of their 
computer systems and to decrease the vulnerability of the 
information they handle.
    Of course, even 100 percent compliance with the PCI DSS, if 
that were achieved, it is likely that hackers will continue to 
develop techniques to exploit the computer system of companies 
holding cardholder data. For instance, in those instances where 
the hackers have succeeded, efforts by the Department and 
efforts by investigative agencies to look into and prosecute 
and punish those hackers and carders have been critical to 
deterring future criminals.
    For us to have continued success on this front, it is 
imperative that, No. 1, victim companies embrace new measures 
to swiftly detect data breaches and system compromises. No. 2, 
that the victim companies immediately and consistently report 
detected data breaches to law enforcement. Finally, that the 
United States builds on its existing relationships with our 
international partners to strengthen law enforcement 
cooperation channels internationally. Thank you.
    Ms. Chairwoman, I am prepared to answer your questions.
    Ms. Clarke. I thank you for your testimony.
    [The statement of Ms. Glavin follows:]
                  Prepared Statement of Rita M. Glavin
                             March 31, 2009
    Good morning, Chairwoman Clarke and Ranking Member Lungren. Thank 
you for your invitation to address the committee. The Department of 
Justice welcomes this opportunity to testify about our commitment to 
combating large-scale data breaches and the payment card fraud that 
results from such breaches.
    As you know, identity theft is not a new problem. However, in 
recent years, the information age has transformed the landscape in 
which criminals operate, making available a wide array of new methods 
that identity thieves can use to access and exploit the personal 
information of others. Criminals have capitalized on these new and far-
ranging opportunities. Skilled hackers are now capable of perpetrating 
large-scale data breaches that leave hundreds of thousands--and in many 
cases, tens of millions--of individuals at risk of identity theft. 
Today's criminals now have the opportunity to remotely access the 
computer systems of Government agencies, universities, merchants, 
financial institutions, credit card companies, and data processors, to 
steal large volumes of personal information, including individuals' 
financial information, made available simply by virtue of everyday acts 
like making credit and debit card retail transactions. Reflecting this 
trend, there are currently over 2,000 active cases related to identity 
theft pending in the U.S. Attorney's Offices (USAOs), and there has 
been a 138.2% increase in identity theft convictions by USAOs between 
fiscal year 2004 and fiscal year 2008. The Department of Justice, 
through its Criminal Division, the Federal Bureau of Investigation 
(FBI), the USAOs, and other components, along with our partners at the 
U.S. Secret Service (USSS) and the U.S. Postal Inspection Service, has 
been aggressively investigating and prosecuting these data breaches and 
other criminal activity associated with them, and we are committed to 
continuing our efforts. Historically, the Department has had tremendous 
success in identifying, investigating, and prosecuting the perpetrators 
of these acts. But as always, we can and will do more. To that end, the 
continued and improved coordination with our partners in the 
international community and the private sector will be critical to 
ensuring our success, and we are glad to have this opportunity to 
discuss these issues in particular with you.
                         the ``carder'' threat
    The Department has responsibility for the investigation and 
prosecution of a wide range of cyber crime cases, but large-scale 
breaches are of significant concern to us because their fallout can be 
amplified exponentially when criminals harness the power of the 
internet to quickly and widely distribute for future fraudulent use the 
vast quantities of information stolen during these breaches. For 
example, international organized crime is currently one of the fastest-
growing threats in the computer intrusion arena, and these groups--who 
are continuing to expand and become more sophisticated--along with 
hosts of other cyber criminals, have made large-scale data breaches one 
powerful part of their profile.
    Through activity known as ``carding,'' large volumes of data are 
stolen, resold, and ultimately used by criminals to commit fraud. In 
recent years, the problem of ``carding'' has grown. ``Carding'' means 
not only the unauthorized use of credit and debit card account 
information to fraudulently purchase goods and services, but also a 
growing assortment of related activities including computer hacking, 
phishing, cashing out stolen account numbers, re-shipping schemes, and 
internet auction fraud. I will describe some of these schemes in more 
detail in a moment.
    The internet provides a unique venue in which ``carders'' can 
advertise and sell stolen data to the highest bidder and self-organize 
to facilitate their activities. For example, carders often become 
members of Web site forums designed to provide an active marketplace 
for the sale of, among other contraband, stolen credit and debit card 
numbers; compromised personally-identifiable information, including an 
individual's address, phone number, social security number, personal 
identification numbers (PINs), credit history report, and mother's 
maiden name; and false identification documents.
    Once stolen identity information is sold, the purchasers frequently 
engage in fraudulent activity including, among other things, the use of 
stolen credit card information to make purchases on-line and in person, 
and ``cashing,'' which refers to the act of obtaining money--rather 
than retail goods and services--with the unauthorized use of stolen 
financial information. In recent years, criminal carding organizations 
engaged in what is known as ``PIN cashing'' have developed 
sophisticated ``cash-out networks'' in which stolen financial 
information is immediately disseminated to designated groups of 
criminals who withdraw money from ATMs all over the world within a 
short time period. In one example, PIN cashers made 9,000 withdrawals 
worldwide totaling $5 million in less than 48 hours from four 
compromised prepaid debit card accounts.
               the link between carding and other crimes
    In addition to the financial fraud perpetrated by carders, the 
Department focuses on criminals who engage in carding activities with a 
motivation other than personal financial gain. We know, for example, 
that drug traffickers engage in identity theft for the purpose of 
financing their activities.
    Similarly, there is a well-documented connection between identity 
theft--in particular as it relates to obtaining fraudulent 
identification documents, but also as it may relate to credit card 
fraud--and terrorism. As one example, a convicted terrorist in 
Indonesia, Imam Samudra, wrote about the use of credit card fraud and 
carding as a means to fund terrorist activities in his 280-page 
autobiography. Samudra sought to fund the 2002 Bali nightclub bombings, 
of which he was convicted, in part through on-line credit card fraud.
    Also illustrative of the connection between terrorism and credit 
card fraud, three British men were convicted in 2007 of inciting 
terrorist murder via the internet under the United Kingdom's Terrorism 
Act of 2000. Younes Tsouli, Waseem Mughal, and Tariq Al-Daour were 
participants in a network of extremist Web sites and communication 
forums through which al Qaeda statements were issued and which 
disseminated videos of beheadings, suicide bombings in Iraq, and other 
jihadi propaganda. The three men also pleaded guilty to conspiracy to 
defraud banks and credit card companies. Tsouli was sentenced to 16 
years in prison, Mughal was sentenced to 12 years in prison, and Al 
Daour was sentenced to 10 years in prison. Al-Daour and his associates 
used stolen credit card numbers obtained through phishing scams to make 
more than $3.5 million in fraudulent charges in order to purchase 
equipment, prepaid cell phones, airline tickets, and other items, to 
support jihadi groups in the field. Tsouli and Mughal also used stolen 
credit card numbers to set up and host jihadi Web sites. Significantly, 
the investigation revealed that these individuals were members of 
carding organizations.
            the department's investigations and prosecutions
    The Department of Justice plays a critical role in combating 
payment card breaches and the fraud and other criminal activity that 
results. United States Attorney's offices throughout the country 
actively prosecute these cases. Within the Criminal Division, the 
Computer Crime and Intellectual Property Section (CCIPS) also 
investigates and prosecutes large-scale data breaches and coordinates 
prosecutions that involve multiple USAOs and foreign countries. In 
addition, the Fraud Section of the Criminal Division recently 
established the Payments Fraud Working Group (PFWG), which it co-chairs 
with the Board of Governors of the Federal Reserve System. The PFWG is 
an inter-agency cooperative effort between law enforcement and the bank 
regulatory agencies designed to examine issues related to various 
payments systems and establish initiatives to protect payments systems 
against fraud and other misuse. The Department also helped to lead the 
Identity Theft Task Force, which also addressed many of these issues. 
Finally, the Office of International Affairs in the Criminal Division 
supports international cooperation efforts by implementing mutual legal 
assistance treaties (MLATs) and international conventions that have 
yielded significant evidence for use in U.S. and foreign prosecutions 
and by marshaling efforts to extradite international fugitives.
    The combined force of all of these efforts, along with the efforts 
of the FBI and the Department's other law enforcement partners, has 
resulted in a number of benchmark prosecutions that highlight the range 
of the Department's efforts to address the growing problem of large-
scale data breaches and associated criminal activity.
Recent Successes
    The Department, in coordination with its various USAOs, has worked 
with investigative agencies including the USSS, the FBI, and the United 
States Postal Inspection Service to combat carding and associated 
crimes, with great success:
   Dark Market carding forum.--Most recently, on October 16, 
        2008, the FBI announced the results of a 2-year undercover 
        operation, conducted in conjunction with CCIPS, targeting 
        members of the on-line carding forum known as Dark Market. At 
        its peak, the Dark Market Web site had over 2,500 registered 
        members around the world. This operation has resulted in 60 
        arrests worldwide and prevented an estimated $70 million in 
        economic loss.
   International hacking ring.--In August 2008, the Department 
        announced the largest hacking and identity theft case ever 
        prosecuted, in which charges were brought by the USAOs in the 
        District of Massachusetts, the Southern District of California, 
        and the Eastern District of New York against 11 members of an 
        international hacking ring, including Maksik, discussed later. 
        The various defendants--who were from the United States, 
        Estonia, Ukraine, the People's Republic of China, and Belarus--
        were charged with, among other things, the theft and sale of 
        more than 40 million credit and debit card numbers obtained 
        from various retailers including TJX Companies, BJ's Wholesale 
        Club, OfficeMax, Boston Market, Barnes & Noble, Sports 
        Authority, Forever 21, Dave & Buster's, and DSW.
   Operation CardKeeper.--Operation CardKeeper, led by the FBI 
        and the USAO for the Eastern District of Virginia, resulted in 
        the arrests of 13 individuals in Poland and eight in the United 
        States. International cooperation was required to execute 
        search warrants in the United States and in Romania. 
        Significantly, Operation CardKeeper resulted in the U.S. 
        conviction of an individual known on-line as ``John 
        Dillinger.'' This defendant was sentenced in 2007 to 94 months 
        in Federal prison for his carding activity, including 
        aggravated identity theft, access device fraud, and conspiracy 
        to commit bank fraud. Computers seized from him revealed more 
        than 4,300 compromised account numbers and full identity 
        information for over 1,600 individual victims.
   ``Iceman''.--In late 2007, a major supplier of tens of 
        thousands of credit card accounts to carding forums was 
        indicted for wire fraud and identity fraud; he is currently 
        awaiting trial. Max Ray Butler, known on-line as ``Iceman,'' 
        was the co-founder and administrator of the carding forum 
        Cardersmarket. This case is being prosecuted by the United 
        States Attorney's Office for the Western District of 
        Pennsylvania.
   ``Maksik'' and ``Lord Kaisersose''.--Maksym Yastremskiy, 
        known on-line as ``Maksik,'' believed to be one of the top 
        traffickers in stolen account information, was arrested for his 
        carding activity in Turkey in 2007. He was also indicted in 
        several U.S. districts as the result of the Department's 
        prosecution of the international hacking ring I discussed 
        earlier. Maksik allegedly sold hundreds of thousands of credit 
        and debit card numbers. One of his customers, an infamous 
        carder known on-line as ``Lord Kaisersose,'' was previously 
        searched and arrested in France as the result of a joint 
        investigation conducted by the USSS and the French National 
        Police. He is currently awaiting sentencing.
``Operation Firewall''
    Much of this successful investigative work has its roots in some of 
the Department's early efforts to dismantle highly-organized carding 
enterprises. As just one example, in 2004, as part of an undercover 
investigation known as Operation Firewall, the U.S. Secret Service 
(USSS) and several components of the Department of Justice coordinated 
the search and arrest of more than 28 members of the ``Shadowcrew'' 
criminal organization, located in eight States in the United States and 
six foreign countries. Members of the group were later charged in a 62-
count indictment with trafficking in at least 1.5 million stolen credit 
and bank card numbers that resulted in losses in excess of $4 million. 
As part of this takedown, the USSS disabled the Shadowcrew Web site. We 
believe that had the organization not been interrupted, the credit card 
industry could have faced hundreds of millions of dollars in additional 
losses. Instead, the Shadowcrew criminal organization's activity 
stopped, and to date, with the exception of two fugitives, all of the 
domestic Shadowcrew defendants have pleaded guilty and received 
sentences of up to 90 months in prison. This prosecution was the first 
of its kind--by prosecuting top-tier members of the organization for 
conspiracy, it held individuals responsible for the criminal offenses 
facilitated through the carding forum by virtue of their leadership 
role in a criminal organization that operated solely on-line. Operation 
Firewall enabled many of our more recent successes. In addition, the 
investigation into the Shadowcrew organization also revealed that the 
defendants were conspiring internationally to commit specific carding-
related crimes, including bank fraud, and enabled us to successfully 
prosecute individuals for that conduct separately.
    Operation Firewall, like many of the examples I have mentioned 
today, also illustrates how we can effectively respond to the 
increasingly global nature of carding organizations. With the 
cooperation of law enforcement agencies in the United Kingdom, Canada, 
Bulgaria, Belarus, Poland, Sweden, the Netherlands, and Ukraine, 
foreign searches and arrests went smoothly, and foreign individuals 
were successfully indicted in the United States. In addition, the 
United Kingdom pursued a separate domestic prosecution of Shadowcrew 
members, which has led to a number of guilty pleas.
                  prevention, detection, and response
    Keeping credit, debit, and other financial account information out 
of the hands of criminals in the first place is an essential first step 
in reducing the frequency, and minimizing the impact, of large-scale 
data compromises. Merchants and processors who hold individuals' 
sensitive financial information are prime targets for hackers and 
carders. To address this vulnerability, the credit card associations 
developed a set of security standards, known as the Payment Card 
Industry Data Security Standards (PCI DSS), for merchants and third-
party processors. We suggest that all entities that store, process, or 
transmit credit, debit, and other financial account information should 
ensure that they comply with all requirements of the PCI DSS in order 
to improve the security of their computer systems.
    As is well understood throughout the security community, however, 
perfect security is impossible. Therefore, even if 100% compliance with 
PCI DSS were achieved, it is likely that hackers will continue to 
develop techniques to exploit the computer systems of companies holding 
cardholder data. For instances in which those hackers succeed, efforts 
by the Department and investigative agencies to investigate, prosecute, 
and punish hackers and carders are critical to deterring future 
carders, learning more about the nature of these crimes, and punishing 
offenders. For continued success on these fronts, it is imperative 
that: (1) Victim companies embrace measures to swiftly detect data 
breaches and system compromises; (2) victim companies report data 
breaches to law enforcement; and (3) the United States builds upon its 
existing relationships with international partners to strengthen law 
enforcement cooperation channels internationally.
Early Detection
    Early detection plays two important roles in efforts to combat 
carding activity. First, it can assist in mitigation of potential 
damage. When victim companies are notified by law enforcement, credit 
card companies, or other entities about a potential compromise to their 
system, they should take all reasonable measures to determine whether a 
compromise did indeed occur. Successful detection empowers victim 
companies to take steps to address the vulnerability, fortify their 
systems, and notify individual victims as necessary. But to date, it 
has been our experience that following notification, victim companies 
can not and do not always do enough to determine the scope and severity 
of data breaches of their computer networks.
    Moreover, law enforcement faces continued investigative challenges 
as a result of delayed detection and response. Often, victim companies 
detect compromises to their system weeks, months, or years after they 
occur, and as a result, meaningful investigative leads may have 
disappeared by the time the compromise is reported to law enforcement, 
if it is reported at all. Private entities must have the capabilities 
to identify compromises more quickly. To accomplish this, we recommend 
that all entities that store, process, or transmit credit, debit, and 
other financial account information implement security mechanisms 
designed to detect system breaches, such as tracking and monitoring all 
access to network resources and cardholder data.
Breach Reporting
    Immediate reporting of incidents to law enforcement is also vital 
to law enforcement's ability to investigate large-scale data breaches. 
Immediate reporting necessarily relies upon each potential victim 
company's capacity to promptly detect an incident, but we know from 
experience that prompt detection will not itself result in a report 
from the victim company. For a variety of reasons, data breaches are 
significantly underreported, and as a result, law enforcement efforts 
to bring criminals to justice are significantly hampered. If law 
enforcement never learns of the incident, we will not investigate it; 
if we hear about it too late, we may be unable to preserve critical 
evidence or identify the perpetrators. On the other hand, several 
recent successes in tracking down the perpetrators of high-profile data 
breaches are the direct result of immediate information from victim 
companies on how the hackers entered and exited their systems, 
including the specific IP addresses used in the attack. For example, in 
the Dave & Busters case, which was a part of the international hacking 
ring prosecuted in 2008, when Dave & Busters became aware of 
intrusions, they took measures to log access to their computers, block 
the intruder's further attempts to collect credit and debit card data, 
and identify for law enforcement the intruder's IP address.
    While companies like VISA require by policy that all entities that 
suspect or have confirmed that a security breach occurred must contact 
Federal law enforcement, few laws require the victim company to notify 
law enforcement. In its April 2007 Strategic Plan, the Identity Theft 
Task Force recommended the establishment of a national standard 
requiring entities that maintain sensitive data to provide timely 
notice to law enforcement in the event of a breach. Because only a 
handful of State laws currently require reporting to law enforcement 
and because private sector rules are neither universal nor consistently 
enforced across the various companies, we urge Congress to consider 
requiring security breach reports to Federal law enforcement using a 
mechanism that ensures that the USSS and FBI have access to the 
reports.
International Law Enforcement Cooperation
    As illustrated by the array of cases I have mentioned, carders 
operating in carding forums on the internet reside in different 
countries, collaborate freely across borders, and can immediately and 
widely distribute stolen identity information around the globe. In 
addition, on-line carding forums provide networking opportunities for 
criminals interested in joining together to perpetrate other financial 
fraud or criminal activity on a global scale. As a result, coordination 
and cooperation from foreign law enforcement is vital to the success of 
carding investigations and prosecutions. In this regard, the Identity 
Theft Task Force's Strategic Plan also recommended that the Department 
of Justice and other departments and agencies take specific steps to 
improve coordination and evidence sharing with foreign law enforcement 
agencies.
    We believe that on this front, the United States should continue to 
press other nations to accede to the Convention on Cybercrime (2001), 
which will improve cooperation between law enforcement agencies. The 
Convention, which the United States ratified in 2006, assures that 
other countries enact suitable domestic legislation criminalizing 
identity theft, in part to facilitate information-sharing under MLATs 
and the extradition of criminal defendants. In addition, the United 
States should continue to work closely with multilateral organizations 
to urge other countries to review their criminal codes and criminalize 
identity-related criminal activities where appropriate. This has 
historically proven effective. Last month, for example, the G-8 Roma/
Lyon Group approved for further dissemination a paper that examines the 
criminal misuse of identification information and identification 
documents within the G-8 States and proposes ``essential elements'' of 
criminal legislation to address identity-related crime. The Identity 
Theft Task Force's Strategic Plan also directs the U.S. Government to 
identify countries that are safe havens for identity thieves and to use 
appropriate diplomatic and enforcement mechanisms to encourage those 
countries to change their practices. The Department of Justice has 
begun this process, gathering information from a range of law 
enforcement authorities. Finally, only by assisting foreign authorities 
can we expect them to reciprocate with critical evidence for our own 
investigations. The United States can improve international 
cooperation, in certain cases, by ensuring that our legislation 
provides U.S. authorities with the tools to assist foreign 
investigations effectively.
                               conclusion
    As I have attempted to outline for the subcommittee, the Department 
has been at the forefront of groundbreaking and historic efforts to 
identify, prosecute, and punish the perpetrators of large-scale data 
breaches and the associated identity theft and fraud following from 
those breaches. In light of the growing sophistication and global scope 
of the threat, we are committed to continuing and improving our efforts 
to address this conduct. Thank you for the opportunity to provide the 
subcommittee with a brief overview of the Department's role in 
combating these crimes and the primary issues we must focus on as we 
press ahead.
    Madam Chairwoman, this concludes my remarks. I would be pleased to 
answer any questions that you or other Members of the subcommittee may 
have.

    Ms. Clarke. I will remind each Member that he or she will 
have 5 minutes to question the panel. I will now recognize 
myself for questions.
    Are we seeing more massive data breaches today, or is the 
media simply reporting more?
    Ms. Glavin. I think you have a little bit of both. The 
media is reporting on it, but what we have seen over the last 
several years and in some of the operations specifically I have 
referred to in our testimony, including the Shadow Crew 
organization, is hundreds of thousands, if not millions, of 
personal financial information and identity thefts occurring.
    The Operation Firewall, which was both the Shadow Crew 
organization and the Carder Market Forum, should demonstrate 
that for a number of years this type of data breach has been 
happening and that there are hackers all over the world that 
are looking to get into systems and slowly take the information 
out. It can be over a course of months, if not over a course of 
years.
    So, yes, the data breaches are occurring and we know that 
because of undercover operations we have done and because of 
the publicly reported takedowns that we have done that I 
mentioned in my testimony. Yes, the media is reporting on those 
breaches.
    Ms. Clarke. Ms. Glavin, to what extent does the fact that a 
company is PCI-compliant help to mitigate criminal activity? 
How effective are PCI standards in lowering the risk of being 
breached?
    Ms. Glavin. Having any security system and uniform 
standards are going to help, all right? It is a floor, and it 
is a way to begin the process of preventing breaches. That 
said, what we look at in terms of those PCI set standards is 
you have got to do continual monitoring and you have to do the 
testing, because you may have adopted those standards, but 
people may already be in your computer system by the time you 
have adopted those standards. It is the monitoring and the 
testing that is going to help companies see where they have 
been breached. We know that hackers are always coming up with 
new ways to get into your system. So it is going to be the 
monitoring and the testing.
    The second thing that the Department would suggest is that 
there should be notification through Federal law enforcement 
when breaches occur. I know is that something that has been 
under subject of much discussion. But that would be an 
effective way of dealing with the data breaches on a number of 
levels, because we have a sense from our investigations and 
prosecutions around the country as to the means that the 
hackers used to do this. If we get early reporting, it helps us 
get a sense of what is going on such that we can stop it. We 
can stamp out, you know, Web sites that are doing this and help 
get in front of the problem.
    Ms. Clarke. Ms. Glavin, how successful do you think that 
the Department of Justice's efforts to combat credit card fraud 
will be in the long run if neither improved standards nor 
technology and infrastructure changes are realized and there is 
no reduction in the amount of cardholder data being lost or 
stolen?
    Ms. Glavin. This is going to have to be an on-going 
partnership. Law enforcement has been there and we are always 
going to be there. It is not just within the prosecution of the 
Department of Justice. The FBI is always looking at this. The 
Secret Service is always looking at this. We are working with 
our international partners around the world to have an 
international presence such that we are sharing information. We 
can't do that alone, and having help from private industry when 
they know there have been breaches and reporting that to us, it 
is going to help everybody in the long run.
    So we can do what we do in terms of watching the 
technology, trying to stay on top of the hackers, continually 
looking out for these Web sites and carding forums. But we 
can't do everything alone. To the extent we get help from the 
private sector to stay on top of that, that is important. I 
think that the industry that has adopted the PCI DDS, that is a 
laudable effort. The question is: Can they continue to evolve 
from there?
    Ms. Clarke. Just finally, can you please explain the roles 
of the Secret Service, FBI, and ICE in investigating 
cybercrime, and what are the distinctions between those 
investigative units?
    Ms. Glavin. Sure. The Secret Service has always been 
involved in looking at financial crimes and hackers. What the 
FBI brings to the table in addition to the Secret Service is 
that they have your counter-intelligence databases, which the 
Secret Service may not have. So they can be also checking, on a 
much more international level, what is going on around the 
world. They also have a presence through their legal attaches 
in other countries. So the Secret Service and the FBI both play 
critical roles and they both bring different tools to the law 
enforcement effort.
    Ms. Clarke. Well, thank you very much. I now recognize one 
of our new Members on the committee, new Member to the 
Congress, the gentleman from New Mexico, Mr. Lujan, for his 
questions at this time.
    Mr. Lujan. Thank you very much, Madam Chairwoman. Ms. 
Glavin, thank you very much for being with us today.
    Ms. Glavin. Thank you.
    Mr. Lujan. In your testimony you highlight many instances 
where there are projects or programs, recent success, 
investigations that the Department of Justice has engaged in, 
Dark Market carding forum, international hacking ring, 
Operation Card Keeper, Iceman, Operation Firewall.
    With that being said and with the level of concern that the 
Department of Justice has with the level of crime that is 
taking place, in this case cybercrime, what standards exist 
today for keeping this data secure?
    Ms. Glavin. In terms of private industry, the standards 
that are out there are the PCI DSS, plus whatever State laws 
there are. I mean, a number of States have consumer 
notification laws that require financial entities to report 
data breaches. Some have law enforcement notification laws.
    In terms of Federal regulation, there is not a lot, other 
than you are speaking to someone from the Criminal Division, 
and I know we have the Title 18 criminal statutes that we use 
to prosecute. But in terms of standards across the industry 
Federally, such that people are required by law to comply with 
a certain set of standards, that is not out there.
    Mr. Lujan. So it sounds like what States have done, they 
have a reporting mechanism that when there is a breach in 
security and data is compromised, that they are required to 
notify the consumer that may have been impacted. But with that 
being said, in your opinion, are these standards working the 
way they are being put together today?
    Ms. Glavin. Which industries?
    Mr. Lujan. The industry standards.
    Ms. Glavin. In terms of whether or not they are working, we 
know what reports we get when there has been data breaches and 
when industry chooses to tell us; or sometimes we learn about 
it from our own investigations and we choose to tell them. 
Whether or not they are working, I think the industry 
representatives are in the best position to tell you that.
    What I can say from the Department's perspective is that if 
we are going to do criminal investigations, there is going to 
have to be some cooperation between us and private industry so 
we can do those investigations, get a sense of the data 
breaches and to have cooperation such that they let us know 
what is going on.
    We have a sense of how it happened, what is out there, and 
who may be responsible. As for whether or not they are working, 
I think they are a great bottom line to start with. But you 
have to be constantly watching, testing them, checking them to 
make sure they work, because the hackers are sophisticated 
people and they try to stay one step ahead of the industry. The 
industry tries to get one step ahead of them, and it is in 
everyone's interest that you keep moving ahead.
    Mr. Lujan. Ms. Glavin, did I hear you correctly? Did you 
say that sometimes the Department of Justice will notify the 
companies that there has been a breach, as opposed to the other 
way?
    Ms. Glavin. Yes. But sometimes that can happen--you know, 
if we get information that they may not have, that we may have 
access to through the course of our criminal investigations. It 
could be a company that may be PCI-compliant, but there was 
always something in the system before they got brought up to 
compliance.
    But, yes, there have been instances that I know of, 
investigations where we have learned about information and that 
we have informed the company about, that you may want to check 
X, Y, and Z.
    Mr. Lujan. Thank you very much, Ms. Glavin.
    Madam Chairwoman, I know we had a lot of briefings and 
discussions with the committee as a whole and the various 
subcommittees on the importance and attention that is needed 
when it comes to data breaches, especially with the attacks 
that we know that are occurring on a regular basis, national 
security, as well as financial institutions.
    I think that in the same regard, when we are talking about 
what the expectations are of the American public with feeling 
secure about the data that could exploit them and expose them 
to these types of crime, often times without them ever knowing, 
is something that we have to take seriously.
    So I thank you very much, Madam Chairwoman and Chairman 
Thompson, for bringing this to the attention and allowing us to 
have a hearing on this today.
    Ms. Clarke. Thank you very much, my colleague. I just want 
to correct the record, at least vocally, that my colleague's 
name is Mr. Lujan.
    Mr. Lujan. Thank you very much.
    Ms. Clarke. Very well. Some of your responses to my 
colleague's questions were a bit troubling to me. The fact that 
it could take some time before there is communication around a 
vulnerability that is existing within the system, and in that 
amount of time transactions can take place that can lead to 
financial support for criminal endeavors is something we should 
always be concerned about. Time is of the essence, right? If 
you are not getting the level of transparency, for whatever 
reasons, from the private side--in other words, maybe someone 
is ashamed that they met these PCI standards and now they have 
found a vulnerability. As you said, it couldn't have been one 
that existed there prior to them coming up to code. It is still 
important for that information to be shared, notwithstanding 
whatever reasons may inhibit someone from doing so. Because, 
again, these transactions take place so quickly.
    What would you say could expedite the transfers of 
information? What do you think would open up private enterprise 
to really working with law enforcement on a much more timely 
basis, once something is detected, to address it? Do you think 
that perhaps some introspection about the PCI standards would 
help put them on a higher platform for detection?
    Ms. Glavin. The PCI DSS standards--again, as I said before, 
I think one of the key components of those standards is going 
to be the regularly monitoring and testing. Sometimes these 
breaches aren't readily apparent and are hard to detect.
    As I have had it described to me, the breaches can 
sometimes occur such that the best analogy could be that the 
front door of your house gets open and you don't know it. 
Slowly over a period of time, someone may take, piece by piece, 
all of your house. It could happen over a course of months, and 
an entity may not be aware of it.
    So immediate notification could be hard in that type of 
instance. But regularly monitoring and testing, we hope, would 
be a way that they detect it sooner.
    In terms of the information sharing, we support an effort 
such that there be some type of notification to Federal law 
enforcement. How that is done and what particular entity that 
is reported to is something that we are happy to work with this 
committee on, such that it can happen faster and it gets to the 
law enforcement entities that have been in the forefront of 
this, such as the FBI and the Secret Service. But it is 
immediate notification when you see the data breach. Yes, that 
is something that we would like. But sometimes it is not always 
easy that you are going to find that data breach right away.
    Ms. Clarke. Ms. Glavin, I want to thank you for sharing 
with us your perspective on the PCI standards and the payment 
card industry and its relationship to cybercrime. I want to 
thank you for sharing your expertise with us. We look forward 
to working with you further as we look for ways to strengthen 
this part of our concern with regards to the threats that 
exist, the vulnerabilities that may exist within the payment 
card industry. Thank you very much.
    Ms. Glavin. Chairwoman Clarke, thank you very much. We look 
forward to working with you.
    Ms. Clarke. Thank you. I would like to acknowledge the 
work, Ms. Glavin, of your senior counsel, Kim----
    Ms. Glavin. Kim Paretti.
    Ms. Clarke [continuing]. Kim Paretti in this field, and I 
would like to thank her and her colleagues for their service.
    Ms. Glavin. They have done excellent work.
    Ms. Clarke. We appreciate it.
    The Members of the subcommittee may have additional 
questions for the witness and we will ask you all to respond in 
writing to those questions.
    At this time, the first panel is dismissed and the 
Chairwoman calls out the next panel.
    I welcome the second panel of witnesses. Our first witness 
is Robert Russo, Director of the Payment Card Industry Data 
Security Standards Council. Welcome.
    Our second witness is Joseph Majka, Head of Fraud Control 
and Investigation, Global Enterprise Risk for Visa.
    Our third witness is Michael Jones, Chief Information 
Officer for Michaels Stores.
    Our fourth witness is Dave Hogan, Senior Vice President and 
Chief Information Officer for the National Retail Federation. I 
thank you all for being here today.
    Without objection, the witnesses' full statements of Andrew 
Cochran, an expert on terrorism financing, and Kirsten Trusko 
on behalf of the Network Branded Prepaid Card Association will 
be inserted into the record. Hearing no objection, so ordered.
    [The information follows:]
 Statement for the Record Submitted by Andrew R. Cochran, Founder and 
                  Co-editor, The Counterterrorism Blog
                             March 31, 2009
    Chairwoman Clarke, Ranking Member Lungren, and Members of the 
committee, I appreciate the opportunity to submit a written statement 
on the subject of terrorists' use of credit cards for this important 
hearing. I am the founder and co-editor of The Counterterrorism Blog, 
the first multi-expert internet-based center dedicated solely to 
reporting and analyzing terrorist attacks and counter-terrorism 
policies. Now in its fifth year of operation, The Counterterrorism Blog 
is a highly respected source of objective information and analysis in 
the counter-terrorism community. Our Contributing Experts work in non-
governmental organizations and private businesses worldwide, and 
include over 20 noted experts, including Evan Kohlmann, Douglas Farah, 
Dennis Lornel, Walid Phares, Animesh Roul, Farhana Ali, and Matthew 
Levitt. In addition to earning the plaudits of law enforcement, 
intelligence officials, Members of Congress, and the news media, our 
credibility is evidenced by the fact that al Qaeda attacked us by name 
on Al-Ekhlaas, one of its central messaging forums, last April.\1\ You 
can find us on the internet at http://counterterrorismblog.org/, and 
you can e-mail me.
---------------------------------------------------------------------------
    \1\ ``Al Qaeda Officially Hates The Counterterrorism Blog,'' April 
16, 2008, at http://counterterrorismblog.org/2008/04/
al_qaeda_officially_hates_the.php.
---------------------------------------------------------------------------
    Our Contributing Experts have reported often on terrorists' use of 
stolen credit card information, and they speak often about the subject. 
On February 29, 2008, I chaired a special panel, ``Meta-Terror: 
Terrorism and the Virtual World,'' with two Contributing Experts (Evan 
Kohlmann and Roderick Jones) and the senior vice president and chief 
technology officer of VeriSign.\2\ During that event, our discussion 
included how a senior al Qaeda operative financed operations through 
the use of stolen credit card information. Dennis Lormel, who founded 
and ran the Terrorist Financing Operations Section at the FBI and 
investigated the financing of the 
9/11 attacks, has several posts on terrorists' use of credit cards.\3\ 
Matthew Levitt and Contributing Expert Michael Jacobson cited the use 
of credit card fraud to finance two deadly attacks in a New Republic 
article this year.\4\ I invite the committee to review the cited works 
in detail, and I will quote from and/or summarize their main points for 
the committee's consideration as follows:
---------------------------------------------------------------------------
    \2\ Complete transcript at http://counterterrorismblog.org/2008/03/
event_transcript_and_related_l.php.
    \3\ ``Terrorists and Credit Card Fraud . . . a Quiet Epidemic,'' 
February 29, 2009, at http://counterterrorismblog.org/2008/02/
terrorists_and_credit_card_fra.php, and ``Credit Cards and 
Terrorists,'' January 16, 2008, at http://counterterrorismblog.org/
2008/01/credit_cards_and_terrorists.php.
    \4\ Summarized in ``Drug Wars,'' Michael Jacobson, January 27, 
2009, at http://counterterrorismblog.org/2009/01/drug_wars.php.
---------------------------------------------------------------------------
    1. Credit cards are extremely vulnerable to fraud and are used 
        extensively by terrorists. The internet not only serves as a 
        learning tool for terrorists but also functions as a mechanism 
        to steal credit card information through hacking, phishing, and 
        other means. In many instances, when terrorist operatives are 
        apprehended, they have multiple identifications and credit 
        cards in a variety of names in their possession.
    2. The terrorists who executed the devastating 2004 Madrid train 
        bombings, which killed almost 200 people, and who carried out 
        the deadly July 7, 2005, attacks on the transportation system 
        in London were self-financed, in part through credit card 
        fraud.
    3. Imam Samudra was a key operative of the al Qaeda-linked 
        terrorist group Jamaah Islamiah in Indonesia, and was the 
        mastermind behind the Bali nightclub bombings in 2002 which 
        killed over 200 people. While in prison in 2004, he wrote a 
        jailhouse manifesto, with a chapter, entitled ``Hacking, Why 
        Not.'' In it, he urged fellow Muslim radicals to take holy war 
        into cyberspace by attacking U.S. computers. Samudra described 
        America's computer network as being vulnerable to hacking, 
        credit card fraud, and money laundering. Samudra discussed the 
        process of scanning for Web sites vulnerable to hacking and 
        then discussed the basics of on-line credit card fraud and 
        money laundering. Interestingly, in 2004, Indonesian police 
        asserted that Indonesia had more on-line credit card fraud than 
        any country in the world.
    4. Younes Tsouli, aka ``Terrorist 007,'' and his two associates, 
        Waseem Mughal and Tariq al-Daour, used computer viruses and 
        stolen credit card accounts to set up a network of 
        communication forums and Web sites that hosted everything from 
        tutorials on computer hacking and bomb making to videos of 
        beheadings and suicide bombing attacks in Iraq. They raised 
        funds through credit card information theft and fraud, which 
        were used to support the communications, propaganda, and 
        recruitment for terrorists worldwide, as well as to purchase 
        equipment for Jihadists in the field. One expert described 
        their activities as ``operating an on-line dating service for 
        al Qaeda.'' The three men pled guilty to inciting terrorist 
        murder via the internet.
    Set forth below is a snapshot of the extent of credit card 
information theft and fraud they were responsible for:
   Stolen credit card numbers and identities were used to buy 
        Web hosting services. At least 72 stolen credit card accounts 
        were used to register more than 180 Web site domains at 95 
        different Web hosting companies in the United States and 
        Europe.
   On one computer seized from al-Daour's apartment, some 
        37,000 stolen credit card numbers were found. Alongside each 
        credit card record was other information on the identity theft 
        victims, such as the account holder's address, date of birth, 
        credit balances, and limits.
   More than $3.5 million in fraudulent charges were made using 
        credit card accounts stolen via on-line phishing scams and the 
        distribution of ``Trojan horses.''
   The men purchased sophisticated equipment needed by 
        jihadists in the field and other operational resources, 
        including hundreds of prepaid cell phones, and more than 250 
        airline tickets using 110 different credit cards at 46 airlines 
        and travel agencies.
   They laundered money through on-line gambling sites, using 
        accounts set up with stolen credit card numbers and victims' 
        identities. The trio conducted 350 transactions at 43 different 
        on-line wagering sites, using more than 130 compromised credit 
        card accounts.
    The terrorists apparently obtained some stolen data through 
contacts with Russian-based criminal gangs, and they traded this 
information with criminal syndicates. In the 1990's, al Qaeda would 
steal a handbag to get one credit card to raise funds. Now they will 
just buy this data on-line and get thousands of credit card details. 
Once credit card information winds up in the hands of criminal 
syndicates, it can be easily transmitted to terrorists.
    5. The Liberation Tigers of Tamil Eelam (LTTE), a.k.a. the ``Tamil 
        Tigers,'' use credit card fraud as an international means of 
        financing terrorist activities. Four men, believed to be 
        associated with the Tigers, were arrested this year in Toronto 
        on charges of debit and credit card fraud for possessing 
        numerous gift cards containing bank account and debit 
        information from individuals in the United Kingdom. Further 
        investigation found laptop computers and memory sticks 
        containing bank information for thousands of U.K. bank 
        customers. A massive credit and debit card fraud case in the 
        United Kingdom, involving up to 200 British gasoline stations, 
        is apparently another Tamil Tigers operation. The alleged 
        subjects obtained credit and debit card information at gasoline 
        pumps through the use of skimming machines, with the loss was 
        estimated to be as much as $72,000,000.
    I look forward to reviewing the committee's review into the 
effectiveness of the PCI standards to reduce data breaches, identity 
theft, and the potential funding of terrorism, and I stand ready to 
assist the committee in that mission.
                                 ______
                                 
Statement for the Record Submitted by Kirsten Trusko, on Behalf of the 
                Network Branded Prepaid Card Association
                             March 31, 2009
    Chairwoman Clarke and Members of the subcommittee, I am Kirsten 
Trusko, President and Executive Director of the Network Branded Prepaid 
Card Association (``NBPCA'' or Association''). We are a non-profit 
trade organization, which seeks to serve consumers, businesses, and 
Government through unique applications of network branded prepaid 
cards, and in doing so supports the growth and success of network 
branded prepaid cards. We represent the common interests of the many 
players in this new and rapidly growing payment category. The NBPCA's 
members include banks and financial institutions, the major card 
networks, processors, program managers, marketing and incentive 
companies, card distributors and law firms. For additional information 
about our organization, may we suggest you visit our Web site, 
www.NBPCA.com. I am delighted to submit factual information that we 
hope will help to address your questions on a topic that is of utmost 
importance to our members: accurately understanding and mitigating the 
potential risks posed by network branded prepaid cards.
    This document is designed to outline the following topics, at a 
high level. Should you have follow-up questions, please let us know.
    1. What is a network branded prepaid card and how does it differ 
        from other cards?
    2. Why is this card type growing and popular (including quotes from 
        the Federal Reserve and Office of the Comptroller)?
    3. What are the facts to correct misperceptions about network 
        branded prepaid cards?
    4. How are NBPCA's members working with legislators, regulators, 
        and law enforcement to mitigate the potential for misuse of the 
        cards?
             i. what are ``network branded prepaid cards''?
    We hope to clarify some misconceptions by being clear about the 
facts.
   First, there are many types of plastic, magnetic-striped 
        cards that are all called ``prepaid.'' That is, before one uses 
        the card to make a purchase, one must pre-pay the funds, which 
        are held by a bank. The cardholder uses the cards to gain 
        access to the funds. You cannot spend a $50 gift card, for 
        example, until the $50 has been paid in advance.
   However, not all prepaid cards are ``network branded.'' 
        Network branded cards (sometimes referred to as ``open loop'' 
        or ``open system'' cards) are issued by regulated financial 
        institutions, carry the brand of a major card network (such as 
        American Express, Discover, MasterCard or Visa) on the front of 
        the card, and are generally \1\ usable anywhere that brand is 
        accepted. Some network branded prepaid cards are also usable at 
        ATMs to obtain cash for limited daily amounts.
---------------------------------------------------------------------------
    \1\ We say ``generally'' because some network branded prepaid cards 
have specialized usage which creates some limitations. For example, 
``teen cards'' are designed so that they cannot be used in liquor 
stores, and health cards may have restrictions to health-only merchants 
and/or purchases.
---------------------------------------------------------------------------
   Although many network branded prepaid cards display the word 
        ``DEBIT'' on the front of the card, they are not ``debit 
        cards'' in the classic sense of the word. That is, network 
        branded prepaid cards are not linked to an individual's 
        personal checking, savings, or other bank account. Instead, the 
        funds are held in pooled bank accounts with data that links 
        each card to the cardholder's funds. This distinction enables 
        the under-banked population to use these cards to receive child 
        support, unemployment, and other funds that are essential to 
        daily life, transaction that are very difficult to administer 
        on a cash-only basis.
   Network branded prepaid cards are also separate and distinct 
        from ``retailer gift cards'' (sometimes referred to as ``closed 
        loop'' cards). Retailer gift cards are not issued by a 
        financial institution and can only be used at one location (or 
        at one chain of affiliated locations). Retailer gift cards are 
        issued by a restaurant, store, hotel, or other retail service 
        provider solely for use to purchase goods or services at the 
        issuing retailer's establishment.
   Attached to this testimony are pictures of some popular 
        network branded prepaid cards issued by our members.*
---------------------------------------------------------------------------
    * The information referred to has been retained in committee files.
---------------------------------------------------------------------------
     ii. why have network branded prepaid cards become so popular?
    Network branded prepaid cards are a relatively new and growing 
product, largely developed in response to market needs not being met by 
other card types. They enable electronification of payments and the 
supporting data trail, to capture what was previously transacted with 
check or cash. They support specific applications by customer need 
(e.g. the under-banked consumer as mentioned earlier) and help to 
reduce costs and provide a better accounting/data trail for businesses 
and Government than when using cash or checks.
    The popularity of network branded prepaid cards is attributable to 
their unique ability to address cardholder needs in a variety of 
situations including health care, disaster relief operations, payroll, 
Government benefit payments, and gifting.
    The benefits that network branded prepaid cards provide was noted 
in an article published by the Philadelphia Federal Reserve Bank's 
Payment Card Center:

``The benefits that open-system prepaid cards offer for consumers, 
providers, and issuing banks contribute to the increased adoption of 
these payment applications. Consumers use these cards to pay bills, 
make purchases, and access cash from ATM networks. Prepaid cards can 
also be used to secure car rentals and to make hotel and air travel 
reservations. At the same time, holders of prepaid cards need not 
secure a traditional banking relationship nor gain approval for a 
deposit account or revolving credit. Prepaid card providers may be 
nonbank third parties, such as employers and payroll processing 
companies, that can use prepaid cards as a means to convert paper 
disbursements, such as payroll checks, benefit claims forms, travel 
checks, gift certificates, and government checks, to less costly 
electronic payments. Finally, bank card issuers have an opportunity to 
serve a broader set of consumers. By offering prepaid cards, issuing 
banks may meet the financial needs of consumers who may not otherwise 
qualify for more traditional banking products, and these banks may do 
so with a card-based electronic payment application that essentially 
eliminates credit risk for the bank. (Cheney and Rhine, Prepaid Cards: 
An Important Innovation in Financial Services, Philadelphia Federal 
Reserve Bank Payment Center (Originally published in conjunction with 
the American Council on Consumer Interests (ACCI) (July 2006)).''

    Additionally, the Office of the Comptroller of the Currency, in a 
July 2005 report, (http://www.occ.treas.gov/cdd/payrollcards.pdf) 
compared the cost of network branded prepaid payroll cards versus the 
alternatives available to the under-banked, noting the following 
benefits:
Benefits to Employers
   Reduced bank processing fees and check handling fees;
   Reduced check printing costs;
   Reduced likelihood of check fraud;
   Reduced check reconciliation costs;
   Increased employee productivity (e.g., not needing time off 
        during work to cash or deposit paycheck);
   Reduced lost/stolen check replacement costs.
Benefits to Employees
   Reduces or eliminates check cashing fees;
   Offers ability to make purchases using credit card networks;
   Offers 24-hour access to funds via ATMs; no need to wait in 
        lines;
   Reduces the need to carry a lot of cash;
   Makes money transfers more easily available to families;
   Provides a pseudo-bank account--funds do not need to be 
        withdrawn entirely as with using a check casher;
   Please refer to Table 5 in the OCC report as it documents 
        their comparison of consumer costs across Payroll card, Check 
        Casher, and Basic Bank account, reflecting Payroll card as the 
        option least costly to the consumer.
   iii. misunderstandings/myths about network branded prepaid cards.
    Despite the many benefits of network branded prepaid cards, aspects 
of these products are misunderstood. This may be because organizations 
not typically associated with financial products are sometimes involved 
in the creation and distribution of network branded prepaid cards. For 
example, some network branded prepaid cards are available through non-
traditional distribution channels such as supermarkets and drug stores. 
Misconceptions about network branded prepaid cards, which have gained 
currency through repetition, have the potential to affect the industry 
negatively--particularly with respect to issues relating to money 
laundering risks. My testimony today addresses several major 
misconceptions by providing factual information that supports a fair 
and accurate assessment of money laundering risks associated with 
network branded prepaid cards. Here are some misunderstandings about 
network branded prepaid cards:
    Myth No. 1: Prepaid cards are unregulated or loosely regulated.--
Every network branded prepaid card (i.e., those carrying the logo of 
American Express, Discover, MasterCard, or Visa) is issued by a highly 
regulated financial institution or other regulated organization. As 
such, network branded prepaid cards are subject to exam, review, and 
oversight. For example, the FFIEC BSA/AML Bank Examination Manual (July 
2006) sets forth specific requirements for examining banks regarding 
their ``electronic cash'' products (which encompasses ``stored value'') 
including OFAC screening, transaction testing, and monitoring for 
suspicious activity. In addition, many prepaid card program managers, 
distributors, and organizations that perform specific functions 
relating to processing or distributing network branded prepaid cards, 
are regulated by State banking departments as money transmitters or 
check sellers. As such, they also are subject to exam, review, and 
oversight. State regulators are increasingly requiring money 
transmitters to:
    (1) Register as Mobs with FinCEN,
    (2) Have AML policies that address customer due diligence, OFAC 
        screenings, and suspicious activity monitoring, and
    (3) Have independent reviews of their AML policies.
    Altogether, there are over 50 laws/regulations that apply to 
network branded prepaid cards. The applicability of these laws/
regulations depends on a number of factors including the charter of the 
financial institution issuer.
    Myth No. 2: Prepaid cards are ``ideal'' for money laundering.--
Network branded prepaid cards are actually less useful for money 
laundering than many other payment products for the following reasons:
   The value associated with network branded prepaid cards 
        issued in the United States consists of funds held in a bank 
        account in the United States. These funds can--at any time--be 
        frozen by the card issuer and/or forfeited entirely. Unlike 
        ``bearer instruments'' or chip-based cards, where whoever holds 
        the product also holds the value, network branded prepaid cards 
        keep the value separate, making the products less attractive to 
        criminals.
   All network branded prepaid cards are processed through an 
        on-line system that requires electronic authorization from the 
        payment network prior to completing a purchase transaction at 
        the point of sale or obtaining cash from an ATM.
   The system enables card issuers to decline an authorization 
        and/or to cancel the ability to use a prepaid card. The ability 
        of the card issuer to terminate a card's usefulness, without 
        requiring possession of the card, is critical--and is a feature 
        not shared by most traditional payment products. The on-line 
        system tracks and records every use of every network branded 
        prepaid card. Unlike paper payment products (such as checks, 
        travelers checks, money orders, and cash), network branded 
        prepaid cards leave a traceable trail of use including place, 
        time, date, amount, and often the nature of the transaction. 
        This trail has already assisted law enforcement in tracking 
        illicit activity through use of prepaid cards.
   If a network branded prepaid card issuer identifies unusual 
        or suspicious activity, the card can be blocked from further 
        use. Card programs routinely monitor card activity and, as 
        appropriate, file suspicious activity reports (SARs) or notify 
        law enforcement.
    Myth No. 3: Network branded prepaid cards can be both anonymous and 
permit ATM access, with liberal load limits or no limits on the amount 
of cash that can be accessed.--Today, ``anonymous'' (meaning that no 
identifying information is obtained from the purchaser and verified) 
network branded prepaid cards are limited to the gift or reward card 
category (although many network branded gift/reward cardholders are 
identified and verified as well). Such anonymous gift/reward cards have 
significant restrictions that minimize risk of misuse such as a 
relatively low maximum dollar value, no ability to access cash through 
ATMs, and no ability to load additional funds after the initial funds 
are depleted. In addition, some issuers restrict usage of anonymous 
cards to the United States.
    Myth No. 4: Prepaid card issuers do not require Customer 
Identification Programs (CIP) nor OFAC screening for individual prepaid 
cardholders.--Reloadable, cash-accessible network branded prepaid cards 
are not available anonymously. Issuers routinely subject individuals 
purchasing such cards to CIP and OFAC screening, to the same extent as 
is required for financial institutions opening ``accounts'' under the 
Bank Secrecy Act. These verification and screening procedures are 
identical to those conducted when any on-line bank account is opened.
    Myth No. 5: A consumer can use cash to purchase a high-value, 
reloadable network branded prepaid card from a j-hook and use it 
anonymously.--When a consumer purchases a reloadable network branded 
prepaid card from a j-hook in a retail location, a process called 
``activation'' is typically required before the cardholder may use the 
card for a purchase or to access cash. In other words, although the 
consumer may purchase the card without identity verification, he/she 
may not use the card until the identity verification process is 
complete. The activation process typically involves the cardholder 
telephoning the card issuing financial institution (or a specialized 
organization with which the issuer has contracted) and providing 
personal identification information. The financial institution then 
verifies various elements of customer information including name, 
address, Social Security Number, and/or date of birth using a third-
party authentication system such as Experian, Lexis-Nexis, or Equifax--
just as they would a bank account. The issuer also screens customers 
against the OFAC Specially Designated Nationals list. If the cardholder 
does not ``pass'' this process, the card is either not usable or not 
reloadable.
      iv. the nbpca's anti-money laundering recommended practices
    In February 2008, the NBPCA released its ``Recommended Practices 
for Anti-Money Laundering Compliance for U.S.-based Prepaid Card 
Programs.'' The document provides recommendations for all network 
branded prepaid card industry participants to support compliance with 
the U.S. Bank Secrecy Act (BSA) anti-money laundering (AML) program 
requirements. It recommends how to implement internal controls, monitor 
and manage third parties involved with prepaid card processes and 
mitigate risks associated with money laundering.
    To ensure the document addresses the questions and concerns of law 
enforcement and Government agencies, the NBPCA has and will continue to 
maintain an open dialogue with Federal, State, and local regulatory 
agencies as well as law enforcement officials. The document address 
risks identified through information sharing between the industry and 
critical agencies that monitor financial crime. ``Recommended Practices 
for Anti-Money Laundering Compliance for U.S.-based Prepaid Card 
Programs'' is a practical guide to setting up, implementing, and 
auditing a compliance program. It covers the following areas:
    1. How to conduct a risk assessment.
    2. How to establish a set of internal controls to achieve 
        compliance with AML program requirements of the BSA.
    3. Federal reporting requirements and red flags to look for with 
        respect to suspicious activity.
    4. Adopting and implementing programs to comply with know your 
        customer requirements.
    5. Reducing risk when working with non-financial institutions, 
        third-party agents, and processors.
    6. How to implement independent compliance testing.
    7. Training program guidelines for key personnel.
    The NBPCA has made ``Recommended Practices for Anti-Money 
Laundering Compliance for U.S.-based Prepaid Card Programs'' available 
to anyone in the prepaid card industry. The report, which can be 
downloaded from the NBPCA Web site at www.nbpca.com, has been widely 
praised and was well-received both by Government and private entities.
   v. the nbpca's role on the bank secrecy act advisory group (bsaag)
    In 2008 the NBPCA was selected for membership in the Bank Secrecy 
Act Advisory Group (BSAAG), a group made up of industry 
representatives, regulators, and law enforcement, implemented by an act 
of Congress. BSAAG's role is to advise the Department of Treasury's 
Financial Crimes Enforcement Network (FinCEN) on matters related to 
anti-money laundering risks and Bank Secrecy Act compliance. In 
addition to its role on BSAAG, the NBPCA co-chairs the Stored Value 
Subcommittee, a subcommittee focused on the potential risks presented 
by prepaid cards and the ways to mitigate those risks.
             vi. risks presented by data security breaches
    Data security breaches and the misuse of consumer account 
information by criminals and money launderers is an increasing problem 
for the U.S. payment system. Because network branded prepaid cards use 
the same card payment infrastructure as credit cards, prepaid 
cardholders can be victims of such data security breaches. However, 
because prepaid cards are not connected to an individual's bank account 
or credit card accounts, the risks posed by such data breaches tend to 
be far less for prepaid card issuers than they are for credit and debit 
card holders. This is one of the reasons consumers who also use credit 
and debit cards, are attracted to prepaid card use as any breach of the 
card limits access to only the balance available on the card. And of 
course, like credit and debit cardholders, most network branded prepaid 
card holders are protected against losses from unauthorized use, thanks 
to the card brands' ``zero liability'' policies which are incorporated 
into the payment network operating regulations governing issuers.
                            vii. conclusion
    Network branded prepaid cards are a new and valuable payment 
product for consumers, businesses, and Government. As with any payment 
product, network branded prepaid cards can be misused by the criminal 
element. Nevertheless, the NBPCA has long encouraged practices that 
reduce the opportunities for prepaid cards to be used in illicit 
activities. Prepaid cards are vital and important products which serve 
a substantial number of people, including those that are under-banked 
and would have no other connection to the banking infrastructure so 
critical to daily life in the United States. The NBPCA continues to 
support national and international efforts to combat money laundering, 
terrorist financing, and financial crime. We are also committed to 
ensuring that our products are available to help consumers and 
businesses maintain access to the payment system, have secure and 
protected payment products, and reduce costs and inefficiencies for 
consumers, businesses, and government.

    Ms. Clarke. I now ask each witness to introduce yourself 
and summarize your statement for 5 minutes beginning with Mr. 
Russo.

STATEMENT OF ROBERT RUSSO, DIRECTOR, PAYMENT CARD INDUSTRY DATA 
                   SECURITY STANDARDS COUNCIL

    Mr. Russo. Thank you, Chairwoman Clarke. Thank you for the 
opportunity to testify on the critical issue of payment card 
data security. Payment card fraud concerns every American and, 
in a global economy, every consumer worldwide. The payment card 
system is one that manages billions of transactions 
representing trillions of dollars moving across a global 
network. Reducing payment card fraud and constantly innovating 
to stay ahead of it is a critical challenge.
    The PCI Security Standards Council was formed in 2006 just 
for that purpose. Our mission is to protect cardholder data 
from criminal elements who constantly manufacture new and 
inventive ways to compromise security systems.
    At the center of our efforts to do this are three 
standards. Let me tell you about each.
    First, the PCI Data Security Standard, or the DSS, is a set 
of 12 security practices based on six core principles. The DSS 
covers everything from securing applications, to networks, to 
their perimeters, to maintaining an incident response plan.
    Second, our payment application data security systems is 
designed to ensure that payment applications, which are found 
in many retailers, are not storing sensitive payment card data.
    Third, the PIN security requirements ensure that the PIN 
entry devices, devices that you may see at a checkout line to 
enter your PIN number, have been designed to properly encrypt 
the customer's PIN and are tamper-proof.
    But new threats continue to emerge. That is why development 
and review of the PCI standards is a critical process and why 
the PCI Security Standards Council takes it seriously. We 
engage our community of participating organizations, more than 
500 merchants, processors, financial institutions, technology 
companies, Government, academia, and trade associations 
worldwide to ensure our standards meet the latest threats, and 
when new threats emerge we have mechanisms to take swift 
action.
    These include regular updates to our testing procedures, 
monthly Webinars with both assessors and merchants; flash 
bulletins on emerging threats; as well as on-going updates to 
the standards themselves.
    Our goal is simple: To have every organization that stores, 
processes or transmits cardholder data do so in accordance with 
the PCI standards. I have no doubt that compliance with the PCI 
standards is an entity's best line of defense against payment 
card data compromise. In fact, we have never found a breached 
entity to have been in full compliance with the PCI standards 
at the time of a breach.
    But we also recognize that the dynamic nature of any 
organization can render a validated system noncompliant almost 
immediately after a satisfactory compliance report has been 
issued. Effective security is not a one-time snapshot, but 
really a full-length feature film where the organization is 
compliant at each and every frame.
    No standard is perfect. But the PCI security standards have 
proven to be the most effective means of preventing data 
breaches and protecting consumers.
    One final point. In order to assist organizations with 
maintaining and achieving compliance with our standards, the 
Council provides a wide range of resources. For example, the 
on-going training, approval and quality assurance of qualified 
security assessors; a worldwide network of professionals that 
conduct on-site compliance assessment; the validation of a 
worldwide network of approved scanning vendors who do remote 
scanning of networks, secure them against network threats; and 
finally, an education program that includes printed materials, 
on-line resources, Webinars and face-to-face training sessions.
    Payment card fraud is a serious concern demanding a 
serious, continuous and vigorous response. The PCI Security 
Standards Council has made its sole mission the securing of 
cardholder data.
    Thank you and I look forward to answering your questions.
    Ms. Clarke. Thank you for your testimony.
    [The statement of Mr. Russo follows:]
                   Prepared Statement of Robert Russo
                             March 31, 2009
                              introduction
    Chairwoman Clarke, Ranking Member Lungren, Members of the 
subcommittee, thank you for the opportunity to testify on the important 
issue of payment card data security.
    My name is Bob Russo and I am the general manager of the PCI 
(Payment Card Industry) Security Standards Council. The Council is an 
industry standards body responsible for developing security standards 
that merchants (such as retailers, transportation companies, hotels, 
etc.) and payment card transaction processors use to protect customers' 
payment card data as it is stored, processed, or transmitted from the 
point of sale to the card issuer for authorization and subsequent 
processing.
    Payment card fraud is something that concerns all of us, both 
businesses and consumers alike--from the pizza shop down my street to 
the country's largest retailers; from a single parent who manages the 
household finances to the businesswoman who conducts trade globally. 
For the consumer, having one's card data stolen can be an inconvenient 
and stressful experience, even though here in the United States the 
consumer normally bears no liability for any ensuing fraudulent 
transactions. It is also very costly for financial institutions that 
have to mitigate the damage associated with a payment card compromise, 
and for businesses that can lose customer confidence and suffer damage 
to their reputations. Data theft impacts everyone in the payment 
stream.
    The PCI Security Standards Council was formed with the intent of 
providing tools and resources to protect payment card data from all 
threats, regardless of motivation. In the less than 3 years since our 
formation, we have made tremendous strides toward this goal--and our 
efforts continue. We welcome the subcommittee's interest in the topic 
of payment card data protection, and appreciate the Government's on-
going commitment to understanding and exploring the initiatives 
underway to contain and reduce fraud for consumers and businesses 
globally. We look forward to working with the subcommittee to continue 
to reduce payment card data compromise and invite the subcommittee to 
use the Council as a resource as it develops policies to combat 
cybercrime.
    My testimony today will cover the background and history of the 
Council, how we came about, what we seek to do and with whom we work to 
develop and maintain the standards in a dynamic security environment. I 
will also detail some of the tools and resources we have made available 
to the market to enable businesses to secure payment card data wherever 
it is processed, stored, or transmitted.
                about the pci security standards council
    The PCI Security Standards Council, LLC is a global forum for the 
on-going development, enhancement, dissemination, and implementation of 
security standards for payment card data protection.
    The Council was founded in September 2006 by the five major payment 
card brands: American Express, Discover, JCB, MasterCard, and Visa. 
Together, these five brands represent the vast majority of payment card 
transactions both Nation-wide and globally. In coming together, these 
organizations agreed to work together to develop and recognize one set 
of data security standards to protect payment card data that is stored, 
processed, or transmitted.
    Prior to the formation of the Council, each of the payment card 
brands developed their own set of requirements to ensure that the data 
of those carrying their respective cards was maintained in a secure 
fashion. Consequently, retailers and other merchants expressed 
frustration at the challenges of securing payment card data in a way 
that was not universally recognized by all the payment card brands with 
which they did business. Organizations involved in the payment process 
also highlighted their desire for a mechanism to contribute to the 
payment card data security agenda and to provide input and gain insight 
into the security standards they would be using. It is for this reason 
that broad participation and transparency are core tenets of the 
Council's operating principles.
    The Council is but one example of the hundreds of private sector-
based entities that have been formed to develop voluntary consensus 
standards across virtually all branches of industry to serve new needs 
as they arise, thereby helping to ensure that businesses can conduct 
their operations responsibly at home, and competitively around the 
globe. This private sector role in standards development was mandated 
by Congress in 1995 by its enactment of the National Technology 
Transfer and Advancement Act (Pub. L. 104-113) (``the Act''). The Act 
requires Government agencies to dramatically decrease the creation and 
use of ``Government-unique'' specifications in their procurement 
activities, and instead rely on voluntary consensus and private sector 
standards whenever possible, as well as to report, via the National 
Institute of Standards and Technology, their compliance with this 
directive. In 1998, the Office of Management and Budget (OMB) updated 
Circular A-119 to provide additional guidance to the Federal agencies 
on implementing the Act. Under the Act, Government agencies are 
requested to participate in developing voluntary consensus private 
sector standards to the extent that their resources allow. Consistent 
with this mandate, several governmental entities participate in the PCI 
Security Standards development process.
                         the council's mission
    The mission of the PCI Security Standards Council is to enhance 
payment card data security by developing and maintaining appropriate 
security standards and related tools, and driving education and 
awareness of the critical importance of data security. Even though the 
Council is a business-focused organization, this mission has at its 
heart the protection of consumers. The Council works to provide the 
necessary tools and resources that organizations should use to protect 
their customers' payment card data successfully.
    As discussed below, the Council achieves this end by enabling a 
sophisticated, global security infrastructure based upon five highly 
specialized and important mechanisms:
    1. Standards for implementation by both those that store, process, 
        and transmit payment card data, as well as those that sell the 
        devices and other equipment that access and transmit such data.
    2. Approval, training, and on-going quality assurance of a 
        worldwide network of ``Qualified Security Assessors'' (QSAs) 
        that conduct on-site assessments to determine whether those 
        with access to payment card data are in compliance with 
        applicable Council standards.
    3. Approval, training, and on-going quality assurance of a 
        worldwide network of ``Approved Scanning Vendors'' (ASVs) that 
        conduct remote scanning of networks to determine whether those 
        networks are secure against most network-based attacks.
    4. Training and approval of laboratories that can in turn approve 
        certain products to be in adherence with applicable Council 
        standards.
    5. Training and education of payment process participants through 
        classroom sessions, collateral material and webinars, so they 
        are aware of the importance of protecting payment card data 
        from emerging threats and can actively participate in 
        protecting themselves and their customers from attacks.
    how the council differs from other parties in the payment chain
    As a standards body, the Council is responsible for developing and 
maintaining the security standards and other tools necessary to protect 
payment card data within the payment process. The Council publishes 
these standards for anyone to access but specifically for the payment 
card industry's use in security and compliance programs. It is 
important to distinguish between this role as standards custodian and 
industry body from those organizations that may validate compliance or 
enforce compliance through rules, rewards, or actions against parties 
not yet compliant with applicable security standards.
    The Council does not validate the compliance of any entity or 
vendor with its core standard, the PCI Data Security Standard (``PCI 
DSS''). Indeed, like any other organization that develops voluntary 
consensus standards, it does not have the authority or mechanisms to 
enforce compliance to its standards. Consequently, the Council does not 
run standards compliance programs. Instead, each payment card brand 
maintains its own compliance programs based upon the Council's 
standards, adding their own stipulations and requirements for 
demonstrating compliance for those businesses that must comply. 
Therefore, the Council has no direct business relationships with those 
entities that store, process, or transmit payment card data, and does 
not have the responsibility or contractual right to validate 
compliance, enforce, or levy fines for non-compliance with the security 
standards that it publishes. Each of these roles is performed by the 
payment card brands.
                       the council's stakeholders
    In order to be certain that the Council's standards are as clear 
and comprehensive as possible, we seek input from a wide range of 
stakeholders as part of the standards development process. For 
instance, the Council's Participating Organization program is open to 
any organization involved in the payment chain--merchants, banks, 
processors, Government, and academia. To date, more than 500 leading 
national, regional, and global players are part of this effort.
    Participating Organizations provide the Council with real world 
insight and experience in deploying security standards in the field, 
and have deep understanding of the challenges and threat vectors that 
security standards must address. Together, these Participating 
Organizations represent the people who are responsible for securely 
handling and defending consumers' payment card data against attack on a 
daily basis, and therefore provide a valuable resource in feeding 
front-line threat information into the Council.
    From among the Participating Organizations, a smaller group of 21 
representatives are seated as the Council's Board of Advisors every 2 
years through an open election and appointment process. Two-thirds of 
the Board of Advisors are elected, with the remainder appointed to 
ensure adequate geographical and industry representation. These 
organizations act as spokespersons for their respective industries and 
regions and ensure that the Council is able to partner with industry at 
a very detailed and actionable level in the standards-setting process. 
The Board of Advisors is a critical enabler in our mission to secure 
businesses' payment processes and consumers' payment card data 
globally.
    Our current Board of Advisors is composed of leaders in their 
respective industries such as Wal-Mart Stores, Inc., Microsoft, PayPal, 
First Data Corporation, and British Airways. The Board has worked 
tirelessly with the Council over the past 2 years to highlight areas of 
need in the market, and to devise educational resources that are of 
immediate benefit to organizations looking to improve their security.
    I want to recognize here for the record the hard work of our 
Participating Organizations and Board of Advisors, all of whom 
contribute to the Council's security standards in an entirely voluntary 
capacity.
    In addition to our Participating Organizations, the Council's QSA 
and ASV communities, together numbering more than 250 companies 
worldwide, provide valuable insight from the front lines of examining 
merchants and processors systems. QSAs and ASVs are able to provide 
feedback on where the implementation challenges lay and when common 
security vulnerabilities appear. The Council is in constant two-way 
communication with this group through webinars, newsletters, and, of 
course, the Council's annual QSA and ASV retraining and examination 
processes.
                       the pci security standards
    The Council's security standards--the tools it makes available for 
use by public and private sector entities to secure payment card data--
are designed to protect specific parts of the payments process. The 
Council is constantly looking for new ways to secure the payment 
process and maintains a dialogue with its Board of Advisors and other 
industry stakeholders to bring new resources to the market to further 
protect consumer's payment card data. As a result, since its inception 
in 2006, the Council has assumed management responsibility for several 
payment security standards in addition to the more-well known PCI DSS, 
with the mission of increasing payment card data security. I'd like to 
give a brief overview of the standards the Council currently manages 
and updates:
PCI Data Security Standard
    The PCI Data Security Standard is a set of 12 detailed requirements 
designed around six principles fundamental to securing payment card 
data. At the heart of this standard is the requirement that 
organizations do not store sensitive payment cardholder information 
typically contained in the magnetic stripe on the back of the payment 
card. This is the information that criminals want to steal to create 
counterfeit cards. The fundamental principle of the PCI DSS is that 
organizations must not store sensitive data. Where information such as 
the Primary Account Number (PAN) or expiration date is stored, it must 
be rendered unreadable. This generally means that it must be truncated, 
hashed, or encrypted, so that unauthorized access to such data will be 
of limited use to a criminal.
    Along with these fundamentals, the very detailed requirements of 
the PCI DSS cover areas ranging from securing applications, networks, 
and perimeters to maintaining up-to-date security patches and anti-
virus software, to things like developing and maintaining an incident 
response plan and processes for an organization to follow in the event 
of a breach.
The Payment Application Data Security Standard (PA-DSS)
    The Council developed this standard after feedback from our 
Participating Organizations and member brands indicated that software 
applications represented a point of weakness in the payment chain. 
These payment applications range from touchscreen applications you 
might see used in a restaurant, to point-of-sale software used in 
ticketing kiosks in museums and theme parks. Unless otherwise required 
by the customer demanding PA-DSS compliance, some of these payment 
applications may be designed to store sensitive payment card data 
thereby undermining an organization's efforts to comply with the PCI 
DSS. The Council introduced a process that enables payment applications 
to be tested in laboratories to determine whether they are secure, not 
storing payment card data, and whether they are capable of helping, 
rather than hindering, an organization's efforts to comply with the PCI 
DSS. The Council maintains a list on our Web site of validated payment 
applications that have been tested in and approved by laboratories for 
merchants to use in assessing their own applications and making 
informed purchasing decisions.
The PIN Entry Device Security Requirements
    The PIN Entry Device security requirements have the same underlying 
principle as the PA-DSS. They are designed to enable organizations to 
protect consumer's payment card data and ensure that PIN Entry Devices 
have been designed not to store payment card information, thus 
jeopardizing organizations' PCI DSS compliance efforts. As a PIN Entry 
Device is a physical object, these requirements cover not just ensuring 
that a device does not store sensitive data, but also that it is 
tamperproof, and that, should the device be compromised, its contents 
will self-destruct.
    The Council maintains a list at its Web site of approved devices 
that have been successfully tested in Council-approved laboratories for 
merchants to cross-reference against their own devices and to assist 
them in making informed purchasing decisions. The Council is currently 
working to expand the scope of this program to include a broader array 
of device types, including unattended payment terminals such as ticket 
kiosks and self-service machines.

    Development and review of the PCI standards is a continuous 
process. In the case of the PCI DSS, the Council follows a defined 24-
month life-cycle process that incorporates a feedback period from 
stakeholders and allows for periods of review by the Council's Board of 
Advisors, Participating Organizations, QSAs, and ASVs.
    While a planned life-cycle process is important, it is equally 
important that the Council be responsive to emerging threats. As a 
result, we have several mechanisms for on-going communications with 
assessors (QSAs and ASVs), merchants and other stakeholders to provide 
guidance as new threats emerge. These include:
   Errata to the DSS itself;
   Flash bulletins on emerging threats;
   A monthly newsletter to the Assessor community with the 
        latest threat information & corresponding changes required to 
        the assessment process;
   Regular updates to the ASV test scanning environment to 
        reflect new threats emerging ``in the wild'';
   Monthly Webinars with both assessors and merchants;
   Updates to the Council's on-line searchable FAQ and training 
        materials to ensure they include the latest information on the 
        threat landscape.
           the nature of the compliance challenge and process
    Validation of compliance with the PCI Data Security Standard can 
only represent a snapshot in time that coincides with information 
shared with and interpreted by a QSA during the assessment period. 
Unfortunately, the dynamic nature of any organization's systems and 
network environments can result in a wide variety of actions or 
inactions that can render a validated system noncompliant almost 
immediately after a satisfactory compliance report has been issued. As 
a result, effective compliance is a full-length feature film where the 
organization is ``compliant'' at each and every frame of that film. For 
that reason, the Council believes achieving and maintaining compliance 
with PCI DSS and continuous vigilance regarding other security 
practices is an on-going process that must systematically be integrated 
into every organization's development and operational practices and 
policies in order to serve as the best line of defense against a data 
breach.
    The evidence of data breaches demonstrates that criminal elements 
continue to manufacture new and inventive ways to compromise security 
systems, and we can assume that this will continue to be true. The 
Council, its members and others are working diligently to secure 
payment card data against increasingly experienced and organized 
criminals. In spite of the severity of this continually dynamic threat 
landscape, the Council believes achieving and maintaining compliance 
with the PCI DSS is the best line of defense against data breaches.
    It is important to note that the members of the Council report that 
they have never found an entity that has been subject to a data breach 
that was also in full compliance with the PCI DSS at the time of the 
breach. Nonetheless, there is no such thing as perfect security. An 
organization could very well be compliant on the day its QSA wrote its 
assessment report, but noncompliant thereafter, at the time of a data 
breach. Many things can cause the protection to break down--logging 
rules not being followed, delaying installation of software patches, 
installing untested software, etc. Any of these examples (and many 
more) may cause a previously validated company to no longer be 
compliant, and therefore vulnerable to attack. Organizations must not 
take solely a checklist approach to security, or rely on periodic 
validation on a specific day as their security goal, but must instead 
exercise continuous vigilance and maintain a strict security program 
that ensures constant and ongoing PCI DSS compliance.
        the future of the council's efforts and payment security
    To succeed in the fight against cybercriminals who target our 
payment systems will require the continued vigilance and work of all 
parties involved in the payment chain. No system is perfect, and while 
breaches can be expected to continue to occur, through our efforts and 
the pervasive adoption of the Council's standards and the best 
practices it advocates, the work of these thieves will remain as 
difficult as possible.
    When breaches do occur, the Council works with its member brands, 
forensics investigators and, at times, through direct outreach to seek 
information from breached entities, to determine the root causes of the 
breach. If a need to strengthen the Standards or the Council's 
Assessment programs is identified, we have mechanisms in place for 
taking swift action.
                               conclusion
    Once again, I want to thank Chairwoman Clarke, Ranking Member 
Lungren and the subcommittee Members for their oversight of this issue 
and for providing me the opportunity to testify on the important issue 
of payment card data security. We hope that those entities that handle 
payment card data take from this hearing the understanding of their 
responsibilities to consumers, shareholders, and society at large to 
increase focus on their payment security efforts. Using the PCI 
Security Standards should act as a baseline for their doing so. We also 
hope that many more of them will join us as Participating 
Organizations, willing to help shape the future of payment security 
standards based on their own experience of defending payment data 
against attack on a daily basis.

    Ms. Clarke. I now recognize Mr. Majka to summarize his 
statement for 5 minutes.

    STATEMENT OF W. JOSEPH MAJKA, HEAD OF FRAUD CONTROL AND 
       INVESTIGATIONS, GLOBAL ENTERPRISE RISK, VISA, INC.

    Mr. Majka. Chairwoman Clarke and Members of the committee, 
my name is Joe Majka. I am head of Fraud Control and 
Investigations for Visa, Inc. I have been with Visa for over 12 
years, and I have over 28 years of experience in corporate 
security investigations and law enforcement, specializing in 
the area of financial crimes.
    I want to thank the committee for this opportunity to 
appear at today's hearing and to explain who Visa is in our 
role as a leader in global data security. It is important to 
note that Visa's fundamental role is to facilitate transactions 
between millions of consumers and businesses. Visa is not a 
bank and we do not issue payment cards. Visa is a network that 
connects 1.6 billion global payment cards, 29 million worldwide 
merchants, and over 16,000 financial institutions in 170 
countries.
    Through electronic payment networks like Visa, the entire 
economy benefits from a more transparent, cost effective, and 
secure commercial activity.
    I am pleased to be here to talk with you about data 
security and about the payment card industry data security 
standard in particular. In our view, the best way to secure 
payments is by applying two core principles.
    First, security must be a shared responsibility among all 
relative parties--law enforcement, payment companies, 
regulatory agencies, retailers, and others. Only together can 
we protect all parts of our shared system.
    Second, we must collectively apply multiple layers of 
security to protect the system. That includes measures applied 
at the card level such as card verification values or 
transaction alerts, and includes measures applied at the point 
of sale, such as standards for secure devices and best 
practices for data storage, and it includes measures applied at 
the network level, including neural networks and fraud 
monitoring.
    One of the most effective layers we have collectively 
applied to date is the PCI Data Security Standard. Visa 
acquires all entities that store transmitter Visa card data to 
comply with the standards. To our knowledge, no organization 
that is fully implemented and maintained compliance with the 
standard has been a victim of a data compromise event. We 
believe full compliance with the standard is a valuable 
component of a comprehensive security program and greatly 
reduces the risk of data compromise.
    While there have been a few instances where an entity that 
previously validated compliance was a victim of a compromise, 
in all cases our review concluded gaps in the compromised 
entity's PCI DSS controls were major contributors to the 
breach.
    Approximately 90 percent of the U.S. merchants and 80 
percent of third-party processors have validated PCI 
compliance. These organizations, like Michaels, deserve credit 
to enhancing their security practices to meet the minimum 
industry standard and for validating their compliance on at 
least an annual basis.
    This month in Washington, DC, Visa held our third Global 
Security Symposium, a symposium on payment security where Visa 
called on system participants for continued industry 
investment, collaboration, and innovation to keep the 
electronic payment system secure for the future. At this summit 
we heard from numerous individuals and organizations who 
reaffirmed the importance of on-going compliance with the PCI 
standards.
    Visa has maintained a long-standing relationship with law 
enforcement agencies over the years, supporting efforts to 
investigate and prosecute criminals committing payment card 
fraud. This relationship continues and is stronger than ever 
today as Visa and law enforcement agencies work together to 
combat cybercriminals in today's high-tech world.
    Visa was a founding member of the U.S. Secret Service 
Electronic Crimes Task Force in San Francisco and continues to 
actively participate in U.S. Secret Service task force groups. 
Visa also works closely with the FBI Cyber Division, U.S. 
Postal Inspection Service, State attorneys general, and the 
Department of Justice Computer Crime and Intellectual Property 
Section.
    In 2004, Visa provided investigative support to law 
enforcement which resulted in the indictment and extradition of 
Roman Vega, one of the most significant high-level 
cybercriminals at the time. Visa continues to support high-
profile investigations, including the arrests of criminals 
responsible for hacking into Dave and Busters and T.J. Maxx. 
Visa values our partnership with law enforcement and is 
committed to continuing to work closely with law enforcement to 
bring cybercriminals to justice.
    Protecting card holders is always a primary goal in 
responding to data compromise incidents. After learning of a 
data compromise, Visa immediately begins to work with the 
compromised entity, law enforcement, and the affected client 
financial institutions to prevent card-related fraud.
    In closing, securing consumer data within the U.S. economy 
is a shared responsibility, and every industry should deploy 
focused resources to protect consumer information within its 
care. We look forward to working with all participants to 
continue to develop tools to minimize the risk and the impact 
of data-compromise events.
    Thank you for the opportunity to be here today. I would be 
happy to answer any questions.
    Ms. Clarke. Thank you for your testimony.
    [The statement of Mr. Majka follows:]
                 Prepared Statement of W. Joseph Majka
                             March 31, 2009
                              introduction
    My name is Joe Majka. I am the head of Fraud Control and 
Investigations for Visa Inc. I have been with Visa for over 12 years 
and have over 28 years of experience in corporate security, 
investigations, and law enforcement, specializing in the area of 
financial crimes. I want to thank the committee for this opportunity to 
appear at today's hearing and explain who Visa is and our role as a 
leader in global data security. Visa plays a unique role in the 
financial system, facilitating commerce among millions of consumers and 
businesses here and around the globe. It is important to note that 
Visa's fundamental role is to facilitate transactions between consumers 
and businesses. Visa is not a bank. We do not issue payment cards 
(credit, debit, or prepaid), make loans to consumers, or set the 
interest rates or fees associated with card usage or acceptance. Visa 
is a network that serves as the connection point between 1.6 billion 
global payments cards, 29 million worldwide merchants, and 16,600 
financial institutions in 170 countries. In making these connections, 
Visa helps create significant value for each of the participants in our 
system. Consumers receive a more convenient, secure, and widely 
accepted way to make payments. Retailers benefit from the speed, 
efficiency, security, and reliability that only electronic payments can 
provide. They also receive guaranteed payment and can avoid the need to 
extend credit directly to their own customers. In fact, the entire 
economy benefits from electronic payments through more transparent, 
secure, and cost-effective commercial activity. The Visa Payment System 
plays a pivotal role in advancing new payment products and 
technologies, including initiatives for protecting cardholder 
information and preventing fraud.
    We're pleased to be here to talk with you about data security in 
the payment card industry and about the Payment Card Industry Data 
Security Standard in particular. But, I want to put this discussion in 
the context of a multi-layered approach to security that includes fraud 
control measures from the card, to the terminal, through to the Visa 
network. Visa understands that we must protect each link within our 
control and work with others to preserve the trust in every Visa 
payment. Visa is keenly focused on ensuring that payment products are 
not used to perpetrate identity theft or other criminal activity. Our 
goal is to protect consumers, merchants, and our client financial 
institutions from fraud by preventing fraud from occurring in the first 
place. To that end, Visa employs multiple layers of security, of which 
the PCI standard is an important one, but only one of many. We have 
taken a leading role in promoting cardholder information security 
within the payments industry. Visa and our participating financial 
institutions also provide solutions to prevent fraud and protect 
cardholders in the event of a data compromise. These include real-time 
fraud monitoring, identity theft assistance, consumer alerts, and zero 
liability for cardholders on fraudulent transactions. Visa provides 
sophisticated neural networks that enable our client financial 
institutions to block authorization transactions where fraud is 
suspected. Thanks to massive investments and innovative solutions, 
compromise events rarely result in actual fraud and fraud rates in the 
payments industry remain near all-time lows.
    The payment card industry, regulatory agencies, and law enforcement 
have individually and collectively taken extensive measures to prevent 
and mitigate the effects of consumer information compromises. In this 
regard, Visa has required all entities that store, transmit, or process 
Visa card data to comply with PCI DSS standards, has implemented 
incentives to encourage payment participants to make the significant 
investments needed to attain compliance, and has taken numerous steps 
to minimize the amount of cardholder data stored by system 
participants.
              payment card industry data security standard
    PCI DSS was the first security standard adopted by the PCI SSC, but 
it has not been a static standard. The PCI Security Standards Council 
is charged with reviewing and updating the standard to ensure that it 
remains effective to protect card data, by incorporating input from 
stakeholders as well as technological developments in the evolution of 
the standard over time. Visa recognizes that no set of standards can 
provide an absolute guarantee of security in a changing world, and PCI 
DSS is not an exhaustive list of all the security practices that may be 
effective to safeguard card data. To our knowledge, however, no 
organization that has fully implemented and maintained compliance with 
the PCI DSS has been the victim of a data compromise event. Therefore, 
we believe that full compliance with the standard is a valuable 
component of a comprehensive security program and greatly reduces the 
risk of data compromise. We also believe that PCI DSS controls are 
highly effective in mitigating the impact of data compromise events.
    Validating PCI DSS is a major milestone, but achieving and 
maintaining compliance requires companies to make an on-going 
commitment to keeping consumers' data safe--24 hours a day, 7 days a 
week, 365 days a year. While there have been a few instances where an 
entity that previously validated compliance was the victim of a 
compromise, in all compromise cases our review concluded that gaps in 
the compromised entity's PCI DSS controls were major contributors to 
the breach. As such, Visa continues to believe that standards 
validation is a valuable process that drives organizations to undertake 
the minimum steps necessary to protect cardholder data. While it is 
easy to focus on the failures that some entities have had with on-going 
compliance, we believe it is likely that many compromises have been 
prevented as a result of the strenuous efforts of merchants and 
processors to maintain compliance with PCI DSS.
                       visa security initiatives
    Visa leads the payment industry in providing merchants and service 
providers with incentives to validate and comply with PCI DSS in order 
to ensure that they properly protect cardholder data. In particular, 
Visa launched a Compliance Acceleration Program offering $20 million in 
incentive payments to promote compliance among the largest U.S. 
merchants that account for more than two-thirds of Visa annual 
transactions. Visa's combination of incentive payments and potential 
fines ultimately drove the vast majority of large U.S. merchants to 
validate their initial compliance with PCI DSS and to revalidate 
annually thereafter. At this time, approximately 90 percent of large 
U.S. merchants have validated PCI DSS compliance. Visa also publishes a 
list of service providers that have validated compliance with the PCI 
DSS, which has been the principal incentive in driving 80 percent of 
U.S. service providers to validate their compliance on an annual basis. 
These organizations, like Michaels, deserve credit for enhancing their 
security practices to meet the minimum industry standard and for 
validating their compliance on at least an annual basis.
    Visa has also made considerable strides toward eliminating the 
storage by merchants and processors of authorization data, which 
criminals covet to perpetrate fraud. This ``prohibited'' data includes 
full magnetic stripe information, the CVV2 or ``Card Verification Value 
2'' and PIN. Visa has executed a ``drop the data'' campaign over the 
past 3 years to encourage merchants to discontinue storage of 
prohibited data and reduce overall cardholder data storage. 
Additionally, Visa developed security standards for payment application 
vendors to support merchants in their security efforts by driving 
vendors to reduce data storage and provide more secure payment 
application products.
    Visa has executed a robust data security educational campaign to 
engage payment system participants in the fight to protect cardholder 
information. This campaign includes training for financial 
institutions, merchants, and service providers. Most large merchants, 
including Michaels, have attended one of Visa's security training 
seminars. Visa is also committed to educating system participants on 
emerging security threats and publishes regular security alerts and 
bulletins, and holds seminars focused on data security and fraud 
mitigation. Visa has partnered with organizations like the National 
Retail Federation to promote data security among its members and 
commends the NRF and Michaels for their data security efforts. Visa 
outreach also extends to participation in industry forums on data 
security, media campaigns, and partnerships with other industry groups 
made up of merchants, such as the U.S. Chamber of Commerce. This month 
in Washington, DC, Visa held our third Global Security Summit, a 
symposium on payment security where Visa called on system participants 
for continued industry investment, collaboration, and innovation to 
keep the electronic payment system secure for the future. The Global 
Security Summit reaffirmed the importance of on-going compliance with 
security standards and highlighted opportunities to actively engage 
consumers in the process of fraud prevention through Visa's transaction 
alerts and notifications service which can not only help consumers 
track and manage their accounts, but also provide an early warning of 
potentially fraudulent activity.
                   collaboration with law enforcement
    Visa has maintained a long-standing relationship with law 
enforcement agencies over the years, supporting efforts to investigate 
and prosecute criminals committing payment card fraud. This 
relationship continues and is stronger than ever today, as Visa and law 
enforcement agencies work together to combat cyber criminals in today's 
high-tech world. In 2002, Visa was a founding member of the U.S. Secret 
Service San Francisco Electronic Crimes Task Force and continues to 
actively participate in U.S. Secret Service task force groups in San 
Francisco, New York, and Los Angeles. Visa also works closely with the 
Federal Bureau of Investigation's Cyber Division, United States Postal 
Inspection Service, State Attorneys General and the Department of 
Justice Computer Crime and Intellectual Property Section.
    In 2004, Visa provided investigative support to Federal law 
enforcement, which resulted in the indictment and subsequent 
extradition to the U.S. of Roman Vega, known on-line as ``Boa''. Roman 
Vega was allegedly one of the most significant high-level criminals 
specializing in the on-line sale of stolen payment card data at the 
time. Visa has continued with our investigative support on other high-
profile investigations, including the Federal prosecution of Max Ray 
Butler known on-line as the ``Iceman'', arrested by Federal agents in 
2007 and the 2008 arrest of Albert Gonzales, Maksym Yastremskiy, and 
Aleksandr Suvorov for their scheme in which they hacked into Dave & 
Busters, Inc. restaurants. Visa also works closely with local law 
enforcement agencies and local retailers in supporting their effort to 
investigate and prosecute street level criminals using payment cards to 
commit fraud. Visa values our partnership with law enforcement and is 
committed to continuing to work closely with law enforcement to bring 
cyber criminals to justice.
                        recent compromise events
    After learning of data compromise events, Visa immediately begins 
working with the compromised entity, law enforcement, and affected 
client financial institutions to prevent card-related fraud. Visa 
notifies all potentially affected card-issuing institutions and 
provides them with the necessary information so that they can monitor 
the accounts and, if necessary, advise customers to check closely all 
charges on their statements or cancel or reissue cards to their 
customers. Visa card-issuing institutions have the direct 
responsibility and relationship with cardholders, and because of Visa's 
zero liability policy for cardholders, bear most of the financial loss 
if fraud occurs. Visa financial institutions can best determine the 
appropriate action for each customer that might have been affected.
    Based on Visa's findings following recent compromise events at 
Heartland Payment Systems and RBS WorldPay, we have taken the necessary 
step of removing both companies from our on-line list of PCI DSS-
compliant service providers. In addition, we are activating our account 
data compromise recovery programs, which are in place to protect our 
system and help issuers recoup some of their losses from compromise 
events. Visa is committed to working with these processors so they can 
be reinstated to this list upon successfully revalidating their 
compliance and Visa is not penalizing merchants that continue to 
utilize these processors. Protecting our cardholders was, and remains, 
Visa's primary goal in responding to this incident.
                               conclusion
    In closing, securing consumer data within the U.S. economy is a 
shared responsibility, and every industry should deploy focused 
resources to protect consumer information within its care. In this 
regard, the payment card industry has done more than any other to 
provide stakeholders with the tools and guidance that they need to 
properly secure the data they are trusted to protect. Visa has led the 
industry in protecting cardholder data and stands ready to continue to 
support industry participants in our collective fight against the 
criminals that perpetrate card fraud. We look forward to working with 
all participants to continue to develop tools to minimize and 
eventually eliminate the risk of data compromise in our economy. Thank 
you for the opportunity to present this testimony today. I would be 
happy to answer any questions.

    Ms. Clarke. I now recognize Mr. Jones to summarize his 
statement for 5 minutes.

  STATEMENT OF MICHAEL JONES, SENIOR VICE PRESIDENT AND CHIEF 
           INFORMATION OFFICER, MICHAELS STORES, INC.

    Mr. Jones. Good afternoon, Madam Chairwoman, Members of the 
committee.
    I have been in retail for 30 years, 20 in retail IT, the 
last 4 with Michaels, a $4 billion merchant. I wish I could say 
that attempting to follow the PCI mandates made me confident 
that credit card data is completely safe, but unfortunately 
that is not the case. This is because the mandates have been 
developed from the perspective of the card companies rather 
than from those who are expected to follow them.
    The PCI data and security standards are an extraordinarily 
complex set of requirements; they are very expensive to 
implement, confusing to comply with, and ultimately subjective 
both in their interpretation and in their enforcement. The 
program is rife with ambiguity and complexity. As an example, 
must every company associate acknowledge the security policy of 
a company? All 40,000 of our associates, or just those involved 
with credit transactions? This one PCI mandate has been imposed 
by compliance vendors differently at retailers all across the 
country.
    We have been questioned by customers, legislators, and even 
the credit card companies themselves, why do you keep credit 
card information at all? One reason we keep the information is 
related to another credit card company procedure designed to 
protect their banks from loss. It is called a chargeback. It 
can be initiated by a bank on its own, or it can be initiated 
at the request of the bank's customer.
    For example, if a customer spots a charge on their credit 
statement that they don't recognize, they can initiate a 
chargeback by contacting the issuing bank. The retailer is then 
charged with retrieving sales media by card number. If the 
retailer is unable to produce that sales media, or something on 
that sales media does not match, the retail sale is reversed, 
and the cost of the transaction is charged back against the 
retailer. This is true even if the transaction may have 
actually been made. This could have been fairly easily solved 
using a unique approval ID for each transaction, thus 
eliminating the need for credit card number storage by the 
retailer.
    PCI states that all credit card data must be encrypted. 
There is an exception to this requirement, however; PCI states 
that data traveling over a private network need not be 
encrypted. While a private network is more secure, I still 
would not choose to send credit card numbers through this 
number unencrypted. Why? Because it adds unnecessary risk. 
However, the credit card companies' financial institutions do 
not accept encrypted transactions.
    We at Michaels have asked, for the past 3 years, for the 
ability to send encrypted information to the bank. To date, 
this has not happened. Why is this an issue? One might ask the 
consumers affected by the Heartland Payment Systems data 
breach, or TJX Corporation, for that matter. It has been 
suggested that methods used in those breaches capitalized on 
this flaw.
    What can be done to improve this situation? First, many of 
the PCI requirements are covered by the Sarbanes-Oxley audits. 
This causes a lot of duplicative work around proof of 
compliance and is, arguably, unnecessary.
    Second, the requirements are one-sided against the 
merchants. The very financial institutions that impose them are 
not subject to the mandates themselves.
    Third, the PCI Data Security Standards Council was 
allegedly spun off from the credit card companies and set up as 
an independent governing body of credit card company, bank, and 
merchant representatives. In fact, the council is set up so 
that credit card companies and banks retain all power over the 
ultimate mandates, fines, and anything else connected to PCI. 
It is not an industry standards body.
    When a breach occurs, and card data is stolen, clearly the 
consumer potentially suffers the most inconvenience. 
Fortunately, the law provides that promptly reporting consumers 
must be held financially harmless. However, the largest 
financial impact is on the retailer, especially if the credit 
card company's data--which, by and large, we do not want--is 
seized from a retail location. The retailer is in the press, 
the retailer is demonized, the retailer is threatened with 
damages and sanctions. The retailer pays the cost of the 
fraudulent transactions. All of this arises from rules that 
initially grew from a card monopolist that we have no choice 
but to do business with or risk the loss of a large portion of 
our business.
    We do not need more laws. The existing, sometimes 
misguided, enforcement and the proliferation of State 
regulations around these issues have created a difficult, if 
not impossible, environment for retailers.
    In conclusion, I am proud to report that Michaels has never 
had evidence of a breach of consumer data. Regardless of the 
outcome here, we will continue to do what is necessary to keep 
card data safe, but in the future we would be more secure, and 
the risks to us all far lower, were the card companies to take 
greater responsibility for the inadequate system of payment 
they have created and asked us to use.
    Thank you. I am happy to answer any questions.
    [The statement of Mr. Jones follows:]
                  Prepared Statement of Michael Jones
                             March 31, 2009
    Good afternoon, Madam Chairwoman, fellow committee Members, and 
distinguished panel members. I am Michael Jones; I serve as the senior 
vice president and chief information officer (CIO) for Michaels Stores, 
Inc. reporting to the chief executive officer. Thank you for inviting 
me to discuss the security aspects of credit cards as they impact 
consumers at retail locations and especially at Michaels.
    Michaels Stores, Inc. is the largest specialty retailer of arts and 
crafts. With more than 1,000 stores in the United States and Canada, 
the company carries a wide selection of arts and crafts merchandise. 
Michaels also operates specialty stores under different brand names, 
including Aaron Brothers and Artistree manufacturing facility. We have 
annual revenues approaching $4 billion.
    I have been with Michaels Stores in my current role for 4\1/2\ 
years. I held the CIO position at Hollywood Video prior to Michaels for 
over 3 years. Prior to that I spent over 12 years at Kmart, and Kmart-
related companies, in various leadership positions in retail 
technology. I have been in the retail and restaurant industry since 
graduate school, and indeed, since my sixteenth birthday.
    I appreciate the committee's invitation to provide a retailer's 
view of the state of credit card security. In addition to my own 
experience I often communicate about this issue with my peers at 
retailers, restaurants, and other establishments that take credit cards 
from consumers as a form of payment. My comments today are informed by 
those discussions as well.
    At Michaels the customer is at the center of everything we do. Her 
loyalty and patronage of our stores is something we can not afford to 
lose for any reason. We always want her to feel safe and secure when 
she is in our stores, with the products we sell, and with the payment 
mechanism she chooses: Whether that be cash, checks, debit cards, gift 
cards, travelers checks, or credit cards. For many years we have 
implemented security standards and processes to protect our customers 
and their important financial information, with our preference always 
being to keep the least amount necessary to satisfy the payment 
process. Losing the trust of our customers because we can not safeguard 
their information is a risk we would not take, regardless of what 
mandates are imposed on us by an outside organization.
    Michaels Stores, Inc. is a PCI-certified organization and has been 
almost since the initial imposition of the standard (i.e., prior to the 
date where fines were threatened for non-compliance).
    I wish I could say that attempting to follow the PCI mandates made 
me confident that one could say customers' credit card data is 
completely safe, but unfortunately that is not the case. That is 
because the mandates seem to have been developed from the perspective 
of the card companies, rather than from that of those who are expected 
to follow them.
    The PCI Data Security Standards are an extraordinarily complex set 
of requirements. They are very expensive to implement, confusing to 
comply with, and ultimately subjective, both in their interpretation 
and in their enforcement. It is often stated that there are only twelve 
``requirements'' for PCI compliance. In fact there are over 220 sub-
requirements; some of which can place an incredible burden on a 
retailer and many of which are subject to interpretation.
    For example, one of the requirements is that all company associates 
must annually acknowledge the company security policy. Michaels has an 
average of 40,000 associates at any given time. In any one week we 
could have more then 1,000 changes in associates. Well, as you might 
expect, many of our associates are getting trained on the range of our 
merchandise, the operation of the registers, fire safety protocols, and 
other important procedures to assist our customers and protect our 
operations. So do we also need to get every associate to learn and sign 
a written statement of our understanding of the credit card companies' 
security policy? Or do we just need to get associates that may deal 
with credit cards to sign? This one little PCI mandate has been imposed 
by compliance vendors differently at retailers across the country both 
because of its subjective interpretation, and the inability for any 
large merchant to meet the standard in its most literal form.
    We have often been questioned by customers, legislators, and even 
the credit card companies themselves: ``Why do you keep credit card 
information at all?'' It would seem with the risk of a breach from the 
outside or from within, we would be better served not to keep the data 
at all. We agree completely. As a retail CIO, I would like nothing 
better than to not store a single credit card number anywhere in our 
network of systems.
    The reason we must still keep credit card information is related to 
the results of another credit card company procedure designed to 
protect their banks from loss. It is called a chargeback. It can occur 
in a number of different ways. It can be initiated by a bank on its 
own, or it can be initiated at the request of a bank's customer. For 
example, if a customer spots a charge on his bill that he does not 
recognize he might initiate a chargeback by contacting his card issuing 
bank. The card-issuing bank asks the merchant's bank to retrieve 
documentation proving that the purchase took place. The merchant's bank 
then requires the retailer to produce the underlying documentation for 
the sale--typically sales media showing the customer's credit card 
number, signature, and date of purchase. The merchant's bank forwards 
the information back to the card-issuing bank. Often, once the customer 
sees the underlying documents he remembers the purchase and the matter 
is closed. (Confusion might occur, for example, if the formal name of 
the business on the customer's monthly statement--e.g. the XYZ Medical 
Complex--is different from the name of the business where the customer 
received services--The Offices of Dr. MDA.)
    However, if the retailer is unable to produce the sales media, the 
sale is reversed and the cost of the transaction is ``charged back'' 
against the retailer. This is true even if the transaction were 
actually made. As I mentioned, banks can also initiate retrieval 
requests for documentation on their own--it does not have to be 
triggered by a customer. If the retailer cannot produce the underlying 
data, the cost of the purchase is taken from the retailer and credited 
back to the card-issuing bank.
    We have a department in Michaels dedicated to handling chargebacks. 
Chargebacks may be for a single transaction or an entire block of 
transactions. Card-issuing banks file retrieval requests that come to 
us. We must first look up the charge on our systems to match the 
transaction and identify the store location where the transaction took 
place (this is what we need the credit card number for). We then 
initiate a request to the store to ``pull'' the receipt for that 
transaction. Since we do not have an electronic signature system we 
have to get the paper receipt. We then submit that back to the bank 
along with the original request. If the bank/credit card company 
determines that the charge was not made by the customer (this is pretty 
much at their discretion and we have little effective recourse), then 
we are charged back the amount of the transaction, plus a processing 
fee.
    Thankfully at Michaels, chargebacks are not a very large problem, 
but my brethren at big ticket companies are not so lucky, as I know 
from my previous work experience. We could choose to take the hit and 
just accept the chargebacks as a cost of doing business so we would not 
need the credit card number stored but, over time, as word of our 
vulnerability spreads among the unscrupulous, this would likely cause 
an increase in chargebacks to the point where we could no longer 
sustain the losses.
    This could have been fairly easily solved and saved retailers 
hundreds of millions of dollars by having the credit card companies 
send retailers a unique approval ID back for each approval transaction. 
We could store that ID and a signature, and if there were a question on 
the transaction the unique approval ID would indicate how we locate the 
transaction. This would eliminate the need for us to store the credit 
card number, but still enable us to respond to retrieval requests. This 
method would have required changes for retailers, credit card 
companies, and the banks, but the overall expenditure would have been 
much less and the consumer data would be much safer.
    PCI states that all credit card data must be encrypted. This is a 
very important component of any data security standard, and one we use 
for sensitive data all across our organization. There is an exception 
to this requirement, however. PCI says that data traveling over a 
``private network'' need not be encrypted. It does not state that it 
can't be, just that it need not be. I have been told that in theory a 
private network is ``more secure'' than one that is not private. Well, 
there is no question about that. A land-line data communication 
connection that is direct between two organizations is certainly more 
secure then one that traverses the internet or a wireless network. 
Michaels has a private network between our stores and corporate 
headquarters. This network is also isolated from our other networks in 
the headquarters and the internet. Access is extremely limited. It is 
private and secure, and we continually look for ways to make it more 
secure; after all this is the network millions of our customers' credit 
card numbers traverse every year. The security of this network is 
paramount and probably at least two-thirds of the PCI requirements deal 
with this very subject.
    Yet I would still not choose to send my customers' credit card 
numbers through this network unencrypted. Why? They are encrypted at 
the pin pad or register by mandate of the standard. It only makes sense 
that we would keep this information encrypted through our entire 
network.
    Unfortunately this is where the system breaks down. The credit card 
companies' financial institutions, the very organizations that have 
created and are mandating this rigorous and highly complex standard, do 
not accept encrypted transactions. We must decrypt the credit card 
number at our corporate headquarters prior to sending to the merchant 
bank for approval!
    The transaction is then returned to us un-encrypted and we then re-
encrypt it to send back to the store. We, at Michaels, have asked for 
the past 3 years for the ability to send encrypted information to the 
bank. To date, this has not happened. We have heard various ancillary 
responses to the request such as, ``It is too expensive to implement''; 
``If you (i.e. the retailer) are willing to pay the costs (i.e. the 
credit card banks' cost) to implement it we will consider it''; to ``It 
would be too difficult to implement a standard encryption routine in 
the industry.''
    Why is this the case? One might ask all the consumers affected by 
the Heartland Payment systems data breach, or TJX Corporation for that 
matter. It has been suggested that methods used in those breaches 
capitalized on that flaw. The criminals used a ``Trojan Horse'' that 
read the credit card data ``in flight.'' This is not the stored data I 
spoke of earlier, but rather the numbers that were flowing through the 
communication channel for approval. One reason thieves could capture 
this data is because it was not encrypted. Had it been encrypted they 
would most likely not have been able to read the data.
    Now there are several requirements in the PCI standards for 
``scanning'' systems that look for these types of Trojan Horses. But 
this is not an ordinary virus that is written and sent to millions of 
PCs via e-mail. These are incredible technical programs often designed 
by organized crime syndicates with technical resources that dwarf those 
of the average company. And with just one inside source in a company 
they can be made virtually invisible. So why take the chance?
    So, are the PCI standards bad? No, however there are some major 
issues with both the program and the way in which it is implemented.
    First, many of the requirements of PCI are already covered in many 
companies' Sarbanes-Oxley audits. This causes a lot of duplicative work 
around proof of compliance, and is arguably unnecessary.
    Second, the requirements are one-sided against the merchants. The 
very financial institutions that impose them are not subject to all the 
mandates themselves. The idea that these organizations don't ``need'' 
to be audited because they are already held to an audited examination 
standard is inconsistent with the arguments they make to us (i.e., 
Sarbanes-Oxley).
    Third, The PCI Data Security Standards Council was allegedly spun 
off from the credit card companies and set up as an independent 
governing body of credit card company, bank, and merchant 
representatives. In fact, the council is set up so that the credit card 
companies and banks retain all power over the ultimate mandates, fines, 
and anything else connected to PCI. Because of this, the mandates do 
not represent what is the ``best'' security, but rather what is best 
for the credit card companies and their financial institution partners.
    When a breach occurs and card data is stolen, clearly the consumer 
potentially suffers the most inconvenience. Fortunately, the law 
provides that promptly reporting consumers must be held financially 
harmless.
    However, the largest financial impact is on the retailer, 
especially if the credit card companies' data (which by and large we 
don't want) is seized from a retail location. We are the ones in the 
press; we are the ones who are demonized; we are the ones States' 
attorneys general and others threaten with damages and sanctions. 
Consumers may make decisions not to shop at a breached retailer not 
realizing that it was the card company processes that caused the data 
to be placed at risk.
    The retailers pay the costs of the fraudulent transactions, either 
through chargebacks or credit card company-imposed fees and penalties. 
All of this arises from rules that initially grew from a card 
monopolist that we have no choice but to do business with, or risk the 
loss of a large portion of our business. It would be impossible for a 
retailer like Michaels to survive without taking Visa. So we, like 
other retailers, swallow the tens of millions we have spent to become 
PCI-compliant, in many cases unnecessarily spent, which both reduces 
profitability and increases the costs of everything we, the merchant, 
sells.
    Is credit card data any safer now than it was before PCI was put in 
place? Yes. Would it be had PCI not been put in place? Probably. Could 
the consumers' data be safer then it is right now? Most definitely!
    But we do not need more laws. The existing (sometimes) misguided 
enforcement and the proliferation of State regulations around these 
issues have created a difficult, if not impossible, environment for 
retailers to effectively meet the legal requirements imposed on them 
should a breach of information occur.
    Madam Chairwoman, committee Members, and distinguished panel and 
guests, if I can leave you with but one message, it is that the 
precepts underlying the massive dissemination of credit card data need 
to be rethought. As a CIO, I was informed by one of the top security 
officers of a major credit card company that based on their analysis 
our company credit card data had been breached. Although I thought this 
unlikely, they told me that they had never been wrong. After an 
agonizing week of internal research, twice daily ``all hands on deck'' 
calls, many, many dollars and hours spent, the voice at the other end 
of the line went dead. The next day a breach of over 40 million credit 
card numbers was announced at a bank processor. Our ``incident'' 
apparently showed that the card company's analysis at that time had not 
counted on breaches of such magnitude, since we were later told that 
the data which had triggered all of our activity was more likely a 
subset of ``another issue'' they were dealing with.
    I am proud to report that Michaels has never had evidence of a 
breach of consumer data. Regardless of the outcome here we will 
continue to do whatever is necessary and prudent to keep the loyalty of 
our customers for, without that, we cease to exist. But the future 
would be more secure and the risks to us all far lower were the card 
companies to take greater responsibility for the inadequate system of 
payment they have created and asked us to use.
    Thank you. I am happy to answer any questions you may have.

    Ms. Clarke. Thank you for your testimony.
    I now recognize Mr. Hogan to summarize his statement for 5 
minutes.

    STATEMENT OF DAVID HOGAN, SENIOR VICE PRESIDENT, RETAIL 
  OPERATIONS, AND CHIEF INFORMATION OFFICER, NATIONAL RETAIL 
                           FEDERATION

    Mr. Hogan. Thank you, Chairwoman Clarke and Members of the 
committee, for this opportunity to appear on behalf of National 
Retail Federation, the world's largest retail association. I 
have been with the NRF for almost 7 years and have spent my 
entire 25-plus-year career in retail information technology.
    Whether it be by cash, check, or plastic, the payment 
mechanism is really just a means of accomplishing business. 
Retailers accept credit cards for payment, in part because they 
have been assured by the credit card companies that if they 
follow a limited number of steps, they will be given a 
guarantee of payment. Most retailers are not in the payment-
acceptance business any more than their customers are in the 
payment-delivery business.
    There have been two big developments in the last decade or 
so that have changed the playing field. The first has been the 
rapid proliferation of general purpose credit cards. With over 
80 percent of the market share, Visa and MasterCard are two 
primary examples, these cards issued broadly by banks in the 
hope that each card will generate income for them.
    The second change has been society's increased 
computerization. Globally there have been numerous instances of 
hackers from outside of our borders accessing computer systems, 
stealing credit card information, and then using this data to 
commit fraud. In several cases these have targeted companies 
that process or store credit card data.
    As with the growth of on-line shopping fraud, these 
developments presented the card industry with a challenge. In 
response, they introduced what they call the Payment Card 
Industry Data Security Standard, also called PCI.
    PCI is an attempt to prevent large stockpiles of credit 
card data from getting into the wrong hands. However, the PCI 
guidelines are onerous, confusing, and constantly changing. 
Indeed, PCI is little more than an elaborate patch.
    The premise behind PCI, that millions of retail 
establishments will systemically keep pace with ever-evolving 
sophistication of today's professional hacker, is just not 
realistic. Our industry has spent billions on compliance 
programs related to data security. PCI protocols have required 
many merchants to scrap good existing data security programs 
and replace them with different security programs that meet PCI 
rules that aren't necessarily any better. Even companies that 
have been certified as PCI-compliant have been compromised.
    Unfortunately, the economic incentives for the card 
companies to remedy these flaws in their system have been 
diminished. It appears to our industry that the credit card 
companies are somewhat less interested in improving their 
product and procedures than they are in reallocating their 
fraud costs. In our view, if you peel back the layers around 
PCI, you will see it for what it really is, a tool to shift 
risk off the banks and credit cards' balance sheets and place 
it on others. It is their payment card system, and retailers, 
like consumers, are just users of their system. What is really 
ironic here is that merchants are forced to store and protect 
credit card data that many don't want to keep anyway. The 
credit card companies' own rules around retrieval requests 
essentially require merchants to keep credit card data for 
extended periods of time.
    As I mentioned, all of us, merchants, banks, credit card 
companies and our customers, want to eliminate credit card 
fraud, but if the goal is to make credit card data less 
vulnerable, the ultimate solution is to stop requiring 
merchants to store credit card data in the first place. In 
fact, we proposed such changes to the PCI Security Standards 
Council back in 2007. The card industry dismissed our proposal 
without addressing its merits.
    There have been numerous suggestions made over the years 
that would significantly reduce the chances of major data 
breaches, but none of them have been adopted yet. Here are just 
a few.
    First, go on record and stop requiring merchants to store 
credit card data and eliminate any penalties they impose for 
not doing so.
    Another, change the system and allow consumers to enter in 
a pin or personal identification number for credit card 
transactions, just like you do with debit card transactions.
    Third, quickly develop and roll out the next generation of 
credit card and give merchants the hardware and software 
necessary to handle these new products.
    In conclusion, once the payment system itself becomes a 
burden, commerce inevitably suffers. We believe any one of 
these recommendations will significantly reduce credit card 
fraud.
    Thank you for the opportunity for appearing in front of 
this committee. I will be happy to answer any of your 
questions.
    [The statement of Mr. Hogan follows:]
                   Prepared Statement of David Hogan
                             March 31, 2009
    Thank you Chairwoman Clarke, Members of the committee. My name is 
Dave Hogan. I am senior vice president, chief information officer for 
the National Retail Federation.
    By way of background, the National Retail Federation (NRF) is the 
world's largest retail trade association, with membership that 
comprises all retail formats and channels of distribution including 
department, specialty, discount, catalog, internet, independent stores, 
chain restaurants, drug stores, and grocery stores as well as the 
industry's key trading partners of retail goods and services. NRF 
represents an industry with more than 1.6 million U.S. retail 
establishments, more than 24 million employees--about one in five 
American workers--and 2008 sales of $4.6 trillion. As the industry 
umbrella group, NRF also represents more than 100 State, national, and 
international retail associations.
    I have been with NRF for almost 7 years and have spent my entire 
career in retail information technology. Prior to joining NRF I was a 
business unit CIO for The Limited and most recently CIO for 
international retailer, Duty Free Americas. During that time I became 
familiar with the broad array of issues confronting retail CIOs, 
including matters related to data security. Both in my prior positions, 
as well as during my time at NRF I have helped design and upgrade the 
systems that protect my companies' core records.
    Currently, I also work with the NRF's CIO Council. The Council is 
made up of more than 50 well-known retailers who meet regularly to 
study, share, and discuss best practices and challenges inherent in 
ever more sophisticated retail technology programs. As a result of that 
work I have become familiar with many of the issues involved with the 
Payment Card Industry Data Security Standards.
    Credit card security is not, however, a new issue for retail. For 
years many retailers managed their own in-house credit programs. 
Companies such as Sears and JCPenney offered proprietary retail credit 
through cards issued in all 50 States. They were known as proprietary 
programs because for most of their history, the cards were owned by the 
retailer and used exclusively for the purchase of a retailer's 
merchandise. Beyond credit programs, many companies maintain 
information about their most valuable customers, often gleaned through 
loyalty programs. Those programs are used to encourage our customers to 
shop and to serve them better when they do. All of this information was 
valuable and proprietary.
    For this reason retailers developed programs to secure their data. 
Each retailer's program was commensurate with the sensitivity of the 
data it sought to keep. Certainly, as to their cards, for example, no 
retailer wanted its credit card programs to be appropriated by thieves. 
Therefore, we retailers developed systems designed to minimize losses 
to us and inconvenience to our customers.
    There have been two big developments in the last dozen or so years 
that have scrambled the playing field. The first has been the rapid 
proliferation of what are known in the industry as third-party, general 
purpose credit cards. Visa and MasterCard are two examples. These cards 
are not issued by retailers, but rather are issued by independent banks 
under a particular card brand's name. Thus you might have a Citibank 
MasterCard or a Chase Visa or a Citibank Visa. Consistent with their 
internal standards, the banks issue the cards as broadly as possible, 
in hopes that each card will generate income for the bank.
    The other big change has been increasing computerization and the 
related growth of the internet. As you all know computers are now 
ubiquitous. And many of our governmental, commercial, and personal 
activities are greatly dependent upon access to the Web. Unfortunately, 
the same processes that give us access also are available to the 
unscrupulous. Scams that would have been difficult to accomplish, or 
been limited in scope if they were attempted on a face-to-face, 
individual-by-individual basis, such as eliciting banking account 
information from individuals, can be much more efficiently accomplished 
on-line by ``phishing,'' for example, among those who engage in banking 
from their home computers.
    In a brick-and-mortar environment, retailers accept a variety of 
forms of payment: Cash, checks, credit cards, gift certificates, and 
other script. Retailers accepted credit cards for payment, in part, 
because they had been assured by the card companies that if the 
merchant followed a limited number of steps (e.g., confirming the 
card's presence; checking the signature; obtaining an approval; and 
keeping a copy of the completed charge media) they would be given a 
guarantee of payment. Whether it be by cash, check, or otherwise, the 
payment mechanism is really just a means of accomplishing business. 
Most retailers are not in the payment acceptance business any more than 
their customers are in the payment delivery business. The form of 
payment simply facilitates the underlying business to be done. (The 
consumer is searching for something to wear; the merchant is seeking to 
find and display attractive merchandise that customers desire wearing.)
    A few years back, outside of the brick-and-mortar environment, in 
the then newly developing world of internet shopping, it soon became 
apparent to the credit card companies that they should take additional 
steps to minimize losses from the use of their card products for on-
line purchases. Through a combination of rules and new security 
requirements the card companies were largely able to achieve that goal. 
They adopted special security requirements for on-line merchants 
(Visa's program was called CISP: Customer Information Security 
Program). They also declared that the then-growing number of internet 
merchants who accepted a credit card for payment on-line would be 100% 
liable for any losses if charges were challenged, either by the 
cardholder or by the bank. As a practical matter, for on-line 
merchants, there was little or no payment guarantee.
    Over time, however, the card companies realized that the number of 
fraudulent purchases was continuing to rise. And this was true not just 
on-line. Thieves and others learned that if they could obtain the data 
on the credit card companies' cards, they could accomplish a few fake 
transactions (on-line) or even create fake cards and accomplish many 
fraudulent transactions in a wide variety of brick-and-mortar 
locations.
    The growth of computerization facilitated these breaches. Globally, 
there have been numerous instances of hackers accessing computer 
systems, stealing credit card information, and using this data to 
commit fraud. It has been reported that many of these hackers are 
operating out of Eastern Europe and some of the former Soviet states. 
In several cases they have targeted retailers' computer systems that 
process or store credit card data. But the thieves are really looking 
for the data anywhere they can find it.
    As with the growth of on-line shopping fraud, these developments 
presented the card industry with a challenge. In response, they 
introduced what they call the Payment Card Industry Data Security 
Standards, commonly called PCI. Since its inception, PCI has been 
plagued by poor execution by Visa, MasterCard and the other credit card 
overseers of the program. The PCI guidelines are onerous, confusing, 
and are constantly changing. Many retailers say that basic compliance 
is like trying to hit a rapidly moving target.
    As I mentioned, retailers take data security very seriously. 
Indeed, merchants, banks, the major card brands and the vendor 
community that supplies our industry with hardware and software all 
want to reduce the incidence of credit card fraud. PCI is an attempt to 
prevent large stockpiles of credit card data from getting into the 
wrong hands. But the premise of PCI, that hundreds of thousands or even 
millions of merchants will systematically keep pace with the ever-
evolving sophistication of professional hackers, is unrealistic.
    PCI is little more than an elaborate patch. While PCI can reduce 
some fraud, at extraordinary cost, it is not nearly as effective as a 
redesign of the card processes themselves. Since its inception, our 
industry has spent billions on compliance programs and related data 
security systems. PCI protocols have required many merchants to scrap 
good, existing data security programs and replace them with different 
security programs that meet PCI rules but aren't necessarily any 
better. Retailers have been required to take extraordinary steps to 
ensure that somewhere, somehow, data is not inadvertently being 
retained by software. However, what is ironic in this scenario is that 
the credit card companies' rules require merchants to store, for 
extended periods, credit card data that many retailers do not want to 
keep.
    To many NRF members, it appears that the credit card companies are 
less interested in substantially improving their product and procedures 
than they are with reallocating their fraud costs. In our view, if you 
peel off all the layers around PCI Data Security Standards, you will 
see it for what it is--in significant part, a tool to shift risk off 
the banks' and credit card companies' balance sheets and place it on 
others. It is their payment card system and retailers--like consumers--
are just users of their system.
    As I mentioned, all of us--merchants, banks, credit card companies, 
and our customers--want to eliminate credit card fraud. But if the goal 
is to make credit card data less vulnerable, the ultimate solution is 
to stop requiring merchants to store card data in the first place.
    For example, rather than requiring that merchants keep reams of 
data--currently required under card company rules in order to satisfy 
card company retrieval requests--credit card companies and their banks 
should provide merchants with the option of keeping nothing more than 
the authorization code provided at the time of sale and a truncated 
receipt. The authorization code would provide proof that a valid 
transaction had taken place and been approved by the credit card 
company, and the signed sales receipt would provide validation for 
returns or poof of purchase. Neither would contain the full account 
number, and would therefore be of no value to a potential thief. Any 
inquiries about a credit transaction would be between the cardholder 
and the card-issuing bank.
    If all merchants took advantage of this option, credit card 
companies and their member banks would be the only ones with large 
caches of data on hand, and could keep and protect their card numbers 
in whatever manner they wished. The bottom line is that it makes more 
sense for credit card companies to protect their data from thieves by 
keeping it in a relatively few secure locations than to expect millions 
of merchants scattered across the Nation to lock up their data for 
them.
    In fact, we proposed such changes to the PCI Security Standards 
Council in 2007. The card industry dismissed our proposal without 
addressing its merits but have yet to offer a viable alternative.
    Once the payment system itself becomes a burden, commerce 
inevitably suffers. The NRF, with direction from our CIO Council, has 
engaged the PCI Security Standards Council directly and highlighted 
flaws with the existing ``standard'' and ``governance'' of the PCI 
Security Standards Council. There have been numerous suggestions made 
over the years that would significantly reduce the chances of major 
data breaches, but none have been adopted.
    In conclusion, we believe any of our suggestions would be more 
effective and efficient approaches to protecting credit card data and 
preventing a continuation of the data breaches that have been seen in 
recent years.
    Thank you for the opportunity to appear before the committee today, 
I would be happy to answer any questions.

    Ms. Clarke. I thank the witnesses for their testimony.
    I will remind each Member that he or she will have 5 
minutes to question the panel. I will now recognize myself for 
questions.
    My first question goes to both Mr. Russo and Mr. Majka. 
Since the PCI standards have become mandatory, there has been 
no shortage of massive data breaches. Is there any hard 
evidence to suggest that the standards have reduced the number 
of data breaches or the amount of credit card fraud? What 
metrics are in place to judge the effectiveness of these 
standards?
    Mr. Russo. Chairwoman Clarke, let me answer first.
    The council's purview does not include keeping statistics 
on breaches, on who is compliant, as we do not have that 
relationship with the merchants. I can tell you, as I stated 
earlier, that based on what we have seen in forensics and what 
we have seen our information has given us by reaching out to 
these breached entities, that they were, in fact, not compliant 
at the time of the breach. Very similar to Ms. Glavin, who 
mentioned locking your doors, you don't lock your doors on 
Monday, Wednesday, and Friday and not on Tuesday, Thursday, 
Saturday, and Sunday. So it is constant vigilance that must be 
there when it comes to protecting this data. It is everyone's 
responsibility, including the merchant, including the consumer, 
to be looking after their own data.
    Mr. Majka. Madam Chairwoman, I would like to say that entry 
into these data systems, while the criminal is very complex, we 
found that the entry methods have been very simple, and they 
would have been addressed by the PCI data security standard in 
all cases. Even those entities where they have had validated 
compliance, our review of those incidents found that either 
they hadn't maintained compliance, and there were significant 
gaps that allowed the breach to occur.
    I would also like to say that the standard itself has been 
improved over the years. One of the success stories of the 
standard is the removal of prohibitive data from merchants' 
servers. This has led to incidents where we no longer have a 
breached entity who has been storing data for 3, 4, or 5 years 
that the criminals can access 5 years' worth of data. So those 
are things that the standard itself has addressed and has 
helped.
    I would also like to say that I think that we don't know 
how many breaches have been prevented by those entities that 
have, in fact, gone as far as implementing and maintaining the 
standard properly.
    Ms. Clarke. I think that is really at the core of the issue 
here is that we can't get some tangible evidence of how 
effective this is in actually eliminating the breaches. It is 
clear that if people aren't following the protocols, that opens 
them up in terms of more vulnerability. But it would seem to me 
that as a part of the build-out of the floor of the PCI 
standards, that we would develop some sort of metric that gives 
us an ability to objectively judge the effectiveness of these 
standards. Are you saying that those don't exist right now?
    Mr. Russo. No, Madam Chairwoman. They do exist in various 
entities, those entities being the acquiring banks, as an 
example, which own the relationships with the merchants. They 
require PCI compliance, they track PCI compliance, they have 
those numbers. Again, the council does not have any input into 
that or any view into that because we do not have the 
relationships with the merchants. The banks, the acquirers have 
the relationship with the merchants. But there are tens of 
thousands, hundreds of thousands that are going through 
programs every day and validating their compliance on a regular 
basis.
    Ms. Clarke. Mr. Russo, do you have a relationship with the 
banks?
    Mr. Russo. The council does not have a relationship with 
the banks other than to put its standard out there and make 
sure that they are creating awareness among their constituents 
that they need to be compliant with the standard.
    Ms. Clarke. Thank you.
    The next question then is both to you, Mr. Russo, and Mr. 
Majka. The PCI standards include requirements for encrypting 
data at rest and data that travels over the internet. But the 
Heartland breach, for instance, involved data in transit 
between terminals and hosts on nonpublic networks.
    As Mr. Jones notes in his testimony, there are no PCI 
standards for this. Is this a fundamental weakness in the 
standards? Why doesn't PCI require end-to-end encryption, 
including internal encryption? How are you going to address 
this?
    Mr. Russo. There are provisions within the standard now 
that address this data and address the inside network that 
should, in fact, either stop this from happening, or at least 
give you a warning that something is happening so that you can 
immediately stop it and cut the breach off. We do go out to, as 
I mentioned, all of our participating organizations--one of 
whom is sitting at the table with me today, the NRF--and we do 
ask them for their feedback on the standard and what needs to 
be done.
    One of the things that we are in the process of doing right 
now is that we have issued a proposal to a number of technology 
companies to give us an independent study on what we are 
calling emerging technologies, one of which is end-to-end 
encryption, another of which is tokenization, another of which 
is chip and PIN. So we are looking at these technologies and 
how they make the standard more robust. But it is important to 
the say that there really is no silver bullet here.
    Ms. Clarke. I am a bit over my time, but I would like to 
get Mr. Jones' and Mr. Hogan's response to this end-to-end 
encryption dilemma.
    Mr. Jones. First, I think on encrypted, I am not sure I 
would call it an emerging technology; it has been around for 
some time. Obviously, since it is a requirement for anything 
traveling outside the private network, I think that not having 
it as part of something that travels on your internal network 
was something originally to reduce some of the costs involved 
with implementing the standards, because it costs money to 
implement encryption end-to-end, and that would have involved a 
lot of cost to merchant banks all across the country, as well 
as retailers. Every retailer would have had to implement 
encryption on their side. But we have already had to do it 
from--and most retailers do transact across the internet in one 
way or another, so we have had to do that.
    So I would separate that out from a chip and PIN discussion 
as far as what we should be looking at going forward. As far as 
whether it should be in the standard or not, I feel that it 
should have been in the standard long ago as part of something 
simply because there are things that may have caught the 
Heartland Payment thing. But when we talk about very 
sophisticated thieves, the Heartland Payment software that was 
used was so sophisticated that it was virtually impossible for 
highly technical, highly sophisticated people to pick up. Most 
of the existing scanning technologies would not have even 
picked it up, but had it been encrypted, it wouldn't have 
mattered. I think that is the way of looking. So why not lock 
your front door? Why leave it open?
    Ms. Clarke. Mr. Hogan, do you concur?
    Mr. Hogan. Yes, I do concur. I think it is very interesting 
that the merchants, universities, doctors' offices, anybody who 
accepts credit cards and processes credit card data has to go 
through extraordinary hoops to adhere to a PCI standard; 
however, when it is convenient, the information is sent open in 
the free and clear, when it is transmitted to the banks, so on 
and so forth.
    So I think you have a double standard going on here where 
in one case you have to adhere to a standard, and spend a lot 
of time, effort, and money to do it, and then all of a sudden 
you send it back out wide open that anybody could potentially 
read unencrypted downstream.
    Ms. Clarke. Thank you. My time is expired.
    Let me now acknowledge the gentleman from New Mexico, Mr. 
Lujan.
    Mr. Lujan. Thank you, Madam Chairwoman. I know we have some 
votes we have to get to, if I am not mistaken, so I will try to 
keep this brief.
    Mr. Russo, what recommendations of standards have been made 
that have not been implemented by those that follow your 
standards?
    Mr. Russo. Congressman, we have a feedback process in 
place, which Chairwoman Clarke mentioned a little earlier--
actually, I am a little perplexed because Mr. Hogan earlier 
said that this is constantly changing, yet Chairwoman Clarke 
indicated it was a 2-year process that we go through. We go 
through two feedback periods where we get feedback from all of 
those participating organizations, again, one of which is the 
NRF, and we then discuss all of this information at two 
community meetings that we have on a yearly basis, one in North 
America and one in Europe. That information is then taken back 
from what we are getting again at that community meeting and 
gone through another feedback period before a new standard is 
released.
    I might also mention that the difference between the 
initial standard that we came out with in 2006 and the 1.2 
version, which we came out with in October, was not that 
different. There were clarifications, there were documentation 
changes, more guidance information was put in to make it easier 
to understand the intent and, in fact, comply with it. These 
were all recommendations from these participating 
organizations, from our board of advisors. There are things 
that we put out on a regular basis based on their input. We do 
not create this standard in a vacuum. This is something that 
the entire group of participating organizations and the 
assessment community and our board of advisors advise us on.
    Mr. Lujan. Let me narrow the question a little bit.
    Mr. Russo, there was some discussion about end-to-end 
encryption for its databases. Isn't that a recommendation that 
was made by the Heartland Payment Systems CEO?
    Mr. Russo. After the breach it absolutely was, after the 
breach. We agree that encryption is a good thing--again, not a 
silver bullet. Encryption is a good thing. As the gentleman 
from Michaels mentioned, encryption is an expensive 
proposition. If we make this mandatory in the standard, there 
will be a number of merchants who will not be able to afford 
this immediately. There are provisions within the standard that 
actually affect what happens there. So the need for end-to-end 
encryption within the internal network is really not there. If 
you are following the standard religiously, the need is not 
there. Why put these people through the expense?
    That being said, we are now investigating it from an 
independent third party, and we will present that information 
in the form of feedback to our entire community and get their 
feeling on whether or not they actually want this to be part of 
the standard.
    Mr. Lujan. Mr. Russo, you said something earlier that I 
found interesting, that you have never found PCI not to be in 
compliance at a time of breach, meaning that at a time of 
breach, there may have been some break in compliance. But with 
the system that we have today, who is responsible for 
monitoring compliance?
    Mr. Russo. The merchant himself. Basically what we do is we 
take a snapshot--let me give you a brief example, if I have a 
minute or so. If you need fire insurance on your house, and you 
come to me and ask me as the insurance company to give you fire 
insurance, I send an inspector out, and you have everything in 
place--smoke detectors that work, fire extinguishers, 
sprinklers, and such. Three months later, your house burns 
down. I send an inspector out again, only to find out that 
there was no pressure on the sprinklers at that time, all of 
the batteries weren't working in your smoke detectors, and so 
on. This is the responsibility not only of the council to make 
sure that you are compliant, but it is your responsibility as a 
merchant, your responsibility to the consumers to make sure 
that you are doing this on a regular basis.
    Mr. Lujan. Mr. Russo, if I could interrupt, I think that 
that example is a perfect illustration, because I would ask 
that the regulator that was responsible for monitoring the fire 
suppressant system, if you come back after there was a fire, 
and you found out that my fire suppressant system wasn't 
adequate to be able to protect my home or my place of business, 
then the regulator wasn't doing their job. But in this case, 
there is no one overseeing this. It is, here is a set of rules; 
if you want to be able to utilize our product, please follow 
them. In the case if there is a breach, we depend on the 
Department of Justice to step in, often times informing a group 
of people that maybe there was a breach.
    Madam Chairwoman, I know that my time is expired, but this 
is really interesting to see, when we talk about a set of 
standards, to truly see how we can work together to look to see 
where the weak points are. But also from a compliance 
perspective, I know that there aren't compliance efforts moving 
forward to truly work with the retailers if it is their 
responsibility to be held in compliance. But it seems to me 
that the system that we have today, I think we all agree, from 
different sides, that it is not working.
    Ms. Clarke. Thank you very much for your observations, Mr. 
Lujan. Thank you for your responses.
    We are in the process of votes right now, but I would like 
to get in one final question for this panel, and this question 
is for the entire panel actually.
    A large part of the data theft problem is the amount of 
valuable data stored in the system. Mr. Hogan and Mr. Jones 
testified that the credit card companies are actually requiring 
merchants to keep more data than they would otherwise prefer. 
Can the panel please explain what requirements exist for 
merchants to store credit card data in their systems, and why 
did the credit card companies dismiss the suggestion from NRF 
that these requirements be changed?
    Mr. Majka. Madam Chairwoman, if I may start by answering 
that question. Visa does not require merchants to retain card 
holder data. We embarked on a campaign about 3 years ago to 
educate merchants on what data they absolutely need to 
maintain, and the campaign was called Drop the Data. In those 
cases, they are not required to retain the account number.
    We have found that some merchants do, in fact, retain the 
account number, customer name, maybe the expiration date, and 
in those cases, should a merchant choose to maintain that data, 
they do have to secure it properly. But all merchants have the 
ability to work with their acquiring merchant bank to not store 
that data, and use whether it is an authorization code or 
transaction ID as a reference number to then research a 
transaction that may be in question. So from a Visa 
perspective, we do not require storage of that data.
    Ms. Clarke. Mr. Hogan.
    Mr. Hogan. That statement is quite interesting, because we 
hear from numerous, numerous merchants, restaurants, hotels 
that if they don't keep some credit card data for a period of 
time to handle the retrieval or chargeback request process, 
they will be fined and penalized. So I would love to have 
somebody go on record here from Visa or so on and so forth that 
would basically make a statement that, again, retailers and 
merchants do not need to store any credit card data at all, 
just keep an authorization code, and they will not be penalized 
at all in context of the chargeback or retrieval request 
process. Maybe that could be a question you could pose back.
    Ms. Clarke. I find this discrepancy to be very troubling, 
very troubling.
    Mr. Jones.
    Mr. Jones. I think we have to look at two entities, too. As 
the question was being answered, there was Visa does not 
require. Then the second part was, we recommend they work with 
their acquiring merchant bank to understand what data they need 
to keep or don't need to keep.
    Visa is not the person that we work with on a day-to-day 
basis. We work with our merchant bank. If your merchant bank 
cannot provide you back the information for you to look up 
among your thousands, tens of thousands, hundreds of thousands, 
or millions of transactions which we deal with on a basis to 
pull that transaction--and we have to physically pull a receipt 
again; we go from the point of we get a piece of paper with a 
card number on it, and we have to get to a point where we pull 
a receipt within a certain time period, otherwise we lose that 
transaction. So it is not a requirement. We could not do that. 
We could say that is a cost of doing business. By doing that, 
then, we would just automatically lose those dollars.
    My brethren in places like Best Buy or Big Ticket, it would 
cost them a fortune. Places like Marriott, or a hotel or a car 
reservation where you hold a reservation with a credit card 
number, or they put a $400 charge on your credit card where it 
is being held but not charged yet, they do have to keep that; 
otherwise they have no way to charge you after.
    So I think we are dealing with which organization is 
requiring versus PCI doesn't require you, they are not a credit 
card organization. Visa just transports it; the merchant bank 
is something else. The retailer is left holding the bag and has 
no input or say, but yet is paying the transaction fee, is the 
one who pays for the transaction when the customer says that 
they are not responsible for it and has no say in it.
    There is a solution out there, but there has been no 
interaction, there has been no partnership to really develop 
that solution, I think.
    Ms. Clarke. Well, let me just close by saying that this is 
something that we have to fix. Mr. Majka, I look forward to 
speaking with you further about this.
    To all of you, thank you very much for your testimony 
today. This has been very interesting, very enlightening. I 
think we have got a lot of work to do, as I said in my opening 
statement. Certainly I think some things have come to light 
here today that should concern all of us and that we should be 
working together as a team to make sure that we address.
    I thank the witnesses for their valuable testimony and the 
Members for their questions. The Members of the subcommittee 
may have additional questions for the witnesses, and we will 
ask you to respond expeditiously in writing to those questions.
    Hearing no further business, the subcommittee stands 
adjourned.
    [Whereupon, at 3:15 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

  Questions From Chairwoman Yvette D. Clarke of New York for Rita M. 
     Glavin, Acting Assistant Attorney General, Criminal Division, 
                         Department of Justice
    Question 1. How do you prosecute criminals in cyberspace when it is 
virtually impossible to identify and attribute attacks to specific 
individuals?
    Answer. Response was not received at the time of publication.
    Question 2. What attraction does card fraud have for criminals and 
terrorists?
    Answer. Response was not received at the time of publication.
    Question 3. Would you say that card fraud is the financing method 
of choice for terrorists?
    Answer. Response was not received at the time of publication.
    Question 4. How many people and man-hours are devoted to 
investigations and prosecutions related to card fraud, including both 
data breaches and the criminal activity card fraud underwrites?
    Answer. Response was not received at the time of publication.
    Question 5. You testified that by disabling Shadow Crew's Web site, 
the Department of Justice believed they ``prevented hundreds of 
millions of dollars in additional losses to the credit card industry.'' 
Is it the Department's understanding that the fraudulent charges that 
are the result of a data breach are a financial liability to the card 
brands, issuing banks, or acquiring banks?
    Answer. Response was not received at the time of publication.
   Questions From Chairwoman Yvette D. Clarke of New York for Robert 
 Russo, Director, Payment Card Industry Data Security Standards Council
    Question 1. Why aren't penetration tests required on a quarterly 
basis? Why don't they conform to NIST standards?
    Answer. The PCI DSS requirement for penetration testing is not 
based exclusively on time intervals. Tests are also required after any 
significant changes to a data system environment that has been 
validated as compliant with the PCI DSS--as frequently as that may 
occur, which may be more frequently than quarterly. The Council's 
information supplement regarding penetration tests is attached as 
Exhibit A.* This is in addition to the annual validation of static 
controls. It is also important to note that penetration tests are only 
a small part of the comprehensive set of controls and layers of 
security identified in the PCI DSS.
---------------------------------------------------------------------------
    * Attachments referred to have been retained in committee files.
---------------------------------------------------------------------------
    Vulnerability assessments, which share many of the characteristics 
of penetration tests by identifying the same threats, are required, at 
a minimum, quarterly. Penetration tests are additive to, rather than 
substitutes for, the standards promulgated by the National Institute of 
Standards and Technology (NIST), which are also a critical part of the 
process that our Approved Scanning Vendors (ASVs) utilize to identify 
vulnerabilities in networks. Indeed, all ASVs rely on the NIST National 
Vulnerability Database (http://nvd.nist.gov/), a U.S. Government 
repository of standards-based vulnerability management data and each 
entity must receive a passing score quarterly to be considered 
compliant with the PCI DSS.
    Question 2. Given the prevalence of insider attacks (both physical 
and virtual), which have grown by 55% according to the intelligence 
community, why has two-factor authentication not been required of all 
users who access payment data within networks as well as all system 
administrators' who have privileged rights?
    Answer. The PCI DSS requires two-factor authentication (Requirement 
8.3) as a mechanism for external access (internet/remote) into 
cardholder data environments. The primary focus of PCI DSS Requirement 
8.3 is to prevent unauthorized access from the outside, focusing on 
protecting from external intrusion, not internal access.
    For internal threats with respect to unauthorized authentication 
attempts, the PCI DSS provides a layered security approach that 
requires numerous other controls to minimize risks within the internal 
network. Two-factor authentication is one method for meeting this 
layered approach. Other approaches that address the internal risk of 
user account takeover include prohibiting the use of risky protocols 
that expose user names and passwords (Telnet and FTP) and requiring 
passwords to be encrypted/hashed during transmission and storage within 
the internal network. There are also numerous user account management 
and password controls (Requirement 8), along with logging and 
monitoring requirements (Requirement 10) that address internal controls 
to help mitigate internal risks including two-factor authentication.
    Question 3. How are Qualified Security Assessors trained?
    Answer. Because the quality of PCI DSS validation assessments can 
have a tremendous impact on the consistent and proper application of 
security measures and controls, the Council's QSA qualification 
requirements are exacting and detailed, involving both the security 
companies themselves as well as the individual employees involved in 
assessments.
    In broad terms, prospective QSA companies must:
   Apply for qualification in the program;
   Provide documentation adhering to the Validation 
        Requirements for Qualified Security Assessors v. 1.1, a copy of 
        which is attached as Exhibit B;*
---------------------------------------------------------------------------
    * Attachments referred to have been retained in committee files.
---------------------------------------------------------------------------
   Qualify individual employees to perform the assessments, 
        which requires annual training and testing of those employees, 
        and;
   Execute an agreement with the Council governing performance 
        of validation assessments.
    In turn, each individual QSA employee who will be performing and/or 
managing on-site PCI DSS assessments:
   Must attend annual PCI DSS training provided by the Council, 
        which includes training in Scoping a PCI DSS Assessment, PCI 
        DSS v1.2 Requirements, and Compensating Controls;
   Must pass all examinations conducted as part of training;
   Has access to face-to-face feedback sessions with the 
        Council every 6 months;
   Has access to the numerous fact sheets, information 
        supplements, frequently asked questions, and webinars that the 
        Council makes publicly available at its Web site at 
        www.pcisecuritystandards.org/education.
    Our management of QSAs does not end with training. In 2008, the 
Council launched a Quality Assurance program to promote consistency of 
both services and results provided by the security assessment 
community. This program specifies eight guiding principles QSAs must 
commit to and outlines a number of criteria QSAs must adhere to in 
order to provide a more uniform experience for merchants and other 
customers. The criteria include evaluating QSAs based on consistency of 
the opinions rendered, competency of the professionals, credibility of 
the organizations, and business ethics. To staff this program, the 
Council has also invested in a dedicated team responsible for assessor 
performance monitoring.
    Each assessor is required to use the template report associated 
with the PCI DSS (attached as Exhibit C*) as the framework for 
reporting validation to the standard. Each requirement contains one or 
more testing procedures that must be evaluated by the assessor and 
appropriately documented to demonstrate that the control has been 
tested by the QSA and is operating correctly. The quality assurance 
team reviews these reports to confirm that all testing procedures in 
the framework are completed and documented, indicating consistency of 
practice in the assessor community.
    The Council's quality assurance team evaluates trends among Report 
of Compliance documents in an effort to identify common inconsistencies 
and reports findings to the Council in order to consider and implement 
appropriate curative actions. Any such actions are communicated to the 
assessors via training, newsletters, and webinars. This information is 
also shared with the Council's Technical Working Group for future 
consideration and possible adjustment of the PCI DSS.
    Question 4. Mr. Jones of Michaels Stores stated that ``Many of the 
PCI requirements are covered by the Sarbanes-Oxley audits.'' Could you 
report to the committee on the redundancies between the Sarbanes-Oxley 
audits and the PCI Council's own requirements?
    Answer. The Sarbanes-Oxley Act of 2002 (``Sarbanes-Oxley'') applies 
exclusively to publicly traded companies in the United States, 
addresses a host of concerns and is not primarily concerned with data 
security. Sarbanes-Oxley instead focuses primarily on addressing 
accounting standards and practices. The provisions of Sarbanes-Oxley 
are not intended, nor would they be adequate, to enable the marketplace 
to achieve and maintain data security, particularly with respect to 
payment card data. The Council does not believe there is extensive 
overlap between Sarbanes-Oxley and PCI Standards.
    The PCI Standards are specifically designed to protect payment card 
data. They apply to both public and private companies of all sizes, 
both inside and outside the United States. Further, they are far more 
detailed and specific in the way they address data security issues: for 
example, the PCI DSS has over 225 requirements and 525 testing criteria 
specific to data security.
    Given the specific nature of the PCI DSS and the absence of similar 
specific controls in Sarbanes-Oxley, we are unclear about precisely 
what redundancies Mr. Jones is referring to.
    Question 5. You testified that the PCI council does not develop or 
use metrics to evaluate the effectiveness of the council's standards. 
How then does the council weigh proposals to the PCI standards if they 
cannot measure the costs and benefits of past and future additions to 
the standards?
    Answer. There are a number of readily available industry metrics 
that the Council uses to track the effectiveness of the standard. For 
example, the Nilson Report is a widely used industry publication with 
extensive metrics on payment card fraud and a wide range of other data 
security issues.
    Moreover, the payment card brands regularly receive and assess 
forensic information regarding the cause of payment card data breach 
incidents. This type of data provides critical information regarding 
where the PCI Standards may need to be strengthened or modified. This 
guidance is provided by the payment card brands as members of the 
Council's technical working group.
    Proposed changes to the PCI Standards are shared with our 
Participating Organizations, which represent over 500 companies, all of 
which have first-hand experience in implementing standards and 
protecting payment card data on a daily basis. A formal feedback 
process enables the Council to receive robust feedback from this group. 
This feedback ensures additions and changes to the PCI Standards are 
weighed by those with a front-line perspective on what measures are 
most beneficial to protect payment card data.
    One example of how this broad industry feedback has directly 
resulted in changes to the PCI Standard is in the case of wireless 
security. In 2007, forensic investigators indicated that insecure 
wireless implementations were at the core of a number of breaches. As a 
result of that, the Council started investigating wireless security 
with its stakeholder community--making it a key agenda item for 
discussion at our first Community Meeting. Feedback from that 
discussion led to changes in version 1.2 of the PCI DSS. Finally, in 
order to help organizations meet the new requirements, our stakeholders 
suggested creating a Wireless Special Interest Group--comprised of 
representatives from dozens of our Participating Organizations--to 
examine implementation issues. That group is expected to release an 
implementation guide on meeting the new wireless requirements in the 
coming weeks.
    It is broad participation such as this--coupled with the knowledge 
that the payment brands bring to the table--that gives us confidence in 
our ability to measure the cost and benefits of future additions to the 
standard.
    Question 6. You stated in your testimony that ``no standard is 
perfect. But the PCI security standards have proven to be the most 
effective means of preventing data breaches and protecting consumers.'' 
Given that the Council has not developed or applied any metrics to 
measure the effectiveness of the PCI standards or to compare their 
resulting security to other payment technologies, how have the PCI 
security standards proven to be effective at all?
    Answer. Necessarily, evidence demonstrating that a particular 
standard is effective in preventing a particular outcome must be 
inferential. However, it is noteworthy that with more than 10,000 
payment card transactions per second worldwide (Source: American 
Bankers Association, March 2009) and the usage of payment cards 
steadily increasing, payment card fraud rates are at historic lows. The 
Council believes that the PCI Standards have been an integral driver of 
this trend, and industry data supports that conclusion.
    Question 7. You stated that the council does not have a 
relationship with banks ``other than to put the standard out there and 
make sure that they are creating awareness among their constituents.'' 
Since it is the banks which, according to you, monitor compliance and 
the effectiveness of the standards, should not they be central to the 
drafting process?
    Answer. My statement pertained to lack of a direct contractual 
business relationship between the Council and the banks. It was not 
intended to suggest that banks are not intimately involved in data 
security standards. Any suggestion to the contrary was inadvertent.
    Banks are a pivotal part of our organization. Over 40 financial 
institutions worldwide--including such leading U.S. banks as Bank of 
America, Capitol One, and Wells Fargo--have joined the Council as 
Participating Organizations. These organizations receive draft copies 
of the PCI Standards for comment prior to publication and have the 
opportunity to contribute feedback during the drafting process. 
Financial institutions also comprise nearly one-quarter of the 
Council's elected Board of Advisors.
    Question 8. Merchants who have experienced data breaches also face 
significant class action lawsuits. What liability exists for the 
payment card industry and the assessors if a PCI-compliant company is 
breached?
    Answer. The PCI Standards do not assign liability to any party in 
the event there is a data breach. Any liability from a data breach 
would arise from agreements between participants in a network and/or 
applicable law.
    Consistent with its role as a standards development organization, 
as discussed above, the Council does not impose any liability 
allocation requirements between assessors and merchants, nor does it 
have knowledge of the contractual terms entered into between individual 
payment card brands (who are competitors of each other) and their 
industry partners. Consequently, the Council does not have special 
insight into how any liability for payment card breaches is allocated.
    Question 9. In response to the committee, JCB said that they expect 
the PCI standards will continue to ``become even more stringent in 
future iterations.'' Is this also your expectation? What changes will 
the next iteration likely have?
    Answer. At this point in our standards lifecycle process, we are 
not in a position to predict what specific changes will be included in 
the next major iteration of the PCI Standards--our open comment period 
for the most recent release starts in July. This comment period is a 
pivotal part of a rigorous, end-to-end review undertaken within a 2-
year lifecycle process that includes input and feedback periods for our 
Participating Organizations. Any changes introduced to meet new and 
evolving threats will be debated with all of our stakeholders before 
release.
    In order to address interim threats, as previously noted in my 
written testimony, the Council maintains on-going two-way 
communications with its assessors, merchants, and other stakeholders, 
and has the ability to issue errata to the PCI DSS, flash bulletins on 
emerging threats, monthly newsletters to the Assessor community, 
regular updates to the ASV test scanning environment, monthly webinars 
with both assessors and merchants, and updates to the Council's on-line 
searchable FAQ and training materials.
    Question 10. Currently, requirements of notification of breaches 
vary from State to State. Given that the Department of Justice stressed 
the importance of notification, both of law enforcement and consumers, 
has or will the Council consider mandating notification as part of its 
standards? How would or could that be enforced?
    Answer. As a standards body, the Council has no direct contractual 
power that would enable it to mandate or enforce such notification by 
retailers or processors when they suffer a breach. Although we do not 
have the power to require notification, each of our members feels 
strongly that notification of law enforcement and affected consumers is 
an important component in a security breach response plan.
    In fact, PCI DSS Requirement 12.9.1(b), which addresses Incident 
Response, requires entities to have a communication and contact 
strategy in the event of data compromise as well as an analysis of 
legal requirements for reporting compromises.
    Question 11. You stated in your testimony that ``in fact, we have 
never found a breached entity to have been in full compliance with the 
PCI standards at the time of a breach.'' Can you please explain the 
discrepancy between that statement and the statement of Ellen Richey, 
Chief Enterprise Risk Officer at Visa, Inc., that Heartland had 
validated PCI compliance ``but it was a lack of ongoing compliance and 
ongoing vigilance in maintaining security that left them vulnerable to 
attack''. Can you please explain exactly how Heartland was not in full 
compliance with the PCI standards?
    Answer. These two statements are consistent. As noted in my written 
testimony, validation of compliance with the PCI DSS only represents a 
snapshot in time that coincides with information shared with and 
interpreted by a QSA during the assessment period. No entity that has 
custody of customer data can afford to gear up for an assessment, and 
then relax its vigilance thereafter. While assessment is a useful tool 
to uncover vulnerabilities, stakeholders across the payment chain must 
realize that data security, and not passing assessments, is the goal of 
an effective compliance program. The 2009 Data Breach Investigations 
Report from Verizon Business (attached as Exhibit D*) found that 
effective tracking and monitoring of network access was not in place at 
95% of breached entities at the time of compromise. This provides a 
good example, because the tracking and monitoring requirement is a 
security practice that requires on-going compliance to be effective. 
Its value is severely limited if it is in place only during validation 
of compliance to the PCI DSS.
---------------------------------------------------------------------------
    * Attachments referred to have been retained in committee files.
---------------------------------------------------------------------------
    Unfortunately, the dynamic nature of any organization's complex 
information technology systems and network environments, as well as 
turnover of human resources, can require the taking of a wide variety 
of actions that, absent appropriate steps to restore system integrity 
can render a validated system noncompliant quickly after a satisfactory 
compliance report has been issued. To use an analogy, effective 
compliance should be viewed as equivalent to a full-length feature film 
where an organization must be ``compliant'' at each and every frame of 
that film. In contrast, validation of compliance is determined by a QSA 
only in a single, specific frame of that film.
    Question 12. Mr. Majka of Visa stated in his testimony that 
``security must be a shared responsibility among all relative parties--
law enforcement, payment companies, regulatory agencies, retailers and 
others.'' How is the financial risk and liability shared between these 
parties?
    Answer. The Council is not involved in the allocation of risk 
within a particular network. This question is better directed to 
participants in the respective networks, including the networks 
themselves.
    Question 13. Mr. Majka of Visa stated that ``we must collectively 
apply multiple layers of security to protect the system. That includes 
measures applied at the card level such as card verification values.'' 
It is the committee's understanding that not all issuing banks are 
required to support CVVs and not all transactions are required to 
include CVVs. Can you explain how the Council develops and enforces 
standards for the card brands and issuing and acquiring banks?
    Answer. It is important to recall, as noted above, that the Council 
manages and develops--but does not enforce--the PCI Standards, nor does 
it enforce operational regulations imposed by the payment brands. 
Instead, it makes standards available to the market as tools to be used 
in order to protect the payment card data of any entity that stores, 
transmits, or processes payment card data. Members of the payment chain 
then individually decide which industry partners must comply with the 
PCI Standards, define required compliance validation mechanisms, and 
manage any enforcement programs that may exist.
    Requirements that exist between individual card brands and their 
issuing and acquiring banks are not within the Council's purview.
    Question 14. According to Mr. Jones' testimony, PCI states that all 
credit card data must be encrypted, with the exception that it need not 
if the data travels over a private network. Nonetheless, Mr. Jones says 
in spite of that his company does not send this information over their 
own private network unencrypted. Surprisingly, he notes, ``The credit 
card companies' financial institutions, the very organizations that 
have created and are mandating this rigorous and highly complex 
standard, do not accept encrypted transactions. We must decrypt the 
credit card number at our corporate headquarters prior to sending to 
the merchant bank for approval!'' And Mr. Jones' company has to re-
encrypt this data when it is sent back to its stores. As a result of 
his company's strong objection to this policy, it has asked for the 
past 3 years for the ability to send encrypted information to the banks 
but nothing has happened. One reason given is that it is too expensive 
to implement. Mr. Jones has been told if the retailers ``are willing to 
pay the costs (i.e., the credit card banks' cost) to implement it, we 
will consider it.''
    How important is the cost to the credit card banks in your 
analysis?
    Answer. Cost to all stakeholders, including merchants is one of 
many factors that are taken into account in considering changes to the 
PCI Standards. Effective data security must be affordable to the 
millions of participants in the payment chain that must invest in it or 
they cannot be expected to act quickly and effectively enough to meet 
on-going threats. Any effective security stance must therefore 
realistically take cost into account. For example, our Participating 
Organizations, and particularly our merchant Participating 
Organizations, have told us that internal encryption would be 
extremely--even prohibitively--expensive, and have urged us to pursue 
more affordable, alternative ways to make further security advances in 
this area.
    Question 15. Can you explain your process for evaluating Mr. Jones' 
3-year effort to be able to encrypt information to the banks? Also, who 
has opposed this suggestion?
    Answer. Until our introduction at the hearing, Michaels Stores, 
Inc. (``Michaels'') had not presented its opinions regarding this issue 
to the Council. Moreover, Michaels is not a Participating Organization 
and so to date has not attended any of our community meetings or 
feedback sessions in the almost 3 years since the Council's inception. 
The Council had therefore not had any prior opportunity to evaluate the 
Michaels suggestion, nor is it aware of who may or may not be 
supportive of this suggestion. The Council would welcome Michaels as a 
Participating Organization so that its views could be heard and debated 
among our stakeholder community.
    Question 16. A large part of the data theft problem is the amount 
of valuable data stored in the system. What requirements exist for 
merchants to store credit card data in their systems? Please explain 
how the chargeback/retrieval process affects what kinds of data can or 
should be stored on a merchant's system.
    Answer. The Council is not involved in the assessment of the 
chargeback and retrieval process. Those processes are dictated by 
participants in the payment network and those participants are 
therefore in a better position to respond to the question, and speak to 
the necessity of various kinds of data in connection with the 
chargeback/retrieval process.
    To more broadly answer the question of what data merchants are 
required or permitted to retain, the fundamental premise of PCI DSS is 
``if you don't need it, don't store it.'' That is why requirement 3.1 
of the PCI Data Security Standard stipulates that organizations should 
only retain data that is required for business, legal and/or regulatory 
purposes. In other words, the PCI DSS does not itself mandate that 
merchants retain any specific kind of data. To the extent card data 
must be stored for legitimate purpose, it must be stored in a secure 
manner.
    Question 17. Why do card brands require merchants to retain 
cardholder data for the purpose of chargebacks? Since this is such 
vulnerability for merchants and cardholders, why not mandate that no 
cardholder data be retained and provide transaction IDs for the purpose 
of chargebacks?
    Answer. As noted above, the Council is not involved in the 
chargeback process.
    Question 18. Why does the PCI Council not mandate PINs for credit 
card transactions?
    Answer. What data is presented in a transaction is part of the 
authorization format used by the payment systems. Since the Council is 
a security standards body, we are focused on providing standards to 
secure payment data within the current payment system. The Council has 
nothing to do with authorization format requirements or the 
authentication of a transaction at the point of sale. The Council does 
not run a payment network, nor do we have influence over vendors' 
product platforms.
    If the system evolves to mandate PINs for all transactions, the 
Council will then address the issue of how to best provide the market 
with any necessary standards to secure this process. For example, the 
Council already maintains a comprehensive standard for PIN Entry 
Devices. This standard lists requirements that address physical and 
logical requirements for devices that process PIN transactions and 
would likely be an integral part of securing PINs if they were to be 
used more broadly in authentication.
    Question 19. The basic design and security model of credit cards 
has not changed since the 1950s. What major investments would be 
required for a large scale migration to a different payment technology? 
Who would make those investments? For example, if we were move to a 
chip and PIN system?
    Answer. The design and security model of payment cards has changed 
extensively since the 1950s. Advances have included advanced hologram 
technologies, on-line authorizations, Card Verification Codes, 3-D 
Secure, address verification, real-time heuristic fraud detection 
solutions, on-line PIN and off-line chip & PIN. This is just a sample.
    However, any migration decisions are driven by the underlying value 
proposition, which may differ from market to market and vary by payment 
brand. The Council in its role as a standards body does not have 
insight into these elements.
    Question 20. Your responses to the committee concerning adopting 
technological changes to the PCI standards, such as the end-to-end 
encryption embraced by other witnesses, seems to be: (1) We have 
addressed this issue [``there are provisions within the standard now 
that address this data, address the inside network that should, in 
fact, . . . stop this from happening . . . '']; or (2) it's unnecessary 
to address this issue [``so the need for end-to-end encryption within 
the internal network is really not there.'']; or (3) we are considering 
addressing this issue [``we have issued a proposal to a number of 
technology companies to give us an independent study on what we are 
calling emerging technologies, one of which is end-to-end 
encryption.'']. Given the skepticism toward Visa and the PCI Security 
Standards Council expressed by the other members of the panel, can you 
point to specific actions you are taking that will reassure this 
committee that you are approaching the adoption of end-to-end 
encryption and other security-enhancing solutions with the degree of 
urgency and level of seriousness warranted by the current threat?
    Answer. The introduction of any new technology--whether it is end-
to-end encryption or other security enhancing solutions such as 
virtualization and tokenization--is a matter of utmost importance to 
the Council and is treated as a high priority. We are constantly 
evaluating the potential uses of new technologies to improve the 
security of payment card data. As noted in your question, we have 
issued a proposal to a number of technology companies to research and 
submit to us an independent study of emerging technologies, one of 
which is end-to-end encryption. As discussed further in the response to 
Question 21 below, we expect to commission that study in the coming 
weeks. The issuing of this technology study demonstrates the Council's 
commitment to examining the relevance on an on-going basis of 
technologies such as encryption to the PCI Standards.
    It is important to note, however, that the message from our 
stakeholders regarding end-to-end encryption has been mixed. During the 
last feedback period in 2007, we received input from more than 350 
organizations. It is noteworthy that not a single organization 
requested that end-to-end encryption be mandated or even examined. Our 
Board of Advisors has similarly not requested an examination of end-to-
end encryption.
    Question 21. What technology companies are providing these 
``independent'' studies of emerging technologies? Mr. Jones testified 
that end-to-end encryption is not an ``emerging'' technology. If that 
is correct, what do these companies need to study with regard to end-
to-end encryption?
    Answer. The Council conducted an RFP process for selecting a vendor 
to assist in the technology study. We are currently in the negotiation 
process with the finalist--one of the major public accounting firms. 
Our RFP asked vendors to examine the impact that emerging 
technologies--including end-to-end encryption as well as technologies 
such as virtualization and tokenization--might have on the PCI 
Standards, and how broad adoption of these technologies might serve to 
simplify the process of securing payment card data.
    To Mr. Jones' point, while encryption itself is not a new 
technology, no standard currently exists on how to apply end-to-end 
encryption in a comprehensive data security framework.
    Question 22. Visa asserts that consumers bear zero legal liability 
for fraudulent use of credit cards. How is this policy financed?
    Answer. Council members understandably avoid discussing any matters 
that might in any way relate to the pricing and financing models of the 
individual payment brands, and the Council accordingly does not address 
such areas. This question is best directed to Visa, but we do note, 
that U.S. Pub. Law 93-495 (commonly referred to as ``Reg E'') protects 
a consumer against fraud in excess of $50.
    Again, I appreciate the opportunity to assist the committee in this 
matter, and support its goal of reducing the number and impact of data 
security breaches. The Council remains available to provide the 
committee with information to more fully understand and address 
cybersecurity concerns as they relate to the PCI DSS and other payment 
chain-related standards for which the Council has responsibility.
 Questions From Chairwoman Yvette D. Clarke of New York for W. Joseph 
  Majka, Head of Fraud Control and Investigations, Global Enterprise 
                            Risk, Visa, Inc.
    Question 1. The PCI requirements are directed solely at merchants 
and retailers. Why shouldn't there be a prescriptive security mandate 
for Visa or other payment card brands to secure your own networks?
    Answer. The PCI Data Security Standard (PCI DSS) applies to all 
entities that store, process, or transmit payment cardholder data, 
including financial institutions, processors, third party service 
providers, and merchants. Visa, Inc. has validated and maintained on-
going PCI DSS compliance on an annual basis using an independent 
qualified security assessor (QSA) since the creation of the PCI DSS in 
2006. In addition, Visa, Inc. adheres to more rigorous security 
measures to protect the overall Visa payment system. Visa is subject to 
oversight by U.S. regulatory bodies under the auspices of the Federal 
Financial Institution Examination Council (FFIEC) and undergoes regular 
reviews by the FFIEC.
    Question 2. Given the central role the card brands play in the 
American economy, what responsibilities do you believe they have to 
consumers and to the Nation?
    Answer. Securing consumer data within the U.S. economy is a shared 
responsibility, and every industry should deploy focused resources to 
protect consumer information within its care. In this regard, the 
payment card industry has done more than any other to provide 
stakeholders with the tools and guidance needed to properly secure the 
data they are trusted to protect. Visa has led the industry in 
protecting cardholder data and stands ready to continue to support 
industry participants in our collective fight against the criminals 
that perpetrate card fraud. Thanks to massive investments and 
innovative solutions, compromise events rarely result in actual fraud 
and fraud rates in the payments industry remain near all-time lows.
    Question 3. Is a breached company (whether compliant with the PCI 
Standards or not) subject to increases in interchange rates?
    Answer. Visa does not increase or modify the interchange rate 
structure that applies to an entity that is breached. In fact, since 
October 1, 2007, to encourage and provide incentives for stronger 
protection against data breaches, acquiring financial institutions have 
been able to qualify transactions for lower interchange rates under the 
``tiered'' interchange rate system by, among other best practices and 
volume requirements, ensuring that their merchant customers comply with 
the PCI DSS. Acquirers of merchants that have been compromised and are 
found not to have been in compliance with the PCI DSS may therefore 
lose the benefit of these incentive-based ``tiered'' interchange rates, 
until they demonstrate that they have come into compliance.
    Question 4. In responses to the committee's investigation, you 
stated that ``while there have been a few instances where an entity 
with previously validated PCI DSS compliance was the victim of a 
compromise, in all compromise cases our review concluded that gaps in 
the compromised entity's PCI DSS controls were major contributors to 
the breach.'' What gaps are normally found in a victim's security 
controls after they have been certified PCI compliant, but later found 
to be out of compliance?
    Answer. In all compromised cases within Visa's purview, third-party 
investigations concluded that gaps in the compromised entity's PCI DSS 
controls were major contributors to the breach. Gaps commonly include 
failures to secure and monitor non-payment-related systems that are 
connected to the payment environment, which are then targeted to gain 
access to the network. Corporate Web sites are an example of non-
payment-related systems commonly targeted by criminals through 
Structured Query Language (SQL) injection attacks. Another common gap 
is insufficient monitoring of logs for firewalls, anti-virus, intrusion 
detection systems, as well as monitoring of privileged user accounts. 
The PCI DSS requires that not only should there be mechanisms in place 
to monitor for intrusions, but also that the organization regularly 
monitors the logs generated to identify and investigate anomalous 
activity.
    Visa works with its acquiring financial institutions, through its 
compliance programs to ensure merchants and their service providers 
achieve and maintain PCI DSS compliance. It is the responsibility of 
the acquiring financial institution, which deals directly with their 
merchants and their service providers, to ensure these entities 
continue to eliminate unnecessary risk to the overall payment system. 
To determine overall success of these measures, Visa actively requests 
frequent reporting from its acquiring financial institutions on the 
status of the PCI DSS compliance of their merchants and service 
providers. In support of these compliance programs, Visa has actively 
communicated, since 2006, common vulnerabilities and corresponding 
mitigation measures that merchants and service providers mistakenly 
leave susceptible to attack on their systems. In addition, Visa 
provides other data security alerts, bulletins and webinars to payment 
system participants, all publicly available at www.visa.com/cisp.
    Validating PCI DSS is a major milestone, but achieving and 
maintaining compliance requires companies to make an on-going 
commitment to keeping all consumers' data safe, including cardholder 
data--24 hours a day, 7 days a week, 365 days a year. For any standard 
to be effective, however, organizations must rigorously ensure that 
they comply with each of its requirements on an on-going basis. Verizon 
Business' 2009 Data Breach Investigations Report affirms similar 
findings, ``The majority of breaches still occur because basic controls 
were not in place or because those that were present were not 
consistently implemented across the organization.'' Further, the report 
specifically attributes non-compliance to PCI DSS requirements as major 
factors contributing to breaches. Verizon cites PCI DSS Requirements 3 
(protect stored cardholder data), 6 (develop and maintain secure 
systems and applications), and 10 (track and monitor access to network 
resources and cardholder data) as the least compliant across their 
caseload, saying, ``This trio of deficiencies factored heavily into 
many of the largest breaches investigated by our team over the past 
five years.''
    Question 5. Mr. Russo of the PCI Council stated in his testimony 
that ``in fact, we have never found a breached entity to have been in 
full compliance with the PCI standards at the time of a breach.'' Can 
you please explain the discrepancy between that statement and the 
statement of Ellen Richey, Chief Enterprise Risk Officer at Visa, that 
Heartland had validated PCI compliance ``but it was a lack of on-going 
compliance and on-going vigilance in maintaining security that left 
them vulnerable to attack''. Can you please explain exactly how 
Heartland was not in full compliance with the PCI standards?
    Answer. In all compromise cases within Visa's purview and as stated 
by Mr. Russo, despite any validation that may have been completed by a 
QSA, the breached entity was not found to have been in full compliance 
at the time of the breach. Based on compromise event findings, Visa 
removed Heartland from its list of PCI DSS compliant service providers. 
Information related to Heartland's PCI DSS compliance status was 
provided to Visa under the obligations of a confidentiality agreement. 
As such, Visa suggests contacting Heartland directly for specifics.
    Question 6. You stated in your testimony that Visa looks forward to 
``working with all participants to continue to develop tools to 
minimize the risk and the impact of data-compromise events.'' Does Visa 
understand the committee's concern about a fraud prevention strategy 
that minimizes fraudulent charges only to the extent that card brands 
and issuing banks remain solvent when fraudulent charges finance 
criminal activities?
    Answer. Visa's goal is to prevent both card data compromises and 
the subsequent potential for fraudulent transactions. Visa has been 
executing a multi-layered security strategy working with all payment 
system participants to prevent data compromises around the world as 
well as the fraud that may result there from. Visa invests substantial 
resources and leads innovation in the industry with measures to stay 
ahead of criminals and prevent them from obtaining financing through 
the payment system. This includes, for card-based solutions (e.g., EMV-
chip, contactless), data-based measures (e.g., PCI DSS), and network-
based technologies (e.g., Advanced Authorization, neural networks, 
Address Verification Service). In addition, participants in the Visa 
system should strictly adhere to the EFT Act and Reg. E, the Truth in 
Lending Act and Reg. Z, as well as numerous other Federal regulations 
that protect consumers from the consequences of data breaches and 
fraud. Additionally, Visa is currently working to empower cardholders 
to play a more active role in protecting their information through 
innovations such as transaction alerts. Armed with this kind of 
information, cardholders can help monitor usage on their accounts and 
identify potential fraud. All of these measures are designed to prevent 
criminals from obtaining card data, and to prevent them from using it 
to commit fraud.
    Question 7. Merchants who have experienced data breaches also face 
significant class action lawsuits. What liability exists for the 
payment card industry and the assessors if a PCI-compliant company is 
breached?
    Answer. Parties that experience data breaches may be subject to the 
liabilities determined through the court system. Visa is aware of a 
number of class action lawsuits related to major data breaches in the 
United States. However, Visa cannot speculate about facts and outcomes 
in potential or pending class action lawsuits. To our knowledge, no 
organization that has fully implemented and maintained compliance with 
the PCI DSS has been the victim of a data compromise event. These 
breaches damage consumer trust in the overall electronic payment 
system, including Visa and its brand.
    Question 8. In response to the committee, JCB said that they expect 
the PCI standards will continue to ``become even more stringent in 
future iterations of the PCI standards.'' Is this also your 
expectation? What changes will the next iteration likely have?
    Answer. The PCI SSC is charged with reviewing and updating the PCI 
DSS to ensure that it remains effective to protect card data, by 
incorporating input from stakeholders as well as technological 
developments in the evolution of the standard over time. Since its 
creation, the PCI DSS has been formally updated three times, with 
considerable input from over 500 participating organizations, including 
merchants, banks, and service providers from around the world, in order 
to meet the evolving threats to the system, changing technologies and 
the increased sophistication of hackers. The updates introduced in 
version 1.1 and 1.2 of the PCI DSS have been relatively minor changes, 
most of which served as clarifications to help entities better 
understand the intent of a requirement. We expect the standard will 
continue to evolve to address new threats as they materialize and add 
further specificity where participating organizations, including many 
global merchants, provide feedback.
    Question 9. Currently, requirements of notification of breaches 
vary from State to State. Given that the Department of Justice stressed 
the importance of notification, both of law enforcement and consumers, 
has or will the Council consider mandating notification as part of its 
standards? How would or could that be enforced?
    Answer. PCI DSS Requirement 12.9.1 addresses incident response and 
requires entities to have a communication and contact strategy in the 
event of data compromise. Additionally, in the event of a compromise 
Visa advises entities to follow all State and Federal disclosure 
requirements. Visa also works closely with the Federal Bureau of 
Investigation's Cyber Division, United States Secret Service, United 
States Postal Inspection Service, State attorneys general and the 
Department of Justice Cybercrime and Intellectual Properties Unit in 
criminal cases of data compromises.
    Question 10. You stated that ``security must be a shared 
responsibility among all relative parties--law enforcement, payment 
companies, regulatory agencies, retailers and others.'' How is the 
financial risk and liability shared between these parties?
    Answer. Financial institutions have the direct responsibility and 
relationship with cardholders, and because of Federal law and Visa's 
zero liability policy for cardholders, bear most of the financial loss 
if fraud occurs. Visa's Account Data Compromise Recovery program allows 
issuing financial institutions to receive reimbursement for counterfeit 
fraud losses and a portion of their operating expenses incurred as a 
result of data compromise events from the financial institution 
responsible for the compromised entity in the Visa system.
    Question 11. Mr. Jones of Michaels Stores stated in his testimony 
that ``credit card companies' financial institutions do not accept 
encrypted transaction.'' The committee is concerned that the PCI 
Council is not applying the same standards to its members that it 
applies to merchants and processors. Is Visa planning to move forward 
with securing the communications channel between merchants and 
financial institutions?
    Answer. Visa accepts encrypted data transmissions from its 
processing endpoints and many processors also accept encrypted data 
transmissions for merchant transaction submissions. Visa is also 
mandating use of stronger encryption for protection of PINs at every 
point of sale globally, specifying use of Triple Data Encryption 
Standard (TDES) for PIN accepting entities. While the PCI DSS requires 
encryption over public networks including the internet, it does not 
require the use of encryption over private networks, such as a 
merchant's internal network or a private connection between a merchant 
and processor. Encrypting cardholder data in-transit over private 
networks is encouraged. It should be noted, however, that while 
encryption can add an additional layer of security, the data is still 
at risk if transactions must be decrypted at any point within the 
private network--for example, for transaction processing--and must 
still be properly protected. As such, many organizations have 
determined that the costs and number of system and software 
modifications needed outweigh any incremental security benefit. The 
requirements outlined currently in the PCI DSS, when implemented 
properly, should effectively prevent a criminal from obtaining access 
to a business' private network and detect any unauthorized access.
    Question 12. The basic design and security model of credit cards 
has not changed since the 1950s. What major investments would be 
required for a large-scale migration to a different payment technology? 
Who would make those investments? For example, if we were move to a 
chip and PIN system?
    Answer. In the 50 years since the beginning of the card industry, 
Visa has evolved from credit card roots to become one of the world's 
leading global retail electronic payments networks. Today, the Visa 
network connects cardholders, merchants, and financial institutions 
around the world with products and services that are designed to make 
payments faster, more convenient, more reliable, and more secure. At 
the heart of Visa's business is VisaNet, our centralized processing 
platform and one of the world's largest transaction and information 
processing networks. Nearly 92 billion authorization, clearing, and 
settlement transactions were processed through VisaNet in calendar year 
2008. On this platform, Visa has been able to build capabilities that 
provide secure, reliable, and scalable processing, including 
innovations such as Advanced Authorization to risk-score transactions 
in real time. Other examples of technological improvements include the 
introduction of magnetic stripe technology, CVV2 (three-digit code on 
the back of a Visa card), address verification service and contactless 
cards with dynamic data technology. There have also been anti-
counterfeit measures such as holograms, ultra-violet marks, and micro 
text, to name a few. Fraud rates today are at historic lows, much lower 
than they were decades ago when we did not fully benefit from the power 
of the Visa network to be able to analyze and authorize transactions in 
real time.
    Visa supports chip technologies around the world, including in the 
United States where we are beginning to see adoption in mobile and 
contactless payments. Chip technology--both contact and contactless--
can add an important security layer, introducing dynamic data into 
transactions which can reduce the incidence of fraud. However, we 
recognize that there are different needs, threats, and infrastructures 
in different parts of the world, and there is no one-size-fits-all chip 
solution. In some other countries around the world, the market has 
driven the adoption of chip technology based on these factors. To the 
extent chip adoption can meet the needs of the payments industry in the 
United States, Visa is ready to support migration as it has in other 
markets. Where chip technology has been implemented broadly in a 
market, it should be noted that migration takes time. The costs have 
been shared by all parties--payment networks, financial institutions, 
and merchants. Generally, the card brands make investments in the 
network upgrades and consistent standards and financial institutions 
and merchants typically bear the increased cost of card technology and 
the upgraded payment terminals.
    Question 13. A large part of the data theft problem is the amount 
of valuable data stored in the system. What requirements exist for 
merchants to store credit card data in their systems? Please explain 
how the chargeback/retrieval process affects what kinds of data can or 
should be stored on a merchant's system.
    Answer. Visa does not require merchants to store complete card 
numbers. To the contrary, Visa encourages merchants to limit retention 
to truncated account numbers and has executed a ``drop the data'' 
educational campaign in partnership with the U.S. Chamber of Commerce 
over the past 3 years to encourage merchants to reduce data storage 
(www.dropthedata.com). A merchant may work with their acquiring 
financial institution to implement the necessary chargeback processes 
that do not rely upon the merchant's storage of the account number. For 
example, a signed point-of-sale terminal receipt with a truncated 
account number and the accompanying authorization log is valid 
fulfillment and will remedy a fraud chargeback. As such, a merchant may 
mitigate their risk by storing only truncated account numbers. In many 
cases, merchants decide to store cardholder data for marketing, loyalty 
programs, or customer service purposes. In those instances, Visa 
requires that stored data is protected in accordance with the PCI DSS.
    Question 14. In responses to the committee, Discover stated that it 
is currently making changes to processes to provide merchants with the 
option of receiving masked data for disputes (like retrievals and 
chargebacks) as well as settlement reports. Is Visa doing something 
similar? Would this cut back on the amount of data stored that could be 
subject to breach?
    Answer. Visa does not require merchants to store complete card 
numbers. Visa continues to work with those financial institution 
clients that may be requesting card numbers for dispute resolution to 
eliminate this practice and adopt the use of truncated account numbers. 
While Visa strives to eliminate any practices that may lead to the 
storage of cardholder data, there are likely many other reasons 
merchants have made a business decision to store this data, including 
processing returns and loyalty programs. In addition to our efforts to 
limit retention of complete account numbers, Visa has made considerable 
strides toward eliminating the storage by merchants and processors of 
authorization data, which criminals covet to perpetrate fraud. This 
``prohibited'' data includes full magnetic stripe data, the CVV2 or 
``Card Verification Value 2'' and PIN.
    Question 15. Visa asserts that consumers bear zero legal liability 
for fraudulent use of credit cards. How is this policy financed?
    Answer. Visa card-issuing financial institutions are responsible 
for complying with Federal law and honoring Visa's zero liability 
policy for cardholders and, as a result, bear most of the financial 
loss if fraud occurs.
    In closing, Visa is acutely focused on ensuring that payment 
products are not used to perpetrate criminal activity and has taken a 
leading role in promoting cardholder information security and 
innovation within the payments industry. I appreciate the opportunity 
to assist the committee in this matter.
  Questions From Chairwoman Yvette D. Clarke of New York for Michael 
 Jones, Senior Vice President and Chief Information Officer, Michaels 
                              Stores, Inc.
    Question 1. How much does it cost you to comply with the PCI 
standards, and are they effective in keeping out intruders?
    Answer. Response was not received at the time of publication.
    Question 2. Are retailers bearing a disproportionate burden of 
costs in data security?
    Answer. Response was not received at the time of publication.
    Question 3. Do you agree that the effectiveness of data security 
standards is inherently limited by the technology base of U.S. credit 
and signature debit card processing networks? How could this technology 
base be improved, and what obstacles exist that would prevent this from 
happening?
    Answer. Response was not received at the time of publication.
    Question 4. Have you ever notified the Council of assessors trying 
to sell their own products or services?
    Answer. Response was not received at the time of publication.
    Question 5. The basic design and security model of credit cards has 
not changed since the 1950s. What major investments would be required 
for a large-scale migration to a different payment technology? Who 
would make those investments? For example, if we were move to a chip 
and PIN system?
    Answer. Response was not received at the time of publication.
    Question 6. A large part of the data theft problem is the amount of 
valuable data stored in the system. What requirements exist for 
merchants to store credit card data in their systems? Please explain 
how the chargeback/retrieval process affects what kinds of data can or 
should be stored on a merchant's system.
    Answer. Response was not received at the time of publication.
    Question 7. Visa asserts that consumers bear zero legal liability 
for fraudulent use of credit cards. How is this policy financed?
    Answer. Response was not received at the time of publication.
Questions From Chairwoman Yvette D. Clarke of New York for David Hogan, 
    Senior Vice President, Retail Operations, and Chief Information 
                  Officer, National Retail Federation
    Question 1. Are retailers bearing a disproportionate burden of 
costs in data security?
    Answer. Response was not received at the time of publication.
    Question 2. Do you agree that the effectiveness of data security 
standards is inherently limited by the technology base of U.S. credit 
and signature debit card processing networks? How could this technology 
base be improved, and what obstacles exist that would prevent this from 
happening?
    Answer. Response was not received at the time of publication.
    Question 3. Have you ever notified the Council of assessors trying 
to sell their own products or services?
    Answer. Response was not received at the time of publication.
    Question 4. The basic design and security model of credit cards has 
not changed since the 1950s. What major investments would be required 
for a large-scale migration to a different payment technology? Who 
would make those investments? For example, if we were move to a chip 
and PIN system?
    Answer. Response was not received at the time of publication.
    Question 5. A large part of the data theft problem is the amount of 
valuable data stored in the system. What requirements exist for 
merchants to store credit card data in their systems? Please explain 
how the chargeback/retrieval process affects what kinds of data can or 
should be stored on a merchant's system.
    Answer. Response was not received at the time of publication.
    Question 6. Visa asserts that consumers bear zero legal liability 
for fraudulent use of credit cards. How is this policy financed?
    Answer. Response was not received at the time of publication.