[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                    PROTECTING CONSUMERS: FINANCIAL
                      DATA SECURITY IN THE AGE OF
                            COMPUTER HACKERS

=======================================================================

                                HEARING

                               BEFORE THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 14, 2015

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 114-23

                 
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]               



_______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, gpo@custhelp.com.  
                
                 
                 
                 
                
                 
                 
                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
SCOTT GARRETT, New Jersey            GREGORY W. MEEKS, New York
RANDY NEUGEBAUER, Texas              MICHAEL E. CAPUANO, Massachusetts
STEVAN PEARCE, New Mexico            RUBEN HINOJOSA, Texas
BILL POSEY, Florida                  WM. LACY CLAY, Missouri
MICHAEL G. FITZPATRICK,              STEPHEN F. LYNCH, Massachusetts
    Pennsylvania                     DAVID SCOTT, Georgia
LYNN A. WESTMORELAND, Georgia        AL GREEN, Texas
BLAINE LUETKEMEYER, Missouri         EMANUEL CLEAVER, Missouri
BILL HUIZENGA, Michigan              GWEN MOORE, Wisconsin
SEAN P. DUFFY, Wisconsin             KEITH ELLISON, Minnesota
ROBERT HURT, Virginia                ED PERLMUTTER, Colorado
STEVE STIVERS, Ohio                  JAMES A. HIMES, Connecticut
STEPHEN LEE FINCHER, Tennessee       JOHN C. CARNEY, Jr., Delaware
MARLIN A. STUTZMAN, Indiana          TERRI A. SEWELL, Alabama
MICK MULVANEY, South Carolina        BILL FOSTER, Illinois
RANDY HULTGREN, Illinois             DANIEL T. KILDEE, Michigan
DENNIS A. ROSS, Florida              PATRICK MURPHY, Florida
ROBERT PITTENGER, North Carolina     JOHN K. DELANEY, Maryland
ANN WAGNER, Missouri                 KYRSTEN SINEMA, Arizona
ANDY BARR, Kentucky                  JOYCE BEATTY, Ohio
KEITH J. ROTHFUS, Pennsylvania       DENNY HECK, Washington
LUKE MESSER, Indiana                 JUAN VARGAS, California
DAVID SCHWEIKERT, Arizona
FRANK GUINTA, New Hampshire
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas

                     Shannon McGahn, Staff Director
                    James H. Clinger, Chief Counsel
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    May 14, 2015.................................................     1
Appendix:
    May 14, 2015.................................................    63

                               WITNESSES
                         Thursday, May 14, 2015

Dodge, Brian A., Executive Vice President, Communications and 
  Strategic Initiatives, the Retail Industry Leaders Association 
  (RILA).........................................................     8
Moy, Laura, Senior Policy Counsel, New America's Open Technology 
  Institute......................................................    13
Orfei, Stephen W., General Manager, PCI Security Standards 
  Council........................................................    11
Oxman, Jason, Chief Executive Officer, the Electronic 
  Transactions Association (ETA).................................     9
Pawlenty, Hon. Tim, President and Chief Executive Officer, the 
  Financial Services Roundtable..................................     6

                                APPENDIX

Prepared statements:
    Hinojosa, Hon. Ruben.........................................    64
    Dodge, Brian A...............................................    67
    Moy, Laura W.................................................    74
    Orfei, Stephen W.............................................    90
    Oxman, Jason.................................................    96
    Pawlenty, Hon. Tim...........................................   110

              Additional Material Submitted for the Record

Hensarling, Hon. Jeb:
    Written statement of the American Council of Life Insurers...   120
    Written statement of the National Association of Federal 
      Credit Unions..............................................   121
    Written statement of the National Association of Insurance 
      Commissioners..............................................   123
Capuano, Hon. Michael:
    Written statement of the Office of the Attorney General of 
      the Commonwealth of Massachusetts..........................   132
Fincher, Hon. Stephen:
    Comments for the record submitted by the Secure ID Coalition.   138
Foster, Hon. Bill:
    Written responses to questions for the record submitted to 
      Jason Oxman................................................   141
    Written responses to questions for the record submitted to 
      Hon. Tim Pawlenty..........................................   142
Luetkemeyer, Hon. Blaine:
    Written statement of the Credit Union National Association...   144
Stivers, Hon. Steve:
    Written statement of the National Retail Federation..........   149

 
                    PROTECTING CONSUMERS: FINANCIAL
                      DATA SECURITY IN THE AGE OF
                            COMPUTER HACKERS

                              ----------                              


                         Thursday, May 14, 2015

             U.S. House of Representatives,
                   Committee on Financial Services,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 10:01 a.m., in 
room 2128, Rayburn House Office Building, Hon. Jeb Hensarling 
[chairman of the committee] presiding.
    Members present: Representatives Hensarling, Royce, Lucas, 
Garrett, Neugebauer, Pearce, Posey, Fitzpatrick, Westmoreland, 
Luetkemeyer, Huizenga, Duffy, Hurt, Stivers, Fincher, Stutzman, 
Mulvaney, Hultgren, Ross, Pittenger, Barr, Rothfus, Messer, 
Schweikert, Guinta, Tipton, Williams, Poliquin, Love, Hill; 
Waters, Maloney, Sherman, Meeks, Capuano, Hinojosa, Clay, 
Lynch, Scott, Green, Cleaver, Moore, Ellison, Perlmutter, 
Himes, Carney, Sewell, Kildee, Murphy, Delaney, Beatty, and 
Vargas.
    Chairman Hensarling. The Financial Services Committee will 
come to order.
    Without objection, the Chair is authorized to declare a 
recess of the committee at any time.
    Today's hearing is entitled, ``Protecting Consumers: 
Financial Data Security in the Age of Computer Hackers.''
    Members, welcome home. I assume many of our colleagues are 
furiously running here from HVC-210 as we speak. For our 
witnesses and for the audience, we have been nomads since the 
beginning of the year.
    So you will notice a few changes in the room. This 
renovation was caused by an upgrade of the audiovisual systems. 
Although I did not specifically request it, I now notice there 
are twice as many microphones in our hearing room as before. I 
wish to notify Members that that does not mean they can speak 
for twice as long. That doesn't go along with the microphones.
    In addition, you will notice that our witnesses are quite a 
ways away, and that we have less room for the public. As 
hearing rooms are renovated, they must be made and should be 
made compliant with the Americans with Disabilities Act (ADA). 
This room complies with the ADA statute, which means that every 
row has been enlarged. This means that we have lost part of our 
gallery, but the overflow room is still alive and well.
    In addition, for those who have ever moved into a new home 
or new apartment, there is such a thing known as a ``punch 
list.'' And so, for some of the subcommittees, you may be 
kicked out of this room over the next 5 to 7 days as that punch 
list is completed.
    Another change in our committee room: If you will look over 
my left shoulder, you will see the portrait of our most recent 
chairman, Spencer Bachus. For those who have some tenure on the 
committee, including myself and the ranking member, to have 
Barney over one shoulder and Spencer over the other kind of 
seems like old times.
    We certainly know of Barney's fierce intellect and 
tenacity, but I also hope that Members will remember Spencer's 
gentle and kind leadership of this committee. And sometimes 
when emotions and passions start to run high, let's remember 
the example he set for us with respect and decency and, yes, 
humor.
    Somehow, at any moment, I expect these two to carry on one 
of their classic debates. We will see if that actually happens 
or not.
    I believe that is all I need to say about the hearing room 
at the moment, in which case the Chair now recognizes himself 
for 3 minutes for an opening statement.
    At today's hearing, we will be focused on protecting 
consumers and their private financial information in an age of 
computer hackers.
    The world has experienced a technology revolution, one that 
has brought remarkable benefits to consumers and the broader 
economy, but has also increased risks on consumers by making 
the theft of personal financial information a profitable 
enterprise for cyber criminals and computer hackers.
    In the era of big data, large-scale security breaches are 
unfortunately all too common. And every breach leaves consumers 
exposed and vulnerable to identity theft, fraud, and a host of 
other crimes. We have certainly all read about the high-
profile, headline-grabbing breaches at Target and Home Depot. 
According to the Identity Theft Resource Center, there were 783 
U.S. data breaches in 2014, an increase of more than 27 percent 
over the prior year. The Center for Strategic and International 
Studies and McAfee Security estimate that such attacks cost the 
U.S. economy $100 billion--that is ``billion'' with a ``B''--
annually.
    American consumers rightfully expect their personal 
information to be protected by their financial institutions, 
and by retailers, card networks, payment processors, and, yes, 
their Federal Government. Consumers shouldn't be left to simply 
hope and pray their personal information will be safe every 
time they swipe their debit or credit card or enter their 
information online. They deserve protection.
    So today the committee will hear from representatives of 
organizations whose members constitute the major participants 
in the payment system. We welcome their expertise and insight.
    My hope is that this hearing affords Members on both sides 
of the aisle an opportunity to better understand what security 
measures are currently in place to prevent data breaches, how 
consumers are notified following a breach, what types of 
emerging technologies will help reduce the frequency and 
severity of breaches, what steps are being taken by the 
merchants and financial services communities to address the 
problem, and where additional Federal legislation may be 
warranted.
    I further hope that the committee will engage in a 
thoughtful and constructive dialogue on a bipartisan basis. 
And, in that regard, I wish to thank Chairman Neugebauer and 
the gentleman from Delaware, Mr. Carney, for starting this 
bipartisan dialogue off on the right foot by introducing a 
bipartisan bill to address this important problem.
    I will now yield back the balance of my time and recognize 
the ranking member for 3 minutes.
    Ms. Waters. Thank you, Mr. Chairman.
    Americans are increasingly reliant on electronic means to 
communicate, shop, and manage their finances. While new 
technologies bring substantial opportunity, they also bring a 
range of new vulnerabilities for consumers. Massive attacks on 
some of our Nation's largest retailers and financial 
institutions are impacting virtually every sector of our 
economy and our national security.
    Consumers are not the only ones who pay the price of a 
breach. The cost of recovering losses by retailers and card 
issuers can be extensive and weigh particularly heavy on small 
community banks and credit unions.
    We all know companies face a number of challenges in 
determining how best to secure customers' financial and 
personally identifiable information. In addition, we know that 
there are significant costs to complying with various State 
laws and providing notice after a breach.
    However, as we consider setting national standards for 
safeguarding consumers' personal information and ensuring 
timely notification, we must again acknowledge the good work of 
those States that for years have been at the front lines of 
this fight. I believe that any Federal preemption should 
complement States' protections and ensure at a minimum that 
State attorneys general continue to play an important role in 
enforcement and notification standards.
    In setting minimum standards, we need to be careful not to 
hamstring our State and Federal regulators' ability to continue 
adapting and strengthening protections for consumers. 
Otherwise, we will limit regulators' ability to keep up with 
technological change.
    And we must preserve a private right of action for 
consumers and for financial institutions to ensure that 
affected entities and breach victims have legal recourse.
    Further, consumers must be consistently provided with clear 
disclosures of the rights and remedies available to them so 
that they remain aware of the various ways in which they can 
protect themselves from identity theft, fraud, and other cyber 
crimes.
    Mr. Chairman, efforts to guard against cyber threats are 
critically important and shouldn't devolve into the same 
partisan fault lines we have seen on far too many other issues 
before this committee, such as the baseless attacks on 
watchdogs like the CFPB, and blocking efforts to reauthorize 
the charter of the Export-Import Bank, which expires in just 22 
legislative days.
    With that, I look forward to hearing from the witnesses 
today, and I yield back the balance of my time.
    Chairman Hensarling. The gentlelady yields back.
    The Chair now recognizes the gentleman from Texas, Mr. 
Neugebauer, chairman of our Financial Institutions 
Subcommittee.
    Mr. Neugebauer. Thank you, Mr. Chairman.
    We live in a world where the global marketplace is 
supported by a global payments system. It delivers payment 
services to consumers in the blink of an eye. Immense amounts 
of sensitive consumer information is transferred and processed 
and stored in any one transaction.
    The security of the system is only as strong as its weakest 
link, and today I look forward to learning more about new 
payment technologies that continue to facilitate payment 
efficiency, speed, and security. I am hopeful we can have a 
robust policy discussion about what new data security standards 
are needed to level the playing field.
    This month, Congressman Carney and I introduced bipartisan 
legislation which builds on the work of Senators Carper and 
Blunt. Our starting point was to look at Gramm-Leach-Bliley, 
which laid out a robust data security framework for financial 
institutions. Almost 16 years later, this framework has worked 
very well.
    The data security standards in H.R. 2205 are based on 
certain core principles.
    First, because we have a global payment system, we need a 
national data security standard and a national breach 
notification standard. This standard must minimize regulatory 
requirements but must carry with it a strong Federal 
enforcement mechanism.
    Second, the data security standard must be technology-
neutral and process-specific. It must reasonably identify 
certain core elements in the absence of an FTC rulemaking.
    Third, it is absolutely necessary that the data security 
standard is scalable based on the size of the business, the 
scope of the operation, and the type of information that it 
holds. Legislation must recognize that the corner market cannot 
and should not have the same standard as the largest retailer 
operating in 50 States.
    While I am confident in our bipartisan legislation, I am 
open to working with any member of the interested groups to 
minimize unintended consequences and to continue tailoring this 
legislation. We have a shared interest in seeing this 
legislation signed into law, giving consumers the safest 
payment system possible.
    And with that, I want to thank our panel for being here 
this morning. Based on my review of the testimony that has been 
submitted, I think this is going to be very informative for our 
Members. And I think it is good that we have these different 
interests at the table today.
    And so, Mr. Chairman, I look forward to a very informative 
hearing.
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from Delaware, Mr. 
Carney, for 2 minutes.
    Mr. Carney. Thank you, Mr. Chairman.
    Mr. Chairman, over the last decade alone, data breaches 
have compromised nearly a billion records containing sensitive 
consumer financial information. Experts estimate that when a 
data breach occurs in the United States, it directly costs 
consumers an average of $290 per victim. Studies show that 
cyber criminals are costing U.S. companies approximately $100 
billion a year.
    One thing is clear: The current patchwork of 47 different 
State data breach laws is failing to protect American 
consumers. That is why Mr. Neugebauer and I have worked 
together on a bipartisan effort to develop a data security and 
breach notification framework within which all relevant 
stakeholders can operate. We think consumers and the companies 
that handle their personal financial data should all know the 
rules of the road when it comes to the standard for protecting 
this data.
    Our bill, H.R. 2205, the Data Security Act, builds off the 
efforts by Senators Carper and Blunt across the Capitol. The 
bill implements a strong national data breach notification 
standard. It requires companies to enact a data security 
program that is robust and scalable and with the goal of 
protecting consumers' personal information from breaches. And 
it sets reasonable standards for accurate and timely notice to 
consumers when a breach occurs.
    Importantly, the bill's requirements avoid a one-size-fits-
all approach and allow companies of varying sizes and 
complexity to find a program that is tailored and effective for 
their business.
    As with any comprehensive piece of legislation, our bill 
can always be improved. The example clarifying that the 
preemption provision does not have unintended consequences 
outside the issues covered in this bill merits further 
attention. I am looking forward to working with my colleagues 
on both sides of the aisle to make improvements to this 
legislation where necessary.
    The fact is, though, that the White House, Congress, and 
the private sector and consumers all agree that the status quo 
is not acceptable. And I am encouraged that this committee is 
having this hearing today and that we are moving forward to 
protect consumers, businesses, and the American economy.
    I would like to thank Mr. Neugebauer for his leadership on 
this issue, and I look forward to hearing the witnesses' 
testimony and feedback in this hearing.
    Thank you. I yield back.
    Chairman Hensarling. The gentleman yields back.
    And, indeed, it is time to hear from our witnesses. We 
welcome each and every one of them to the panel.
    The Honorable Tim Pawlenty is the president and chief 
executive officer of The Financial Services Roundtable, and a 
former Governor of the State of Minnesota.
    Mr. Brian Dodge is the executive vice president of 
communications and strategic initiatives at the Retail Industry 
Leaders Association.
    Mr. Jason Oxman is the chief executive officer of the 
Electronic Transactions Association.
    Mr. Stephen Orfei is the general manager at PCI Security 
Standards Council.
    And last but not least, Ms. Laura Moy is a senior policy 
counsel at New America's Open Technology Institute.
    Several of you have testified before Congress before; I am 
not certain about all of you. So we have a rather simple 
lighting system. Green means go. Yellow means hurry up because 
the red light is soon to follow. And red means stop. The yellow 
light comes on with 1 minute to go.
    Each of you will be recognized for 5 minutes to give an 
oral presentation of your testimony. And without objection, 
each of your written statements will be made a part of the 
record.
    And since we are brand-new in our refurbished space--in the 
old hearing room, you had to pull these microphones very close 
to you. I think now you can keep them a somewhat comfortable 
distance from your mouth.
    Governor Pawlenty, you are about to be our guinea pig on 
the new sound system. And, Governor Pawlenty, you are now 
recognized for your testimony.

 STATEMENT OF THE HONORABLE TIM PAWLENTY, PRESIDENT AND CHIEF 
      EXECUTIVE OFFICER, THE FINANCIAL SERVICES ROUNDTABLE

    Mr. Pawlenty. Good morning, Chairman Hensarling, Ranking 
Member Waters, and members of the committee. Thank you for the 
opportunity to share a few thoughts with you this morning about 
one of the most pressing issues facing our country, and that is 
the emerging, growing, and exponentially threatening cyber 
warfare that is taking place both commercially and otherwise 
across the globe and being visited upon American businesses and 
consumers in ways that I think deserve the Congress' attention.
    Just to give you a sense of a few measures of what we are 
up against in this regard, 80 percent of the companies that 
were breached in 2014 did not know they were breached until 
somebody else told them, a third party told them--sometimes the 
government, sometimes a vendor, but a third party. And the 
average length of time between the breach actually happening 
and the discovery was months after the fact.
    In addition, here is another interesting fact. Over half of 
the adult American population had their personal data exposed 
last year, according to a CNN published report.
    And the list goes on, including that we now know through 
public and confirmed reports that this is no longer college 
kids in their basements having some fun trying to get into some 
systems. These are nation-state actors, including--or semi-
state-nation actors, including China, North Korea, Iran, 
Russia, and former Soviet Union-sponsored states and 
individuals and enterprises associated with them, and very 
sophisticated international crime syndicates.
    If one of those entities triangulates on a company, it is 
likely not going to end well for that company or their 
customers. So we need a more robust, more muscular response to 
these threats. And we appreciate very much the fact that this 
committee is paying attention to these issues.
    And, Mr. Chairman, thank you to the House for passing on 
more than one occasion threat information legislation, CISA and 
CISPA legislation. We hope the Senate does the same. And, 
again, we are not talking about sharing personal information, 
but that threat-information-sharing bill is very helpful to 
this cause and making the country more prepared to defend 
against these threats.
    As it relates to the financial services sector and the 
payment system, our sector, as the chairman mentioned, has been 
dealing with these issues in a regulated context for quite some 
time. The Gramm-Leach-Bliley Act passed in 1999. Part of that 
Act, of course, was to visit upon this industry data security 
standards and enforcement mechanisms, including part of the 
examination process.
    That, I think, has served the industry well. As you look at 
the percent of breaches that have taken place in recent years, 
our sector has the lowest breach incident rate. We still have a 
lot of work to do, but compared to other major sectors, that is 
progress. And that is because of some of the good work that has 
been done since Gramm-Leach-Bliley and otherwise.
    We are about to launch some more secure top-level domains, 
dot-bank and dot-insurance, which should help with these 
issues. We have been involved in an information sharing and 
analysis center, one of the first in the country that is most 
robust, the FS-ISAC, and more.
    As it relates to the payment system, it is about to get a 
lot better. We are going to move, as a next step, to the chip-
enabled cards. It is already happening. The networks have said, 
look, if you want to avoid fraud liability, you have to make 
this transition towards the end of 2015. There are some saying, 
``Look, we are not ready. It is going to take a little 
longer.'' But over the course of the next couple of years, 
almost all cards are going to be chip cards, and that is going 
to help.
    But don't be focused just on that. That is technology from 
the 1960s. Magnetic strips were invented in the 1960s. PINs 
were invented in the 1960s; chips, of course, more recently. 
But it is moving well beyond that discussion. The new 
technologies that are coming forward and being actively 
considered include voice recognition, facial recognition, 
biometrics, location confirmation, gesture recognition, and a 
lot more. So this space is evolving extremely rapidly and is 
going to continue to evolve as new technology emerges.
    As to the legislation that is before you, Congressman 
Neugebauer, Congressman Carney, thank you very much. We 
strongly support H.R. 2205. We think it is an excellent piece 
of work. May need some modifications, as Congressman Carney 
mentioned, but it does some important things.
    It creates for all sectors, not just the healthcare sector 
or the financial services sector, a data security standard, 
which is really important. And it is flexible. We are only as 
strong as the weakest link in the chain. If we have strong 
standards but one of the other links in the chain doesn't, the 
whole system is exposed. So thank you for putting the marker 
down on a strong national data security standard. We strongly 
support that.
    Another important piece of the bill is a uniform data 
breach notification law. Many States, including my own, have 
strong laws in this regard, but as you think about cyberspace 
and how commerce gets conducted now, it doesn't make a lot of 
sense to have 50 different standards, 50 different approaches, 
50 different responses to a breach and the notification 
relating to it.
    And, in closing, as you think about this, we are not asking 
for any current State initiatives to be diluted. We think, if 
you set a standard, set it high. Make it nation-leading.
    And I am out of time. Mr. Chairman, again, thank you for 
the chance to be here this morning. Thank you to Congressmen 
Neugebauer and Carney for their leadership on these issues. We 
strongly support what you are trying to do.
    [The prepared statement of Mr. Pawlenty can be found on 
page 110 of the appendix.]
    Chairman Hensarling. Thank you, Governor.
    Mr. Dodge, you are now recognized for 5 minutes for your 
testimony.

    STATEMENT OF BRIAN A. DODGE, EXECUTIVE VICE PRESIDENT, 
 COMMUNICATIONS AND STRATEGIC INITIATIVES, THE RETAIL INDUSTRY 
                   LEADERS ASSOCIATION (RILA)

    Mr. Dodge. Thank you, and good morning.
    Chairman Hensarling, Ranking Member Waters, and members of 
the committee, my name is Brian Dodge, and I am an executive 
vice president with the Retail Industry Leaders Association. 
Thank you for the opportunity to testify today about data 
security and the steps the retail industry is taking on this 
important issue and to protect consumers.
    RILA is the trade association of the world's largest and 
most innovative retail companies. Retailers embrace innovative 
technology to provide American consumers with unparalleled 
services and products. While technology presents great 
opportunities, nation-states, criminal organizations, and other 
bad actors are also using it to attack businesses, 
institutions, and governments.
    As we have seen, no organization is immune from attacks. 
Retailers understand that defense against cyber attacks must be 
an ongoing effort. As leaders in the retail community, we are 
taking new and significant steps to enhance cybersecurity 
throughout the industry.
    To that end, last year RILA formed the Retail Cyber 
Intelligence Sharing Center, or R-CISC, in partnership with 
America's most recognized retailers. The Center has opened a 
steady flow of information-sharing between retailers, law 
enforcement, and other relevant stakeholders.
    Also, the R-CISC has recently established a formal working 
relationship with the Financial Services ISAC, a move that 
will, among other things, ensure collaboration across the 
payments ecosystem on these issues.
    RILA applauds the House for passing cyber information-
sharing legislation, and we hope the Senate will quickly take 
up and adopt H.R. 1560's flexible approach to electronic 
sharing.
    While I expect we will discuss many cybersecurity topics 
today, one area of security that needs immediate attention is 
payment card technology. The woefully outdated magnetic stripe 
technology used on cards today is the chief vulnerability in 
the payments ecosystem. Retailers are estimated to be investing 
more than $8.6 billion to upgrade card terminals to accept chip 
cards by later this year. However, the new cards will not be 
issued with PINs.
    Chip and PIN technology has proven to dramatically reduce 
fraud when it has been deployed elsewhere around the world. In 
contrast, chip and signature technology falls short of 
providing American consumers the best security available today.
    Retailers believe that the two-factor authentication 
enabled through chip and PIN will prevent criminals from 
duplicating cards with ease and devalue the data that retailers 
collect at the point of sale. Ultimately, these steps have been 
proven to substantially reduce the economic incentive for cyber 
criminals to launch these kinds of cyber attacks.
    Before I discuss what RILA believes are important data 
breach policy considerations, I will briefly highlight the 
significant data security and data breach notification laws 
with which retailers currently comply.
    Forty-seven States, the District of Columbia, Guam, Puerto 
Rico, and the U.S. Virgin Islands have adopted data breach 
notification laws. In addition, retailers are subject to robust 
data security regulatory regimes. The Federal Trade Commission 
has prosecuted more than 50 cases against businesses that it 
charged with failing to maintain reasonable data security 
practices. These actions have created a common law of consent 
decrees that clearly spell out the data security standards 
expected of businesses.
    Additionally, inadequate data security measures for 
personal information can lead to violations of express State 
data security laws. Also, many States have so-called ``little 
FTC acts'' that can be used to enforce against what attorneys 
general deem to be unreasonable data security practices.
    Finally, retailers voluntarily and by contract follow a 
variety of security standards, including those maintained by 
PCI, NIST, and ISO.
    While retailers diligently comply with this range of data 
breach notice and data requirements, a carefully crafted 
Federal data breach law can clear up regulatory confusion and 
better protect and notify customers. RILA supports Federal data 
breach legislation that is practical and proportional and sets 
a single national standard.
    RILA supports data breach legislation that creates a single 
national notification standard that allows businesses to focus 
on quickly providing affected individuals with actionable 
information; that ensures that targeted notice is required only 
when there is an actual risk of identity theft, economic loss, 
or harm; that ensures that the responsibility to notice is that 
of the entity breached but provides flexibility for entities to 
contractually determine the notifying party; that establishes a 
precise and targeted definition for ``personal information;'' 
and that recognizes that retailers already have robust data 
security obligations and that security must be able to adapt 
over time.
    I thank the committee for inviting me today, and I look 
forward to answering your questions.
    [The prepared statement of Mr. Dodge can be found on page 
67 of the appendix.]
    Chairman Hensarling. Mr. Oxman, you are now recognized for 
5 minutes for your testimony.

    STATEMENT OF JASON OXMAN, CHIEF EXECUTIVE OFFICER, THE 
           ELECTRONIC TRANSACTIONS ASSOCIATION (ETA)

    Mr. Oxman. Thank you, Mr. Chairman, Ranking Member Waters, 
and members of the committee for the opportunity to be here 
today.
    I am Jason Oxman, the CEO of the Electronic Transactions 
Association. ETA is the trade association of the payments 
industry. Our more than 500 member companies are focused on 
providing the world's most secure, reliable, and functional 
payment systems to American merchants and consumers.
    Electronic payments in the United States are largely 
invisible to consumers because, simply put, they just work. 
U.S. consumers carry 1.2 billion credit, debit, and prepaid 
cards in their wallets, and they can use those cards to pay 
electronically at more than 8 million merchants in the United 
States. Indeed, ETA member companies process more than $5 
trillion in U.S. consumer spending every year. That means 
thousands of transactions are moving across our network every 
second.
    Now, consumers enjoy a wide variety of ways to pay 
electronically, including in person, with a card or a mobile 
device or a watch, or remotely via phone or over the Internet. 
And from the moment that a consumer initiates a payment, the 
transaction is securely transmitted, authorized, and processed 
within a matter of seconds. ETA member companies take very 
seriously the obligation to protect the security of their 
customers' information.
    Consumers in the United States choose electronic payments 
because they benefit from zero liability for fraud, making 
electronic payments the safest and most secure way to pay. 
Today, criminal fraud amounts to less than 6 cents of every 
$100 processed in transactions. It is a fraction of a tenth of 
1 percent.
    Now, even though fraud represents a tiny percentage of 
overall transaction volume, we are deploying cutting-edge new 
technology and using self-regulatory industry guidelines to 
bolster the fight against fraud. I would like to highlight 
three concrete steps our industry is taking to protect consumer 
information and prevent data breach.
    First, ETA members are deploying EMV-enabled chip cards to 
fight the number one cause of card fraud: counterfeit cards. 
Counterfeit cards represent about two-thirds of card-present 
fraud in the United States today. Chip cards prevent cards from 
being counterfeited. They don't stop data breaches, but they do 
make it harder for criminals to reap the rewards of those data 
breaches.
    Chip migration happening now in the United States is the 
most complicated overhaul of our payments technology system in 
the 40 years since the magnetic stripe card was introduced. Our 
banks need to replace more than 1 billion cards. Merchants need 
to upgrade point-of-sale equipment at more than 10 million 
locations. But we are working together, and we are getting it 
done.
    Second, our industry is deploying new tokenization 
technology that replaces card information with a one-time-use 
token. Even if intercepted by criminals, these tokens cannot be 
used to generate fraudulent transactions. Think of a token as a 
mathematical cryptogram that can't be reproduced.
    One well-known implementation of tokenization is in mobile 
payments, where the customer's phone or watch generates that 
token for use. Tokens can also be used in card environments, as 
well. And we are working with our merchant partners to deploy 
tokenization technology at both brick-and-mortar and online 
retail.
    Third, ETA members are helping merchants secure the point 
of sale by deploying new encryption technologies. Point-to-
point encryption is a way to secure all entry points against an 
attack. It denies cyber criminals the access they need to 
install malware and other cyber hacking tools.
    As our industry deploys all of these layered technologies, 
I also want to affirm ETA's strong support for legislation that 
creates uniform national data standards and data protection 
breach standards as well. Such standards must be industry-
neutral, and they must be preemptive of State law. And this is 
the approach set out in H.R. 2205, which ETA strongly supports. 
We applaud Chairman Neugebauer and Mr. Carney for engaging in 
this important dialogue with this legislation.
    ETA also supports legislation to promote information-
sharing. Sharing of information across government and across 
technology and manufacturing companies will support prevention 
of and investigation of breaches and ensure against cyber 
attacks.
    Cyber criminals are increasingly sophisticated, they are 
global in scope, and we are working proactively to address 
every threat. We must not forget that these data breaches of 
merchants and consumers make them victims of crime. We share a 
desire to stamp out fraud, and we take seriously our 
responsibility to all of our customers to do so.
    Thank you for the opportunity to be here, and I look 
forward to your questions, Mr. Chairman.
    [The prepared statement of Mr. Oxman can be found on page 
96 of the appendix.]
    Chairman Hensarling. Mr. Orfei, you are now recognized for 
your testimony.

 STATEMENT OF STEPHEN W. ORFEI, GENERAL MANAGER, PCI SECURITY 
                       STANDARDS COUNCIL

    Mr. Orfei. Thank you, Mr. Chairman.
    Good morning. My name is Steven Orfei. I am the general 
manager of the PCI Security Standards Council. I have the 
privilege of leading a talented and deeply committed membership 
organization that is responsible for the developing and 
maintaining of the global data security standards for the 
payment card industry.
    Our approach combines people, process, and technology. 
Continuous effort in applying our standards is the best line of 
defense against organized crime, state-funded actors, and 
criminals who threaten our way of life and attempt to undermine 
our confidence in the financial system. Everyone has been 
victimized by these criminals, and we know the very real harm 
caused by breaches.
    Developing standards to protect payment card data is 
something the private sector and specifically PCI is uniquely 
qualified to do. Consumers are understandably upset when their 
payment card data is put at risk. The Council was created to 
proactively protect consumers' payment card data.
    Our community of over 1,000 of the world's leading 
businesses is tackling data security challenges, from simple 
issues--for example, the word ``password'' is still one of the 
most commonly used passwords--to complex issues like 
encryption.
    Our standards are a solid foundation for a multilayered 
security approach. We aim to remove payment card data if it is 
no longer needed. Simply put, if you don't need it, don't store 
it. If it is needed, then protect it, and reduce the incentives 
for criminals to steal it.
    And here is how we do that. The data security standard is 
built on 12 principles, covering everything from logical to 
physical security and much more. It is updated regularly 
through feedback from our global community. We manage eight 
other standards that cover card production, PIN-entry devices, 
payment applications, and much, much more. We work on 
technologies, best practices, and provide market guidance. We 
have laboratories to vet solutions that we list on our Web 
site. All of our information is free. Our mission is to 
educate, empower, and protect.
    Now, our end-game strategy is to devalue the data so that 
it is useless in the hands of the bad guys. We have three 
technologies that will allow us to do so: EMV at the point of 
sale; point-to-point encryption; and tokenization. When bundled 
and implemented properly, the data becomes useless; then there 
is no reason to break in.
    That is why the Council supports adoption of the EMV in the 
United States through organizations such as the EMV Migration 
Forum, and our standards support EMV today in other worldwide 
markets.
    But EMV chip is not a silver bullet. Additional controls 
are needed to protect the integrity of payments online and in 
other channels. This includes encryption, tamper-resistant 
devices, malware protection, network monitoring, and more. All 
are vital parts of the PCI standards.
    Effective security requires more than just standards, for 
standards without supporting programs are just tools, not 
solutions. The Council's training and certification programs 
have educated tens of thousands of security professionals and 
make it easier for businesses to choose products that have been 
lab-tested, certified as secured.
    Finally, we conduct global campaigns to raise awareness of 
payment card security.
    The committee's leadership on this critical issue is 
important, and there are clear ways in which the Federal 
Government can help--for example, by leading stronger 
cooperative law enforcement efforts worldwide, by encouraging 
stiff penalties for these crimes, and recent initiatives on 
information-sharing are also proving to be invaluable.
    The Council is an active collaborator with government. We 
work with NIST, DHS, Treasury, the Secret Service, and many 
other government entities, including global law enforcement 
such as Interpol and Europol.
    In conclusion, payment card security is complex. Silver-
bullet solutions do not exist. Unilateral action is usually a 
disappointment. Alliances, partnerships, information-sharing, 
and collaboration between the public and private sector is 
critical.
    The PCI Council stands ready and willing to do more to 
combat global cyber crimes that threaten our way of life and 
confidence in the financial systems of the world. We thank the 
committee for taking a leadership role and seeking solutions to 
one of the largest security concerns of our time.
    Thank you.
    [The prepared statement of Mr. Orfei can be found on page 
90 of the appendix.]
    Chairman Hensarling. Thank you.
    And Ms. Moy, you are now recognized for your testimony.

 STATEMENT OF LAURA MOY, SENIOR POLICY COUNSEL, NEW AMERICA'S 
                   OPEN TECHNOLOGY INSTITUTE

    Ms. Moy. Thank you. Thank you so much, Chairman Hensarling. 
And thank you, Ranking Member Waters, and members of the 
committee. Thank you so much for your commitment to addressing 
data security and data breaches and for the opportunity to 
testify on this important issue.
    Consumers today share tremendous amounts of information 
about themselves. Consumers benefit from sharing information, 
but they can be harmed if that information is compromised.
    For the most part, the States are actively dealing with 
this issue in ways tailored to address the needs of their own 
residents but with a large body of common elements. At least 29 
States have introduced or are considering breach notification 
bills or resolutions this year alone. Bills in 27 of those 
States would amend existing laws to account for changing needs 
and changing threats.
    Only three States have no breach notification law on the 
books, and two of those States have considered bills this year 
to change that.
    Consumers would therefore be best served by a Federal bill 
on this subject that sets a floor for disparate State laws, not 
a ceiling. But to the extent Congress seriously considers broad 
preemption, any new Federal standards should strengthen or at 
least preserve important protections that consumers currently 
enjoy at both the State and Federal levels.
    Because any broadly preemptive Federal bill would bring an 
end to the rich legislative activity on the issue taking place 
in State legislatures, it would also need to provide a 
similarly agile mechanism for quickly adjusting the law in the 
future to match developing technology and new threats.
    Unfortunately, a number of recent legislative proposals 
would actually diminish consumer protections in a number of 
ways by replacing strong and broad State protections with a 
weaker Federal standard. In addition, a number of the bills do 
not provide the flexibility we need to make sure consumers' 
personal information remains protected as the information 
landscape changes.
    Don't get me wrong. Most of the bills we have seen would 
certainly offer some new benefits for consumers, but many 
consumer and privacy advocates, myself included, question 
whether those new benefits outweigh the potential harm to State 
jurisdictions and to consumers' existing protections.
    I will therefore focus today on four potential shortcomings 
of Federal legislation that would need to be addressed in order 
to ensure that any new bill represents a net gain for all 
consumers.
    First, Federal legislation should not ignore the serious 
physical, emotional, and other nonfinancial harms that 
consumers could suffer as a result of misuses of their personal 
information. A bill that would both preempt State laws and 
condition breach notification on demonstrated risk of financial 
harm could actually reduce consumer protections in 33 States 
and the District of Columbia, where the existing law either has 
no harm trigger or has one that is not limited to financial 
harm.
    Second, Federal legislation should not eliminate data 
security and breach notification protections for types of data 
that are currently protected under State or Federal law. Some 
current legislative proposals feature a narrow class of 
protected information along with broad preemption. Such 
legislation would eliminate protections consumers currently 
rely on at the State and sometimes Federal level. For example, 
many bills would eliminate protections in 10 States for health 
information or eliminate Federal protections for 
telecommunications, cable, and satellite records.
    Third, Federal legislation should provide a means to expand 
the range of information covered by the bill as technology 
develops. The 10 State breach notification laws that now cover 
health information represent a clear trend, as States are 
currently updating existing consumer protections to respond to 
the growing threat of medical identity theft.
    We can't always forecast the next big threat years in 
advance, but, unfortunately, we know that there will be one. 
Federal legislation on this topic must provide flexibility to 
meet new threats, whether by continuing to allow States to 
protect classes of information that fall outside the four 
corners of the bill or by establishing agency rulemaking 
authority on the definition of ``personal information.''
    Fourth, and finally, Federal legislation should include 
enforcement authority for State attorneys general. Thousands of 
data breaches are reported each year, many of which affect only 
a small number of consumers. Federal agencies are well-equipped 
to address large data security and breach notification cases, 
but they could be overwhelmed if they lose the complementary 
support of State AGs, especially when it comes to handling 
smaller cases, providing guidance to small businesses, and 
providing resources for local consumers.
    I and many of my fellow privacy stakeholders are not 
unequivocally opposed to the idea of Federal data security and 
breach notification legislation, but any such legislation must 
strike a careful balance between preempting existing laws and 
providing consumers with new protections. The Open Technology 
Institute therefore appreciates your close examination of this 
issue, and I am looking forward to your questions.
    Thank you.
    [The prepared statement of Ms. Moy can be found on page 74 
of the appendix.]
    Chairman Hensarling. The Chair now yields himself 5 minutes 
for questioning.
    So, based on my unofficial survey of the good folks in the 
Fifth District of Texas, whom I have the privilege of 
representing, data breach, although they don't typically use 
that phrase, certainly make their top 20 anxiety list and 
probably their top 10 when they think of identity theft, other 
forms of theft, or privacy loss.
    So it is a very serious matter, but, as Ms. Moy was 
positing in her testimony, there is a cost and a benefit 
associated with anything we do around here. To state the 
obvious, we are lawmakers. And there was a law made about 15 
years ago, Gramm-Leach-Bliley, that dictated standards. There 
has been a lot of innovation since Gramm-Leach-Bliley was 
written into law.
    Let's start with you, Governor Pawlenty. What exactly is 
broken? What needs fixing here? Where does Gramm-Leach-Bliley 
work? Where doesn't it work?
    Mr. Pawlenty. Mr. Chairman, thank you. It is a great 
question.
    If you just step back from how individuals might 
characterize it and ask them this question: How is the current 
system working? Half of the adult American population has their 
personal data exposed in one year. It is not a stretch of the 
imagination to think somebody could get into the electrical 
grid and shut it down in a big part of the country, not for a 
day but for a month or months on end. You do that, and you lose 
electricity in your district, lose pressure for natural gas 
pipelines, points of sales go down, you can't transact anything 
electronically. You have a very--not existential but very 
dramatic impact on the country.
    So it requires, I think, a sense of urgency and a sense of 
understanding regarding the magnitude of the threat.
    As to Gramm-Leach-Bliley, it works. It is flexible; it 
makes accommodations for the size of the business. But it says, 
given the importance of this infrastructure to the country, if 
the payment system doesn't work, if it is stalled or people 
lose confidence in it, you are going to have a big piece of the 
economy grind to a halt.
    There are trillions of dollars of payments that flow 
through the northeastern United States per day. If that gets 
shuts down or disrupted or interrupted, you have a material, I 
would say bordering on existential, threat to the economy of 
the country.
    So this is an urgent deal. It is growing in terms of its 
concern exponentially. Gramm-Leach-Bliley works. However, no 
institution is immune. We have some of our biggest institutions 
that have been breached. The best in the world, the NSA, by 
everybody, 10 out of 10 in terms of world-class capabilities in 
this regard, breached by an insider threat.
    So there is much more work to be done on all fronts. And we 
are the best of class. Financial services gets breached from 
time. We manage it. People get their money back. It is 
convenient. But the other sectors that don't have these kind of 
standards and capabilities need to up their game, and you can 
help lead that effort.
    Chairman Hensarling. Mr. Oxman, you, in your testimony, I 
think, were lauding the elements of the legislation by Mr. 
Neugebauer and Mr. Carney, about preemption and national 
standards. It seems to be an open question in Ms. Moy's mind 
regarding preemption and perhaps national standards. So why do 
you consider preemption and national standards to be so 
important?
    Mr. Oxman. Mr. Chairman, as a number of witnesses noted, we 
all share an interest in ensuring that consumers and merchants 
are protected. But when something does go wrong, we also need 
to make sure that we get the word out as quickly and 
efficiently as possible and make sure those protections that 
are available under law kick in.
    The reason consumers use electronic payments is because 
they are 100 percent protected against any liability for fraud, 
but we still need to get information out to them.
    There are 47 different regimes that companies have to 
subscribe to. And it is not just the payments industry; it is 
every company in the country that has to subscribe to these 47 
different regimes. They all appoint different time, place, and 
manner for the notification. They all have different triggers 
for what kind of notification has to take place.
    Some of them are even contradictory. There is one State 
that actually requires the breach notification to include 
detailed information about the breach itself. There is another 
State that makes it illegal to include any information about 
the breach itself. So, in some cases, they are contradictory.
    If we had a uniform national standard, it would allow 
everyone in the ecosystem to work together toward the same 
goal, which is to provide that reasonable notice that needs to 
be provided as quickly as possible.
    Chairman Hensarling. In my remaining time, Governor 
Pawlenty, back to you. Our colleagues on the Energy and 
Commerce Committee have reported a piece of legislation with 
regard to a national breach notification law that only impacts 
retailers. Should this committee not act, from your vantage 
point, what does the world look like if that Energy and 
Commerce bill becomes law?
    Mr. Pawlenty. Mr. Chairman, I know time is short. Don't let 
the perfect get in the way of the good. We would like to have 
these standards apply across-the-board, otherwise, their effect 
is diluted.
    We can be really good, but if our partner in payments has a 
flawed, outdated, weak system at a point of sale or in a back 
room at, say, fill-in-the-blank retailer or a different sector, 
the whole chain of events gets compromised.
    So it is only as good as the whole chain. And if you just 
do one piece, you are missing a very important part or 
opportunity to up the game of the whole system. It is an 
ecosystem. It has to be addressed holistically, or the whole 
system is compromised.
    Chairman Hensarling. My time has expired.
    The Chair now recognizes the ranking member for 5 minutes.
    Ms. Waters. Thank you very much, Mr. Chairman.
    First, I would like to thank Mr. Carney and Mr. Neugebauer 
for the work that they have done on this legislation.
    I believe that both sides of the aisle are concerned about 
getting a strong piece of legislation that will protect our 
consumers. This is a bipartisan issue, and we should not spend 
a lot of time fighting about some aspects of this initiative, 
but, rather, we should work out whatever the differences may 
be.
    From what I understand, there are those who believe that 
the Federal law should be a floor rather than a ceiling. And 
there are those who believe that, where you have States who 
have stronger laws, we should not preempt those States.
    As I understand it, despite the fact that we have varying 
laws in our States now, they all have similarities. And so, 
rather than thinking about this as States with such different 
laws that would somehow cause great complications, let's think 
about this in terms of the fact that we want our State 
attorneys general to be involved. We want them to be involved 
in enforcement. I think that is very important.
    So let us take a look at what I think is the biggest 
obstacle to us getting the best legislation and deal with the 
preemption question and think about States like California.
    Ms. Moy, can you tell us, for example, in my State of 
California, what are we doing with the cybersecurity? And is 
that stronger than what is being proposed here now?
    Ms. Moy. Sure. Yes. Thank you.
    That is a good question and a good place to start because 
California passed the first breach notification law years ago 
and has really been a leader in this area. So thank you for 
your work on that.
    For one thing, California recently passed a law to include 
log-in and password for account authenticators, so not just for 
financial accounts but for other types of accounts as well. For 
example, my email account, if my log-in and my password were 
breached, I would get a notification, which I certainly would 
want to, because there is a lot of information in there that, 
while it may not lead to financial harm, could lead, certainly, 
to emotional harm if that information were breached and if it 
were misused.
    California also has a reasonable security standard, much 
like the Federal standard right now, but California does 
enforce that standard and has had a number of cases over the 
past few years and, along with that, has some very rich 
guidance for businesses attempting to comply with the 
reasonable security standard.
    So one thing that I think California is also very strong on 
is the type of guidance that the State AG's office provides to 
the consumers and the way that the State AG's office interacts 
with consumers and businesses to provide that important 
guidance.
    Ms. Waters. Thank you very much.
    I am sure that none of us would want to interfere with 
States' abilities to have the strongest possible laws for 
cybersecurity.
    And so, Ms. Moy, don't you think that perhaps the Federal 
law should be a floor and that we should certainly allow States 
that have tougher laws to be able to enforce those laws? And 
that would require the attorneys general to be involved. Do you 
think that is the best way to approach this?
    Ms. Moy. I do think from the consumers' perspective, that 
would provide the strongest protection.
    And you had mentioned previously that there is a 
discernible pattern among the various States' laws. I think 
that is the case. When you look at the various breach 
notification laws of the States, most of them cover a core of 
common information and have very similar requirements in terms 
of what ought to be provided in the notification, when the 
State AG and the consumer reporting agencies ought to be 
notified.
    And then, in addition to that, some States have added on to 
that. And so that is where, for example, you see States like 
Texas and Wyoming and just this year Hawaii and Montana have 
added medical information to the class of protected information 
in order to extend protection to categories where they see a 
developing threat that must be addressed.
    Ms. Waters. So we certainly would not want Texas to be 
preempted, with the good law that they have, particularly as it 
relates to medical information, would we, Ms. Moy?
    Ms. Moy. I do think that it is important not to preempt the 
protection for pieces of information like medical information 
in, including other States, the very State of the chairman, 
Texas.
    Ms. Waters. Thank you very much.
    And I yield back.
    Chairman Hensarling. The Chair understood the subtle point.
    The Chair now recognizes another gentleman from Texas, the 
chairman of our Financial Institutions Subcommittee, Mr. 
Neugebauer, for 5 minutes.
    Mr. Neugebauer. Thank you, Mr. Chairman.
    I would note that if you let the Federal standard be the 
floor and all the States then have an opportunity to start one-
upping each other, then basically we are right back where we 
are now, and it defeats the purpose of having a Federal 
standard.
    Mr. Dodge, in reading your testimony last night on our 
proposed data security legislation, there is actually a lot 
that I think you and I agree on. I am hoping that maybe today 
we can discuss some of the provisions where we maybe have a 
little bit of a difference of opinion, in hopes that we could 
have a better understanding of where everybody is on this 
issue.
    On page 7 of your testimony, you state, ``Retailers support 
a carefully calibrated, reasonable data security standard.''
    Under H.R. 2205, Mr. Carney and I laid out a data security 
standard that is process-specific and based on certain key 
elements of data security programs that have worked well under 
Gramm-Leach-Bliley. To ensure the smaller retailers are not 
unduly burdened, we calibrate the standard to match the size, 
scope, and type of information that those entities hold. Where 
there are some process requirements that don't apply to you, 
you don't have to necessarily implement them.
    So the question is, can you identify the specific processes 
we have laid out that aren't carefully calibrated and 
reasonable, in your estimation?
    Mr. Dodge. Thank you for the question.
    And I think, first, it is important that we are having this 
debate about proper national data security standards to help 
businesses address this growing and sophisticated threat.
    It is the perspective of retailers that the Gramm-Leach-
Bliley Act, which is the baseline for the legislation you 
introduced, especially the data security standards within it, 
were expressly written for the financial services community. 
The industries are very different. Anybody who has ever filled 
out a mortgage understands that the information that a bank 
holds is very different from that of a retailer.
    If we were to pursue legislation that replicated the--or 
shoehorned the Gramm-Leach-Bliley Act to apply to the rest of 
the business community, we would be applying this law to 
industries beyond the retail industry, of course, well beyond 
us, into high-tech, Internet, app makers big and small.
    And so we think that the history of enforcement through the 
Federal Trade Commission provides a good standard that is very 
clear and strong for businesses to adapt to, to meet today's 
challenges, and it evolves for the future.
    We don't think that you can regulate your way to security, 
that we need to employ layers of security. We need to start 
with the baseline that we believe is a strong standard and 
embolden the Federal Trade Commission to enforce these 
standards and then look at other ways for us to work together, 
including strengthening the payments system by advancing the 
security that is in that system today.
    Mr. Neugebauer. Now, you mentioned, I think, 50 FTC 
enforcement actions since 2001. That would be 3.1 a year. And 
so, if you believe that the FTC is your enforcement agency, do 
you support giving the FTC rulemaking authority to make a 
uniform standard?
    Mr. Dodge. The FTC has enforced these cases under the 
Unfair and Deceptive Practices Act or Section 5 of the FTC Act. 
We think that giving them the express authority from Congress 
is the right way to go about it, and it would preserve that 
flexibility that they needed in order to adapt to the threats 
as they changed over time.
    Mr. Neugebauer. Yes. The question is, would you support 
them then promulgating standards that make sure that the 
playing field is level and that you are doing the things that 
are specifically necessary in your industry to have a uniform 
standard?
    Mr. Dodge. We wouldn't support rulemaking, because we think 
that is the purpose of passing a law. We think Congress has the 
privilege of defining the law and then leave it to the agency 
to adapt it over time. They have the flexibility under current 
law--
    Mr. Neugebauer. Isn't that what we are trying to do, then? 
Congress is trying to pass a uniform standard--
    Mr. Dodge. Exactly. And we believe that providing the FTC 
the authority to enforce data security laws based on the case 
law today, the common law based on the 50 cases, would provide 
businesses not only with the clarity that they need on what the 
expectations are of government but the flexibility for the 
enforcement agency--in this case, the FTC--to evolve over time 
to meet new threats.
    Mr. Neugebauer. So do your members take steps to protect 
consumers' data?
    Mr. Dodge. Absolutely. There is no more important 
relationship in the retail business than that which they build 
and maintain with their customers. And obviously a breach, a 
data breach, would be a breach of trust with those consumers. 
They work extremely hard to prevent data breaches.
    Mr. Neugebauer. So, if they are already doing it, what is 
the objection, then, to just codifying that those are standards 
and they are reasonable and they should be applied across the 
industry?
    Mr. Dodge. You are speaking specifically about a law that 
was written for the financial services community.
    Mr. Neugebauer. I am talking about the law written for--I 
am talking about my bill.
    Mr. Dodge. Right. So , which you would be expanding under 
your legislation, expanding Gramm-Leach-Bliley to the rest of 
the business community. What we are saying is that we should 
stick within the current regulatory structure that has the 
Federal Trade Commission as the regulator for most industries, 
and Gramm-Leach-Bliley can remain for the financial services 
community.
    Mr. Neugebauer. Yes. We took principles from that, but this 
isn't a Gramm-Leach-Bliley rewrite. This is a uniform national 
Federal standard.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Delaware, Mr. 
Carney.
    Mr. Carney. Thank you, Mr. Chairman, and thank you to the 
panelists for coming today.
    I would like to talk a little bit about this preemption 
issue because I know it is a concern for many of the members, 
and we have worked hard to try to address it.
    I said in my opening comments that the preemption provision 
in our bill should not have unintended consequences outside the 
issues covered in the bill. So we don't believe that it affects 
the medical debt issue which was raised a moment ago with 
respect to California. We would certainly be willing to make 
that plain.
    Ms. Moy, I thought I heard you say that 50 different 
standards is not the answer. Is that what you said, or did I 
mishear your comments?
    Ms. Moy. What I have said is that I think that the best for 
consumers would be to create a floor not a ceiling so that 
States can continue to--
    Mr. Carney. So set a national standard and then allow 
States to--
    Ms. Moy. Allow States to protect additional categories of 
information. For example--
    Mr. Carney. Right. So my understanding is that 13 States 
currently have data breach notification and standards like 
this, and that our legislation, our Federal legislation, would 
be better than all of all of them, except maybe one, which is 
Massachusetts, and I have been talking to some of my colleagues 
from Massachusetts.
    Would you agree with that?
    Ms. Moy. I think that Oregon also has a pretty good 
standard, and I also think that there are elements of other 
State laws that you might not consider specific data security 
lawsuits, but they do have elements--
    Mr. Carney. So a pretty high standard.
    Ms. Moy. It is a pretty high standard, yes.
    Mr. Carney. So that is the starting point for us.
    How about the--there has been some discussion about the 
standard in Energy and Commerce. Would you say that is a high 
standard or a higher standard than what our bill would propose 
or--
    Ms. Moy. That standard is a reasonableness standard that 
looks more like what the Federal Trade Commission is currently 
doing. And so I think the difference here is not only might be 
there be a difference in what the language says in that bill, I 
think also, we would be looking to the common law of the 
Federal Trade Commission and others to flesh out what the 
specific requirements are. But it is also really important as 
we are thinking about how strong the security standard is to 
think about who has the enforcement power and who is actually 
going to be guiding the parties there because if the Federal 
agencies are solely responsible for it, then even a very strong 
standard might not provide a strong protection as a general 
reasonableness standard that allows State AGs to continue to 
work on a piecemeal basis with entities that are trying to 
comply.
    Mr. Carney. Okay. So you think that the standard in our 
bill is a pretty good, pretty high standard in terms of a 
Federal standard, but you believe that the States ought to have 
the flexibility to go beyond that, notwithstanding some of the 
issues that might create in terms of having different 
standards.
    How about this enforcement question? Have you looked at our 
bill in terms of the enforcement provisions in the bill, and 
how would you suggest that they be improved, from your point of 
view?
    Ms. Moy. I have looked at it, but unfortunately, I am not 
prepared to provide a detailed response on the enforcement 
provision. So I would be happy to respond in writing if you 
would prefer that, but I do think that the key issue with 
respect to enforcement is that I believe your bill would only 
facilitate enforcement by Federal agencies, and, as I said, I 
really think--
    Mr. Carney. You have said a number of times--I think what I 
heard you say is that allowing the State AGs some kind of role 
there would be an improvement, again, not having looked at the 
details there. Not to put words in your mouth.
    Ms. Moy. Yes. I believe that a very critical element here 
is that we must have enforcement authority.
    Mr. Carney. I explore these issues just because, as I said 
in my opening statement, Mr. Neugebauer and I are willing to 
try to improve the bill so that we can get a greater consensus 
around--we believe, I think as you said, that a national 
standard is important to have, and 50 different standards is 
not the way to go. It has to be a high bar and one that is 
enforceable.
    Would any of the other panelists like to comment on the 
conversation that we have just had about preemption, about the 
standard and the enforceability of that standard?
    Mr. Oxman. If I could, Congressman Carney, I think the bill 
on a bipartisan basis really takes on this issue in the right 
way, and that is to recognize that the act of legislating to 
unify 47 disparate State regimes with a Federal regime that is 
not preemptive would merely be adding a 48th regime and 
wouldn't serve the purposes that the legislation seeks to 
undertake, which is to protect consumers' financial 
information. And, from ETA's perspective, the bill takes the 
right approach to ensure that the Federal regime is operative 
and is not interfered with.
    Mr. Carney. And everybody agrees that we need a higher 
standard and kind of one standard across the country?
    Mr. Dodge. We fully agree that there should be a national 
standard. We think that the States deserve a tremendous amount 
of credit for having acted in a place where the Federal 
Government has not yet. And that is why we believe that, as a 
broad concept, preemption--a strong law should offer State 
preemption and, as a broad concept, State AGs should have the 
ability to play a role in the enforcement of it.
    Mr. Carney. I see I am out of time.
    Thank you, Mr. Chairman.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from New Jersey, Mr. 
Garrett, chairman of our Capital Markets Subcommittee.
    Mr. Garrett. Thank you, Mr. Chairman.
    Thank you for holding this hearing on an issue that really 
hits home for a lot of folks.
    Let me just start--I also have a couple of questions--with 
the basics, if I can.
    And, Governor, I will throw it to you.
    When there is a breach or if someone does steal your card 
and they go to a retailer and buy a TV, who actually is 
responsible for that? Does Target have to pay the bill for 
that? Is it the bank or is it the Visa or MasterCard or 
Discover that is paying for that?
    Mr. Pawlenty. Congressman Garrett, the answer is a little 
complicated, but the oversimplified version is that--
    Mr. Garrett. That is what I am looking for, the 
oversimplified version.
    Mr. Pawlenty. The consumer is made whole, and the issuing 
bank is the one who makes them whole.
    However, there is a secondary process managed and run by 
contract between the payment networks and various players in 
the payment system that gets resolved through a, shall we say, 
contractual process between Visa and MasterCard retailers, 
merchant acquirers, the issuer--people take issue with how that 
all works from time to time, but that is how it gets sorted out 
after the fact.
    Mr. Garrett. Oh. Okay. Does anybody else want to give an 
over--
    Mr. Dodge. I would just add to that, yes, it is obviously--
the merchant ultimately pays for fraud in the wake of a data 
breach, should the data breach have occurred at a retailer. 
They also pay a variety of fees. There are three real fees that 
they pay in total. The first one is on every transaction ever 
processed. It is an interchange fee. A component of it is a 
prepayment of fraud or prepayment of the data breach should one 
ever occur. And then post-breach there is a fee associated with 
reissuing the cards and--
    Mr. Garrett. Right. So that is where the banks actually end 
up having to pay the 15 bucks or whatever it is to actually pay 
to send me a new card every so often.
    Mr. Dodge. But the merchant reimburses for those fees based 
on a--
    Mr. Garrett. Really? Because I hear different stories on 
that.
    Mr. Dodge. Yes. I have included a schedule of that 
repayment in my written testimony.
    Mr. Garrett. I will look it up.
    So, I just got one of these cards that have the little chip 
on it. And, also, just to be clear on this, putting this chip 
on the card may help to some degree as far as the lost card or 
the stolen card and the data breach as far as going to the 
retailer, but as someone else on the panel said, and I know it 
was in the testimony, this chip does absolutely nothing with 
regard to when they steal that information and they use it 
online. Is that correct?
    Mr. Dodge. I think it is important to note, the chip--the 
technology that is available in the United States today, 
predominantly the magnetic stripe, is 1960's-era technology. 
Europe introduced something called chip and PIN technology more 
than a decade ago.
    Mr. Garrett. Right. And, in Europe, my understanding is 
that you saw an uptick of the data breaches not on--at the 
store anymore or the retailer anymore but now online. Is that 
correct?
    Mr. Dodge. That is true. In fact, fraud moved in two 
directions when chip and PIN went into place in Europe. It 
moved online, and it moved to the United States because 
suddenly the United States had the weakest security in the 
world. It still does today.
    When chip-only goes into effect later this year, the United 
States will still have the weakest card technology in the 
world.
    Mr. Garrett. Right. And somebody said--and maybe down here. 
You said that all--we can't solve all this stuff, and putting--
so the bottom line is, doing the chip is not going to solve it 
entirely, but also to the point of what seems to be a lot of 
discussion in the bill as well as far as the disclosure 
information that--as Ms. Moy is talking about a lot and others 
as well--that doesn't do anything to--actually none of this--
that doesn't do anything to do as far as preventing the fraud 
in the first place. That just tells me as a consumer: You were 
robbed, and now this is who is going to pay for it.
    Mr. Oxman. Yes. Congressman, if I could answer your 
specific question about the chip, you are absolutely right. The 
chip in the card prevents the card from being counterfeited.
    Mr. Garrett. Yes.
    Mr. Oxman. And that is today the number one source of card 
fraud in the United States. It is about two-thirds of card 
fraud at retail, but it does not address the online issue.
    The online fraud issue is addressed by those other layers--
    Mr. Garrett. And really quick on this, because my time is 
running out a little faster than I want it to, the data that is 
on the card when I use this chip and I put it through has my 
number right on it. I hope nobody can see this. Does the 
retailer keep that information?
    Mr. Dodge. The retailer transacts that information--
    Mr. Garrett. Yes. So they have that information. So if 
somebody now breaches in--
    Mr. Dodge. But retailers are instituting--many have and all 
are moving towards it to make sure that information--
    Mr. Garrett. So it is still a place that--it is still a 
target for, not to use that company, but it is still a target 
for the hacker to go into the--or any of them. Not--medical or 
whatever. The hospital keeps that information too, I guess as a 
data source where they will go, try to breach it, and they 
won't be going to the retailer to use it, but they will be 
doing it online. So it is still a target and maybe even a 
larger target. Is that true now with the chip? Gosh, my time is 
going quickly. Is it a larger target because of that well?
    Mr. Orfei. I think it is important that we recognize the 
chip technology is really designed to button down the point of 
sale to defend against counterfeit, lost, and stolen. It is but 
one critical layer of security. There are other technologies 
that have been referenced in testimony here today, such as 
point-to-point encryption and tokenization, that will protect 
that data from the cyber breach you are referencing, 
Congressman.
    Mr. Garrett. Okay.
    Ms. Moy. If I may just add a short comment in response to 
the point about notification and--
    Mr. Garrett. Fine with me.
    Chairman Hensarling. Short.
    Ms. Moy. Thank you. Thank you so much.
    Yes, I just wanted to say I think that notification does 
actually provide an important incentive for companies to keep 
information more secure. I can't remember actually whose 
written testimony it was, but someone's written testimony 
pointed out that companies do suffer reputational harm as a 
result of reporting breaches. And I also think it is important 
because that provides information to consumers who are 
considering where to vote with their wallet, so to speak, as 
they are determining which service to go with.
    Mr. Garrett. I get that. Thanks.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentlelady from New York, the 
ranking member of our Capital Markets Subcommittee, Mrs. 
Maloney.
    Mrs. Maloney. Thank you, Mr. Chairman, and Ranking Member 
Waters, for putting this hearing together. It is an incredibly 
important issue because it affects everyone: consumers; 
government; retailers; and financial institutions.
    And I also want to commend Mr. Carney and Mr. Neugebauer 
for putting forward a bill that would create a national data 
security standard for all businesses that handle sensitive 
financial information for consumers. And this bill would 
significantly strengthen the data security procedures for 
businesses but in a way that is flexible and can evolve as 
cyber threats change and evolve.
    I am still concerned about the scope of the state of 
preemption in the bill, and I want to keep working on the 
preemption and enforcement provisions, but I have signed on to 
this bill as a cosponsor because I think it is a serious good-
faith effort to tackle what is a critically important issue to 
our economy.
    And, again, I would like to commend Mr. Neugebauer and Mr. 
Carney for their hard work and leadership on this issue, and I 
look forward to working with them, particularly in the 
enforcement provisions in it.
    My first question is to Governor Pawlenty. I would like to 
ask you about the data security standards that Gramm-Leach-
Bliley put in place for the financial institutions. You 
mentioned they had worked well in the financial institutions, 
but I also want to know, have they proven to be overly 
burdensome for smaller banks and credit unions?
    Mr. Pawlenty. Congresswoman Maloney, no. The standards have 
been flexible, and I think Congressman Neugebauer and 
Congressman Carney have done a good job in doing the same thing 
in their bill, which is to say: Look, we are going to have 
standards, but we are going to allow them to be scaled to the 
size and complexity of the enterprise in question. I think that 
is a good model.
    Mrs. Maloney. In other words, they have worked well and not 
been too burdensome for smaller financial instructions, and 
they won't be too burdensome for smaller retailers.
    And I would also like to know your feelings about having a 
minimum or a floor standard. I know that California and Oregon 
have a standard that is higher. I think it is important--you 
have to have a floor. Do you think it should be a floor, or do 
you think it should be a ceiling, and why?
    Mr. Pawlenty. Congresswoman, again, another great question, 
and if--right now we have nothing--
    Mrs. Maloney. Right.
    Mr. Pawlenty. --in many sectors. So something is better 
than nothing.
    Mrs. Maloney. Absolutely.
    Mr. Pawlenty. And so the floor would be progress, but a 
ceiling if it is set high. I would just encourage you--in 
Minnesota, when I was Governor, we passed what we thought were 
Nation-leading data protection standards and notification 
standards. You wouldn't want a bill that undercuts the 13 or so 
States that have done this. If you are going to set it, set it 
high. Set it aspirationally, and I think that would be the best 
place to be, and it would serve the country best. And think 
about the way that people place data centers, where they store 
data, how they store data. The fact that there is going to be 
wide variance between States doesn't sync with how we know 
cyber commerce gets done.
    Mrs. Maloney. But as a Governor, you know how valuable the 
creativity of the State system is to come out with solutions 
that--and are adopted in this area. It seems to evolve every 
day with new technologies, new ways to threaten consumers, and 
really the security of our information.
    I would like to ask Stephen Orfei, given your 
organization's experience in establishing data security 
protocols and procedures, what would you say are the most 
important aspects of a company's data security plan? In other 
words, what is the most important thing that a company could do 
to protect their customers, to protect their company against 
data breaches?
    Mr. Orfei. Thank you, Congresswoman, for that question. I 
think what is most important is that the PCI standard is, in 
our view, the best defense against cybercriminal attacks. It 
really becomes a question of vigilance and being methodical and 
disciplined in your approach and looking at and paying special 
attention to the fundamentals. Doing the blocking and tackling. 
Looking at the physical and logical security. It is day in and 
day out. It needs to be 24/7. It needs to be built into the DNA 
of an organization from the CEO right down to the working 
level.
    Mrs. Maloney. Okay. Thank you.
    And you mentioned in your testimony, Mr. Oxman, that you 
thought that sharing information was so important, and can you 
just expand on that, on what we need to do additionally in 
expanding information in this area?
    Mr. Oxman. Thank you, Congresswoman Maloney. The issue is 
companies are barred from sharing cyber threat information with 
each other and, in some cases, even with the government. The 
House fortunately passed a measure that we support that will 
eliminate those impediments to that kind of important 
information sharing. We support that legislation. We hope the 
Senate will move forward on it. And we need to make sure that 
companies can, without liability, share information with each 
other and the government to prevent future threats.
    Mrs. Maloney. Okay. Great. Thank you. My time has expired. 
Thank you.
    Chairman Hensarling. The Chair now recognizes the gentleman 
from Missouri, Mr. Luetkemeyer, chairman of our Housing and 
Insurance Subcommittee.
    Mr. Luetkemeyer. Thank you, Mr. Chairman.
    I am kind of curious--I want to approach this from a little 
bit different angle this morning from the standpoint of, when 
we have a data breach, whose fault is it? If there is somebody 
at all, there is going to be some liability. It would seem to 
me--and my experience has been from the--of institutions I have 
been aware of, and I appreciate the Governor's description a 
minute ago of who winds up paying the bill on this, but 
generally the banks wind up--or the financial institution who 
issues the cards originally are the ones that wind up footing 
most of the bill.
    And it would seem to me to be that at some point, as a 
regulator, I would think that you would go into a financial 
institution and see a number of retailers, a Target line of 
credit, for instance, or any other local line of credit--in our 
area, we had a supermarket that issued debit cards. The 
information was accessed, and suddenly everybody in the whole 
area--whole region, actually, their information was broached, 
and as a result, there was a tremendous cost to the financial 
institutions. And it would seem to me that as a regulator, you 
would look at this as a liability exposure for the bank from 
the standpoint of what you are going to have to incur by all of 
these retailers not having adequate protections.
    From Mr. Dodge's perspective, it looks like--I would think 
that the regulators would ask the financial institutions to 
force the retail folks to have a policy in place, an insurance 
policy in place that would protect them against a data breach 
so that the banks would not be the fallback position for a data 
breach.
    Governor, would you like to comment on that thought 
process? Am I off on that?
    Mr. Pawlenty. I think you have connected the dots exactly 
correctly, Congressman, and I think on your last point about 
cyber insurance, that is an evolving area. There are some who 
think their traditional insurance covers it. There are some 
disputes around that. There is some uncertainty about how you 
underwrite it when you can't get your arms around the magnitude 
of it and what it looks like in the future. So that is an 
evolving and developing space, and one that is--
    Mr. Luetkemeyer. How do the standards fit into that 
situation?
    Mr. Pawlenty. The standards fit into that because I think 
if you set standards, like the financial services sector has, 
on other sectors and we get more resilient better systems as a 
result of that, you decrease risk. You de-risk the system. That 
is good for financial institutions. It is good for the payment 
system. And, frankly, it is good for everybody involved.
    I will say to the chairman's point on Energy and Commerce's 
bill, that is a bill that says, ``Have reasonable standards.'' 
We are going to get a standard one way or the other in this 
country because everybody is suing everybody. And, over time, 
the courts are going to develop a standard, and it is going to 
say, ``Be reasonable.'' And that is a 10-year pathway. It is 
too slow, and it is too vague. Or you are going to have a bunch 
of States doing a hodgepodge of standards, some of which will 
be great, and some of which will be not so great. So Congress 
can play a really important role here bringing this debate 
forward more quickly and at a more--a level of rigor in the 
standard, and it will help.
    Mr. Luetkemeyer Mr. Dodge, would you like to comment on my 
question?
    Mr. Dodge. Yes. First, the suggestion that banks are not 
reimbursed in the wake of a data breach is simply not true. As 
we talked about earlier, there are three major ways in which 
they pay, and there are certainly more than just those three. 
But the first is in the fees that they pay on every 
transaction. Then, after a breach, through the contracts that 
they sign with the card networks, there is a formula for 
reimbursement which--
    Mr. Luetkemeyer. They still suffer a loss, Mr. Dodge. From 
a business, I can tell you--
    Mr. Dodge. But the issuing bank--the issue is--if the banks 
have an issue with that, it is with their facilitator, which in 
this case is Visa and MasterCard. Retailers sign those 
contracts, and if there is a suggestion that there has been a 
violation of those contracts, then there is certainly the legal 
avenue for resolving that.
    Mr. Luetkemeyer. Okay. My question, though, is with regards 
to the exposure, liability exposure, that a bank would have 
with regards to this situation. You have lots of retailers. And 
this seems to be almost an epidemic. Every week you have 
another entity that has been breached. If that is the case, 
pretty soon those institutions are going to have a tremendous 
liability sitting there. And if you have lots--if you do a lot 
of commercial lending to retailers, I see that as a problem 
that is going to have to be fixed. And I would assume that you 
would be supportive of the idea of having the retailers 
purchase a liability policy of some sort that would protect 
them as well as the institution against a breach.
    Mr. Dodge. As Governor Pawlenty said, the cybersecurity 
insurance market is a new market, but many retailers are buying 
that kind of insurance. There is no question about that. But 
the level of standard--the suggestion that there are no 
standards on retailers is belied by the fact that there were 50 
cases, some of which were retailers, but many were not, where 
strong enforcement was brought down by the Federal Trade 
Commission, enforcement of that includes not only substantial 
fines, but the prospects of consent decrees that allow the 
Federal Trade Commission to take up residence in the business 
for 20 years. So there are very, very strong standards that 
retailers are bound by today.
    Mr. Luetkemeyer. I just have a few seconds left. Just one 
comment: Mr. Orfei, I am disappointed that you gave everybody 
my password to my computers.
    But with that, I yield back. Thank you, sir.
    Chairman Hensarling. The gentleman yields back, and he 
better put a fraud alert on all of his credit cards.
    The Chair now recognizes the gentleman from California, Mr. 
Sherman.
    Mr. Sherman. Governor Pawlenty, I do weird things that 
cause my credit card company to get very concerned, like I buy 
gasoline in Los Angeles, and a day later, I buy gasoline in 
Washington. So, of course, their computers flip out. And you 
would think what they would do is send me an email. But they 
don't. They either call me, usually at the worst possible time, 
or if they are too lazy to do that, they freeze the account and 
force me to call them.
    Is this entirely because they are not handling it right, or 
is there something in our statutes that we could do to 
facilitate or prod credit card companies to check with their 
cardholders by email rather than by telephone?
    Mr. Pawlenty. Congressman, great question. I have had some 
interesting experience with cards myself personally. So--
    Mr. Sherman. You engage in similar unusual activity?
    Mr. Pawlenty. I am not admitting to unusual activity, sir, 
but anyhow, as to--
    Mr. Sherman. Another guy--we have another guy going to 
Iowa.
    Mr. Pawlenty. I think the concern that you raise is a good 
one, but it is being addressed in realtime by technology. The 
controls that you can now set on many cards--and it is 
advancing by the day and the month--are getting really good. 
So, for example, on one card that I have, I can get a text or 
email alert if it goes over a certain amount, any transaction. 
I can get a text or email alert if it goes over a certain 
number of transactions per month. I can get a text or email 
alert if it goes over a certain amount. And soon, I think, I am 
going to be able to get an alert if--
    Mr. Sherman. I am not looking for more alerts. I am simply 
looking for them to contact me by email rather than by phone, 
rather than by freezing my account without telling me about it.
    Mr. Pawlenty. The short answer is, I think if you can't, 
many cards already do or will soon offer you the chance to be 
in the driver's seat as to exactly how you want to get that 
message.
    Mr. Sherman. I am sure your members are aware of email--we 
are here talking about how to upgrade to technology, and I am 
hoping that email is--
    Mr. Pawlenty. If you can't, I can recommend a card that--we 
will get it to you.
    Mr. Sherman. Yes, but not with the United Airlines miles.
    Basic economic theory is that you apply liability against 
the entity that should be investing in safety measures so that 
you get that entity to spend the appropriate amount of money on 
safety measures.
    Retailers ought to be spending more on safety to protect 
consumers and to protect the entire business system from the 
extraordinary costs that happen every time somebody hacks into 
one of these accounts. But retailers face no liability except 
the reputational liability, which Ms. Moy referenced.
    But then we have these lesser known data breaches where the 
media doesn't know or barely reports to the general public some 
of the data breaches.
    Is it problematic that consumers at some stores may have 
their data hacked, but they never hear about it? And does this 
mean that the merchant that has mishandled the data faces no 
liability and no reputational risk?
    Ms. Moy, in order to have that reputational risk, do we 
have to do more to make sure that every data breach is known by 
the public?
    Ms. Moy. Yes, I think we do. And I think that there are a 
couple of ways to do that. And one is to make sure, as I 
mentioned multiple times, that the bill is written in such a 
way that it covers classes of information that entities may 
hold that consumers consider personal but they would want to be 
notified about but currently might not be notified about. So, 
for example, email address and password. That is one that a lot 
of retailers hold. It is one that could be breached. If my 
email address and my password are breached, I would certainly 
like to know about it.
    And another thing that could be done is, again--sorry to be 
a broken record--but providing State AGs with the authority to 
enforce is really important because they will help work to make 
sure that these breaches are notified. And, in particular, many 
States have a threshold for notification of State AGs and for 
consumer reporting agencies that is much lower than what we 
have in a lot of Federal legislations. And in a lot of the 
Federal bills that we have seen proposed, the threshold would 
be 10,000 affected consumers. Many States have a threshold of 
1,000, for example.
    I believe that just a couple of months ago, the 
Massachusetts State AG's office appeared at another hearing on 
breach notification and data security and they said that the 
average breach--the size of the average breach was about 74 
consumers. So it is really important that we have State AGs 
working to ensure that consumers are notified.
    Mr. Dodge. Congressman, if I could just jump in on that?
    Mr. Sherman. Yes, and I will add another question and let 
you jump in on both.
    We are proposing Federal legislation. Is the work of the 
State AGs and the States enough to prod retailers to spend 
enough on safety?
    Mr. Dodge. So, to your question about liability, retailers 
face considerable liability. Obviously, there is reputational 
harm. You cited that. But under the enforcement available 
through the FTC's current authority and what we have endorsed 
for stronger authority and at the State level, there is 
enforcement liability and the prospects of consent decrees that 
could take--allow the FTC to take up residence in a business 
for 20 years.
    Mr. Sherman. I will see if the Governor can just chime in.
    Do the retailers face enough reputational and financial 
liability to spend enough on safety, or do we need to do more?
    Mr. Pawlenty. Congressman, I would respond with a 
rhetorical question. How is the current system working? Not so 
good.
    Mr. Dodge. The Verizon report, which is the gold standard 
for reporting on data breaches, says there were 2,100 breaches 
last year: 277 were financial institutions; 166 were merchants. 
There were 1,000 times more merchants. So the standards that 
are applied to the financial industry are not perfect.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Michigan, Mr. 
Huizenga, chairman of our Monetary Policy and Trade 
Subcommittee.
    Mr. Huizenga. Thank you, Mr. Chairman.
    And I appreciate the opportunity to spend a little time 
with you all.
    Mr. Orfei, while we are on the breaches, I would be remiss 
not to say that Mr. Garrett's credit card has now purchased at 
least three things online and is available widely on a Russian 
Web site.
    But, in all seriousness, that is the concern all of us 
have. Right? When we are calling in somewhere or buying 
something online in the very transient kind of economy that we 
have, I think we all have a legitimate and serious concern.
    But I am curious, Mr. Orfei, from your perspective, have 
you evaluated how many breached companies are in compliance 
with your PCI standards at the time of their breach? Or have 
they had those standards, and then it has caused them to take 
action? Or did they have them already, and they still were 
breached?
    Mr. Orfei. What I would reference is the Verizon report, 
which is an objective third party that looks at the data for 
breaches for the past 10 years. And the findings--there are two 
significant data points that I would give you, Congressman. One 
is that 99.9 percent of the breaches that have occurred were 
preventable and covered by the PCI standard.
    The second point is that I think that the PCI standard has 
done a very effective job, and there hasn't been one single 
compromise where the merchant or the entity was found in 
compliance.
    Mr. Huizenga. Okay. I am a former State legislator as well, 
and, Governor, it is good to see you again.
    And I, like you, had those situations where we were sitting 
in the State capitals saying, ``What in the world is Washington 
trying to do to us now?'' Yet, at the same time, I understand 
when you have States doing various actions and not 
coordinating, and oftentimes that is somebody like the Council 
of State Governments and ALEC and other organizations like that 
are trying to get States to harmonize oftentimes.
    But what I am struggling with on this--and, Ms. Moy, you 
had mentioned this earlier, as did my friend, Mr. Neugebauer--
is how is setting a national floor but then allowing States to 
maintain a patchwork of other requirements different than what 
we have now? And I think maybe it was you, Mr. Oxman, who said 
we would go from 47 regimes to 48. So help me out, somebody, 
with what we do on this. I would love to hear from Governor 
Pawlenty.
    Mr. Pawlenty. Congressman, I would think about this--I am a 
big fan of the 10th Amendment. I am a big fan of States' 
rights. I am a big fan of laboratories of democracy for public 
policy at the State level. I believe in all of that profoundly. 
But I have come to think of this issue as a threat to the 
national security and critical infrastructure of the United 
States of America, not just in the payment space but in the 
ability to do most of what we do. And so I think it rises to 
the level of being worthy of being viewed in that light and 
setting the table nationally because it does threaten our 
ability to function. It presents, taken to any sort of 
reasonable extension, an existential threat to our economy and 
to our Nation's security. And I could walk you through the 
scenarios, and they don't take a lot of imagination. But I 
think if you view it in that light, it rationalizes an 
aggressive and muscular Federal involvement.
    Mr. Huizenga. And that is where I struggle as well, and we 
can have a constitutional debate later, whether this is part of 
a commerce clause or how this is affected.
    But, Ms. Moy, I don't know--quickly. Briefly.
    Ms. Moy. Thank you. Thank you so much. Yes. So just to 
repeat again, I think most States certainly with breach 
notification, there is a common core of elements that we see 
across the various--across the 47 plus, I think, three 
territories, laws. And then there are some additional elements 
above that. But I do think that it is really important. For 
example, I believe in your own State, there is a harm trigger 
for the breach notification law that is broader than just 
applying to financial harm. It is really important that we take 
that into account, as Governor Pawlenty has said. If we are 
going to set a preemptive Federal standard, let's set it high. 
Let's not reduce protections like those in your own for 
consumers who are benefitting from that.
    Mr. Huizenga. And I would agree. I think it would have to 
be high. And somebody help me out on what--as Mr. Sherman had 
said, he doesn't want more notifications. Now, I am a little 
confused as to how, if you have an email breach, are they 
supposed to notify you through email if that has been breached? 
But what of this ``cry wolf'' overnotification, is that a real 
concern?
    Mr. Dodge. Congressman, we think that it is. We think it is 
important and on--I align myself with the most recent points 
made by the Governor. We agree entirely on this. We think it is 
important that consumers be able to get information quickly and 
information that they can take action on in order to protect 
themselves from financial harm.
    A standard beyond the financial harm would subject 
customers to repeat notifications. And the worst case scenario 
is the customer would stop paying attention to those 
notifications and not take action to protect himself or herself 
in the wake of something that could put them at risk.
    Ms. Moy. If I may just add a brief point about that, which 
is that I think in order to determine the answer to that, we 
should really look to the State AGs, who have a ton of contact 
with consumers who are suffering from breaches. And in the 
words of Illinois attorney general, State AG--I'm sorry--
Illinois Attorney General Lisa Madigan, ``Consumers may be 
fatigued over data breaches, but they are not asking to be less 
informed about them.''
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Massachusetts, 
Mr. Capuano.
    Mr. Capuano. Thank you, Mr. Chairman.
    I can barely see you guys. They kind of moved everybody 
apart, but we will try to communicate.
    Mr. Chairman, I would like to submit a letter from the 
Massachusetts Attorney General for the record.
    Chairman Hensarling. Without objection, it is so ordered.
    Mr. Capuano. Thank you, Mr. Chairman.
    Did anybody at this table think that 5 or 10 years from now 
the data security--the issues and the challenges you face will 
be the exact same that you face today? Does anybody believe 
that to be true?
    Mr. Oxman. Technology is changing so quickly, Congressman, 
I think it is highly unlikely that the issues will be exactly 
the same.
    Ms. Moy. Yes. I think it is highly unlikely. I mention in 
my written testimony the example of several apps that now exist 
that allow you to photograph your physical keys to your house 
and your car--
    Mr. Capuano. That is great. Well, thank you. I don't think 
so either, but then, again, I don't know much about technology. 
I struggle with a cell phone. And that is life.
    But the one thing I do know is that something is going to 
be changing, and I guess I raise the issue because to advocate 
for a congressional solution with no ability to change a year, 
or 2, 3, or 4 years from now when the problems change except to 
come back to Congress, you are sitting here today because the 
Congress is last to the issue. States are first to the issue, 
like in most issues. The Federal Government is oftentimes the 
last one to the fight because we are the biggest; we are the 
most diverse; and that is the way it has always been. And yet 
you are advocating for a situation that we have one great--
let's assume it is a fantastic law that has no ability to be 
upgraded through regulation, which is why we have regulatory 
bodies, because they can act quicker than us, except to come 
back to us and ask us to do this all over again, which in and 
of itself, to me, is the main problem here.
    But the other issue I ask, do--I don't know where any of 
you live, but I am going to presume that since I think you are 
all part of associations and like that you must live in the 
general Washington area, at least have an apartment here. Do 
you think that the Federal Government, the EPA, should tell the 
State of Maryland that they have to have only Federal standards 
on their drinking water, that the State of Maryland would then 
be totally preempted from saying, ``No, no, no, we like a 
little less arsenic in our drinking water than the Federal 
Government requires, and, therefore, we would like to do it?'' 
Do you think that the State of Maryland should be told, 
``Sorry, you can't do that?''
    Mr. Oxman. Congressman, I spent 7 years in the great 
Commonwealth of Massachusetts. I had the pleasure of living 
there for a long time, and I think you raise a very important 
question, and that is, how can we bring uniformity to an issue 
that has nationwide implications, and indeed international 
implications when we are talking about cybercrime without 
interfering with the power of the Commonwealth of 
Massachusetts?
    Mr. Capuano. Not just the power, the responsibility, as I 
look at it. I actually like the idea. I am very happy that we 
are talking about Federal standards. I have gotten in trouble 
on a regular basis because what the heck, I am a liberal 
Democrat. I am all for Federal regulation. My friends over 
they, they know it. I would regulate everything. Don't worry 
about it. But then again, I didn't know that some of my friends 
on the other side apparently want to join the Socialist Party. 
They are welcome to; Bernie Sanders has cards and you can sign 
up.
    That is my problem. I don't have any problems. I love the 
idea of creating Federal standards and a Federal floor, but I 
like two other things: I like flexibility in that because, 
let's be honest, most Members of Congress are not 
technologically capable. I know some guys here, but every one 
of us fumbles with our cell phones. I call my staff all the 
time. I kick the damn things. I drop them. This one was broken 
7 times because I threw it. And I know none of you have done 
that because you are technologically capable. We need 
flexibility. We need the ability to move quickly because 
whatever the threat is today is going to change tomorrow. That 
is the only thing I know.
    Mr. Oxman. That is right. And, Congressman, I would submit 
that ETA, on behalf of the payments industry, supports the 
approach that Chairman Neugebauer and Mr. Carney have taken in 
this bill because it has the exact flexibility you are--
    Mr. Capuano. That is critical.
    Mr. Oxman. It doesn't dictate any technical standards. And, 
in fact, it makes very clear that it is not up to the Federal 
Government to dictate how we protect data security, but it is a 
requirement of the Federal Government that security be 
implemented.
    Mr. Capuano. And we also have to have somebody who knows 
what they are talking about, not necessarily the United States 
Congress, number one. And, number two, I really don't see why 
you would want to take away the ability of the States to be 
more flexible than anybody else. Holding to a minimum standard? 
Absolutely totally agree. And, again, we have the same issue on 
everything that we do. Every financial issue we deal with, we 
deal with this issue. How much of a Federal standard, 
including, we deal with insurance every day. Insurance is 
totally regulated at the State level, and every time we come 
close to even thinking about the Federal involvement, everybody 
gets all worked up because the States do it. And I strongly 
suggest the concept is right. The approach needs to be 
significantly changed on those two issues, to provide 
flexibility, number one, and to maintain the States' ability to 
deal with it as they see fit. Thank you.
    Mr. Neugebauer [presiding]. I thank the gentleman.
    And now the gentleman from Wisconsin, Mr. Duffy, the 
chairman of our Oversight Subcommittee, is recognized for 5 
minutes.
    Mr. Duffy. Thank you, Mr. Chairman, and it nice to see that 
we are making news today with Mr. Capuano endorsing Bernie over 
Hillary, my good friend. Also great visuals of you throwing 
your flip phone around the Capitol.
    As Mr. Huizenga said, he was a State legislator. I was not, 
Governor, but I was a former hockey player like yourself.
    Do you agree with Mr. Dodge that the banks don't pay any 
fees when there is a data breach? I haven't heard you respond 
to that claim.
    Mr. Pawlenty. Congressman Duffy, the banks--again, the 
system of how this all gets sorted out is complicated, but it 
is certainly true that the issuing banks pay in all sorts of 
ways if there is a breach, including the cost of reissuing the 
cards, subject to possible partial reimbursement in the future, 
as well as making the consumer whole through a complicated 
series of transactions. So--
    Mr. Duffy. Okay. And just to be clear, does the whole panel 
support Federal preemption? Does anyone disagree with that 
concept? I think I have heard everyone say they agree.
    Ms. Moy. Only if it is a high standard that preserves 
protections for consumers.
    Mr. Oxman. We support it.
    Mr. Duffy. Okay. So, quickly, just so I understand, talking 
about when the card is present, what percentage of the fraud 
comes from a fraudster who steals data and reproduces cards and 
makes purchases as opposed to the guy who had his wallet 
lifted, and someone goes in and uses actually the cards--
    Mr. Pawlenty. The majority of it--excuse me, Congressman. 
The majority of it is people scraping cards and using 
counterfeit cards. And the people who do the lost and stolen, 
some of that happens, but that is the minority of the 
transactions, not counting the online stuff.
    Mr. Duffy. So when we talk of chip versus chip and PIN, if 
we just at least get to chip, we are going to address a vast 
majority of the fraud that is talking place right now when the 
card is present. Is that fair to say?
    Mr. Dodge. I would say in a static world, it would have an 
effect. But we don't live in a static world. The reality is 
that there is a single line of defense between the fraudsters 
and their ability to commit fraud. In this case, it would be 
chip. And they will focus all of their energy on breaking that. 
We have seen examples where they have done it already, and we 
have simply argued that one of the baseline tactics of cyber 
hygiene is two factor authentication. We should require that at 
the point of sale as well.
    Mr. Duffy. But by you saying that, are we going to see more 
pocket thieves out there?
    Mr. Dodge. No, no, no. I am saying that fraudsters will 
develop new and innovative ways to crack the chip and commit 
fraud.
    Mr. Duffy. Is that happening--
    Mr. Orfei. Congressman Duffy, if I may--
    Mr. Duffy. You may.
    Mr. Orfei. --the chip will defend against counterfeit, 
lost, and stolen at the point of sale. It will button down the 
point of sale at physical environment. Once that environment is 
secured, fraud will then move to the card-not-present 
environment. It is what we observed in the Asia-Pacific and 
European theaters who have had chip technology. Now, the chip 
technology is--you cannot clone it. So what we will see is, it 
will migrate.
    Mr. Duffy. So how far away are we from tokenization for 
online purchases?
    Mr. Orfei. Tokenization is a technology that has been 
around for 10 years. And now the acquiring community and 
technology venders and the price points have come down. So 
point-to-point encryption coupled with tokenization coupled 
with EMV at the point of sale is how we get to devaluing the 
data so that it is useless.
    Mr. Duffy. So if the card-not-present online purchases, the 
technology is there but just not implemented yet to secure--
    Mr. Pawlenty. Apple Pay has a--what I call an early stage 
version of--I don't want to say primitive--but early stage 
version of tokenization, and it has had some other breach 
issues, but it is kind of the first--one of the first kind of 
tokenization platforms to come to market.
    Mr. Duffy. I just want to be clear. So, when we have a 
chip, does a retailer--are they able to maintain data about the 
card in their database if you just have a chip card as opposed 
to a magnetic strip?
    Mr. Orfei. Again, Congressman, the chip is just going to 
work at the point of sale. How that merchant stores data--
    Mr. Duffy. But can they store--so what my question is--
listen. We have heard about all the retailers who have had data 
breaches. If we migrate to the exclusive use of chips, does 
that mean that retailers are no longer keeping personal 
consumer data in their databases, which means--
    Mr. Orfei. No. No, sir.
    Mr. Duffy. --they are not at risk to have breaches any 
longer?
    Mr. Orfei. No. Again, it is just taking off the threat at 
the point of sale. So it is a critical layer, but it is not a 
silver bullet.
    Mr. Duffy. But on the back end, retailers still keep 
information--
    Mr. Orfei. On the back end, the information could be 
replaced, though, by tokenization, could be protected by point-
to-point--
    Mr. Duffy. Do you have recommendations on how long 
retailers are recommended to keep financial information about 
consumers? How long should a retailer keep that information?
    Mr. Orfei. It is really not necessary to keep that 
information.
    Mr. Duffy. So--
    Mr. Dodge. Congressman, if I could just jump in.
    Mr. Duffy. Sure.
    Mr. Dodge. A couple of things. First, many retailers have 
instituted encryption for that information when it comes in so 
that if it ever was acquired, it would be in a format where it 
would be useless to a criminal. Further, they have no desire to 
keep information they don't need nor to keep information--
    Mr. Duffy. But do they need any information, is my 
question? Could retailers, after 30 days, wipe those databases 
clean so you don't have 6 months of consumer data or a year of 
consumer data; you might only have 15 days or 30 days of 
consumer data? Isn't that really one of the risks that we have 
with so much data being collected and stored, not just from the 
government, but from retailers?
    Mr. Dodge. The information that retailers collect is 
designed to allow them to provide the concierge-type services 
that they want. Consumers generally want receipt-less returns. 
So there is an element of information that consumers have 
voluntarily said: We want to be able to--you have this 
information so that we can do these--
    Mr. Duffy. I don't know that I have ever been asked to 
volunteer to enter into one of the concierge services. I think 
they are just offered to me, and that information is kept on my 
card. And I do think there is a consumer protection issue here 
when we are not asked, it is just given to us, and you keep 
that information on--my time--
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Texas, Mr. 
Hinojosa.
    Mr. Hinojosa. Thank you, Chairman Hensarling and Ranking 
Member Waters, for holding this important hearing today.
    And thank you to our panelists for your testimony.
    Mr. Chairman, before asking my questions, I request 
unanimous consent that my opening statement be made a part of 
today's record.
    Chairman Hensarling. Without objection, it is so ordered.
    Mr. Hinojosa. My first question is to the Honorable Tim 
Pawlenty and Ms. Laura Moy.
    How can a Federal data security standard that creates a 
floor provide for more consumer financial security while at the 
same time providing certainty to industries that would need to 
implement such a standard across all 50 States?
    Mr. Pawlenty. Congressman Hinojosa, thank you for your 
question.
    For certain sectors, not including financial services and 
health care and a couple others, they don't have standards 
currently other than in the 13 States or so where they have 
them. So, by Congress creating a floor or a ceiling--but we 
hope a high standard--that is for the whole country, you will 
lift the game and the expectations and the legal 
responsibilities for those sectors in those places that don't 
have a standard currently. And, again, this has migrated to 
international proportions, and I think if the members of this 
committee knew that Russia or China or semi-state agents were 
about to compromise the payment system, the electrical grid, 
you wouldn't say: Yes, let's kick it to the States; let's let 
them handle it. I don't think you would do that. So whatever 
you do will be helpful, even if directionally, it will be 
better than what we have now for those sectors that don't have 
any standard in those States.
    Mr. Hinojosa. Ms. Moy?
    Ms. Moy. I would say a couple of things. One is that 
consumers are protected right now by the Federal Trade 
Commission Section 5 authority, and the FTC is enforcing that. 
As we have heard, they have enforced over 50 cases since 2001. 
And consumers in 47 States and 3 jurisdictions are protected by 
breach notification laws. So there are protections existing for 
consumers. I think setting a floor and not a ceiling, as I have 
mentioned before, there is a clear pattern in terms of what is 
covered even by the disparate State laws. So, as a practical 
matter, most companies that have to comply with the laws of 
multiple States are just complying with the strongest standard 
and are mostly okay under the other States, including--in fact, 
many States have a provision that allows an entity to notify 
some consumers who have been affected by a breach under the 
standard of another State.
    But I would add to that, if we are going to have a Federal 
preemptive standard, as I said before, it has to be a high one, 
and it has to provide flexibility to adapt to changing 
technology, not only in terms of what the security standard is 
but also in terms of what information is covered by the bill. 
That is a critical element that I think we might be missing 
here.
    Mr. Hinojosa. Thank you for your response.
    My second question is addressed to Mr. Jason Oxman and Mr. 
Brian Dodge.
    Given the ever-increasing sophistication and sheer number 
of cyber attacks on our financial institutions and markets, do 
you think a catastrophic attack, which can have severe 
repercussions on the financial system as a whole, is imminent, 
and what can the Federal Government do to help prevent such an 
attack or prepare to respond to such an attack?
    Mr. Oxman. Thank you for the question, Congressman 
Hinojosa.
    The possibility of such an attack is always on the minds of 
the payments companies that ETA represents, and preparation for 
those attacks is, of course, something that is always included 
in all the operational plans of all the companies that we 
represent. Our sincere hope is that something like that never 
happens, but we do recognize the important role that the 
payments infrastructure plays in empowering commerce in this 
country. And protecting our customers, be they merchants or 
consumers, is always at the top of our minds. So we are focused 
on that. We are prepared for it, and it is our sincere hope 
that nothing like that ever comes to--
    Mr. Hinojosa. Thank you.
    Mr. Dodge?
    Mr. Dodge. So, in terms of your question about what 
Congress can do, I think the focus on data security to avoid 
such a catastrophic event is incredibly important. We believe 
that the way that you get yourself to a stronger environment is 
layers of security. And Congress can help with that by, as the 
House did last month, passing information-sharing legislation, 
but also as we are talking about today, providing clear and 
strong guidance for businesses on how they should maintain 
their systems to ensure cybersecurity, and then providing the 
flexibility for businesses and for regulators to adapt to that 
threat over time. There is no doubt that the threat is 
increasing. The level of sophistication is growing extremely 
fast. And we need to be able to stay involved in it.
    The last point is we need to look to where our greatest 
vulnerabilities are, and right now our greatest vulnerability 
from the merchant community is the cards that we accept at the 
point of sale. They are the weakest security technology enabled 
in the world today, and when we move to chip technology without 
the PIN like has been instituted in the rest of the 
industrialized world, we will still have the lowest level of 
security in the world, and fraud will continue to flow towards 
us.
    Mr. Hinojosa. Thank you.
    My time has expired and I yield back, Mr. Chairman.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from South Carolina, 
Mr. Mulvaney.
    Mr. Mulvaney. Thank you, Mr. Chairman.
    And thank you to everybody on the panel for helping us try 
to do something we don't do enough here, which is just try and 
collect information, which is what I am going to try and do. I 
am not here to try and beat anybody up. I actually have an 
honest-to-goodness question. And I think it is directed to Mr. 
Pawlenty and Mr. Dodge, but I would welcome everybody to chime 
in on this. Okay?
    Let's say that Mr. Capuano steals my credit card, which is 
possible because he is that kind of guy, even though he is not 
here yet, and he goes to my local gas station or his local gas 
station, slides it in there, happens to--maybe he knows my ZIP 
code and buys the gasoline with my stolen credit card. I catch 
it when my statement comes in the next week or maybe I get an 
email notification, which I think is a service my bank actually 
provides, which I enjoy very much. I catch it. I call my bank 
and I say, ``Someone stole my credit card. And they just used 
it to buy gas in Massachusetts.'' And they say, ``Okay, Mr. 
Mulvaney, thank you very much. We will take it off your bill.''
    Who eats that loss? Is it the retailer? Is it the bank that 
issued my card? Is it Visa or is it somebody else? Who eats 
that loss for that gasoline bought with a stolen credit card?
    Mr. Dodge. First, I would say if a PIN was required in that 
transaction, the fraud would have never occurred in the first 
place. You wouldn't have had that.
    Second, there is a difference between data breach fraud 
repayment and traditional fraud repayment. And so there would 
be, based on the contracts that the retailer signed with the 
card networks, an evaluation of where was the weakest link in 
the system. So if it was a stolen card and it was reused, then 
it would probably--actually, I don't know the answer to that 
question as how it would go, but it is determined by--
    Mr. Mulvaney. Whoa, whoa, whoa. Is that--
    Mr. Dodge. But in many cases, in almost all cases, fraud--
an element of that fraud is charged back to the retailers.
    Mr. Mulvaney. Mr. Pawlenty?
    Mr. Pawlenty. Initially, somebody has to give the cash back 
where it is a debit transaction or the value to--
    Mr. Mulvaney. Again, it was a credit transaction.
    Mr. Pawlenty. It is the issuing bank, and then they sort it 
out afterwards as to who pays what. But, in terms of who eats 
most of it initially, in our view, over the long term of the 
discussion, it is the banks.
    Mr. Mulvaney. All right. Mr. Dodge, and here is why I asked 
the question, because I have my banker friends come in, and 
they say, ``Look. We have to do something about this because we 
eat all of this loss.'' And just last week, I had some of my 
convenience store people come in and say, ``Look, we have to do 
something about because this because we eat all of this loss.'' 
Are both of them eating a little bit of the loss? Is that what 
it comes down to? I see some people in the back row nodding 
their heads, which is usually a good sign.
    Mr. Dodge. I included in my testimony a schedule of 
repayment that shows the fees of the structure of the contracts 
that obligates merchants to repay in the wake of a breach. 
Those are reissuance costs, the cost to reissue the cards, and 
then fraud, fraud that is associated with the breach. But every 
single day on every transaction that is processed, a merchant 
pays a fee. It is called an interchange fee. Sometimes it is 
called the swipe fee. And an element of that fee is a 
prepayment of fraud. It goes into the account. Whether fraud 
happens or not, they are prepaying it every single day. So how 
that is divided up by the banks, is a great question for them. 
But we know we pay it on every single transaction.
    Mr. Mulvaney. Okay.
    Mr. Oxman. Congressman, if I could--
    Mr. Mulvaney. Yes.
    Mr. Oxman. The hypothetical you asked actually has a pretty 
simple answer, and that is the card issuer is responsible for 
that fraud. The lost and stolen fraud you described is never 
the responsibility of the merchant. Since your card was stolen 
out of your pocket, and you hadn't yet reported it stolen when 
that card was used and the transaction was authorized by the 
issuing bank at the gas station, the issuing bank has a 
responsibility for that. You don't and the merchant doesn't.
    Mr. Mulvaney. Thank you, Mr. Oxman, because I think that 
leads me to the next question, which is, does the analysis 
change--I think I got it now for a stolen card out of my 
pocket. Mr. Capuano steals my credit card. I get it. And he 
would do that too. He is--what if the card is counterfeit? Is 
it any different? If someone gets it from Target, gets my 
information from Target, and they create a counterfeit card and 
then use it, is the outcome any different? Is the distribution 
of who bears the loss different? Mr. Oxman?
    Mr. Oxman. So, as it stands today, the analysis is exactly 
the same. In the case of a counterfeit card, the issuer would 
have responsibility for that and the merchant would not.
    The migration to EMV chips that we have been talking so 
much about this morning actually changes that calculus, and the 
responsibility for the fraud, after October of this year, will 
actually fall on the party to the transaction, whether it is 
the merchant side or the issuing side, that has deployed the 
lesser form of security. Not to get too complicated, but if 
that card that you are talking about has been counterfeited and 
it was a chip card and the issuer has issued chip cards but the 
merchant hasn't installed the chip readers, then the merchant 
will have responsibility for that fraud. So that is a change to 
the current system, which is the issuer takes responsibility.
    Mr. Mulvaney. And then, finally, if I can have the 
indulgence of the chairman for 15 more seconds, the third 
example of the fraud we have talked about today is the online 
fraud, which is there is no card present, we are online buying 
airplane tickets. Who bears the risk of loss on that one?
    Mr. Dodge. Merchant, 100 percent; 100 percent the merchant 
is subject to the fraud cost.
    Mr. Mulvaney. I thank the witnesses very much. I really 
appreciate the information.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Missouri, Mr. 
Clay, the ranking member of our Financial Institutions 
Subcommittee.
    Mr. Clay. Thank you, Mr. Chairman, and I wanted to note 
that I am so glad to be back in this refurbished hearing room.
    Mr. Orfei, you note at the end of your testimony that not a 
single company has been found to be compliant at the time of 
their breach, but in many cases, firms that have been breached 
were at one point PCI-compliant.
    How does your compliance framework lend itself, if at all, 
to ongoing monitoring of the PCI compliance, and what role does 
the PCI play in monitoring compliance?
    Mr. Orfei. Thank you for that question. Yes, 99.9 percent 
of the compromises were preventable and covered by the 
standard. And if you think about our standard, what we are 
advocating is a move away from compliance to a risk-based 
approach, and we are advocating vigilance and discipline and 
being methodical in close adherence to the standard. Security 
is a 24/7 responsibility. It is not a matter of compliance. 
What we see happens is a company works diligently to bring its 
organization into compliance. They high-five each other on 
Thursday, and on Friday, the environment starts to deteriorate. 
So it is about being disciplined, methodical, and paying 
attention to the fundamentals, sir.
    Mr. Clay. Thank you for that response.
    And, Mr. Oxman, although chip technology is fairly new to 
the United States, it has been around for decades and is 
ubiquitous in other parts of the world.
    Given the rapid pace of technological development, are we 
not at the point where other types of security measures are 
more appropriate for use in connection with U.S. payment cards 
and payments in general?
    Mr. Oxman. Thank you for that question, Congressman Clay. 
You are absolutely right that the chip is a well-developed 
technology, and the good news is the payments industry 
recognizes, as you have heard this morning, that the chip 
addresses one type of fraud. That happens to be the most 
prevalent form of fraud here in the United States today, and 
that is counterfeit card fraud. So the chip implementation will 
address that type of fraud. But, as you noted, other types of 
security are important as well, which is why our industry is 
deploying a layered security technology approach, which 
includes the chip in cards, but also tokenization, which 
replaces account information with a one-time use mathematical 
cryptogram that can't be intercepted and reused. It also 
includes point-to-point encryption, which secures all entry 
points into the payment systems. So that layered approach with 
multiple different technologies, as you suggested, is in 
recognition of the fact that the chip card addresses one type 
of fraud, but we need to do much more because criminals are 
much more sophisticated.
    Mr. Clay. Thank you.
    And for anyone on the panel, how prevalent is fraud in the 
case of online checking? Is that pretty secure? Can anyone 
respond to that?
    Mr. Dodge. Online checking?
    Mr. Clay. Yes.
    Mr. Dodge. Certainly, e-commerce is an environment where 
there are limited security options for merchants to employ 
right now. It is a frustration of merchants. The fact that e-
commerce is such a big part of the economy and there is no 
strong means of security is a considerable frustration.
    Back to your first question a moment ago, though, I want to 
note that Jason's point about all the levels of the different 
layers of technology is a good one, that we need to be evolving 
to the next generation of technology, we need to be finding 
ways to make tokenization, encryption, and all these other 
things work, specifically for the e-commerce environment.
    But today there are 1.2 billion cards circulating in the 
United States, most of which have 1960s-era technology in them. 
And later this year, when we start to see more chip cards, we 
are going to see early-2000s technology issued in the United 
States. So we aren't keeping up with the biggest area where 
transaction is occurring, and we need to do a better job of 
that.
    Mr. Clay. All right. Thank you so much for your responses.
    And, Mr. Chairman, I yield back.
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from North Carolina, 
Mr. Pittenger.
    Mr. Pittenger. Thank you, Mr. Chairman. Thank you for 
hosting this hearing.
    And thank you to each of you for being with us today.
    Governor Pawlenty, according to the Identity Theft Resource 
Center, financial institutions were responsible for less than 6 
percent of all breaches in the United States in 2014.
    Some could draw a connection with this fact and the fact 
that financial institutions have been subject to the Gramm-
Leach-Bliley Act since 1999. Do you think this is a fair 
connection to make?
    Mr. Pawlenty. Congressman, I do. I don't think there would 
be much dispute that the financial services sector has the best 
cyber defenses, cyber capabilities, and most resiliency in this 
space. But, as everyone in this room knows, even financial 
institutions get breached. But, relative to other sectors, we 
are more advanced and get breached less.
    So that is not a bragging point; it is just a point of, 
well, what caused that? It is caused by investment, hard work, 
and technology. And I do believe that Gramm-Leach-Bliley set a 
standard and people tried to adhere to the standard. Plus, we 
get examined by our regulators to that standard. And I would 
say that contributed to the state of the industry's cyber 
defenses and the relatively good quality of it.
    Mr. Pittenger. Thank you.
    Yes, sir, Mr. Dodge?
    Mr. Dodge. Congressman Pittenger, I would note that the 
Verizon report, the annual Verizon cybersecurity report, is 
sort of considered to be the gold standard for cyber reporting. 
And it found that last year there were 2,100 data loss 
cybersecurity intrusions. Of that, 277--
    Mr. Pittenger. You mentioned that.
    Mr. Dodge. --were financial institutions, and 167 were 
retail businesses. There are 1,000 times more retailers 
operating in the United States.
    So I don't think we should have the philosophy that a 
single regulation can guide us to a successful cybersecurity--
    Mr. Pittenger. Mr. Dodge, let me build on that. Building on 
Chairman Neugebauer's statement earlier and the reference to 
legislation, it says, ``to develop, implement, and maintain a 
comprehensive information security program that ensures 
security and confidentiality of the sensitive information that 
is appropriate to the size, scope, and sensitivity of this 
information.''
    This was written to create some measure of flexibility so 
the standards are modified in ways. Do you think this is a good 
approach, in terms of creating these flexibilities of 
standards?
    Mr. Dodge. We applaud Congress for looking at lots of ways 
to address this issue.
    I think what is important is that we look at the regulatory 
environment as it exists today and recognize that the Gramm-
Leach-Bliley Act was written specifically for the financial 
services community and that there is a very strong regulatory 
regime that applies to most of the rest of the business 
community, and that is enforced through the FTC.
    The FTC has moved aggressively on this over the last 
decade, and they have established a clear and strong set of 
standards that businesses have to comply with. We think that is 
the way to go--
    Mr. Pittenger. Let's refer to this. The provision of the 
bill says, ``A covered entity's information security program 
shall be appropriate to the size and complexity of the covered 
entity, the nature and scope of the activities of the covered 
entity, and the sensitivity of the consumer's financial 
information to be protected.''
    What other flexibilities do you see would be needed that 
would ensure that consumers are protected but not prevent 
adaptability for new future threats?
    Mr. Dodge. The language that you cite is not dissimilar 
from what we have endorsed for authority to the FTC. We think 
that businesses need to have a clear understanding of what 
their obligations are, and that the enforcement agency, as the 
FTC does today, has the ability to evolve their interpretation 
of that law over time to meet new threats, and that businesses 
of different sizes and businesses that collect different kinds 
of data should be treated based on their size and the kind of 
information--
    Mr. Pittenger. And this legislation seeks to do that; isn't 
that right?
    Mr. Dodge. Based on what you quoted, that sounds right. 
But, as I said, we believe that you need to look at the 
regulatory environment as it exists today and work within that.
    The debate here today is about how do we pass a law that 
could provide businesses with more clarity and the ability to 
evolve with the threat. I don't think that the objective should 
be to shoehorn a law that was written for one industry to apply 
to the entire business community. We should--
    Mr. Pittenger. And I don't think that is what this law 
does, according to what I just read. I think it clearly states 
that the provisions in there would reflect the size, 
complexity, the nature and scope. It personalizes it. It 
creates that flexibility.
    Mr. Dodge. And I appreciate your focus on that, because we 
agree with the need for that flexibility. We simply are looking 
at the proposal in its entirety, and it is hard to separate 
things out without talking about how it would affect it when it 
is all merged together.
    Mr. Pittenger. Thank you.
    I yield back.
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from Massachusetts 
who did not steal Mr. Mulvaney's credit card in his 
hypothetical, Mr. Lynch, for 5 minutes.
    Mr. Lynch. Thank you, Mr. Chairman. I appreciate that.
    I want to thank the witnesses for your testimony.
    Ms. Moy, on the question of Federal preemption, when we 
talk about complete Federal preemption, we are talking about a 
Federal standard, and, at least as far as this legislation 
goes, we are talking about Federal enforcement, as well, that 
is being taken away from the attorneys general of the States.
    And, even further, it looks like the notification for 
breach will be taken away from the FEC and given to the FTC. So 
we are consolidating that, as well.
    And, as well, it might involve, if I am--I am not sure if I 
am getting this correct. If we have a Federal standard, and a 
retailer or a business complies with that Federal standard, 
does that imply some type of immunity for that individual 
retailer? If they are complying with what the Feds require, is 
that also holding them harmless from any liability?
    Ms. Moy. I'm sorry. You mean in an environment where this 
creates a floor and not a ceiling and States continue to have--
    Mr. Lynch. This would be a complete obliteration. This 
would be--
    Ms. Moy. Right.
    Mr. Lynch. --just total preemption so you will have one 
standard. You could call it--well, it would be a ceiling. It 
would be a ceiling.
    So is that implying some type of immunity or protection 
from liability for the complying company?
    Ms. Moy. Yes, a company would then only be liable as it 
would be held liable under the Federal law, and any additional 
obligations of the State law that had previously existed would 
no longer be actively enforced against them.
    Mr. Lynch. Right. And, under this legislation, that would 
be problematic, because, as your testimony indicated, it only 
recognizes financial harm, right? There is a trigger--actually, 
personal--there is a financial harm trigger, and I think there 
is also a trigger for a very narrow set of personal 
information.
    Ms. Moy. Actually, I am not sure if there is. I was under 
the impression that the financial harm trigger applies to 
everything, but perhaps you are right. I will take a look at 
that and--
    Mr. Oxman. If I may, Congressman--
    Mr. Lynch. Sure.
    Mr. Oxman. --the provisions of the bill, of H.R. 2205, also 
provide for triggers related to identity theft as well as 
financial harm.
    Ms. Moy. Right. Yes, although many States, as I noted in my 
written testimony, have either no harm trigger at all, 
recognizing that consumers want to be notified of the breach of 
certain classes of information and want to be able to safeguard 
that information regardless of whether or not it could be used 
for identity theft or financial harm, and a clear majority of 
States have either no trigger or a trigger that is broader than 
just financial in nature.
    Mr. Lynch. One of the problems I have is that this 
introduces a Federal standard and it takes out the States. 
Massachusetts happens to have a very robust consumer protection 
privacy framework that I think will be harmed.
    And we also have--we have been blessed with attorneys 
general who have been very active in defending consumers. And 
some of those cases, as you pointed out--I think the average 
case of breach in Massachusetts--we had 2,400 last year, but 
the average size was about 74 consumers. So that is not the 
type of thing that the FTC is going to go after, in my opinion.
    Ms. Moy. That is right. And that is why we think it is so 
critically important--if we want to ensure that all consumers 
are protected by a Federal standard, it is really important 
that we have as many people keeping an eye on what is happening 
with breaches and working with companies to help develop their 
security standards and working with consumers to respond after 
their information has been breached and to watch out for 
potential harm that could be coming down the pike. It is really 
important to have the involvement of the State AGs in all of 
that.
    Mr. Lynch. And if we did introduce--and I am in favor of 
introducing a very high floor across-the-board that I think 
would subsume maybe close to 40 States. But I would like to 
have that flexibility for States that--number one, they are 
more flexible. Congress is not known for its speed at all. And 
so having the States out there with the ability to provide 
additional protections, especially in the face of the 
sophistication of some of these hackers, is very, very 
important, in my mind.
    There is some incongruity in this bill. It talks about a 
Federal standard, but then it says every covered entity will be 
responsible for adopting a system of security protection that 
is commensurate with their size and their complexity. The 
gentleman from North Carolina just brought this up in a 
different context.
    But how do we deal with that, where a pizza shop, a coffee 
shop, a bank--well, banks are a different class--but each and 
every company is going to be able to right-size the level of 
protection, but, in reality, that stream of information that is 
breached may not be compartmentalized?
    Ms. Moy. I'm sorry. What do you mean by the information may 
not be compartmentalized?
    Mr. Lynch. If they hack into, as you said, your email and 
your password, that opens up a whole other door of information 
that they can access that might not be readily evident, based 
on where they entered the stream of information.
    Ms. Moy. Right.
    May I just respond to him?
    Chairman Hensarling. A very brief answer.
    Ms. Moy. Sure.
    Yes, I would just say there are certainly log-in 
credentials that, because people recycle passwords, can be used 
across accounts. And that is an important reason for--
    Mr. Lynch. All right. Thank you.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from California, Mr. 
Royce, chairman of the House Foreign Affairs Committee.
    Mr. Royce. Thank you, Mr. Chairman.
    There has been a lot of discussion here about the current 
liability, what it looks like. I guess one of the questions is 
what it should look like.
    And if I could ask Governor Pawlenty--I had a question 
here. When a data breach occurs, how should we allocate 
financial responsibility for that breach?
    For example, if a breach of sensitive customer information 
occurs at a financial institution and it is shown that the 
institution did not protect the customer information, as Gramm-
Leach-Bliley requires, do you agree that the financial 
institution should be responsible for the cost of the breach?
    Mr. Pawlenty. Congressman Royce, yes. We believe that the 
entity that was negligent, or entities, plural, should be 
responsible for their negligence.
    Mr. Royce. Okay. Then, Governor, should the same be true of 
the merchant? If there is a breach with a high likelihood of 
harm being done to the consumer, should the merchant be 
responsible for the costs associated with that breach to the 
extent that the entity has not met minimum security 
requirements?
    Mr. Pawlenty. Congressman Royce, absolutely.
    Mr. Royce. And, Mr. Dodge, do you agree on that point?
    Mr. Dodge. I would tell you that we do agree because that 
is what happens today. Today, merchants are obligated, if they 
have a breach, by contracts signed with the card networks to 
reimburse the banks for the fees associated with the costs, in 
addition to the fees that they pay every day every time a 
transaction--which is obligated to prepayment of fraud, if it 
happens or even if it doesn't happen. So those fees are being 
paid constantly.
    Mr. Royce. So the next question I was going to ask Governor 
Pawlenty is: It has been proposed by some that consumers should 
receive notification of a data breach directly from the company 
that was breached even if they have no relationship with that 
company.
    Wouldn't a simpler solution be to allow the notice to come 
from the company that the consumer gave their financial 
information to directly, while also allowing the company to 
identify where the breach occurred if it is known?
    It is my understanding that there is currently no law, no 
contractual obligation that would preclude a financial 
institution from identifying the institution where a data 
breach occurred when sending out a notification to their 
customer. Is that your understanding, as well?
    Mr. Pawlenty. Congressman Royce, yes.
    And, of course, you might imagine, if there is a breach, it 
unfolds in the early hours and days with a great deal of 
uncertainty and sense of crisis around it. So, as people think 
about what they are going to say publicly in sending out 
notices, particularly if it incriminates another company, you 
want to make very sure that you are articulating that correctly 
and accurately, for fear of liability. And so I think some 
companies don't name names in those initial notices over some 
of those concerns.
    Mr. Royce. As we look at the cyber attacks, and we see this 
increasingly as we talk to European and Asian governments, a 
lot of these are being conducted now by state-sponsored or 
state-sanctioned entities. We actually, for example, see 
individuals traveling from a certain bureau in North Korea to 
Moscow to be trained, and then we see their conduct with 
respect to the banking system in South Korea and the attempt to 
implode the financial system in South Korea with those direct 
attacks.
    What can or should be done, in the view of some of the 
panel here, to hold these countries accountable in situations 
like this? And how do we do that?
    Mr. Pawlenty. Congressman, to the extent this has evolved 
into an international dynamic and you have state-sponsored or 
semi-state-sponsored activity, the United States is going to 
have to respond in kind at a level of country-to-country 
discussions and potential consequences.
    As you may know, under current law, the only entity that 
can fire back, if you will, in cyberspace is the U.S. 
Government. Private entities cannot hack back. And so the 
deterrent or consequences for this potential behavior can only 
come from the U.S. Government.
    And then, lastly, there needs to be rules of the road 
internationally. We have rogue states, semi-rogue states acting 
recklessly, irresponsibly, in a very concerted fashion. And 
what you see now in terms of payment disruption is relatively 
minor. The consumers get reimbursed. It is inconvenient, it is 
menacing, it is concerning, and you should act on that alone. 
But compared to some not-too-fanciful scenarios where the 
entire payment system is disrupted or another piece of critical 
infrastructure is disrupted, that is something you need to be 
thinking about.
    Mr. Royce. We have seen Iranian attempts here. Have you 
seen that in your industry?
    Mr. Pawlenty. We are cautioned not to attribute, other than 
what has been reported publicly. But it has been reported 
publicly that North Korea was involved in an incident, an 
attack that was attributed to them. And I think you have seen 
public reports of Russian or Russian-sponsored entities, and 
Iranian and Iranian-sponsored entities, and on down the list.
    Mr. Royce. Thank you very much, Governor. My time has 
expired.
    Mr. Chairman, thank you.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from New York, Mr. 
Meeks.
    Mr. Meeks. Thank you, Mr. Chairman.
    First, I guess, Mr. Oxman, let me ask you this question in 
the same line. After 9/11, we talked about having all of our 
intelligence agencies working closely together, et cetera. And 
so here, when you talk about preventing data breaches, there 
are a number of entities that are concerned, whether you are a 
device manufacturer, whether you are a network operator, 
whether you are a financial institution or an app developer. It 
seems to me that it would be important that these entities work 
together to develop effective mobile data protection solutions.
    In your estimation, is industry working in a collaborative 
way, all of the interested parties, in doing that? And what, if 
anything, do you think that Congress can do to ensure greater 
collaboration so that we can make sure that everybody is 
working together to try to eliminate this huge problem?
    Mr. Oxman. Thank you, Congressman Meeks.
    I think the good news is that the short answer to your 
question is yes. The industry, the ecosystem is working 
enormously smoothly together to deploy the next-generation 
security products and services that we need out there in the 
market to secure against these increasingly sophisticated cyber 
attacks.
    The industry is working collectively through standards 
bodies, like PCI, to deploy next-generation security 
technologies like chip technology in cards, like tokenization 
to take account information out of the system, and like 
encryption to secure points of entry against intrusion from 
cyber attacks.
    The industry, as you noted, is enormously complicated. It 
does involve a number of different players, from financial 
institutions to payment processors, merchants, consumers, and 
device manufacturers. And as we move to new technology, like 
mobile payments and wearables, it is going to get even more 
complicated.
    But, again, I think the good news is we are working very 
well together to deploy all these next-generation technologies 
because we all share an interest across the ecosystem in 
ensuring that our customers feel comfortable shopping at our 
stores and using electronic payments.
    As to the second part of your question, Congressman, what 
can Congress do, I think H.R. 2205 represents the ideal vehicle 
for addressing what we do need Congress' help with, and that is 
unifying a patchwork of State laws that are inconsistent and, 
in some cases, incompatible with one another to address how we 
let consumers know when something does go wrong. Because 
criminals are sophisticated and they are going to keep acting, 
and we need to make sure we are all on the same page when we 
let our customers know if something happens. And that is where 
I think Congress can be helpful.
    Mr. Meeks. Thank you.
    Let me ask Mr. Pawlenty, I know and you believe--in reading 
your testimony, you noted that the EMV chip cards have proven 
very effective. And I have a number of my cards now that are 
coming, have to switch out on them, make sure you have the 
chip.
    But one of the questions--and this happens with my 
daughters, et cetera, now, that they are doing more and more 
shopping online. People are not going to the store as much, and 
they are doing shopping online. And it seems as though there is 
more fraud that is now taking place when people are doing this 
shopping online.
    So can you discuss ways in which firms are innovating to 
prevent customers or consumers who rely more on the online 
shopping so that we can prevent fraud in that regard? And, 
again, like I asked Mr. Oxman, ways that Congress can ensure 
greater data breach protection as we move away from in-store 
purchases? It just seems that with this new generation, it is 
just online. My daughters won't go to stores anymore; 
everything is online. What can we do, in that regard?
    Mr. Pawlenty. Congressman, that is a great question. And as 
was mentioned earlier, the chip cards will go a long way 
towards eliminating or greatly reducing card-present fraud for 
the reasons that were mentioned earlier. So that is progress 
and good, and we applaud that and enthusiastically embrace it.
    But as we have seen in the other EMV-adopted countries, the 
fraud then shifts to the online environment. And what happens, 
of course, is, if you make an order online, over the phone, or 
otherwise, you enter in your credit card number, you enter in 
your three- or four-digit code and your expiration date, and 
away you go. And so, if I have that information from you, I can 
make that transaction online, and it is--let's just say it is 
loose, to put it mildly.
    So the future of that in the near term is a technology 
platform called tokenization, which will allow that transaction 
to occur with a unique set of data that connects needed data to 
finalize the transaction, but the personally identifiable 
information isn't necessarily transmitted as part of it. It is 
a token, one unique signal that goes.
    That is coming. It is just around the corner. And it is 
already into market, to some extent. But as was mentioned 
earlier, the cost of it is coming down, it is becoming more 
ubiquitous. So that will be a big part of the solution. It was 
invented 10 years ago. So there will be something else that 
will come next.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Maine, Mr. 
Poliquin.
    Mr. Poliquin. Thank you, Mr. Chairman. I appreciate it very 
much.
    And thank you, all you folks, for being here today. I 
really appreciate it.
    Mr. Oxman, I know you and I are both from Maine, probably 
the safest State in America. And we invite all kinds of other 
folks to come up there and enjoy our State.
    That being said, we are not immune to folks who are 
stealing our credit card numbers, or using our debit cards 
fraudulently, and what have you. So we know there is a problem. 
The problem is across the country, even in our great State of 
Maine.
    That being said, one of the things that I have heard this 
morning that I am delighted about is that there seems to be 
some common ground, a lot of common ground, when it comes to 
the fact that there is an issue with cybersecurity. We all know 
it is there, and you folks all agree to it, even though you are 
from different parts of this space, if you will.
    And I have also heard, if I am not mistaken, that there is 
a consensus that we need, instead of 48 individual laws that we 
have to deal with, that one national standard would be very 
helpful when it comes to notification.
    What I would like to hear from each of you--we will start 
with you, Governor, if you don't mind terribly--is what else is 
on the top of your list. What else would you like to inform 
this committee about that would be very helpful for all the 
players in this space to make sure our consumers in Maine's 
Second District and throughout the country are well-protected 
with their bank accounts and their credit cards and what have 
you? What could you advise us today?
    Because your members are the folks who are on the ground. 
You are much closer to this problem than we could ever be. 
Please tell us.
    Mr. Pawlenty. That is a great question. And when you think 
about notification, it helps notify people that there was a 
problem and now we need to clean up the mess.
    Mr. Poliquin. Right.
    Mr. Pawlenty. That is little consolation for people who 
have the mess visited upon them. And so it is helpful.
    As to standards, again, it will help as people raise their 
game. I think this entire space is going to evolve in a very 
interesting and probably disruptive fashion over the next 10 
years. The things that we are talking about here today in terms 
of technology platforms, as was mentioned earlier, will look 
very different 10 years from now. I don't think we are going to 
be walking around with pieces of plastic and PINs. The whole 
thing is shifting increasingly to mobile and other ways to make 
payments.
    So I would say it is going to come from the technology 
sector, big changes and good changes.
    Mr. Poliquin. Mr. Dodge?
    Mr. Dodge. I am glad some attention is being paid to 
collaboration, because I think that is an important outcrop 
from these catastrophes, this focus.
    Last year, we collaborated with the Financial Services 
Roundtable and the Electronic Transactions Association, with a 
whole bunch of merchant and financial services associations, to 
talk about these challenges, and to try to find some common 
ground.
    Collaboration has also found its way into the threat-
information-sharing world, where businesses can share threat 
information, sort of a rising tides--for a Maine term, ``rising 
tides lift all ships''--the ability to see a threat, deflect 
it, and share with others what you saw and how you did it. That 
is really important. And we congratulate Congress for passing 
legislation on that last month.
    I think one of the things that we really look towards is, 
how do we enhance security to the 21st Century and beyond? Card 
security today is weak. It needs to improve. There is a half-
step on the calendar for later this year, but it is only a 
half-step. We need to get beyond that. And we really want to 
see Congress focus on that, and we certainly want to see the 
business community that is responsible for creating those cards 
focus on it, as well.
    Mr. Poliquin. Mr. Oxman?
    Mr. Oxman. Thank you, Congressman Poliquin.
    I am excited about the changes in technology that we are 
seeing in our industry. And I think if there were one thing for 
the committee to be aware of, it is that there actually is no 
need for an inquiry into that technology because the industry 
is working together to deploy it.
    My first job was as a bank teller, during the summer after 
my first year in college, at Mechanics' Savings Bank in the 
heart of the Second District of Maine.
    Mr. Poliquin. You bet.
    Mr. Oxman. And the hot technology back then in the 1980s 
was the ATM machine. Today, consumers can buy things with a 
watch. It is absolutely amazing what is happening out there.
    And I think the good news from Congress' perspective is 
that the industry is deploying that technology safely, 
securely, and reliably, and we are going to get it done.
    Mr. Poliquin. What about Apple Pay, Google Wallet, Square, 
these pieces of technology that are being developed much more 
quickly than I can understand for how to pay for the goods and 
services you buy online or through a mobile device? Do you see 
any problems coming down the road with those types of 
technology, or is that where it is going to go and where it 
should go, in your opinion?
    Mr. Oxman. Yes, I think this kind of technology is 
incredibly exciting, particularly because it allows us to 
deploy more robust security alongside.
    The way to think about it is, it is a new means of 
implementing a payments transaction, of initiating that 
transaction. You are using your watch or your phone instead of 
a plastic card. And that watch or phone or whatever device it 
is has many more security capabilities to it than the plastic 
cards, so it is actually a good thing for consumers.
    Mr. Poliquin. Mr. Orfei, unless here in this country we go 
down this path where we continue to work on this problem and 
find solutions to it, aren't we exposing our consumers and our 
families and our businesses to more cyber risk if Europe is 
ahead of us and other developed countries or parts of the world 
are ahead of us?
    Mr. Orfei. May I answer that question?
    Mr. Neugebauer [presiding]. Quickly.
    Mr. Orfei. I think the technology is going to evolve here, 
and we will have good answers. Particularly, mobile will be the 
future of payments.
    But I think what is really key is this information-sharing 
effort that is in progress right now. Being able to collect 
that information, translate it so it is actionable 
intelligence, and then that will allow us to preempt attacks 
from organized crime, rogue states, and state-funded actors.
    Mr. Poliquin. All right.
    Thank you all very much. I appreciate it.
    Thank you, Mr. Chairman. I yield back.
    Mr. Neugebauer. I thank the gentleman.
    Now the gentleman from Georgia, Mr. Scott, is recognized 
for 5 minutes.
    Mr. Scott. Yes. Governor Pawlenty, I would like you to 
address this, and anybody else can chime in, as well. But with 
the challenge for our migration of the EMV chip technology in 
the United States basically due by October 15th, why are U.S. 
consumers only now receiving the chip cards when consumers in 
Europe and Canada have had them for many years? Why are we 
behind the eight ball?
    Mr. Pawlenty. There is some unique history as it relates to 
how Europe got to where it is relating to technology, their 
telecommunications system, how they did batch processing, how 
that works relative to how we did it in the United States.
    I think, to sum it up here, I would say the transition from 
what we had to what we need and where we are headed next is a 
very big transition. You think about the millions and millions 
and millions of point-of-sale terminals that would have to be 
chip-ready. Right now, only about 25 percent of retailers can 
even take a chip card. So they will have to flip over their 
systems, their point-of-sale systems, their backroom systems. 
Payment networks have to do the same; the banks have to do the 
same. So it is a massive transition.
    Would we have benefited from it being done earlier? 
Probably. But we are where we are, and now we just need to get 
it done as quickly as possible. And all of this is highlighting 
the urgency of it.
    Mr. Scott. Okay.
    Now, since we have such a brain trust of cybersecurity 
before us in this distinguished panel, I want to shift gears 
for a moment. Are you satisfied and how would you describe the 
national security threat to our country as a result of 
cybersecurity, as a national security issue? I think it is one 
we really, really have to deal with.
    And how would you relate that, particularly when we have 
had attacks on our cybersecurity from China, from Russia, from 
Iran, from North Korea, ISIS, Al Qaeda, other terrorists. Now 
our military bases are being put on heightened terrorist attack 
alert at a level we haven't seen since 9/11.
    What is it that we need to do more? And how do you address 
and how do you rate this threat at its present time as a 
national security issue?
    Governor Pawlenty, or any of you?
    Mr. Pawlenty. I will say, Congressman, I would rate it as a 
clear and present danger. And that is why I said what I said 
earlier. I think, particularly for folks who are on the 
Republican side of the aisle, it is not as comfortable to say 
we are just going to do something uniform across the country, 
but I think this is elevated, not just the card and processing 
but many other aspects, to a national security issue.
    We have known, identifiable threats to critical 
infrastructure of this country that would impair not just the 
economy but the health and well-being of our citizens if they 
are deployed to any sort of scale. And so it is a clear and 
present national security threat that I think needs to be 
addressed with that kind of urgency and that kind of 
seriousness and that kind of weight behind it.
    Mr. Oxman. And, Congressman Scott, it is a question that is 
answered largely by technology. And thank you for your 
leadership in taking a founding role in the Congressional 
Payments Technology Caucus, because technology companies, 
including many from the great State of Georgia, are out there 
deploying systems to secure networks against intrusion.
    And there is no question that the payments industry is 
focused relentlessly on this. Because the security of networks 
and the reliability of networks and systems is why consumers 
choose electronic payments as their preferred method of 
engaging in commerce. And we need to make sure that remains a 
confident factor for consumers.
    Mr. Scott. And, Mr. Oxman, how ready will we be? October is 
right around the corner. What are your expectations? Have we 
set that date? Is it accomplishable?
    Mr. Oxman. Yes, Congressman Scott, the migration in October 
to the chip cards is a date that we have set as a milestone, 
and it is a lot of work to do: 1.2 billion cards in consumers' 
wallets need to be replaced, and more than 8 million merchants 
in the United States need to upgrade their systems in order to 
accept chip cards. That is going to take some time.
    Will we be completely finished by October? The answer, 
frankly, is, no, we won't be all done. But we will be largely 
there. And, most importantly, the industry is entirely unified 
in recognizing the importance of making this infrastructure 
upgrade. We are doing it. We are working together--merchants, 
financial institutions, payments companies, and consumers. And 
we are going to get it done.
    Mr. Scott. Thank you, Mr. Chairman. I yield back.
    Mr. Neugebauer. I thank the gentleman.
    The gentleman from Arkansas, Mr. Hill, is recognized for 5 
minutes.
    Mr. Hill. Thank you, Mr. Chairman.
    And I thank the panel for being with us this morning.
    On Mrs. Maloney's comments about Gramm-Leach-Bliley and the 
impact on banks, having run a community bank for the entire 
history of Gramm-Leach-Bliley's existence, I do think it was 
flexible in the standards when it comes to examination and 
practice, both in scope of business and not. So I think that is 
something that has worked well in the financial services 
industry.
    One question I have I would like the panel to react to is, 
what role does liability insurance coverage play here when you 
think about standards?
    I know in our company we took out the coverage at the very 
modest premium for notification coverage, which was sort of 
what was recommended by the underwriters. I didn't find it very 
compelling or particularly useful, but in a large breach it 
certainly would be helpful to pay the out-of-pocket expenses.
    But what is happening in the liability arena on insurance 
coverages for our entities beyond that? What standard are they 
setting when they come to underwrite a retailer--let's start 
with you, Mr. Dodge--about data breach. Because there is 
obviously a mathematical loss potential for one of your 
members.
    Mr. Dodge. Sure. I will acknowledge at the outset that I 
don't claim to be an expert on cybersecurity liability 
insurance; however, my exposure to it offers me a little bit of 
perspective.
    First is it is a pretty immature market, pretty new, and it 
is rapidly involving. And I know the Administration is working 
on ways to make that a more mature, more competitive market.
    Many retailers are looking into, many have purchased 
liability insurance as it relates to cybersecurity. I don't 
have a number for that, but I suspect that number is growing by 
the day. And one of the challenges that they all face is where 
exactly to price it. They don't know how much to get, and they 
don't know if they are getting a great value for it. But they 
know that it is important to have, and they are working on 
making sure that improves over time.
    But I think your point is a good one, sure.
    Mr. Hill. Also, in the Verizon report that has been 
mentioned, only about 20 percent of those breaches are as a 
result of the retail and the banking industry, which means 80 
percent aren't. And we haven't heard one question about that 
today.
    Just last week, I got a letter from the Arkansas Medical 
Society, where over 60 physicians had their identity stolen 
when they filed their income tax return. They didn't know it 
until they went to hit ``send'' electronically to the IRS, and 
they suddenly learned they had already filed their return, 
which, of course, they hadn't.
    So can you reflect on standards that we have talked about 
today for that other 80 percent that is not represented here 
today?
    Or maybe, Mr. Oxman or Mr. Orfei, you might take that one?
    Mr. Oxman. Yes. Thank you, Congressman Hill. And I do think 
that is an important issue because the harm that consumers 
suffer from identity theft can in some circumstances be as 
impactful as the harm suffered from the theft of financial 
data.
    And I think H.R. 2205 does a good job of making sure that 
all entities, not just retailers and financial institutions and 
payments companies, but all entities that have the storage or 
access to sensitive personal information are required to abide 
by the Federal standards that H.R. 2205 would put in place. And 
I do think that is a very important component of the bill.
    Mr. Hill. Would anybody else like to add to that?
    Mr. Orfei. I think the fundamentals of the PCI standard are 
applicable across all vertical markets.
    I also share your concern in my discussions with law 
enforcement that the healthcare systems, in particular, will be 
a next big target. Protecting that data and following adherence 
to the PCI standard would benefit those industries, as well.
    Mr. Hill. I think it is a little odd that HIPAA--we can't 
even have a conversation about our aunt's health with the 
doctor without everybody jumping through hoops, but we 
obviously have healthcare data at risk. It is financial data, 
and this IRS situation is financial loss. I think this is a 
serious matter, certainly as serious as having your credit card 
number compromised.
    So I am glad to hear you say that you have some comfort 
that the standards in this bill will help in this other 80 
percent of the issue that we are not addressing today. Thank 
you.
    Mr. Dodge?
    Mr. Dodge. I would say that we also endorse a strong 
reasonableness standard, one that provides businesses with the 
strong expectations of what government considers to be a 
reasonable standard. We believe that it should be enforced by 
the FTC, and we have endorsed the legislation that came out of 
the Energy and Commerce Committee to do just that.
    We think it is important, as we are addressing this issue, 
that we first look at the regulatory landscape as it is today 
and design solutions that fit within that, rather than moving a 
regulation design for one industry--in this case, the financial 
services industry--to apply to the entire rest of the economy.
    Mr. Hill. Right. Thank you for that comment.
    I yield back. Thank you.
    Mr. Neugebauer. I thank the gentleman.
    And now the gentlewoman from Wisconsin, the ranking member 
of our Monetary Policy Subcommittee, Ms. Moore, is recognized 
for 5 minutes.
    Ms. Moore. Thank you so much, Mr. Chairman.
    I just want to thank all of the witnesses for taking the 
time and for being patient with us. And I can tell you that you 
guys almost and Ms. Moy almost answered my questions when other 
Members were asking, and so I do want to apologize if things 
seem redundant.
    Let me start with you, Ms. Moy. You talked about having a 
Federal standard, a floor standard. And you talked about the 
FTC really providing that service at this point. I guess I want 
your opinion or knowledge about whether or not you think the 
FTC is currently staffed up and resourced up enough to continue 
this stewardship.
    How much more would it cost to do it? How many more 
employees do you anticipate? Or is there a necessity to create 
a new agency?
    Ms. Moy. I apologize because I don't have those numbers for 
you, although I could do some research and try to help you 
answer that question.
    I do think that the FTC is doing a pretty good job 
enforcing data security, specifically with the biggest cases. 
And at the State level, the States are active in this area, as 
well, also enforcing sometimes their own data security standard 
and sometimes a standard that they are drawing from the 
authority of their general consumer protection acts, their many 
FTC acts.
    I think it is really important, though, to preserve the 
ability of what the States are doing, to preserve the ability 
of State AGs to continue to provide that important service, and 
to set our new standards at a level that will continue to 
preserve protections for pieces of information that would not 
be covered by the legislative proposals we have seen.
    For example, in your own State of Wisconsin, the breach 
notification standard would extend to DNA and biometric data 
that is not necessarily covered by what we have seen in some 
legislative proposals.
    Ms. Moore. I really would like to know how much this will 
cost.
    And in keeping with the same theme, Mr. Mulvaney was sort 
of going down this road about who pays for the cost of a 
breach. And on October 1, 2015, there is going to be a merchant 
liability shift.
    And so we are at Gwen Moore's custard stand here, and I 
have just gotten my little smartphone to be able to swipe my 
card. How much is this going to cost me? Or do I just take 
risks and say, I will just take chances for a few years until I 
get my business up and start franchising my custard store? How 
much will it cost me to be compliant?
    Mr. Oxman. Congresswoman Moore, the good news is for a 
small business that is interested in upgrading their 
infrastructure, the costs are actually very low. You can get an 
EMV chip device from Square for $30--
    Ms. Moore. Oh, okay.
    Mr. Oxman. --if you want to go that route, or you can get 
it from a payments processor for not much more. So the cost is 
actually very low for the merchant.
    And the good news is that October liability shift date that 
you are talking about, if the merchant makes that small 
investment in the upgrade to accept chip cards, and if the card 
issuer has issued chip cards, then the liability for a 
fraudulent transaction and counterfeit card actually rests with 
the issuer. So the merchant is exactly the same as they would 
be today. As long as they have made that investment in the 
infrastructure, they don't have liability for a counterfeit 
card transaction in that scenario. So it is good news for the 
merchant.
    Ms. Moore. That was the answer that was escaping me this 
entire hearing; how much is it going to cost Gwen's custard 
stand to be able to do it.
    Obviously, there will be a lot of costs for ATMs, and I 
guess that is a little bit more costly. How much will it cost 
to update all the ATMs?
    Mr. Oxman. Yes, the ATMs and, actually, fuel dispensaries, 
so gas stations--
    Ms. Moore. Right.
    Mr. Oxman. --actually have an extra 2 years to upgrade 
their infrastructure simply because it is pretty complicated to 
actually take the credit card equipment out of an ATM or out of 
a gas pump. So they don't have to worry about upgrading their 
infrastructure until October of 2017 for those two industries.
    Ms. Moore. Okay.
    In my remaining time, for Governor Pawlenty, as the head of 
the Financial Services Roundtable, I guess I am just curious 
about why it has taken us so long to do this, why we are behind 
Europe and Canada? And you guys have testified that we are 
going to stay behind.
    Mr. Pawlenty. Yes. Some of the countries that went to EMV 
didn't have much legacy technology to begin with, so they could 
just jump to it as first adopters. Other countries have other 
histories, like the U.K., for example. In an era where telecom 
was really expensive, they loaded up all their transactions and 
processed them at the end of the day, called batch processing. 
So the ability to do, kind of, realtime communication via 
telecom had something to do with how and when things evolved.
    All that being said, I think the United States has been 
slow to this issue, but the fact of the matter is we do see the 
need, obviously--everybody does--and we are moving as quickly 
now as possible to implement it and for good cause.
    Ms. Moore. Mr. Chairman, I realize my time has expired, but 
I just want to ask Governor Pawlenty, are the Vikings going to 
be as bad as they were last season?
    Mr. Pawlenty. Did you say the Packers? The Vikings. Well--
    Mr. Neugebauer. I think the big question is, how do we get 
some of that custard?
    Mr. Pawlenty. The Vikings are going to be better this year, 
Congresswoman.
    Mr. Neugebauer. The gentleman from Florida, Mr. Ross, is 
recognized for 5 minutes.
    Mr. Ross. Thank you, Mr. Chairman.
    And thank you, panelists.
    I can only preface my remarks by thinking back to the early 
1980s when I was installing computer systems, little 16-bit 
processors in pharmacies across the eastern United States, and 
we would use a dial-up modem to update their drug prices and to 
process data. And then, at that time, the movie ``WarGames'' 
came out, starring Matthew Broderick, that showed how we can 
hack into the WOPR, the intelligence computer that started an 
international war game. And we have evolved today to where you 
go to Walt Disney World and you get a magic band you wear that 
has all your data, shows Disney exactly where you are, what you 
are doing, what ride you want to be on, all your billing 
information.
    The evolution of technology has been a tremendous benefit 
to us. It has given us a path of expanding our commerce and our 
economy tremendously. And, obviously, it has given 
opportunities to give those who seek ill will against us, and 
that is why we are here.
    One of the institutions of higher education, the University 
of South Florida, rests in my district. And 2 years ago they 
were designated by the Florida legislature to be the center of 
cybersecurity, an academic program. Now, they have over 100 
students seeking masters in this particular arena.
    My question is, is there a great deal of cooperation 
between the private sector and the academic sector in trying to 
innovate ways to continue to fight cybersecurity? If anybody 
can address that?
    Mr. Dodge. I would just speak up and say, I know that the 
retailers who have sought such partnerships have found welcome 
partnerships in it.
    Last year, we established something called the Retail Cyber 
Intelligence Sharing Center. And at the core of that is a 
retail ISAC, but wrapped around that is an opportunity for 
educational opportunities. And I know that group has found 
great partners already in the academic community looking for 
ways to identify ways to bring future chief information 
security officers up through the ranks but also to share 
information so that everybody has the best skills available 
today.
    Mr. Ross. It would seem to me that would be a good 
partnership, even though I would say that well over 80 percent 
of our commerce in the cyber world is through the private 
sector.
    Mr. Dodge, let me ask you this particular question, because 
as my colleague, Mr. Mulvaney, was asking you about who bears 
the cost of a fraudulent transaction, is it between the banks 
and the retailers? Is there not in existence any particular 
either expressed or implied right of indemnification between 
the parties that would allow that to be resolved absent 
statutory or legislative involvement?
    Mr. Dodge. The fraud payment requirements, who pays after a 
breach or in the instance of fraud, is spelled out in the 
contracts. So the retailers are bound by those contracts, and 
their unwillingness to--if they violate those contracts, they 
risk losing the right to accept cards.
    Mr. Ross. So there is a limited negotiation, I guess, is 
what you are telling me in order for a retailer--if a retailer 
wants to accept a MasterCard, they accept all the terms and 
conditions without, really, negotiation.
    Mr. Dodge. It is not a negotiation. You sign the contract 
presented to you.
    Mr. Ross. Okay.
    And, Mr. Oxman, one of the things that we have talked 
about--you talked about very well and in depth is the EMV, the 
electronic MasterCard/Visa chip. Now, for some time this has 
been in practice in the European markets, has it not?
    Mr. Oxman. It has.
    Mr. Ross. And, just recently, had it not been for, I guess, 
an Executive Order, we would not be pursuing it as fast as we 
are in the United States.
    What has been the reason for the delay of the 
implementation of the chip technology here?
    Mr. Oxman. The reason that chip technology is being 
deployed today in the United States and has been deployed 
already in Europe is the following: In Europe, they don't have 
the ability that we have here to authorize a transaction 
online.
    When you swipe your card at the point of sale, what happens 
is that transaction is transmitted through a payment network to 
the card issuer for a ``yes'' or ``no'' answer. And when the 
receipt is spit out 1.4 seconds later with a ``yes'' answer, it 
is because that transaction was authorized and approved online.
    Mr. Ross. I see.
    Mr. Oxman. In Europe, they don't have the infrastructure to 
do that. The card authorizes the transaction--
    Mr. Ross. I see.
    Mr. Oxman. --which means that chip with the swipe machine 
isn't going anywhere--
    Mr. Ross. It is making the decision right there.
    Mr. Oxman. It is making the decision right there.
    Mr. Ross. I see.
    Mr. Oxman. And that is why the chip infrastructure is 
necessary in Europe and hasn't been necessary--
    Mr. Ross. And now we move into tokenization, which is 
essentially protecting the database of all the private 
information, and it is encoding or encrypting that particular 
transaction with a one-time identification, and then that 
allows anybody who captures that to have really nothing.
    Mr. Oxman. That is exactly right. The way the system works 
today, in many cases, your actual account number is 
transmitted.
    Mr. Ross. Right.
    Mr. Oxman. So what are cyber thieves looking for? They are 
looking for credit card numbers. Why do they breach retailers? 
Because there are tens of millions of them there.
    In a tokenized environment, it takes the actual account 
number out of the equation, so there is nothing to steal and--
    Mr. Ross. How fast are we moving in that direction? Are 
we--
    Mr. Oxman. We are moving in that direction very quickly.
    Mr. Ross. So it is going to become the predominant barrier, 
if you will?
    Mr. Oxman. It is being ubiquitously deployed across all 
retail segments. Again, we have an existing infrastructure that 
needs to be replaced. It will take some time to get there, but 
we will get there. It is a great technology, and everyone is 
working together to make it happen.
    Mr. Ross. Good.
    One last thing. I know we have talked about point-of-sale 
defenses predominantly today, but, after the data has been 
breached and then the consumer's identity is stolen, how 
effective are some of these companies out there that allegedly 
protect consumers from having their identity stolen? Is that 
good, or is it bad, or is it just somebody else's opportunity?
    Mr. Dodge. I can't speak to any one of those companies. I 
think, again, everybody needs to be vigilant. You need to 
monitor yourself in addition to services you may provide.
    But I want to go back to a point you made a second ago, 
which is about advancing to the technology in cards to get to 
where we are in Europe and have been in Europe for a decade. 
The migration that is happening in the United States is only a 
half-step. We are only instituting a chip; we are not requiring 
a PIN.
    Mr. Ross. Right.
    Mr. Dodge. A PIN authenticates the cardholder, and we 
believe that there is a redundancy. It is a belt-and-suspenders 
approach to security that is needed in the card. It has worked 
in Europe. It has worked in Canada. It has brought fraud down. 
And so we should have it here.
    Mr. Ross. So PIN and the chip eliminated almost--
    Mr. Dodge. You need to have it together. And we are not 
moving to that here in the United States because of decisions 
made by the card networks.
    Mr. Ross. Thank you.
    I yield back.
    Mr. Neugebauer. I thank the gentleman.
    And now the gentleman from Arizona, Mr. Schweikert, is 
recognized for 5 minutes.
    Mr. Schweikert. Thank you, Mr. Chairman.
    Okay. This may be a little way from the legislation that is 
being vetted. Mr. Oxman, from my listening, you seem to be the 
most technical member of the panel. Is that a fair--
    Mr. Pawlenty. Yes.
    Mr. Schweikert. Yes. He says yes.
    Mr. Oxman. I guess I have been voted most technical.
    Mr. Schweikert. As the Governor says, ``Yes, give it to 
him.''
    Okay. Can we walk through a couple of mechanics? And, 
first, the philosophical box I want to work from is, if you and 
I wanted to design as robust a system as possible--I am not 
asking practical, but possible today, where I still have the 
use of my financial instruments, my credit cards, online, at 
the retailer, in any fashion it may be, what would I be doing?
    Because when we sat through something in this regard a 
couple of years ago, we had such high hopes for the 
tokenization handoffs and the randomization of the designs of 
those tokens.
    Is it token-plus? If you and I were designing a system here 
and making sure that, as we work on the legislation, it has 
enough openness to grab tomorrow's technology, what should we 
be doing?
    Mr. Oxman. A system designed from scratch would ensure that 
actual information that can be tied back to you or your account 
cannot be intercepted. Put another way, you would make sure 
that you didn't transmit actual information in a way that could 
be taken by somebody else and used in the same form.
    That is the real goal of all of the layered security 
technologies that you see deployed today. It is dynamic, and it 
makes sure that intercepted information cannot be useful.
    We haven't really talked about how the chip works in the 
chip card, for example. But the real difference between the 
chip and the mag stripe is it generates a unique dynamic 
security code--
    Mr. Schweikert. Yes.
    Mr. Oxman. --with each transaction. So even if you 
intercepted the chip information or tried to create a 
counterfeit chip, you wouldn't know the code for the next 
transaction, so it would be useless to you.
    So, again, does that--
    Mr. Schweikert. It is the handoff.
    Mr. Oxman. Yes, designing a system from scratch would make 
sure that the information was dynamic and couldn't be tied back 
to anything, even if it were intercepted.
    Mr. Schweikert. Now, is it a blend of, okay, here is my 
tokenization, handoff mechanics, and a biomechanic? If I am 
doing online, an IP algorithm behind saying, is this an IP that 
matches--what am I doing to make these things work?
    Mr. Oxman. Right. That is kind of the interesting thing 
about mobile payments, for example, which a lot of ETA-member 
companies, great technology companies, are moving to deploy--
    Mr. Schweikert. You beat me to our last minute of 
conversation, but we might as well move on to that. As we all 
move to the mobile pay and sort of catching up with the rest of 
the world, is the technology in my payment systems on this, is 
that my future of transaction security?
    Mr. Oxman. It is a great future of transaction security, 
because what that mobile device has on there is the token that 
we were talking about earlier--
    Mr. Schweikert. It could have all three. It could have the 
tokenization. It could have my bio data with my fingerprint.
    Mr. Oxman. Exactly.
    Mr. Schweikert. And it obviously has its version of--it is, 
as you know, not technically an IP, but it has--
    Mr. Oxman. It is encrypted.
    Mr. Schweikert. --the ability to hand over, saying, here is 
the device that goes with this.
    Mr. Oxman. That is right. So the future of technology that 
we are all working together to deploy has all of those elements 
to it. So it is almost as if we have an opportunity, thanks to 
the advances in technology, to devise that utopian system from 
scratch.
    Mr. Schweikert. Okay.
    Now, for everyone else on the panel, how do I incentivize 
that?
    Mr. Dodge. The one point that I would make at the outset 
is, Jason is absolutely right, the future of payments is in 
mobile technology, and we are going there, but we are not there 
yet. There are 1.2 billion cards circulating in the United 
States, and we need to make sure we are locking down that 
before we move to the next generation or while we are moving to 
the next generation.
    But I think I won't try to wade into the deep technological 
comments, but we believe that tokenization is a great 
opportunity and a great, great potential. And, certainly, 
mobile technology and the encryption that is in place today I 
think will work for a long period of time.
    Mr. Orfei. So the end game, really, is you devalue the data 
so that it is useless in the hands of criminals. And the three 
technologies that we have talked about today do exactly that: 
EMV at the point of sale; point-to-point encryption; and 
tokenization. If you bundle those correctly, and you implement 
it properly, the value is useless. There is no reason to break 
in. And even if you did, whatever you stole, you can't use 
anywhere else.
    Mr. Schweikert. Okay.
    Much of today's conversation was, who holds the liability, 
who pays. And my fear, at one level, is that is an absurd 
conversation to have. We should be having the conversation of, 
how do we build the robust technology so we don't have the 
problem?
    Mr. Pawlenty. Congressman, I know we are out of time. The 
good news is, it is happening. While mobile payments and some 
of the things you mentioned are a small part of the picture, 
the rate at which they are growing is rapid, and the adoption 
rate, particularly for younger people, is very high. So the 
future that you are foreshadowing is unfolding.
    Mr. Schweikert. I yield back, Mr. Chairman. Thank you.
    Mr. Neugebauer. I thank the chairman.
    And now the gentleman from Indiana, the chairman of the 
Republican Policy Committee, Mr. Messer, is recognized for 5 
minutes.
    Mr. Messer. I thank the panel for being here. Thank you for 
your stamina. I think we are getting close to wrapping up.
    I wanted to talk a little bit further about breach 
notification, and I think, Mr. Dodge, a couple of times you got 
pretty close to this, but I just want to make sure I better 
understand your position and your organization's position.
    You stated earlier that you wanted clarity for the business 
community, and I know you support the one sentence standard 
that was based on reasonableness found in the Energy and 
Commerce Committee bill.
    Now, I think if you look at Section 4 of H.R. 2205, it has 
a set--a process that is laid out that, frankly, is much 
clearer and I think more scalable. It is based and modeled off 
of what banks have been doing for 16 years under Gramm-Leach-
Bliley.
    Can you explain from your perspective why you believe H.R. 
2205's clarity isn't sufficient?
    Mr. Dodge. The Gramm-Leach-Bliley Act, and certainly the 
legislation you are referencing, were designed primarily for 
the financial services industry. It was passed in 1990, 2000, 
and enforced over the last 15 years.
    What we have argued is that you have to look at the 
regulatory landscape as it is today and look at what has been 
done for regulations that apply to other industries. And there 
has been a substantial body of work done by the Federal Trade 
Commission in enforcing cybersecurity expectations of 
businesses. That has established a decades-worth of case law 
that merchants or businesses all under the authority of the FTC 
understand what the expectations are of them.
    Mr. Messer. So am I hearing you say that while the Energy 
and Commerce bill has a one-sentence standard, you believe that 
one sentence incorporates the FTC standards that have been--
    Mr. Dodge. I do. And I think any business that would be 
forced to comply with it--and most businesses today are--don't 
look at the sentence that would be in the legislation, but they 
would look at what the body of work is and the requirements 
that would be--
    Mr. Messer. Okay. And so that I make sure I understand your 
objection, is your objection to who the regulator would be? 
That you believe under the Energy and Commerce bill, it would 
be a different regulator?
    Mr. Dodge. We think the way that the Energy and Commerce 
bill is structured and how it builds upon the work that has 
been undertaken by the FTC to date, it makes sense, and we 
believe that is the best way to move the ball forward in terms 
of cybersecurity.
    Mr. Messer. Okay. Other members of the panel, I don't know 
if anybody would like to comment on the specificity and clarity 
of the language in the--
    Mr. Pawlenty. Congressman, I would say while we recognize 
the brevity of it, to simply say, ``Hey, go act reasonably,'' 
that is just a negligence standards that is built into common 
law for everything. We are all under a duty to go act 
reasonably in our daily lives and not be negligent. So it 
doesn't--when you are facing a threat of this magnitude, this 
nature, which is exponentially accelerating, to have the 
Congress say, ``Hey, act reasonably,'' I think is underwhelming 
as a standard and expectation as we enter the age of cyber 
battles.
    Mr. Messer. Yes. I would agree, Governor, particularly when 
you have a road map that has worked for 16 years in another 
industry that you can lean on.
    But, moving on to another topic, I would like to talk a 
little bit about how unreasonable delay works in the real 
world. There is talk about whether a notice should be 
immediate. Could you put some specific timeframe on when a 
reasonable notice would occur? Could anyone on the panel 
comment on whether it is realistic to require a company to 
notify consumers within a specific number of days?
    Mr. Oxman. I think that the challenge of the existing State 
laws is that different States have different requirements for 
what ``reasonableness'' means. And, obviously, all of us in the 
industry across the payments ecosystem and retail share an 
interest in making sure our customers know what happened as 
quickly as possible, but in some circumstances, there are 
issues that arise. For example, law enforcement may ask that we 
delay notification because they are pursuing the criminals, and 
they don't want to interfere with the investigation or the 
possibility of apprehension. So I do think that kind of 
flexibility is important, Congressman, because there are 
circumstances in which what one may think is reasonable someone 
else may decide--
    Mr. Messer. And is that relatively unanimous on the panel?
    Ms. Moy. I would just add that I think one of the problems 
with having a harm trigger and having a risk analysis between 
the discovery of the breach and notification of the consumers 
is that it can delay notification to the consumers. One of the 
reasons that that many States have no trigger at all is to 
ensure that consumers get notification as quickly as possible.
    Mr. Messer. And in my very limited time, could anybody talk 
about over-reporting? It seems to me one of the challenges of 
what happens in the practical world when you have this big 
patchwork of standards is companies go out and over-report and 
there are consequences to consumers of that as well.
    Ms. Moy. Once again, I would just turn to what the State 
AGs are saying on this topic, which is that in their 
conversations with consumers, they are not hearing that 
consumers want to hear less about breaches of their personal 
information. Consumers are upset about the fact that they are 
hearing about so many breaches because they are upset that so 
many breaches are taking place. But they don't want to forego 
the possibility of protecting themselves in the event of a 
breach.
    Mr. Messer. They want to be notified when they should be 
notified if there is a real problem.
    Mr. Oxman. I think that is right. That is fair.
    Mr. Messer. Okay. Thank you very much.
    Mr. Pawlenty. Congressman, on that last point, we do see in 
the auto-manufacturing recall space dealers and others noticing 
people paying less attention, unfortunately, to recall notices 
because they think they get too many of them or they are not 
serious enough. So they are just something to at least keep an 
eye on.
    Mr. Messer. Okay. Thanks, Governor.
    Mr. Neugebauer. I thank the gentleman.
    I would like to thank our witnesses for their testimony 
today. It has been a little 3-hour exercise here. We appreciate 
your patience, but also I think the panel has been very 
informative. This is a very important issue to our country. It 
is a very important issue to the Americans that use the system 
on a daily basis, that we give them the confidence that they 
can continue to use one of the most aggressive and progressive 
payment systems in the world.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    With that, this hearing is adjourned.
    [Whereupon, at 1:05 p.m., the hearing was adjourned.]

                            A P P E N D I X



                              May 14, 2015
                              
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]