[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
THE EMV DEADLINE AND WHAT IT MEANS FOR
SMALL BUSINESSES: PART II
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
OCTOBER 21, 2015
__________
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Small Business Committee Document Number 114-026
Available via the GPO Website: www.fdsys.gov
___________
U.S. GOVERNMENT PUBLISHING OFFICE
97-228 WASHINGTON : 2015
_________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
HOUSE COMMITTEE ON SMALL BUSINESS
STEVE CHABOT, Ohio, Chairman
STEVE KING, Iowa
BLAINE LUETKEMEYER, Missouri
RICHARD HANNA, New York
TIM HUELSKAMP, Kansas
TOM RICE, South Carolina
CHRIS GIBSON, New York
DAVE BRAT, Virginia
AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
STEVE KNIGHT, California
CARLOS CURBELO, Florida
MIKE BOST, Illinois
CRESENT HARDY, Nevada
NYDIA VELAZQUEZ, New York, Ranking Member
YVETTE CLARK, New York
JUDY CHU, California
JANICE HAHN, California
DONALD PAYNE, JR., New Jersey
GRACE MENG, New York
BRENDA LAWRENCE, Michigan
ALMA ADAMS, North Carolina
SETH MOULTON, Massachusetts
MARK TAKAI, Hawaii
Kevin Fitzpatrick, Staff Director
Stephen Denis, Deputy Staff Director for Policy
Jan Oliver, Deputy Staff Director for Operation
Barry Pineles, Chief Counsel
Michael Day, Minority Staff Director
C O N T E N T S
OPENING STATEMENTS
Page
Hon. Steve Chabot................................................ 1
Hon. Nydia Velazquez............................................. 2
WITNESSES
Ms. Jami Wade, Owner, Capitol City CORK and Provisions & Capitol
City Cinema, Jefferson City, MO................................ 4
Mr. Keith Lipert, Owner, Keith Lipert Gallery, Washington, DC,
testifying on behalf of the National Retail Federation......... 6
Mr. Jared Scheeler, Managing Director, The Hub Convenience
Stores, Inc., Dickinson, ND, testifying on behalf of National
Association of Convenience Stores.............................. 8
Art Potash, CEO, Potash Markets, Chicago, IL, testifying on
behalf of the Food Marketing Institute......................... 9
Ed Mierzwinski, Consumer Program Director and Senior Fellow, U.S.
Public Interest Research Group, Washington, DC................. 10
APPENDIX
Prepared Statements:
Ms. Jami Wade, Owner, Capitol City CORK and Provisions &
Capitol City Cinema, Jefferson City, MO.................... 25
Mr. Keith Lipert, Owner, Keith Lipert Gallery, Washington,
DC, testifying on behalf of the National Retail Federation. 28
Mr. Jared Scheeler, Managing Director, The Hub Convenience
Stores, Inc., Dickinson, ND, testifying on behalf of
National Association of Convenience Stores................. 33
Art Potash, CEO, Potash Markets, Chicago, IL, testifying on
behalf of the Food Marketing Institute..................... 40
Ed Mierzwinski, Consumer Program Director and Senior Fellow,
U.S. Public Interest Research Group, Washington, DC........ 46
Questions for the Record:
None.
Answers for the Record:
None.
Additional Material for the Record:
American Bankers Association (ABA), Consumer Bankers
Association (CBA), Credit Union National Association
(CUNA), Financial Services Roundtable, Independent
Community Bankers of America (ICBA), and National
Association of Federal Credit Unions (NAFCU)............... 56
Food Marketing Institute (FMI)............................... 59
Joint Trades Letter to HSBC.................................. 68
National Grocers Association (NGA)........................... 71
TechNet...................................................... 77
THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES: PART II
----------
WEDNESDAY, OCTOBER 21, 2015
House of Representatives,
Committee on Small Business,
Washington, DC.
The Committee met, pursuant to call, at 11:00 a.m., in Room
2360, Rayburn House Office Building. Hon. Steve Chabot
[chairman of the Committee] presiding.
Present: Representatives Chabot, Luetkemeyer, Hanna, Rice,
Brat, Knight, Curbelo, Hardy, Velazquez, Hahn, Lawrence, Adams,
and Moulton.
Chairman CHABOT. Good morning. I call the Committee meeting
to order.
At the Small Business Committee, we make it our job to
understand what is helping and hurting the small businesses
that employ half of the American workforce. Today, we are
interested in hearing more about the transition to EMV chip
card technology because it impacts every person who holds a
major credit card and the more than 20 million small businesses
that accept them. So how is this transition going?
At this time last year, one credit card provider had 55,000
merchants who could accept chip cards. Now that number has
grown to nearly 400,000 merchants, so we are seeing some
progress. But that is still a small percentage of the small
businesses in this country. One of the justifications for this
shift in technology is avid security. The debate over how we
secure the billions of dollars in electronic transactions that
American's complete every day is not static. It requires that
we continue to innovate and continue to think strategically
about how we protect ourselves.
New technologies hold great promise, but there are no
silver bullets, and that is why this Committee supports
innovation in the electronic payments space, and we hope that
small businesses will look at new securities as opportunities
for better customer service. We are in the midst of a private
sector transition, not something mandated by Congress or by the
Administration, but something initiated by the free market. Any
change is hard, but when it impacts millions of people,
controversy is inevitable. That is probably the reason the
Small Business Committee's hearings on the EMV transition are
the first of their kind in this Congress and why we have had
tremendous pushback from all sides. To me, this only confirms
that this is the right issue, the right time, and the right
venue for a fair, open conversation.
Let me be very clear here. We are here to examine an issue
that impacts every American family with a credit card. We are
not here to take sides. To better understand this transition,
we need to speak to all those involved--bankers and merchants--
and that is the conversation that we continue today. Two weeks
ago we heard from the banks. Today, we are hearing from the
merchants.
So with that I want to thank all the witnesses that have
gathered here today. I would ask unanimous consent to allow one
additional witness to this morning's panel. And without
objection, so ordered.
And I would now like to yield to our ranking member this
morning, Nydia Velazquez, for her opening statement.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
In the last 15 years, new technologies have revolutionized
the payment system, allowing customers to easily purchase goods
and services and small businesses to process transactions in a
quick manner. During the same period, card payments rose from
23 percent to nearly 50 percent, while payment by cash and
checks dropped from 70 percent to 35 percent. This has had a
significant impact on how small businesses process payments.
This trend, however, has not come without challenges. As we
discussed during the first hearing on this issue two weeks ago,
payment fraud has become a serious problem, not just for banks
but also for companies of all sizes, including small
businesses. Last year, it was reported that more than 60
percent of companies were the target of payment fraud.
Globally, the United States has 25 percent of the world's
credit card use, but 50 percent of the world's credit card
fraud, costing more than $5 billion. Clearly, something needs
to be done to address this issue.
EMV cards are one answer. They offer a significantly higher
level of data security than stripe cards. Data on the chip is
secured using both hardware and software security measures, so
even if the card data is compromised, the chip itself will
still be difficult to counterfeit. We know that EMV is a
technology that has shown great promise for reducing fraud.
Much of the rest of the world--Europe, Canada, Latin America,
and the Asian-Pacific region are already in the process of
transitioning to EMV-enabled cards. The U.S. is the last major
country to implement what is now a de facto global standard
We are concerned, however, that small businesses remain in
the dark on this transition. Most will need to upgrade their
payment systems as only about 20 percent of payment terminals
are currently equipped to accept chip cards, and most of these
are at larger retailers. We have also heard much about the high
cost of these new terminals, but I was glad to learn at the
prior hearing that Square is able to provide an EMV device for
as little as $49. This should bring EMV compliance within the
reach of most retailers.
Perhaps the biggest concern is the liability shift
resulting from not installing the new EMV readers. Many small
businesses are unaware of this new outcome, and that is the
problem. Educational efforts must continue, and again, I am
hopeful that more low-cost readers become readily available.
However, it is also important to note that EMV is not a
mandate, and businesses are not required to install the readers
if they determine that their risk of fraud is law and the
transition cost is too high for them to bear.
Two weeks ago we heard from a panel of financial
institutions about the rationale for this new technology and
how it has the potential to reduce fraud. Today, we will hear
about the experiences of those on the frontlines--small
businesses--that will be using this new equipment in their
stores.
I have to say that this topic has brought back memories of
the interchange fee debate which this committee followed very
closely. However, while both involved payment issues, my view
is that they are very, very different. This current issue
concerns the adoption of globally accepted fraud-prevention
technology and the potential burden on small businesses. The
interchange debate surrounded the transparency or lack thereof
regarding the fees charged by payment network providers to
merchants. I recognize the tension between these networks and
those that use them, but I hope that we can focus solely on the
EMV implementation issue at hand today.
With that in mind, hearings such as this present the
committee with an opportunity to become a resource and sounding
board for advances in finTech and payments innovation in
general. The Small Business Committee is uniquely positioned at
the intersection of finance and small business--the frontier
really--for the adoption of these new technologies.
I thank the chairman for his leadership on this issue, and
I look forward to hearing the testimony of today's witnesses.
Thank you so much for taking time to be here. Welcome.
Chairman CHABOT. I thank the ranking member. And if
Committee members have opening statements, we would ask that
they submit them for the record.
And I will take just a moment to explain our lighting
system and our rules here. You get five minutes to testify and
we will have five minutes to ask questions. We will alternate
back and forth, Republicans and Democrats. The green light will
be on for four minutes, the yellow light will come on to let
you know that you have one minute to wrap up, and then the red
light means stop. And we would ask that you try to stay within
that, if at all possible. We will give you a little leeway but
not a whole lot.
So, and I would now like to yield to the vice chairman of
the Committee, Mr. Luetkemeyer, from Missouri, to introduce our
first witness this morning.
Mr. LUETKEMEYER. Thank you, Mr. Chairman. I would like to
introduce a constituent of mine, Jami Wade, who is a small
business owner from Jefferson City, Missouri. Five years ago
she decided to follow the American dream and opened her own
small business, Capitol City CORK and Provisions, a wine shop
and restaurant located in historic downtown Jefferson City. In
addition, Jami is executive director of Capitol City Cinema, a
single screen, nonprofit community-based, member-supported
movie theater. As owner and operator of two small businesses,
she knows firsthand the day-to-day challenges faced by our
nation's small businesses.
I want to thank Ms. Wade for taking time out of her busy
schedule to be here for us today to testify on her experience
with upgrading her payment card terminals to EMV technology and
what this transition means as far as business. Thank you, Jami.
Ms. WADE. Thank you, Representative Luetkemeyer.
Chairman CHABOT. We will go ahead and introduce the rest of
the members before we start with your testimony.
Ms. WADE. Okay.
Chairman CHABOT. Our next witness will be Keith Lipert. Mr.
Lipert owns the Keith Lipert Gallery in Washington, DC, a
retail establishment offering fine art and jewelry. Mr. Lipert
serves on the board of directors for the National Retail
Federation, and we welcome you here this morning.
Our next witness will be Jared Scheeler, who is managing
director at The Hub Convenience Stores in Dickinson, North
Dakota. Mr. Scheeler is a veteran of the convenience store
industry and serves on the board of directors for the National
Association of Convenience Stores, and we welcome you here as
well.
Our fourth witness this morning is Art Potash. He is the
CEO of Chicago, Illinois', Potash Markets, a small chain of
neighborhood groceries in Chicago's North area. Mr. Potash is
testifying on behalf of the Food Marketing Institute. We
welcome you here this morning.
I would now like to yield to Ms. Velazquez for introduction
of our next witness.
Ms. VELAZQUEZ. Thank you, Mr. Chairman. It is my pleasure
to introduce our witness, Mr. Ed Mierzwinski, the Consumer
Program Director and Senior Fellow of the U.S. Public Interest
Group. With over 25 years of experience, he has testified
before Congress, state legislatures, and federal agencies on a
wide range of consumer issues. He has published articles in the
American Prospect, the Journal of Consumer Affairs, Suffolk
University Law Review, and authored the consumer reference
guide ``Watchdogs and Whistleblowers''. Mr. Mierzwinski is also
chair of the Americans for Financial Reform CFPB Taskforce. He
earned both bachelor's and master's degrees from the University
of Connecticut. Thank you for being here.
Chairman CHABOT. Thank you very much.
And Ms. Wade, you are recognized for five minutes.
STATEMENTS OF JAMI WADE, OWNER, CAPITOL CITY CORK AND
PROVISIONS AND CAPITOL CITY CINEMA; KEITH LIPERT, OWNER, KEITH
LIPERT GALLERY; JARED SCHEELER, MANAGING DIRECTOR, THE HUB
CONVENIENCE STORES, INC.; ART POTASH, CEO, POTASH MARKETS; ED
MIERZWINSKI, CONSUMER PROGRAM DIRECTOR AND SENIOR FELLOW, U.S.
PUBLIC INTEREST RESEARCH GROUP
STATEMENT OF JAMI WADE
Ms. WADE. Good morning, Mr. Chairman, Ranking Member
Velazquez, and other Committee members. My name is Jami Wade,
and I am the owner of Capitol City CORK and Provisions, a wine
shop and restaurant in historic downtown Jefferson City,
Missouri, just a few blocks away from our Missouri State
Capitol. I am also the executive director of the Capitol City
Cinema.
I would like to thank the Committee for the opportunity to
speak today about the matter of small businesses upgrading
their payment card terminals so that those terminals can now
read the new chip-enabled payment cards.
I began my adult life as a high school teacher in Columbia,
Missouri. Five years ago, I moved from Columbia to my hometown
of Jefferson City and opened Capitol City CORK and Provisions.
I have five employees at that restaurant. We can only seat 32
patrons at our tables, so we truly are a small business. Next
door to Capitol City CORK is the Capitol City Cinema, a single
screen movie theater. It is a nonprofit, community-based,
member-supported movie theater.
As the owner of one small business and the founder of
another, I have to rely on myself to exercise sound business
judgment. Any misstep could have serious consequences for the
businesses I run and the people I employ. The manner in which
we get paid is essential to our ability to generate cash flow,
pay bills, and stay in business. Acceptance of payment cards is
the lifeblood of our operations. First of all, approximately 90
percent of the restaurant sales are made through debit or
credit card transactions. When a customer pays with a card, I
always know I am going to get paid, get paid quickly, and get
paid without hassle. My restaurant has never even had to deal
with a disputed card transaction. Also, it may just be the
result of basic human nature, but it seems that customers are
willing to spend a little more, maybe an extra glass of wine or
dessert, when they are paying with cards instead of cash. For a
small business, that is valuable.
On the other hand, we do not accept checks, other than for
special events, and even then, we only accept them from well-
established clients. We cannot run the risk that checks will
bounce and we will not get paid, leaving us to cover the cost
out of pocket.
At Capitol City Cinema, many of our customers still
purchase their movie tickets with cash, but we do accept cards
and we often see customers making purchases of higher priced
items with cards. At both Capitol City CORK and Capitol City
Cinema, we have been fortunate never to have been the victim of
credit card fraud payment. I know firsthand, however, that the
threat is real. A few years ago, my husband was the victim of a
breach at a local grocery store in Jefferson City. His card
information was stolen, and the hackers ran up $7,000 in
charges. I am glad to say that we were not held responsible for
paying for those transactions because those fraudulent charges
would have done serious damage to our personal finances.
Both of my business rely on card payments, particularly my
restaurant, and I will tell you that it would be a very big
deal for us to absorb the costs associated with even one major
incident of fraud. The potential liability would be seriously
detrimental to our business, especially at Capitol City CORK.
This is why I have made the business decision to upgrade to
terminals that can read chip-enabled payment cards at Capitol
City CORK and Capitol City Cinema.
A bit of background. I am lucky to have a good relationship
with my card processor, another small business located a block
away from the restaurant and the movie theater. Because I
talked to my processor on a regular basis, I was able to learn
about the new chip-enabled terminals that were becoming
available, and my processor explained to me about the liability
shift well before it went into effect October 1st. The total
cost for a new chip-enabled terminal at Capitol City CORK is
about $300, and yes, this is an out-of-the-ordinary expense for
the restaurant, but I do not consider it to be a financial
burden given the peace of mind that a new terminal will
provide. I look at it as paying a small premium for an
insurance policy to protect the restaurant against a
potentially significant downside. I cannot imagine leaving my
business vulnerable to external threats when there are
reasonable steps that I can take to protect it.
I also learned that a chip-enabled card reader is available
for the Capitol City Cinema for $10. I have voiced my support
for making the upgrade and the decision whether to make the
purchase is currently pending before the cinema's board of
directors. I do believe that it is up to each business owner to
make the proper decision for his or her own business. Some
small business owners will no doubt choose not to upgrade their
terminals, whatever the reasons. In my opinion, they are
putting their businesses on the line by leaving them
susceptible to fraud in card transactions.
As I started out saying, as a small business owner, I have
had to rely on myself and my own sound judgment in making my
vision a reality. I will continue to do so as I look ahead and
upgrading to chip-enabled technology is the right decision to
ensure my business is around long into the future for my
family, my employees, and my customers.
I appreciate the opportunity to share my experience with
the Committee today, and I welcome any questions that you may
have for me.
Chairman CHABOT. Thank you very much.
Mr. Lipert, you are recognized for five minutes.
STATEMENT OF KEITH LIPERT
Mr. LIPERT. Mr. Chairman and members of the Committee,
thank you for the opportunity to testify today. My name is
Keith Lipert. I am a shopkeeper with one full-time and two
part-time employees. My gift store, the Keith Lipert Gallery,
can be found here in Washington, DC, and online at
www.keithlipert.com.
I love being a retailer and I love serving my customers.
When I opened my doors in 1994, I intended to be successful by
selecting beautiful items to sell and by taking care of my
customers. Back then, unique merchandise and quality customer
service were enough to keep customers returning to my store.
Manual sales slips were enough to conduct cash and credit
transactions. Today, the small retail business model is being
disrupted with challenges such as online competition, evolving
technologies, and especially the struggle to keep up with the
ever-changing compliance standards and ever-higher credit card
swipe fees.
EMV was created by the largest card companies and is
imposed on retailers. This October marked the deadline when
card networks effectively shifted the bank's liability for
fraud onto any retailer who could not accept a chip card. It is
an arbitrary date and the card brands dictated it without
seriously considering its effect on millions of small
businesses. For businesses like mine, the EMV transition is
overwhelming and costly. I do almost everything myself, and I
must rely on outside vendors when it comes to IT needs.
Selecting the right point-of-sale, EMV-compatible system can be
very confusing for small merchants. There are countless
options, all with their own fine print regarding new additional
fees and rules. Card fees are already amongst my highest budget
items. How many more card costs can there be?
Not only is the process extremely complex, but the costs
can be very high. Despite claims to the contrary, the
additional cost of fully incorporating EMV compliance into my
POS terminal will exceed $1,000 to $2,000 once training,
integration, and other expenses are included. There are big
delays in getting the EMV hardware, installing the software,
and for many retailers, receiving the certification. I cannot
obtain equipment today because, as my rep explained, it is on
backorder. With tens of millions of POS terminals in our
country, I cannot imagine that I am the only one in this
position.
As you might expect from a system where practically all the
important decisions are made unilaterally by Visa and
MasterCard, the migration to EMV serves the goals of their big
banks and largely leave small retailers to fend for themselves.
Merchants are particularly disappointed that the banks expect
retailers and other businesses to adopt these costly upgrades,
but the banks will not adopt secure chip and PIN technology.
Chips help protect banks from the kinds of fraud they are
likely to be responsible for, but in situations where retailers
bear the largest share of the risk, the new chip and signature
cards do virtually nothing. In those situations, notably lost,
stolen, and online fraud, PINs are the single most certain way
of stopping fraud.
When I opened my store, cash and checks were very common.
These forms of money cost virtually nothing. A $100 sale netted
me $100 in revenue. The card networks have spent untold
millions of dollars to convince consumers to use cards instead
of cash. Today, when a customer spends that $100 using a card,
I get less than $97. This might not sound like a big reduction
to some, but over the course of a year, for my one store, it
amounts to tens of thousands of dollars, on par with the
healthcare costs I provide. From my perspective, the whole
approach to EMV is costly, incomplete, and further enhances the
monopoly power of the card interest industry at my expense.
Small retailers are entirely at the mercy and whims of the big
banks here. We have no say, and we have no way to use the
marketplace to make our objections heard and our concerns
valued. Unless the government or someone can help achieve a
level playing field, we will continue to see the slow
destruction of the small local merchants that provide the glue
for our communities.
We need two things: secure payment technology and payments
that are transparent and competitive. Instead, we are getting
opaque, ever-more costly half measures from our card industry
partners.
Thank you for your interest in this issue, and I look
forward to your questions.
Chairman CHABOT. Thank you very much.
Mr. Scheeler, you are recognized for five minutes.
STATEMENT OF JARED SCHEELER
Mr. SCHEELER. Chairman Chabot, Ranking Member Velazquez,
and members of the Committee, thank you for giving me the
opportunity to testify this morning on the EMV transition. My
name is Jared Scheeler and I am managing director of the Hub
Convenience Stores and a board member of the National
Association of Convenience Stores. The Hub has four retail
outlets in North Dakota where we employ on average 12 employees
per store.
The EMV transition has been very costly in both time and
money for my small business. We do not have the technical
support a large company often has to facilitate such a massive
undertaking. It has cost more than $134,000, approximately
$44,500 per store to install EMV equipment at just three of our
four stores. At our Dickinson, North Dakota store alone, the
upgrade is costing us more than $100,000. We have installed six
brand new fuel dispensers at $17,000 a piece, and installed an
instore point-of-sale card reader for $2,000. Despite these
large investments, we cannot yet receive EMV transactions in
part because Exxon Mobil has not yet made their card processing
network EMV compatible.
At our unbranded New England in Mott, North Dakota stores,
we had older fuel dispensers which would have cost $9,000 per
dispenser to upgrade. This is a common problem for smaller and
more rural locations, which often have older equipment that is
more expensive to upgrade, even though the dispensers still
work just fine. Rather than paying $9,000 to upgrade 20-year-
old dispensers, we elected to transfer four-year-old dispensers
from another store and paid $4,000 to upgrade and transport
each of those pumps. We have installed four dispensers at the
New England store and are waiting to install two at the Mott
store. We also had to invest in new instore PIN pads for both
locations which cost $2,000 each.
The costs I have just described are just for hardware.
There are also software costs. Our Exxon Mobil branded stores
will require a software update, which is part of an annual
service package that cost $1,500 per store. Without the service
package, the software upgrade costs $1,000 on its own. Once the
upgrade is complete, the stores' cash registers and credit
network will be unavailable for six to eight hours during the
software download. We operate our stores 24 hours per day, so
this downtime, which will happen during the daytime when tech
support is available, will create inconvenience and costs. In
fact, we estimate that it will cost more than $10,000 in lost
sales and labor at each store during that time.
Even after the EMV transition is complete at my stores,
there will be significant ongoing expenses. While I know the
upgrade costs from my branded stores, the costs for my
unbranded locations might be higher. I just do not know yet.
According to industry estimates, ongoing maintenance and
upgrade expenses are expected to be upward of $2,240 per store
per year.
Although we have installed almost all the necessary EMV
hardware in our stores, none of our stores have gotten the
requisite software upgrades. We need to get our terminals
programmed and certified to be able to handle EMV transactions,
but there is a shortage of programmers and the card networks do
not have enough people to certify stores like mine. Finally, we
will have to run a system pilot and engage in significant staff
training before pushing our EMV system live.
Due to these delays, despite beginning the transition
process early, we will not be fully EMV operable until late
summer of 2016. As a small business owner, I am also frustrated
because I am investing heavily in technology that provides
second-rate security. In spite of the proven security benefits
of chip and PIN cards, the fact that a small business like mine
could implement PIN easily, the card networks are mandating
chip without PIN. Thus, despite the cost, EMV will not reduce
fraud as much as it could and should. This is a serious problem
because retailers already pay the price for the unsecure
payment card system in the form of fraud chargebacks, high
swipe fees, and more. PIN could reduce fraud costs, but the
card companies are not providing it on credit cards as they
have elsewhere and will not let me require PIN on debit cards.
The transition to EMV has been a costly and burdensome
undertaking, and unfortunately, it does not appear that the
card companies took small business concerns into consideration
when they came up with their EMV transition plans.
Thank you for your time, and I look forward to answering
any questions you might have.
Chairman CHABOT. Thank you very much.
Mr. Potash, you are recognized for five minutes.
STATEMENT OF ART POTASH
Mr. POTASH. Good morning, Chairman Chabot, Ranking Member
Velazquez, and members of the Committee. My name is Art Potash,
and I am the CEO of Potash Markets in Chicago, Illinois. My
family has owned and operated grocery stores in the Chicago
area for 65 years. We currently employ 140 people. I appreciate
the opportunity to speak to you about steps my company has
taken to migrate to EMV and the challenges that we have faced.
EMV is currently not an expressed mandate on merchants;
instead, Visa, MasterCard, and other card brands announced that
merchants who did not migrate to EMV by October 1, 2015, would
have additional fraud costs placed upon them. This is in
addition to fraud costs we already pay and interchange fees and
card backs. After studying if the added costs of fraudulent
cards would outweigh the cost of upgrading, we decided, like
the majority of the grocery industry, to migrate our stores to
EMV. In making this decision, providing the most robust
security for our customers' data was our central concern.
As you can imagine, upgrading to EMV is not as easy as
buying a $49.99 Square reader. Our point-of-sale equipment is
complex, providing for credit, debit, snap transactions,
coupons, returns, along with a customer loyalty program, and
ties into a network that requires substantial upgrades and both
the front and back ends to be EMV and PCI compliant.
Additionally, I rely on third-party vendors to actually perform
these upgrades and interface with the other links in the chain.
We rely on our merchant acquirer, in our case Worldpay, to make
this happen for us.
In May of 2015, we purchased and installed all new EMV
point-of-sale devices in two of our three stores at a cost of
$1,000 per lane. For the two stores, this meant $8,000 just to
conduct EMV-compliant payment transactions. This is a large
investment but we were willing to make it to protect our
customers. While we now have EMV-compliant readers in our
stores, we are not yet EMV compliant and are facing a holiday
season exposed to greater fraud liability as we wait for our
merchant acquirer to complete our transition.
Currently, our acquirer estimates that they will be ready
to upgrade our backend software by the end of November at best.
Unlike the issuing banks who were enticed to issue chip cards
with the promise of seeing their fraud costs reduced, merchants
were pushed into EMV under the threat of seeing costs increase.
This is particularly difficult for us to accept since we
already pay the highest interchange fees in the developed
world. Visa, MasterCard, and other card brands have defended
charging American merchants $71 billion a year in interchange
fees as a way of offsetting the cost of fraud. In a market-
based system, those fees should be reduced if fraud is reduced.
Unfortunately, as we heard in the first hearing, Visa currently
has no plans to pass any savings along to merchants. We hope
that will change and that the Federal Reserve will see it to
that it does.
Retail food companies operate at razor-thin margins due to
the competitive nature of the industry. Even when food
retailers have realized savings due to technological
advancements, the net profits for businesses in the industry
has remained below 2 percent as savings have been passed along
to the customer. If retailers realize savings from reduced
fraud, those savings will also be passed along to the customer.
I would be remiss if I failed to address the issue of PIN
authentication. Every point of sale device in our stores is
PIN-enabled. PIN is a proven safety measure that has been
adopted globally but not in the United States. Historically,
the card companies have ruled out EMV as chip and PIN
technology, so not only are they verifying a card is
legitimate; they are also confirming that the person presenting
the card is authorized to use it.
Unfortunately, here in the United States the card companies
have rolled out an untested model they call Chip and Choice. It
is up to the issuing banks to decide whether to issue PINs.
Technology and industry are evolving and improvements are made
every day, but here is what we know: PIN works today. It
reduces fraud, period.
In conclusion, Potash Markets has made significant
investments of money and time to migrate to EMV. Unfortunately,
we find ourselves waiting for our providers to get us across
the finish line, while we face a busy holiday season with the
threat of higher fraud liability over our heads.
I greatly appreciate the Committee's interest in this very
important issue, and I look forward to answering your
questions.
Chairman CHABOT. Thank you very much. Mr. Mierzwinski, you
are recognized for five minutes.
STATEMENT OF ED MIERZWINSKI
Mr. MIERZWINSKI. Thank you, Mr. Chairman. Chairman Chabot,
Representative Velazquez, members of the Committee, I
appreciate the opportunity to testify before you on behalf of
the U.S. Public Interest Research Group. We are a coalition of
nonprofit, nonpartisan public interest research groups around
the country that take on powerful interests on behalf of their
members.
I really want to make three points in my opening statement.
First, chip and PIN would have been better than chip and
signature. Second, the reason that we went only to chip and
signature is because the banks prefer it because they make more
money. And third, a big issue before the Congress is data
breach legislation. We urge the Congress not to pass any
preemptive data breach legislation that takes away the right of
the states to protect consumers from data breaches and other
privacy and security risks.
Chip and PIN is something that has been around in Europe
for over 10 years, but the United States has only been using
magnetic stripe technology, which is a 1970's technology, and
only recently proposed to go, as the merchants have said, to
chip and signature, which prevents a card from being cloned,
which prevents information from being inserted into a
merchant's computer, which can be used by a bad guy to commit
existing account fraud, but it does not prevent the fraud of a
card being stolen and being used by an imposter. If I have your
wallet with your chip card in it, I can use your chip card
without a PIN, and that is the problem that we are not solving
today.
Since I wrote my written testimony by the way, I found out
that PIN technology also benefits merchants in online
transactions, yet only one in five banks accepts online PIN
debit. I am surprised that we think the fastest-growing part of
fraud is going to be online fraud with the transition to chip
cards, EMV technology, but why will the banks not allow the
merchants to use a proven technology, PIN technologies, to
prevent growing online fraud.
Well, the reason for it is quite simple. Visa and
MasterCard act as a cartel. They control their payment
platforms. They drive traffic to their signature-based payment
platforms. That is what they want to do. The interchange fight
is, I would respectively point out, related to this because in
the interchange fight, we also are fighting over whether
merchants can give consumers signals or the right to choose a
less expensive payment method. The fight is not over the cost
of interchange; it is over whether there is competition for the
Visa and MasterCard controlled networks. But the fact is they
control those networks. They wanted to continue and extend
their dominance of those networks. That is the reason we are
only going to chip and signature, which only prevents part of
the fraud problem.
The October 1 switch really does not affect consumers
directly. It is a business-to-business issue. As the three
merchant witnesses before me have pointed out, in fact, we
already have a tremendous amount of ways that the banks can
collect money from merchants, and I would encourage you to ask
them questions about what is the chargeback, and do you have
any control over a chargeback? And do not the interchange fees
already include fraud costs?
I want to point out that consumers are already well-
protected by law from most existing account fraud costs. If
only your bank account number or your credit card number is
stolen, you are protected for 60 days on a debit card from any
risk, and you are protected on a credit card from any risk of
$50 or more forever. That is why I only use credit cards. I
never use debit cards. The problem with debit cards is that
many consumers, they get their money back from the bank but
they face the problem of cash flow, bounced checks, while they
are waiting for the bank to conduct a reinvestigation. But as
long as you have not lost the card, when your liability goes up
dramatically with a debit card, you are in good shape if you
have only lost the number.
In my remaining time I will just point out that there are
many more fraud problems than existing account fraud. There is
new account takeover identity theft. There is IRS tax refund
fraud. There is theft of medical services fraud. And the OPM
breach has demonstrated that another kind of harm that data
breaches cause is reputational harm. The security clearance
information that was lost by the OPM breach poses reputational
risks. So I urge Congress, please do not pass almost any of the
data breach laws before Congress that would narrowly protect
consumers and broadly preempt the states from data security
protections.
Thank you very much.
Chairman CHABOT. Thank you very much.
Members now will have five minutes to ask questions, and I
will yield myself five minutes to do that.
Ms. Wade, I will start with you. What efforts have you seen
made by the financial service providers to inform small
businesses like yours of the EMV technology migration and the
resulting liability shift? Have those efforts been helpful? Are
there any things that you think should be added or changed in
any way?
Ms. WADE. Sure. You know, I have the luxury of seeing my
card processor once a week. He has dinner with his wife in my
restaurant every Tuesday night, so I have a really personal
relationship with him. And so this is a conversation we started
having this summer. I was aware that it was coming. I have
total faith in him, and I know that when we go live, and we
have not. I have the chip reader. It goes live in a week with
this particular company. I have faith that it will happen
seamlessly and it will not interrupt my business.
Chairman CHABOT. Okay. Thank you very much.
Ms. WADE. You are welcome.
Chairman CHABOT. And the next one I would like to address
to the three middle witnesses here. One of the things we heard
at the last hearing is that some of the small businesses are
waiting for the big stores to lead the way to transition to
chip cards, and some of those big box stores have done so;
others have not. How is the pace of the adoption of EMV
technology by the big stores affecting--and a number of you
have already gone ahead with this, but those in the industry
that you all are part of, what are you seeing? Are folks
looking towards the big box stores or not?
Mr. Lipert, I know you are a little bit of a different type
of business. In fact, let me come back to you. Let me ask these
two gentlemen here that question.
Mr. Scheeler?
Mr. SCHEELER. Well, I can speak first simply because our
stores technology involve what you would consider big box and
also independent stores because we are branded by Exxon Mobil.
So the communication from Exxon Mobil really started many years
ago. But the fact that we have both branded and unbranded
stores, that has dictated that since we are required by Exxon
Mobil to be EMV compatible, we elected, both from a business
decision and from a moral decision of protecting our customers,
that we wanted to convert all of our, even our unbranded stores
as well, at the same time or as close to the same time as
possible.
Chairman CHABOT. Thank you.
Before I get to Mr. Potash, I meant to ask you one follow-
up question, Mr. Scheeler. Since you are branded by Exxon, you
had mentioned the significant costs, and they certainly are in
this. Will they pay a portion or a significant amount of that
cost? How much of that would be on you versus the fairly large
corporate entity that we are talking about here?
Mr. SCHEELER. Yeah, 100 percent of the costs of this
upgrade are on us as the business, and none of it is supported
by Exxon Mobil.
Chairman CHABOT. Okay. It is a bad deal.
Mr. SCHEELER. It is.
Chairman CHABOT. Mr. Potash, if you want to go back to the
big box question that I had asked, how much reliance do you see
amongst small business folks on kind of waiting until those
folks decide which way they are going to go on this? Is that
having much of an impact?
Mr. SCHEELER. We were not waiting for the big box stores at
all. In fact, we were trying to keep up with the big box
stores. We wanted to be at the same level they were for
protection purposes. My concern is that the fraud activity will
move from the big box stores to the smaller retailers. You
know, the weakest link. So the liability looms even larger than
it did before. We knew about this well in advance. We bought
the card readers back in May. We wanted to be ahead of the
curve, and the backup system, with the rest of the links in the
chain there, we are waiting on them still.
Chairman CHABOT. Thank you.
Mr. Lipert, at the hearing that we had a few weeks ago when
it was mainly the banks involved, and they had argued that
there was relatively low costs in a number of incidents, even
down to $49, you have obviously indicated that the costs are,
in your words, overwhelming and costly. What would be your
recommendation? I mean, how do you think this ought to be
handled differently?
Mr. LIPERT. All of this, thank you, in terms of what to
recommend, my specialty is I am a shopkeeper. I will tell you
that when this came rolling in, I called my merchants. First,
the provider of the equipment for what the recommendations
were. They gave me a couple of options that made me a little
anxious about what was going on. I was anecdotally told that
some of these EMV machines were not working properly yet. I was
told that at restaurants it had been a problem because the EMV
technology, they were having trouble because they were
certified but then they could not do tips, and so there was
that. I was told that there were some problems because the
transaction takes longer. And all these things made me a bit
nervous. And I am a little technologically phobic anyway. So I
then called my bank and I asked them to help me, to see if
there was another decision. There they sent me to somebody
else. They sent me to the bank. I think in this case First
State, or I had to another fellow. He told me I could buy a
machine for $600 that would go into my phone line or into a
modem, but it could not work with my POS system. And the point-
of-sale system is the system that allows me to know my customer
history, and I have had it for 10 years, so 10 years of
history, 10 years of inventory management. It sort of helps me
run my business. And he said I could either use this device,
the EMV device which was separate from my POSs for $600, or he
could sell me another POS system, but that system would not be
compatible with my existing POS system so I would lose 10
years' worth of information. My merchant provider had said to
me that whatever you do, do not go back to the side thing
because it is going back to the dark ages because now you will
have taken the customer staff, the inventory staff away from
the payment staff and I would have to do it manually. And so
that was a step backwards for me.
So I hope I have answered your question. It has been a bit
overwhelming.
Chairman CHABOT. And I can certainly relate to being, I
think you said technologically phobic.
Mr. POTASH. It makes me very nervous.
Chairman CHABOT. I certainly feel that way myself very
often. But I will now yield to the ranking member for her time.
Ms. VELAZQUEZ. Thank you.
Mr. Lipert, can you explain why you, as a retailer, are
more likely to bear the loss in a chip and signature
transaction?
Mr. LIPERT. Can you repeat that to me?
Ms. VELAZQUEZ. Can you explain why you, as a retailer, are
more likely to bear the loss in a chip and signature
transaction?
Mr. LIPERT. Well, at the moment, when someone comes in with
a fraudulent card, if it is EMV enabled and I put it into the
machine, it will go through. So the signature does not really
protect, as I understand it, who that person is in front of me.
I just know that the card is real. In chip and PIN, I know that
both the card is legitimate, and when they put the PIN that the
person is legitimate. And I think that the problem with the
system at the moment is we divided that. So I am more liable
without the PIN.
Ms. VELAZQUEZ. Is there a way to better verify the
signature?
Mr. LIPERT. We must ask for their driver's license or other
forms of identification.
Ms. VELAZQUEZ. And that might require additional training
to the employees.
Mr. LIPERT. Well, it is me. It is me and one other person.
Ms. VELAZQUEZ. What about a store that has more than one?
Mr. LIPERT. It is more than one. Yes.
Ms. VELAZQUEZ. Mr. Mierzwinski, you noted that Congress has
occasionally examined legislative solutions to our nation's
data breach program. However, one criticism of such efforts is
the cost on small businesses where fraud is unlikely to reach
the magnitude of those breaches suffered by the big box stores.
In your opinion, what should small businesses be doing to
protect their customers' data?
Mr. MIERZWINSKI. Well, I think all businesses have a
responsibility under the Gramm-Leach-Bliley Act and other
legislation, and just good common sense, to protect the
information of their customers. And so I would use best
available technology industry standard practices is what I
would do. But the problem we face here today with this issue,
the issue of chip and PIN versus chip and signature to respond
to the question you asked the previous witness, is really, we
went to something that was best for banks, not something that
was best for everybody. So as Congress goes forward, I would
recommend, try to come up with technologically neutral
performance standards that push industry to do a better job
without forcing anything on people.
Ms. VELAZQUEZ. Yes. We have heard in previous hearings,
anecdotal stories that U.S. consumers are the ones driving the
use of signature instead of PIN as a matter of convenience.
Would you expect any significant consumer pushback if more
banks did require PINs?
Mr. MIERZWINSKI. Not at all. And by the way, we know of at
least two banks, Target Bank and First Niagara Bank in Upstate
New York, that are requiring chip and PIN. And also, the
Federal Government, in all its cards, is requiring chip and PIN
under an executive order by the president. I do not think
consumers will push back. If merchants were allowed to tell
them more, to signal to them more that it costs them more to
pay for fraud on a signature-based platform than on a PIN-based
platform, the consumers would not push back.
Ms. VELAZQUEZ. Any comments from the other witnesses?
Mr. SCHEELER. I can add to that, Ranking Member Velazquez.
We deal with hundreds of card-based transactions per day in our
industry, and I can say from experience that a PIN-based
transaction takes no more time than a signature-based
transaction. In fact, I would argue that it is actually a
little bit quicker.
In addition to that, our argument for PIN, you know, I
carry a debit card. I would imagine most people in this room
carry a debit card that carries a PIN with it, and any time
that we walk up to an ATM, ATMs that are invented by the banks
using cards invented by the banks, most of them owned and
operated by banks, every single time we have to utilize a PIN.
If they are requiring that, there must be something to that.
And I think us as retailers should have that option as well.
Ms. VELAZQUEZ. Thank you. Thank you, Mr. Chairman.
Chairman CHABOT. Thank you. The gentlelady yields back.
The gentleman from Missouri, Mr. Luetkemeyer, who is the
vice chairman of this Committee, is recognized for five
minutes.
Mr. LUETKEMEYER. Thank you, Mr. Chairman.
Ms. Wade, I was curious. We had a little different cost
here and I want to get to Mr. Scheeler in a minute and find out
what the reason was for his cost. But you indicated in your
testimony that it cost you about 300 bucks?
Ms. WADE. Right.
Mr. LUETKEMEYER. It is a one-time cost; is that correct?
Ms. WADE. It is.
Mr. LUETKEMEYER. So in other words, how often do you change
software on your computers or even buy a different computer to
be able to maintain the kind of records you need and the
interaction with other merchants and all of your other filings
that you have to do?
Ms. WADE. Okay. So I have been in business close to five
years. I started out with a national processing server. I used
them for two years and then I became familiar with a local
processing server. So in the five years that I have been in
business, I have switched one time, and it is because my local
processing server offers incredible customer support and I have
a personal relationship with him.
So I look at this fee, I mean, technology becomes
antiquated pretty quickly. I do not assume that I will not in
the future--I am going to keep up with technology--have to
update again. I am prepared to do that. It is sort of like when
the iPhone comes out; I like to have the newest one. I like to
be up on technology. I embrace it. I think it is part of doing
business and it is something that I understand and I am
committed to doing.
Mr. LUETKEMEYER. You know, you made a comment a minute ago
in your testimony that you do not take checks.
Ms. WADE. I do not.
Mr. LUETKEMEYER. Unless it is from a very well-established
customer. So in other words, you do not have a wall behind the
cashier there with all your checks pasted on the wall----
Ms. WADE. No.
Mr. LUETKEMEYER.--pasted on the wall there so people can
see the folks who are kind of the stinkers in your community
that you have got to be careful of?
Ms. WADE. Right. No, I do not have the wallpaper check wall
behind my cash register. That is a little antiquated, too.
Mr. LUETKEMEYER. So the convenience and safety of the cards
make it something--you are willing to pay the cost for the
convenience and safety?
Ms. WADE. I am. I look at it as an insurance policy for my
business and I look at it as one for my customers. I live in a
community where most of my customers are a little older, and I
think that they also value that.
Mr. LUETKEMEYER. And to me, you know, it is interesting,
you know, if we knew that there were--if you knew in the
neighborhood, for instance, that there were a lot of burglaries
going on, you would be willing to spend some money probably to
put a burglar system in to keep your business safe. Would you
not?
Ms. WADE. Absolutely.
Mr. LUETKEMEYER. This kind of, I would think, would be
equated to that. That is a way to keep your money safe, your
transactions safe, and minimize the fraud that can happen.
Ms. WADE. Yeah. I really believe it is the cost of doing
business, and I am a very tiny business. Probably the smallest
one of everyone up here on this panel. And I choose that. And
it is just, for me it is the cost of doing business, and I look
at it as another insurance policy, and I am so insured. I am
probably over insured. But that is piece of mind for me, and I
think that that is important for my customers.
Mr. LUETKEMEYER. Thank you for being here, and I appreciate
your entrepreneurial spirit.
Ms. WADE. Thank you.
Mr. LUETKEMEYER. Mr. Scheeler, you talked about the cost of
your system, which is significantly different. I assume it is
probably from the standpoint that as the kind of business that
you are in, the transactions that you take at the pump are more
complicated perhaps than what they are at Ms. Wade's
restaurant? Or are they not? What is your costs? I am trying to
make sure I understand the difference here.
Mr. SCHEELER. Absolutely. And that is a terrific question,
Congressman Luetkemeyer.
I wish our system was as simplified as Ms. Wade's. However,
in our industry, what we deal with is, first of all, we deal
with transactions inside and outside the store. At our largest
location, we have 21 different fueling stations, all which have
their own independent card readers, which is a piece of
hardware in and of themselves.
Mr. LUETKEMEYER. Excuse me. What does that card reader cost
for each one of those different----
Mr. SCHEELER. Each individual reader is about $1,500 each,
or $2,000--$3,000, I am sorry, per dispenser, because they
include both sides of the dispenser. So about $3,000.
Mr. LUETKEMEYER. Why is it so much more expensive for that?
Just the type of transaction that you are involved in?
Mr. SCHEELER. Certainly. The network that we are on, it is
a fully integrated network that connects our fuel dispensers,
our cash registers and point-of-sale system, our back office
system, our scanners, and of course, our instore card readers.
So the IT that goes along with that, and we are talking
hardware and installation, is pretty extensive.
Mr. LUETKEMEYER. Okay. One thing that all three of you
gentlemen have talked about is that you prefer to see the PIN
incorporated into this as well. Is the equipment that you are
installing, is it going to be able to read the PIN as well
right now?
Mr. SCHEELER. I can speak for myself and my industry. I
know that every card reader in my businesses have the ability,
and always have had the ability to accept PIN.
Mr. LUETKEMEYER. Because I can tell you just from the
testimony we had the other day, you know, the card companies
are in the process of--this is a step-by-step process. Over the
next 10 to 15 years, we are going to go from this to PINs, to
some sort of biometric type of thing where you put your
thumbprint on it or eye scan or whatever. I mean, they are
going even further here. So, I mean, this is going to continue
to evolve to where it gets more and more safe all the time.
But I see my time has run out, but I again thank you for
your comments.
Chairman CHABOT. The gentleman yields back.
Would the gentlelady from California yield for a moment so
I can ask a quick question?
Ms. HAHN. Yes.
Chairman CHABOT. I thank the gentlelady for yielding.
Mr. Scheeler, in the gas distribution business, your
industry gets an additional two years, I believe, to implement
all this. Is that correct?
Mr. SCHEELER. The additional time involves pay-at-the-pump.
So there is some additional time that we get to get that
converted, whereas our instore is in line with everybody else.
Chairman CHABOT. Okay. Thank you very much.
The gentlelady from California, Ms. Hahn, is recognized for
five minutes. Thank you for yielding.
Ms. HAHN. You are the chairman. What am I going to do? Of
course I am going to yield to you. I may be new around here but
I know the rules.
Thank you, Mr. Chairman, Ranking Member, for holding this
hearing.
As you have heard, we had another hearing a couple weeks
ago and sort of heard a different story. We heard from the
banks. We heard from Visa, who sort of painted a little bit of
a different picture about what this process actually involved,
particularly when it came to small businesses. So it is great
that we are hearing from the small businesses this morning.
I conducted an informal survey with the small businesses in
my community and just sort of asked them did they know, did
they understand when October 1st came that that really was a
pretty significant date in terms of the liability for fraud
being 100 percent shifted to small businesses if they did not
have this chip technology. So I found the majority of them
really did not understand that October 1st date. And, in fact,
I then held a small business seminar with Hispanic business
owners who I found that level of knowledge was even lower in
terms of their understanding. And many of them, English was not
their first language, so I did not really think these banks did
a good job. I mean, I think Visa told us they did a 20 city
tour to roll out this new technology, which I thought was a
little limited concerning how big this country is, that they
only did it in 20 cities.
So I was going to ask Mr. Lipert, you know, and maybe if
the other of you want to answer it, except for Ms. Wade who has
dinner every week with her bank. That is sort of an unfair
advantage. How was the process when you actually understood
this October 1st deadline, and do you feel like it was--and I
know you speak for the National Federation of Retailers--do you
feel like there was a good sense, particularly maybe for
business owners who had some language barriers, on the rollout
of this new technology?
Mr. LIPERT. My experience was that from my involvement with
my trade association, I was aware. And that did give me a leg
up in starting the process of asking the questions of both my
equipment supplier and then my bank. The responses I got from
both really made me more nervous about the whole business,
which sort of slightly froze me to put off this. In my store, I
care very much about fraud and about my customers. I am a small
store and I know my customers, so I think I am going to go the
route of EMV and put into right all the things that are
necessary, but I would like to feel that what I am doing is
really going to help. And part of the problem is, as I
experience it in the shop, someone coming in with a fraudulent
card, it is still going to pass through the system anyway. I am
not going to be able to prevent that aspect of it. If they got
a proper EMV and I got the machine, it puts in, it goes
through. If it is fraudulent, it is not going to make a
difference. It is going to go through. So I want to make sure
that I do the right thing for my customers. I try to do the
right thing for myself, and try and sort out, you know, what is
the right technology. And there are so many different
technologies coming at me at the moment.
Ms. HAHN. Right. Right. Well, thank you.
I know I only have 50 seconds left, but I am going to move
to Mr. Mierzwinski. And you all have been talking about the
chip-PIN, chip-signature, and it seems like the chip signature,
while maybe less secure, seems to earn more money for the
banks. Could you elaborate a little bit more exaclty what is
the difference of the fees that the bank may earn for the
signature versus the PIN?
Mr. MIERZWINSKI. Well, very quickly, Congresswoman, Visa
and MasterCard own the signature networks that they try to
drive all traffic to. Some of the PIN networks are owned by
them but there are choices that merchants can select to have
PIN networks owned by others that have lower swipe fees. That
is really it in a nutshell. Visa and MasterCard have market
power so they have very high swipe fees on their network which
they trick consumers into using.
Ms. HAHN. And is that an impact on the consumers?
Mr. MIERZWINSKI. Absolutely. Consumers pay more at the
store and more at the pump because the merchants are forced to
bake these higher costs into their prices.
Ms. HAHN. Good information. Thank you.
Chairman CHABOT. Thank you. The gentlelady's time has
expired.
The gentleman from South Carolina, Mr. Rice, who is the
chairman of the Subcommittee on Economic Growth, Tax, and
Capital Access is recognized for five minutes.
Mr. RICE. Thank you, Mr. Chairman. And I am sorry, I cannot
read your nametag down on the very end there. Yes, sir. Can you
tell me, you know, I understand from my old law school
commercial paper about banks' liability for checks and they are
supposed to recognize the signature and credit cards, and a
little bit about debit cards. But can you explain for me,
because you sound pretty knowledgeable about it, about online
banking? Let us take it beyond the scope of this hearing a
little bit. If you do online banking and you get on and you
transfer money around, where does the liability lie there?
Mr. MIERZWINSKI. Congressman, in the interest of full
disclosure, I am not a lawyer, although I do play one on
television, but I have been working in this field for quite
some time. Most transactions that are electronic are covered
under the Electronic Fund Transfer Act. So your direct deposit
of your paycheck and your use of debit cards and ATM cards is
covered by that law. That law has a completely different fraud
and liability standard than the Truth in Lending Act which
covers credit cards. But when you are talking about online
banking, you may also be getting into Uniform Commercial Code
and other issues. But I think the big issue here today, the big
question here today is in addition to the laws, you have the
Visa and MasterCard rules. And in one of Congresswoman Hahn's
questions, I believe she talked about the merchants not really
understanding the rules or being told about the rules, and that
has been a common problem in this space. So online banking, as
opposed to online retail, it is all changing.
Mr. RICE. Well, if a merchant accepts a fraudulent card
under the old rules, before chip technology, magnetic stripe,
who bears the responsibility for that?
Mr. MIERZWINSKI. Well, it depends on whether the merchant
was in compliance with what are known as the PCI (payment card
industry) standards.
Mr. RICE. Assuming that they were.
Mr. MIERZWINSKI. Did the merchant check on the back--if it
is an online merchant, for example, did the merchant comply
with the requirement that they check the three-digit code on
the back of the card, which is something that is typically not
transferred when only the front of a card or card information
is swiped. If it is a gas station, did the merchant do things
like ask you for your zip code or some of the other
requirements? So it all depends on the rules and whether the
rules were filed. Some of the merchant witnesses may have more
to add on it.
Mr. RICE. But if they did comply with those rules, who
bears the responsibility?
Mr. MIERZWINSKI. Well, generally, that is something that I
cannot answer because I am neither a merchant, nor a bank, but
I can tell you that the merchants and the banks have argued
about this in court, they have argued about this in Congress,
and the banks have this tremendous hammer, Congressman, what is
called the chargeback. They do not get paid for their
electronic transactions until the bank decides to pay them.
They can keep the money through the chargeback process or they
can even take it back later.
Mr. RICE. I thought under the law that, assuming that the
merchants undertook their due diligence, that the credit card
issuer was ultimately responsible.
Mr. MIERZWINSKI. But if you are a small 7-Eleven or a small
convenience store and the bank takes your money and says it is
your fault.
Mr. RICE. You are saying that may not be practical?
Mr. MIERZWINSKI. It is not practical.
Mr. RICE. Even though it is the law?
Mr. MIERZWINSKI. That is my understanding of the way it
works.
Mr. RICE. Anybody up there want to add anything to that?
Mr. SCHEELER. I can add that I have heard the term ``
liability shift'' thrown out with this EMV transition, and that
has always confused me because I see chargebacks at every one
of my stores, every month, of every year, that I am responsible
for. The most recent one that I dealt with, I was sent the
transaction information after it was disputed by whomever, by
the cardholder, of the day and time and the amount of that
transaction, with instructions on what the card network needed.
I followed exactly what they needed. I found the actual signed
slip that the customer signed, sent it in, following
instructions, and I got a letter back in the mail that said, ``
We cannot verify this transaction.'' So we did not get paid on
it. So liability shift, I do not understand it because in my
mind we have been liable this whole time.
Mr. RICE. Well, I think under the law, that you are not
liable. Now, practically collecting that, I am not sure. And I
think if you were liable for fraudulent cards and that was a
widespread practice, I do not believe too many people would
take the credit cards. I think that is one of the incentives to
take them.
But anyway, I yield back.
Chairman CHABOT. Thank you. The gentleman's time has
expired.
If I could take the prerogative of the chairman, how much
of the transaction for that was in dispute?
Mr. SCHEELER. It was either $46 or $56. I do not remember
the exact amount.
Chairman CHABOT. Okay. Thank you.
The gentlelady from Michigan, Ms. Lawrence, is recognized
for five minutes.
Ms. LAWRENCE. Thank you.
Mr. Lipert and Mr. Scheeler, you both represent the
National Retail Federation Convenience Store Association where
you are small business owners. So let us be clear. There seems
to be less of an urgency for smaller businesses that handle low
volume or you know your customers, like Ms. Wade has said. It
is a smaller community, so you know your customers basically
when they come in. How can we encourage small business owners
to make this transition? How do we make the case that the
challenges that a small business owner are faced with during
this process is worth it? Can the two of you please comment on
that?
Mr. SCHEELER. I think that is a terrific question. I think
depending on the volume of the store, economically, there is a
legitimate question over whether the upgrades should take place
or not. I think what really should be the deciding factor for
any legitimate businessperson is, do I have a moral
responsibility to my customers? Do I want them to feel
comfortable processing their payment cards in my place of
business? And I think most businesses would say, `` Yes,
absolutely I do.'' So I think speaking for just ourselves and
our smaller stores, that was a deciding factor when I was
making the decision to transfer to EMV.
Ms. LAWRENCE. I did not really get an answer before. At
least I did not hear it. What is the cost that you say if you
average it out for small businesses to be able to have the
equipment and to transfer to this new technology?
Mr. SCHEELER. Okay. And again, it is going to be different
for my industry as opposed to others. The industry average in
the convenience store industry is about $26,000 per store
because there are so many different moving parts involved. As I
said in my testimony, it was about $44,000 per store because
there were some other considerations involved as well. So the
bottom line is the numbers are pretty significant.
Ms. LAWRENCE. Okay. Mr. Scheeler? That is you. So, Mr.
Lipert?
Mr. LIPERT. I think for small stores like myself, I think
if we could be provided secure payment technology and payments
that are transparent and competitive, this would be really
helpful.
Ms. LAWRENCE. Absolutely. We want to protect our customers.
We care about our customers. When I started my testimony, I am
a shopkeeper because I love my stuff and I love my customers. I
want to do the best for them and give them the best service and
experience.
One thing I would just like to add is that in terms of this
cost, I was given an option of doing an EMV reader. So that is
the actual little boxy thing that plugs into a model or into a
phone line that can take a payment. That I was quoted $600 for.
The problem for small businesses, shops that have stuff, shops
where there is inventory, shops where there are customers that
are repeating and coming in, in order to just stay current, we
have to have a point-of-sale system, and the point-of-sale
system is the thing that sort of links my stuff to my customers
so that I can look back and see who bought what, did what, and
all the rest of it. And it is connected also to the payment.
Once you get into that, it becomes very expensive, and this is
the problem, and this is what is causing me such reluctance.
Yes, I could go and buy the box, but as my equipment provider
said to me, `` Do not do that, Keith. That is going back to the
Dark Ages.'' So that is my dilemma. Yes, I can buy the box for
$600 and satisfy a minimum requirement, but it does not help me
try and keep my business current and competitive with all the
other stuff that is going on in our industry.
Ms. LAWRENCE. Thank you for that.
Just briefly, Mr. Mierzwinski, in your testimony, you
highlighted that the Federal Trade Commission noted that the
EMV rollout and the October 1st deadline is being taken
advantage of by scam artists. Can you elaborate on that?
Mr. MIERZWINSKI. Well, certainly, Congresswoman. The scam
artists come out every time there is a new way that they can
hook an old scam up to it. And in this case, consumers are
getting letters that claim to be from their bank that are
trying to obtain information. They say, `` You have not gotten
your chip card yet. You are in trouble. We are going to send it
to you but first you need to verify your current account
number.'' They trick you, social engineering, into giving them
information that allows them to rip you off.
I would point out that I think, I am speculating here, that
I am sure there are also similar scams directed at the
merchants, trying to get them to buy weak technology or
overpriced technology that will not work. That typically
happens as well, small business fraud.
Chairman CHABOT. The gentlelady's time is expired.
Ms. LAWRENCE. Thank you.
Chairman CHABOT. Thank you.
The gentleman from Nevada, Mr. Hardy, who is chairman of
the Subcommittee on Investigations, Oversight, and Regulations
is recognized for five minutes.
Mr. HARDY. Thank you, Mr. Chairman.
In the wake of this change and during this process we have
seen a lot of fraud going on, and also the businesses having
the opportunity to change. Are there certain levels or
categories we find through the fraud process that if you have
certain information you can categorize your information that
can be breached through this process? This would probably be
best for you, Mr. Mierzwinski. Are there levels that businesses
can take of this or is it open, you know, my data, I do not
want all my information out there, but when you have a credit
card and you file for it, you pretty much give the bank all
your information. Does that liability fall back on these small
businesses when all that liability is reached? Or are there
certain levels you businesses have that you can only acquire?
Does it make sense what I am trying to ask there?
Mr. MIERZWINSKI. Well, I think, Congressman, you have asked
a couple of questions. But going to EMV or chip cards is going
to prevent merchant computers from getting your credit card or
debit card number inserted into them. It basically makes every
transaction establish a one-use number based on that
transaction. So the big breaches with thousands of cards being
cloned will no longer occur from chip cards, but there will
still be fraud by imposters, and there will still be bad guys
digging into computers systems to obtain the other kinds of
information that allows them to also commit new account
identity theft, or in the case of the IRS, steal your tax
refund, et cetera. So I would leave it to the merchants. The
merchants have an issue with the banks. As of October 1st they
are saying if you have not installed readers for chip cards,
you will be more liable, but as the merchants have already
pointed out, we are already liable.
Mr. HARDY. I guess this is for all the merchants. The
question I would have is it sounds like a cost for each one of
you, where does that cost get handed down to? We know where it
goes but I do not think you take it on yourself. Does that get
passed on to the consumer, these changes? And is it
exponentially higher for certain businesses and lower for other
bigger businesses? Does anybody care to address that?
Mr. SCHEELER. I would, Mr. Congressman. Thank you.
I think the free market would dictate that typically those
costs would get passed on to consumers. In my industry though,
I see it differently simply because our primary product in the
convenience store industry is gasoline. We are the only
industry in the world that puts a big sign up on the corner and
plasters our gas price up there for everybody to see. So if I
decide to raise my price two cents, whatever it might be per
gallon, the guy down the street, in true competition, may or
may not do that. So market forces will drive that price in our
industry, so I do not think that applies because of the
transparency that we carry that quite frankly the banks do not
know much about.
Mr. HARDY. This process of we are doing chip and signature
now, and I know the banks have committed they are going to move
towards PIN and other identification processes. Do you have any
idea why they are waiting and why we did not try to implement
this at the time with the technology? Mr. Mierzwinski, maybe
you have that idea.
Mr. MIERZWINSKI. I think nobody can figure out any reason
that the banks are delaying and slow-walking this transition
except that they make more money on chip and signature than
they would on chip and PIN because there would be competing
networks that merchants could choose or encourage their
customers to choose that are owned by different people than
Visa and MasterCard. Consequently, the banks would earn less
money. That is really the reason that I can see.
Mr. HARDY. Thank you, Mr. Chair. Most all my other
questions have been asked prior to this, so I will yield back.
Chairman CHABOT. Thank you very much. The gentleman yields
back.
And we want to thank the witnesses for their testimony here
today. We have now heard a couple of weeks back from the
bankers and credit card issuers on one hand, and we have heard
from the retailers this week, so we have, I think, a good sense
from both sides where some of the issues are and what is
happening. I think you have helped educate the Committee, and
hopefully through our means of communicating to the public, we
will be educating the public more and more, as well, because
they are, after all, going to be directly affected by this very
important issue.
I would ask unanimous consent that members have five
legislative days to submit statements and submitting materials
for the record.
Ms. VELAZQUEZ. Not in Washington.
Chairman CHABOT. Not in Washington. Although I have to
note, I am not a frequenter of art galleries, but your shop,
Mr. Lipert, sounds like it would be a fun place to go and
interact and just see all the things that you have there. So it
is not a commercial, but I thought your testimony was very
helpful, as was all the testimony that we heard this week, as
well as a couple weeks ago.
So if there is no further business to come before the
Committee, we are adjourned. Thank you very much.
[Whereupon, at 12:17 p.m., the Committee was adjourned.]
A P P E N D I X
Hearing Entitled ``The EMV Deadline and What it Means for Small
Businesses: Part II''
Testimony of Jami Wade, Owner, Capitol City CORK and Provisions
and Executive Director, Capitol City Cinema
Before the U.S. House of Representatives Committee on Small
Business
October 21, 2015
Good morning, Mr. Chairman, Ranking Member Velazquez, and
other Committee Members. My name is Jami Wade, and I am the
owner of Capitol City CORK and Provisions, a wine shop and
restaurant in historic downtown Jefferson City, Missouri, just
a few blocks from the Missouri State Capitol. I am also the
executive director of the Capitol City Cinema. I would like to
thank the Committee for the opportunity to speak today about
the matter of small businesses upgrading their payment card
terminals so that those terminals can read the new chip-enabled
payment cards.
I began my adult life as a high school teacher in Columbia,
Missouri. Five years ago, I moved from Columbia to my home town
of Jefferson City and opened Capitol City CORK and Provisions.
I have five employees at the restaurant, and we serve a
seasonal and changing menu with locally sourced food. We can
only seat 32 patrons at our tables, so we truly are a small
business. Next door to Capitol City CORK is the Capitol City
Cinema, a single-screen movie theater that specializes in
showing independent, foreign, and documentary films. It is a
non-profit, community-based, member-supported movie theater.
As the owner of one small business and manager of another,
I have to rely on myself to exercise sound business judgment.
Any misstep could have serious consequences for the businesses
I run and the people I employ. The manner in which we get paid
is essential to our ability to generate cash flow, pay the
bills, and stay in business. Acceptance of payment cards is the
life-blood of our operations. First of all, approximately 90
percent of the restaurant's sales are made through debit or
credit card transactions. When a customer pays with a card, I
always know I am going to get paid, get paid quickly, and get
paid without hassle. My restaurant has never even had to deal
with a disputed card transaction. Also, it may just be the
result of basic human nature, but it seems that customers are
willing to spend a little more--maybe an extra glass of wine or
dessert--when they are paying with cards instead of cash. For a
small business, that's valuable. On the other hand, we don't
accept checks other than for special events and, even then, we
only accept them from well-established clients. We cannot run
the risk that checks will bounce and we won't get paid, leaving
us to come out of pocket to cover costs.
At Capitol City Cinema, many of our customers still
purchase their movie tickets with cash. But, we do accept
cards, and we often see customers making purchases of higher-
priced items with cards. For example, they might sign up for an
annual membership giving them discounted admissions and other
perks throughout the year. These purchases are essential to the
business, because without our member support we could not
remain operational.
At both Capitol City CORK and Capitol City Cinema, we have
been fortunate never to have been the victim of payment card
fraud. I know first-hand, however, that the threat is real. A
few years ago, my husband was the victim of a breach at a
grocery store in Jefferson City. His card information was
stolen, and the hackers ran up seven thousand dollars in
charges. I am glad to say that we were not held responsible for
paying for those transactions, because those fraudulent charges
would have done serious damage to our personal finances. Both
of my businesses rely on card payments, particularly my
restaurant, and I will tell you that it would be a very big
deal for us to absorb the costs associated with even one major
incident of fraud. The potential liability would be seriously
detrimental to our business, especially at Capitol City CORK.
This is why I have made the business decision to upgrade to
terminals that can read chip-enabled payment cards at Capitol
City CORK and Capitol City Cinema.
As a bit of background, I'm lucky to have a good
relationship with my processor, another small business located
a block away from the restaurant and the movie theater. The
processor is the company that sells and services the technology
for my businesses to be able to accept card payments and get
connected to a merchant acquirer. Because I talk to my
processor on a regular basis, I was able to learn about the new
chip-enabled terminals that were becoming available and my
processor explained to me about the liability shift well before
it went into effect on October 1. For now, it seems that most
of the local banks and credit unions in Missouri have not
issued cards with chips on them, but I understand that this is
coming soon. When it happens, I want to be prepared and I want
to be protected by the liability shift--this means putting in
new terminals.
The total cost for a new chip-enabled terminal at Capitol
City CORK is about three hundred dollars. Yes, this an out-of-
the-ordinary expense for the restaurant, but I do not consider
it to be a financial burden given the peace of mind that a new
terminal will provide. I look at it as paying a small premium
for an insurance policy to protect the restaurant against a
potentially significant downside. After having survived the
first few years running my own business--a period in which many
new start-ups fail--I cannot imagine leaving my business
vulnerable to external threats when there are reasonable steps
that I can take to protect it. Furthermore, from all of the
information I've received from my processor, I expect the
process to upgrade to the new terminal to go seamlessly,
without any disruption to our everyday business. In fact, we
have the new terminal on site. It just hasn't ``gone live'' yet
but should by the end of this month.
I also learned that a chip-enabled card reader is available
for only fifty dollars for the Cinema. I have voiced my support
for making the upgrade, and the decision whether to make the
purchase is currently pending before the Cinema's board of
directors.
I am a person who left her job to pursue a vision of
running her own business. When I get out and talk to other
members of the downtown Jefferson City community, every small
business owner has a story that is unique, but most of us have
in common that we accept payment cards because they are
valuable to our businesses. In light of the recent headlines
about several data breaches over the last few years, many other
small business owners in Jefferson City and I wonder, what's to
stop it from happening here? They share my concerns and want to
do everything they can to protect their businesses and their
employees--and I suspect that this sentiment is widespread
across the country. I do believe that it is up to each business
owner to make the proper decision for his or her own business.
Some small business owners will no doubt choose not to upgrade
their terminals, whatever the reasons. In my opinion, they are
putting their businesses on the line by leaving them
susceptible to fraud in card transactions. As I started out
saying, as a small business owner, I have had to rely on myself
and my own sound judgment in making my vision a reality. I will
continue to do so as I look ahead, and upgrading to chip-
enabled technology is the right decision to ensure that my
business is around long into the future for my family, my
employees, and my customers.
I appreciate the opportunity to share my experience with
the Committee today, and I welcome any questions that you may
have.
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Chairman Chabot, Ranking Member Velazquez, and
distinguished members of the Small Business Committee, thank
you for inviting me to testify at this important hearing, ``The
EMV Deadline and What it Means for Small Businesses Part II.''
My name is Keith Lipert and I am an independent shopkeeper. I
own The Keith Lipert Gallery, and my storefront can be found
right here in Washington, DC and online at keithlipert.com. I
am a sole proprietor with one full-time employee and two part-
time employees. I love being a retailer and I love serving my
customers.
In addition to running my store, I serve on the Board of
Directors at the National Retail Federation (``NRF''). NRF is
the world's largest retail trade association, representing
discount and department stores; home goods and specialty
stores; Main Street merchants; grocers; wholesalers; chain
restaurants; ad Internet retailers from the United States and
more than 45 countries. Retail is the nation's largest private
sector employer, supporting one in four U.S. jobs and 42
million working Americans. Retail contributes $2.6 trillion to
annual GDP and is a daily barometer for the nation's economy.
Retailers create opportunities for life-long careers,
strengthen communities, and play a critical role in driving
innovation. Many of NRF's small business members, like millions
of other small merchants, are being adversely affected by the
card brands concerted effort to force us to further adapt our
operations to their flawed card system. I want to give you a
sense of our challenges and ask for your help.
When I opened my doors in Georgetown in 1994, I intended to
be a successful merchant by selecting beautiful items to sell
and by taking care of my customers. In those days, unique
merchandise and quality customer service were enough to keep
customers returning to my store and manual sale slips were
enough to conduct credit card transactions. Today, that simple
business model is being disrupted with overwhelming challenges
such as online competition, evolving point-of-sale systems
(``POS''), and the constant struggle to keep up with ever-
changing compliance standards and ever-increasing credit card
interchange rates, or swipe fees. All retailers, no matter the
size, are being held to technological standards that even some
of the most sophisticated businesses in the world have yet to
master.
EMV (the name is from the initials of the owners--Europay
MasterCard Visa) is a proprietary standard that was created by
the largest card companies to be imposed on retailers. U.S.
banks are just now issuing updated cards with chip technology,
protected by the signature authentication (``chip and
signature''). Consumers around the world have been using chip
cards for decades. However, in the rest of the world chip cards
are accompanied by Personal Identification Numbers (``PINs'').
PINs are proven to be a much more secure authentication method
in transactions and, unlike Chips, effectively reduce nearly
all types of fraud. In fact, according to the Federal Reserve,
PIN cards are up to seven times more secure than Signature
cards \1\. Chips help protect the physical card and PINs
reliably authenticate the consumer. This combination is
precisely the sort of protection that the American consumer
wants now \2\.
---------------------------------------------------------------------------
\1\ Board of Governors of the Federal Reserve System, ``2011
Interchange Fee Revenue, Covered Issuer Costs, and Covered Issuer and
Merchant Fraud Losses Related to Debit Card Transaction,'' March 5,
2013, p. 25, http://www.federalreserve.gov/paymentsystems/files/
debitfees--costs--2011.pdf
\2\ Chip & PIN Security Now! Research TargetPoint Consulting,
November 2014, http://www.chipandpinsecuritynow.org/about/
#sthash.c9uJZLis.dpuf
October 1, 2015 marked the deadline when card networks
effectively shifted liability for fraud onto any retailer
without the ability to accept a chip card presented to her for
transaction. This so-called ``deadline'' of October 1st was an
arbitrary date that the duopolistic bank card brands dictated
without seriously considering its effect on millions of small
businesses. No one from my bank processor or existing supplier
even contracted me about the need to add a new EMV device, let
alone a deadline by which to do so. The most shocking part of
this news was that the already sky high swipe fees will stay
high and are rationalized as the cost of fraud prevention, even
---------------------------------------------------------------------------
though the liability for fraud is now being shifted to me.
The EMV transition is overwhelming and expensive for an
independent, small retailer. I do not have an IT department; I
personally handle IT--as well as payroll, benefits, taxes,
buying, selling, and everything else a small business owner
must do to say in business. I rely on service providers and
vendors when it comes to IT needs through consultation over the
telephone. Unfortunately, a phone conversation doesn't cut it
when it cones to adopting complicated payment technology
systems. Not only is the implementation process extremely
complex, but also the cost is extremely high for merchants of
all types (whether retailers or restaurants or taxicabs or
doctors' offices). There are wide ranges of estimates for the
cost attributed to upgrading terminals, but it is fair to say
that for many businesses the costs for fully functional POS
terminals that comply with EMV can easily exceed $1,000 to
$2,000 once all of the training, system integration, and back
office costs are included \3\. Retailers strongly support more
secure payment options, and that is why we are collectively
spending our share of billions of dollars to adopt the chip
card technology even when it makes little sense in any serious
customer protection or basic return-on-investment analysis.
---------------------------------------------------------------------------
\3\ Chris McWilton, President, MasterCard North America. ``Credit
Card Chip Gains Traction.'' Squawk on the Street. CNBC, New York.
http://video.cnbc.com/gallery/?video=3000427478
But that is why we also find it extremely frustrating that
the card industry expects retailers and other businesses to
upgrade when it will not allow the US to adopt the most secure
form of this technology--chips with PINs. Take lost-and-stolen
fraud, for example, which is the kind of fraud that chips with
signature alone will do nothing to prevent. The card industry
maintains that lost-and-stolen fraud is declining, but a more
nuanced evaluation of the data shows that lost and stolen fraud
has remained largely constant while counterfeit card fraud and
card-not-present (``CNP'') fraud have risen.\4\ The use of PINs
will mitigate fraud in all of these situations. But in the two
specific situations where retailers bear the largest share of
the risk--and where chips do virtually nothing--lost and stolen
and CNP--PINs are not just a mitigating factor to fraud, they
are the single most certain way of blocking it.
---------------------------------------------------------------------------
\4\ Board of Governors of the Federal Reserve System, ``2011
Interchange Fee Revenue, Covered Issuer Costs, and Covered Issuer and
Merchant Fraud Losses Related to Debit Card Transactions,'' March 5,
2013, p. 25, http://www.federalreserve.gov/paymentsystems/files/
debitfees--costs--2011.pdf
In addition to the significant costs, there are significant
delays in getting the POS hardware, installing the software,
and, for many retailers, receiving the certification. There are
tens of millions of POS terminals in our country, but small
business updates are simply not a priority for the hardware
manufacturers, the software service providers, nor the
certification entities. I asked my payment technology rep when
I could expect a new device if I ordered it this month and was
---------------------------------------------------------------------------
told the equipment is on backorder.
The delays for the equipment to arrive in my store takes
into account the assumption that I even know which system to
choose in the first place; there are countless options for
retailers, all accompanied by their own fine print regarding
fees and rules. EMV is all new to me, and banks and the
networks are not contacting small businesses to help facilitate
the transition in any way. What may seem like a ``deal'' for an
EMV reader is in fact a solution that will come with increased
costs over time. Customers use many different kinds of cards,
all with different interchange rates, or swipe fees. Now, will
there be more fees on my statement to accept EMV dips after I
install new readers? How many more fees can there be?
When I started in retailing, cash and checks were very
common. Both of these forms of money cost me virtually nothing.
$100 in cash nets me $100 in revenue. These days, however, the
card networks and banks spend billions of dollars promoting the
use of a more expensive form of money: cards. Now a $100 sale
might net me $97 in revenue, because the card industry is
charging me for their rewards programs. In fact, for most
retailers, swipe fees are the second or third highest cost for
merchants behind labor and rent.
All of this would not have happened if two companies,
acting on behalf of thousands of banks, hadn't been allowed to
subject consumers and businesses to an expensive, fraud-prone
payment system. From a small retailer's perspective, the whole
approach to EMV is costly, incomplete, and further enhances the
monopoly power of the card industry at my expense. If banks and
card networks are going to make me spend a lot of money to
reduce their fraud, they should at least offer a more secure
solution and a savings to me and my customers.
Small retailers are entirely at the mercy and whims of the
big players. We have no say and no way to use the marketplace
to make our objections heard and our concerns valued. Until the
government can help effectuate a level playing field, we will
continue to see the slow destruction of the local merchants
that provide the glue for our communities. We need a secure
payment technology solution that trends to processing on par
with cash. Instead we get costly alternatives.
Thank you for your interest in this issue, and I look
forward to your questions.
TESTIMONY OF
JARED SCHEELER
MANAGING DIRECTOR
THE HUB CONVENIENCE STORES, INC.
ON BEHALF OF
THE NATIONAL ASSOCIATION OF CONVENIENCE STORES
FOR THE
HEARING OF THE HOUSE SMALL BUSINESS COMMITTEE
OCTOBER 21, 2015
``THE EMV DEADLINE AND WHAT IT MEANS FOR SMALL BUSINESSES: PART II''
My name is Jared Scheeler. I am Managing Director for the
Hub Convenience Stores, Inc. and I appreciate this opportunity
to present my views regarding the implications of the EMV chip
deadline for my small business.
I am testifying today on behalf of the National Association
of Convenience Stores (NACS). I serve on the NACS Board of
Directors. NACS is an international trade association
representing more than 2,200 retail and 1,800 supplier company
members in the convenience and petroleum retailing industry.
NACS member companies do business in nearly 50 countries
worldwide, with the majority of members based in the United
States. In 2014, the industry employed more than two million
workers and generated $969.1 billion in total sales,
representing approximately 4.0 percent of the United States'
GDP--or one of every 25 dollars spent. The majority of the
industry consists of small, independent operators. More than 70
percent of the industry is composed of companies that operate
ten stores or fewer, and 63 percent of them operate a single
store.
My company, Hub, has four retail outlets in North Dakota.
Two locations are located in Dickinson, one in Mott, and one in
New England, ND. On average, we employ 12 employees per store.
As a small business, the transition to EMV has been a
costly and burdensome undertaking. It does not appear that the
card companies took into consideration the realities of
operating a small business when they came up with their
transition plans. In addition to the substantial time and money
involved, the card companies have erected considerable
obstacles that restrict my ability to reduce payment card fraud
at my stores. Below I offer more detailed comments on the
transition, its impact on my business, and the lost opportunity
for substantially reducing fraudulent transactions.
I. The cost of the EMV transition for my business.
Thus far, it has cost approximately $44,500 per store--more
than $134,500 for a chain our size--to make the point-of-sale
operating systems and fuel dispensers in our three existing
stores EMV compatible. At our existing site in Dickinson, which
is Mobil-branded, we purchased 6 brand new fuel dispensers even
though the existing dispensers had many years of useful life in
them. The new dispensers were $17,000 each and the in-store
point of sale card reader was $2,000. So, the upgrade cost us
more than $100,000 at this site.
Although we made these large investments, because we
process our cards at our existing and new Dickinson sites
through our fuel brand, ExxonMobil, we cannot accept EMV
transactions. That is because ExxonMobil has not yet
implemented EMV technology in their card processing network.
They are not mandating an in-store terminal switch until
October 1, 2016 and they are assuming any liability between now
and that date.
Once they implement the EMV technology, all ExxonMobil
stores will require a software update. These updates are one
part of an annual service package that cost $1,500 per store.
For those who don't purchase the service package, it's about
$1,000 for the software upgrade alone. Further, when the
upgrade occurs, the store's cash registers and credit network
will be unavailable for 6-8 hours while the software download
occurs. We operate our stores 24 hours per day so this downtime
will inconvenience our customers and lose us money. In fact, we
estimate that during the time our stores will be ``offline''
for the software update, we will lost at least $10,200 in sales
as well as labor and overtime costs per store.
Unlike our store in Dickinson, the New England, ND store
does not carry the brand of a major oil company. This store had
older dispensers that still had many useful years in them as
they don't pump a large amount of fuel. There are four
dispensers at this store. Upgrading these older dispensers
would have cost about $9,000 per dispenser. This is a problem
for smaller and more rural locations. They often have older
equipment that is more expensive to upgrade even though it may
have more useful life. Rather than pay $9,000 to upgrade 20
year old dispensers, we elected to transfer 4-year old
dispensers from West Dakota Oil to this store, and we put in
the new, compliant dispensers at West Dakota. The New England
Store bought the 4-year old dispensers from West Dakota Oil,
and paid $3,000 to upgrade each of those pumps plus $1,000 to
transport each pump. This store also installed EMV card readers
inside the store. In spite of these investments, the store
cannot yet accept EMV transactions due to delays in the
software programming necessary to take the transactions.
As in New England, our store in Mott, ND is unbranded. We
have two dispensers left over from the West Dakota Oil that
will eventually be installed here. Like the New England store,
these dispensers would cost $3,000 each to upgrade plus $1,000
to transport each dispenser. We plan to wait to install these
dispensers due to the cost to upgrade.
These costs are staggering. The average convenience store
makes $47,000 in profits in a year. That is pre-tax. Costs in
the low six figures are too much for most to absorb. The
average industry cost, thankfully, is lower than ours. Some of
that difference is driven by the fact that we had some older
equipment that needed to be replaced rather than upgraded.
Again, that will hit smaller and more rural locations the
hardest.
Across the industry, the average cost per store is
estimated to be about $26,000. With 152,000 stores across the
United States, that means our industry will pay about $3.9
billion to move to EMV.
And the transition is costly not only in monetary terms,
but also in terms of staff time and effort. As a small business
owner, I do not have the back office or technical support of a
large company. I have invested a tremendous amount of my own
time to effectuate this transition, at the expense of tending
to other business matters.
My company began the EMV transition process in October 2014
and it took about 16 weeks just to receive the necessary
hardware. We have been at this a long time and we are still not
done. While hardware has been a major expense, it is only the
beginning. None of our stores have gotten their necessary
software upgrades--and we can only proceed with the next steps
in the EMV transition process after that happens. Then, we move
onto what may be the biggest stumbling block, getting
technicians to program the new equipment according to card
company specifications and getting certification. Each of the
major card brands--Visa, MasterCard, American Express and
Discover--require separate certifications. And, we need to get
separate certifications for credit, PIN debit, and signature
debit. The certification process is lengthy and frequently
leads to delays because the card networks have not provided the
resources necessary given the large number of merchants that
needed certifications by the same deadline. Getting programming
and certification, however, is not the end of the EMV journey.
Businesses still need to engage in pilot testing and have
significant staff training in order to be able to start taking
EMV transactions.
Given all this, it is not surprising that my company and
other small businesses are finding this transition difficult.
The timeframes have been unrealistic and the card brands have
not provided the support necessary to get this done in the
timeframe they themselves set. Small businesses, not
surprisingly, get pushed to the back of the line to get
programming and certification services that are necessary to
complete these projects. Wait times are long. And, even when
those wait times are done, to avoid inconveniencing customers,
we often have to work at odd hours to install and program new
EMV terminals.
Even after the EMV transition is complete at my stores, I
have serious concerns about the ongoing expense and burden of
the new system. The costs for getting those services from
ExxonMobil, as noted above, are high, but at least I know what
they are. The costs for my unbranded locations might be
higher--I just don't know yet. In fact, according to industry
estimates, on-going maintenance and upgrade expenses are
expected to be upward of $2,240 per year, per store.
II. Retailers like me already bear the brunt of an unsecure
payments system
As a small business owner, I am absolutely committed to
improving payment card security. I have no problem making
investments in effective fraud-prevention measures because
retailers already pay the price for the unsecure payment card
system. Unfortunately, as discussed in further detail below,
this very costly transition to EMV will not reduce fraud as
much as it could and should, and my business will continue to
suffer from a deeply flawed system.
Banks often claim that they are on the hook for fraud
losses. They also claim that they provide a ``payment
guarantee'' to their retailer customers. Frankly, I find these
claims offensive because they are false. Let's be clear, I pay
for fraud several times over:
First, I pre-pay for fraud with exorbitant swipe fees,
which the card networks have justified as necessary to cover
the cost of fraud and fraud prevention. The Federal Reserve's
rules on debit card swipe fees specifically provide for
merchants like me to pay 5 basis points (0.05% of the
transaction amount) on every transaction to cover banks' fraud
losses. That amount is now higher than the full amount of debit
card fraud suffered by the majority of banks covered by the
Fed's rules. And, credit card swipe fees and debit swipe fees
for banks not covered by the rules are much higher--ensuring
merchants pay for more than 100% of fraud up front.
Second, I pay for fraud in chargebacks. Despite banks'
false claims of providing a ``payment guarantee'' to me and
other retailers, when a fraudulent charge is made, my company
is ``charged back'' for the amount of the fraudulent
transaction about three out of four times. In fact, every year
our company pays $600 per store in chargebacks.
Third, if a merchant suffers a data breach, Visa and
MasterCard rules require the merchant to pay for any increase
in fraud for those breached accounts.
Overall then, merchants pay for far more than 100% of the
card fraud already. Now, for those who have not yet been able
to complete the changeover to EMV, the numbers will be even
higher. That makes no sense.
III. EMV will not reduce fraud nearly as much as it should
Disappointingly, the card companies have mandated an EMV
transition that does not include a simple and very effective
security measure that would substantially reduce fraud losses
for everyone, including small business owners like me. Instead
of migrating to chip-and-PIN technology in the U.S., the card
companies have opted for a transition to chip-without-PIN. This
is true in spite of the fact that the rest of the world has
been moving to chip-and-PIN and that the data the card industry
has used to justify the move in the United States relies on the
use of chip-and-PIN, not chip-without-PIN.
Chip-embedded cards are harder to counterfeit or copy than
magnetic stripe cards, but counterfeit ``chip'' cards (that
don't have a chip but still look like a chip card) can still be
made, and when a person presents a card with a non-functioning
chip, the card's magnetic stripe will be used or the card's
number will be entered to complete the fraudulent transaction.
Most of those transactions would, however, be blocked if a PIN
was required.
Chip technology without a PIN does not help reduce fraud in
instances where a card is lost or stolen. Chip-without-PIN also
does not to stop card fraud on the Internet. But Internet fraud
is already a major proportion of fraud and will undoubtedly
grow along with the EMV implementation. PIN use can help stop
lost and stolen fraud as well as Internet fraud. The fact that
the card industry is not issuing a PIN with every card is mind-
boggling and cuts against all of the experience we have gained
with the technology overseas.
This is particularly important in my business since 35
percent of our sales occur at the pump where the store clerk
does not see the card user or the card for sales. Over the past
few years, motor fuel and other retailers with self-serve
machines have paid fees to require zip code verification for
these transactions. This service adds cost but saves us real
dollars on fraud chargebacks. While generic zip code
verification helps, PIN authentication--which is truly
individualized for each consumer--works better. The benefits of
PIN authentication are real: the Federal Reserve Board has
confirmed that PIN authentication is six times more secure than
signature authentication on debit transactions.\1\ Moreover,
chip and PIN has been used to great success in Europe for over
twenty years--a fact the card networks know well.\2\
---------------------------------------------------------------------------
\1\ Federal Reserve Board, Debit Card Interchange Fees and Routing,
77 Fed. Reg. at 46,261 (Aug. 3, 2010), available at http://www.gpo.gov/
fdsys/pkg/FR-2012-08-03/pdf/2012-18726.pdf.
\2\ The Benefits of Chip and Pin for Merchants, available at http:/
/www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last visited
Oct. 15, 2015) (describing how fraud related to lost and stolen payment
cards in the UK decreased by more than half since chip and PIN was
adopted there in 2004); see also Submission of Visa Worldwide, Visa AP
(Australia), and MasterCard Asia/Pacific to the Australian Competition
& Consumer Commission in support of Authorisations A91379 & A91380
(Aug. 30, 2013), ``Security of Chip and PIN vs. Signature,'' pp. 1-2,
available at http://registers.accc.gov.au/content/
index.phtml?itemID=1120516&display=submission (last visited Oct. 15,
2015) (affirming ``[t]he Applicants' view is that chip and PIN is a
significantly more secure form of [customer verification method] than
signature'').
Despite the clear security benefits of PIN, the card
companies continue to adopt policies and rules that do not
capitalize on those benefits. The EMV transition to chip-
without-PIN is just one example. Another example is the card
companies' prohibition on merchants requiring PIN on debit card
transactions. Even though the vast majority of debit cards are
PIN-enabled, under the card companies' rules, I cannot choose
to require customers to use a PIN to authenticate debit
transactions. That is true in spite of the fact that when banks
act as merchants--dispensing cash from ATMs--they are allowed
to require PINs. And, of course, the banks always do require
---------------------------------------------------------------------------
PINs.
The card companies' actions and policies simply do not make
sense if the real objective is to reduce fraud in the payment
card system. Perhaps this should not be a surprise given that
those networks do not shoulder any of the losses from
fraudulent transactions. But as a small business owner paying
for this costly EMV transition and substantial annual fraud
costs, I am frustrated that I will not see the fraud relief
that I and other retailers could easily get if the networks
were making the type of genuine fraud-reduction effort that
they have made around the world.
IV. PIN authentication would also benefit our customers.
I have heard the card companies and banks say time and time
again that American consumers do not want PIN authentication.
According to them, consumers will refuse or be unable to
remember a 4-digit code. Given consumers' daily usage of PINs
at bank ATMs and their use of similar passwords and codes to
access smart phones, other devices and online accounts among
many other things, this is demonstrably wrong. And, the card
industry position is not supported by the data--a recent survey
commissioned by the National Retail Federation found that 62%
of consumers would prefer to use chip and PIN cards rather than
chip-without-PIN cards.\3\
---------------------------------------------------------------------------
\3\ See NRF Survey, available at https://nrf.com/sites/default/
files/Documents/Chip-and-Pin%20Consumer%20Survey%20One-Pager%2009-16-
2015%20REV.pdf.
The card networks' position against PIN use in the United
States appears to be disingenuous given that they have
advertised in other countries that PIN transactions are more
effective in preventing fraud than signature transactions and
lead to ``increased checkout speed and improved customer
service.'' \4\
---------------------------------------------------------------------------
\4\ ``The Benefits of Chip and PIN for Merchants,'' available at
http://www.visa.ca/chip/merchants/benefitsofchippin/index.jsp (last
visited Oct. 18, 2015) (including a statement that ``using a PIN is 2
to 4 seconds faster than obtaining a signature...''); see also ``The
Importance of PIN,'' available at http://www.visa.ca/chip/cardholders/
importance-of-pin/index.jsp (last visited Oct. 18, 2015) (Visa
advertises to consumers on its website in Canada (where chip and PIN
has been implemented), in a section titled ``The Importance of PIN,''
that ``PIN transactions are easy.'')
The consumer experience is a priority for any small
business. So it is difficult for me to accept that the card
networks and banks are promoting chip-without-PIN when chip-
and-PIN is widely proven to benefit consumers--and the numbers
---------------------------------------------------------------------------
show that consumers want it.
***
Unfortunately, there are many problems with the transition
to EMV. This is not surprising given the fact that the card
companies developed the transition timeline and requirements
without input from merchants and consumers. Beyond the expense
and unreasonable timeliness, the most frustrating aspect of the
transition is that it will fall short of the fraud-prevention
and consumer protection benefits it could easily achieve.
Retailers want strong security--and we've been paying to try to
get it--but transitioning to unproven chip-without-PIN
technology threatens to have a significant negative impact on
small businesses like mine. My company will continue to shell
out money to pay for fraud several times over despite investing
hundreds of thousands of dollars in the card networks' chosen
technology. That is wrong and needs to change.
Testimony of
Mr. Art Potash
Chief Executive Officer for Potash Markets
On Behalf of the
Food Marketing Institute
Before the
House Small Business Committee
Hearing on
The EMV Deadline and What it Means for Small Businesses: Part
II
October 21, 2015
Washington, D.C.
Introduction:
Good Morning Chairman Chabot, Ranking Member Velazquez and
members of the Committee. My name is Art Potash and I am the
CEO of Potash Markets in Chicago, Illinois. My family has owned
and operated grocery stores in the Chicago area for 65 years.
We currently employ 140 people. The Potash family tradition
continues today of helping our customers fulfill their culinary
passions and lead healthier and more fulfilling lives. We enjoy
strong customer loyalty to our local grocery stores and strive
to meet our customers' preferences and demands, from the food
we sell to their peace of mind when using their credit cards to
pay in our stores. I appreciate the opportunity to speak to you
today about steps my company has taken to migrate to EMV and
the challenges we have faced along the way. It is incredibly
important that this committee, Congress and the American
Consumer fully understands how EMV is being implemented here in
the United States, what its potential benefits are, how it is
different than it has been done globally, and the unique
challenges small merchants are facing in meeting these
standards.
About the Food Marketing Institute:
Food Marketing Institute proudly advocates on behalf of the
food retail industry. FMI's U.S. members operate nearly 40,000
retail food stores and 25,000 pharmacies, representing a
combined annual sales volume of almost $770 billion. Through
programs in public affairs, food safety, research, education
and industry relations, FMI offers resources and provides
valuable benefits to more than 1,225 food retail and wholesale
member companies in the United States and around the world. FMI
membership covers the spectrum of diverse venues where food is
sold, including single owner grocery stores, large multi-store
supermarket chains and mixed retail stores. For more
information, visit www.fmi.org and for information regarding
the FMI foundation, visit www.fmifoundation.org.
Decision and Experience Migrating to EMV:
As Visa's witness explained in the prior hearing, their
company did not place an explicit mandate on merchants to
migrate to EMV. Instead, Visa, MasterCard and the other card
brands announced that any merchants who did not migrate to EMV
would have additional fraud costs placed upon them. This would
be in addition to fraud costs we already pay in interchange
fees and chargebacks. As the other witnesses have and will
testify today, each merchant then had to make the business
decision of if the added cost of fraudulent cards would
outweigh the cost of upgrading their point of sale systems to
EMV.
After studying the costs and benefits, including providing
the most robust security for our customers' payment card data,
we decided, like the majority of the grocery industry, to work
to migrate our stores to EMV. As you can imagine, upgrading to
EMV in my business is not as easy as buying a $49.99 Square
reader. Our cash registers and credit card readers are more
complex, providing for credit, debit, SNAP transactions,
coupons and returns, among other features such as our customer
loyalty card program, and ties into a network that requires
substantial upgrades on both the front end and back end to be
EMV-compliant as well as PCI-compliant.
Additionally, like many others, I am in the business of
selling groceries and I rely on third party vendors to actually
perform these upgrades and interface with the other links in
the chain. A small business such as mine does not have the
resources to perform the programming to convert our system to
EMV or the financial wherewithal to own our own switch.
Instead, we rely on and pay our merchant acquirer, in our case
Worldpay, to make this happen for us so we can focus on selling
groceries.
During the first hearing, the panel frequently referred to
the $49.99 Square EMV solution, or a $100 off the shelf EMV
point of sale reader. That characterization innately did not
reflect the true needs and perspective of the merchant
community. The true cost estimates in the United States for
merchants to convert to EMV runs into the billions of dollars.
Even the conservative estimate of $8 billion for merchants did
not appear to consider back end costs as well as man hours and
potential downtime while upgrading the system. This is a huge
investment and cost on all merchants large and small.
In May, we installed all new EMV point of sale devices in
two of our three stores at a cost of $1,000 per lane. For the
two stores, this means an upgrade cost of $8,000 just to
conduct EMV-compliant payment transactions. This is a large
investment to our small business, but we are willing to make it
to protect our customers and hopefully get a reduction in fraud
and our fraud expenses.
While we now have EMV readers in our stores, we are not yet
EMV-compliant and are now facing a holiday season exposed to
greater fraud liability as we wait for our merchant acquirer to
complete our transition., Currently, our acquirer has estimated
they will be ready to upgrade our back end software by the end
of November at best.
The Cost of EMV and Card Acceptance for Merchants Moving
Forward:
This is an investment we made without much incentive from
the card brands. Unlike the issuing banks who were enticed to
issue chip cards with the promise of seeing their fraud costs
reduce, merchants were pushed to do so under the threat of
seeing their costs increase. This is particularly difficult for
us to accept when we already pay the highest interchange fees
in the modern world in the name of fraud costs. Visa,
MasterCard and the other card brands have defended charging
American merchants $71 billion a year in interchange fees as a
way of offsetting the cost of fraud. If a portion of this fee
is assessed because of fraud, those fees should be reduced if
fraud is reduced. Unfortunately, as we heard in the first
hearing, Visa has no plans to pass any savings along to
merchants. We hope that will change and we hope that the
Federal Reserve will see to it that this changes.
The card networks have pushed merchants and encouraged
issuers to migrate to EMV here in the United States under the
guise of reducing fraud, but without promising to share any of
those savings. As a small business I compete every day with
other food retailers from the large box chains to other
specialty markets, these fees restrict my ability to grow and
compete and are a cost that I have absolutely no control over.
The rule with Visa and MasterCard has basically always been
``take it or leave it'' with regards to their operating rules
and fee structure, placing merchants of all sizes, particularly
small ones, at their mercy.
In addition, consider the following historical trend.
Retail food companies operate at razor thin margins due to the
competitive nature of retail food industry. Our profit margin
has never hit or exceeded 2% in the 60 years we have been
collecting data. When food retailers have realized savings
through efficiencies due to technological advancements and
other cost saving measures the net profit for businesses in the
retail food industry has remained at below 2% and savings have
been passed along to the customer. This is further assurance
that if retailers realize savings from reduced fraud those
savings will also be passed along to the customer.
There is a Need for Competition:
As you can see from above the grocery industry is
incredibly competitive, with even the largest company holding
less than a 15% market share. We in the grocery industry all
compete for customers every day with competitive prices, value
and incentives to keep our customers and earn new ones. The
credit card market is inherently different with the top two
brands, Visa and MasterCard holding over 85% of the market.
These brands do not compete for merchant acceptance. They
compete for banks to issue their cards, and they compete by
promising revenues from sources such as interchange fees they
charge to merchants who accept their cards. There is no
competition with the brands to garner merchant acceptance. So
while the grocery customer has more opportunities to save money
as my store competes with others for their business, retailers
have virtually no options as customers of the credit card
companies to reduce their costs.
A Missed Opportunity to Truly Improve Card Security:
I would be remiss if I failed to address the issue of PIN
authentication. Every point of sale in our stores is PIN-
enabled. PIN is a proven safety measure that has been adopted
globally, everywhere but here in the United States.
Historically, the card companies have rolled out EMV as ``chip
and PIN'' technology. So, not only are they verifying that the
card is legitimate, they are also confirming that the person
presenting the card is authorized to use it. Unfortunately,
here in the United States, the card companies have rolled out
an untested model of ``chip and choice'' as they call it. They
left it up to the issuing banks to decide whether to issue
PINs.
I have been a bit mystified by the card brands' and banks'
defense of not requiring PIN. One of the most interesting is
the argument that the PIN is a static number and once
compromised is useless. They instead argue for biometric
authentication or continue to defend the useless signature
method. This argument has a real problem. If your PIN is
somehow compromised, or you forget it, you can go to your bank
and reset it. Many current and former government employees will
tell you, once your fingerprint or other biometric is
compromised, there is no ``reset.'' You cannot go and change
your thumbprint; it truly is static. So I think the ``PIN is
static'' argument has a few holes in it.
We all agree, technology and industry are evolving and
improvements are made every day, but here is what we know
today: PIN works today. It reduces fraud, period.
I think it is important to respond to a question that was
raised during the first hearing regarding PIN. A member asked
if the card companies allowed merchants to require a PIN. The
answer is no. We can prompt for PIN, but the current Visa and
MasterCard operating rules that every merchant must adhere to
or face fines or loss of the privilege of accepting their cards
will not allow a merchant to require a PIN for a transaction
that does not include cashback on a card, even if it is PIN-
enabled. This is a very important note to make. Banks require a
PIN when the customer uses its ATM to withdraw money, but will
not allow me the same privilege when a customer is making a
purchase in my store.
A Federal Data Security and Breach Notification Law:
Another issue that was raised during the first hearing that
deserves a merchant response is the bank and credit union
witnesses support for H.R. 2205 the Data Security Act of 2015.
To be clear, Potash Markets is committed to protecting our
customers' payment card data. Gross mischaracterizations that
merchants are not committed to protecting our customers'
payment card data and that we are not held to any standards is
simply not true. In addition to the various state laws
merchants must comply with, the Federal Trade Commission has
taken an active interest in holding merchants liable for not
adequately protecting customer data with over fifty cases
already pursued. Where we agree with the banks and credit
unions, grocers and other merchant groups would like to replace
the patchwork of state laws with one federal standard. Where we
differ, is how that federal law should work. Unfortunately,
H.R. 2205 in its current form takes a standard that was written
specifically for the banks and puts it on any and all that
accept credit and debit cards. Our desire is to work with the
bill drafters to create a final product that will allow for the
flexibility necessary that will allow for a small business such
as me to take necessary steps to protect data, but tailor it
specifically to my business needs, not unnecessarily opening me
up to liability and heavy handed enforcement without merit. We
all have the common goal of protecting customer data, but that
should be addressed with fair and narrowly written legislation
not punitive overly restrictive requirements.
What Merchants Are Expecting Next in Electronic Payments:
Another piece that was raised during the first hearing has
taken on even more greater importance in the last week. The
Visa witness shared a perspective on merchants having an option
to ``turn on'' the near field communication (NFC) technology on
the new EMV readers. She offered it as a feature and option but
not required or mandated. Unfortunately, this past week we got
a glimpse of what we should expect next. Last week, merchants
in the United Kingdom were informed by their merchant acquirers
that Visa and MasterCard will not mandate that they turn on and
accept NFC transactions. This is something many American
merchants have feared was coming next. By requiring that all
merchants turn on and accept NFC transaction, Visa and
MasterCard have moved to lock in their mobile payments
solution, and effectively block other entrants into the market.
They will ensure that every merchant accept their solution
before any others can make it to market. By eliminating further
competition in that space, Visa and MasterCard are moving to
guarantee their dominance in the market continues. It is also
important to note, it is not as easy as flipping a switch for a
merchant to ``turn on'' their NFC function. This will require
further certification, cost and investment.
Conclusion:
As you can see, there is a great deal more to EMV on the
merchant side than buying a $100 piece of hardware off the
shelf, or opting for Square's $49.99 solution. There is
significantly more investment, dependence on vendors and long-
term repercussions to be considered. As mentioned earlier in my
testimony, we are doing all of this on an untested model of
chip and choice, versus the proven fraud reducing solution of
chip and PIN technology. All of this affects merchants of all
sizes, but as this committee knows very well, these challenges
can be greatly magnified when it comes to small businesses.
In conclusion, Potash Markets has made significant
investments and is committed to migrate to EMV. Unfortunately,
we find ourselves in the unenviable place of waiting for our
providers to get us across the finish line, while we face a
busy holiday season with the threat of higher fraud liability
over our heads. I greatly appreciate the committee's interest
in this very important issue, and look forward to answering
your questions.
Testimony of Edmund Mierzwinski
U.S. PIRG Consumer Program Director
at a hearing on
``The EMV Deadline and What it Means for Small Businesses: Part II''
Before the House Small Business Committee
Honorable Steve Chabot, Chair
21 October 2015
Testimony of Edmund Mierzwinski, U.S. PIRG Consumer Program
Director at a hearing on ``The EMV Deadline and What it Means
for Small Businesses: Part II'', Before the House Small
Business Committee, 21 October 2015
Chair Chabot, Representative Velazquez, members of the
committee, I appreciate the opportunity to testify before you
on the important matter of consumer data security and the
implications of the 1 October 2015 EMV liability change for
small businesses and their consumer customers. Since 1989, I
have worked on data privacy, among other financial issues, for
the U.S. Public Interest Research Group. The state PIRGs are
non-profit, non-partisan public interest advocacy organizations
that take on powerful interests on behalf of their members.
Summary:
Chip and PIN is Safer than Chip and Signature: Since the
1970s, the U.S. credit card, and later, also debit card,
markets relied on magnetic stripe verification technology. To
better deter ``card-present'' or in-person fraud, Canada and
Europe switched to much stronger Chip and PIN technology over a
decade ago. The U.S. is finally transitioning to Chip cards,
although most banks are expected to offer the less robust Chip
and Signature, rather than Chip and PIN, cards. Chips prevent
information from your card from being transferred into merchant
computers and prevent your card from being cloned. PINs prove
you are not an imposter. Note that neither technology will
deter online fraud, only in-person (card-present) fraud.
To accelerate the belated conversion of the U.S. system at
least to Chip, or EMV (Europay, Mastercard and Visa), systems,
the Payment Card Industry (PCI) security standards body made a
scheduled liability change on 1 October 2015. As of that date,
merchants face greater fraud liability if they have not
installed card readers that accept Chip cards. Banks that have
not issued Chip cards retain greater liability. Gas stations
have a longer implementation period.
Banks Make More Money From Signature Transactions: While
the banks have a polished narrative making other explanations
as to ``Why Chip, not Chip and PIN?'', it really comes down to
one factor: Visa and Mastercard have long functioned as a
cartel with market power to drive traffic to their own payment
networks--which are signature-enabled, not PIN enabled. They
earn much higher merchant ``swipe'' or interchange fees. As
merchant witnesses will explain, they already faced significant
liability as well as are limited in their choices by card
network rules. All consumers, including cash customers, pay
more at the store and more at the pump due to these rules,
which drive traffic to the higher-cost, yet riskier signature
platforms, not PINs, quite simply because Visa and Mastercard
profit more from transactions on those platforms. In either
case, lower-income cash customers end up subsidizing more-
affluent rewards card customers because merchants bake the cost
of swipe fees into their prices.
We urge no preemptive federal action on data breaches: For
several years Congress has considered national data breach
notification legislation. Nearly every proposal I have seen,
including numerous bills before this Congress, contains an
onerous Trojan Horse provision. Even though most federal bills
provide only extremely limited consumer protections, they
broadly preempt state data security and consumer protection
laws. Data breaches can result in numerous types of harms yet
the bills do not recognize all the harms. The states have
already implemented data breach notice laws that are working
well.
I will discuss each of these points in greater detail in
the following discussion.
Discussion:
The transition to Chip cards means merchant data breaches
will no longer act as such a treasure trove of account numbers
and expiration dates for existing account fraud. The Chip
technology prevents the transfer of the full card number and
expiration date to the merchant, who will receive only a one-
time transaction code. The Chip cannot be cloned, meaning
counterfeit cards usable in Chip ``dip'' readers cannot be
created from the information available after a data breach. Of
course, many cards will be backward-compatible for some time
(still have a magnetic stripe to be ``swiped'') but these will
be used at fewer and fewer card readers over time, limiting
their value to bad guys going forward.
However, we remain concerned that most U.S. banks and
credit unions are expected to convert only to Chip cards, not
fully to Chip and PIN cards,, which are safer for consumers and
preferred by merchants, both of whom will still face the
problems of stolen Chip cards in a ``Chip and Signature''
world. Chips prove your card is not a clone; PINs prove you are
not an imposter.
So far, we are only aware of one bank, upstate New York's
First Niagara Bank, that's gone beyond Chip and Signature and
is rolling out the more robust Chip and PIN.\1\ Positively,
President Obama ordered last year that all U.S. issued credit
cards and all U.S. agency card readers by Chip-and-PIN.\2\
---------------------------------------------------------------------------
\1\ See Matt Glynn, ``First Niagara rolling out Chip-and-PIN
cards'', Buffalo News, 30 September 2015 http://www.buffalonews.com/
business/first-niagara-rolling-out-Chip-and-pin-cards-20150930
\2\ See Fred Williams, ``Obama puts federal might behind Chip-and-
PIN card security Social Security, other federal payment cards to
switch in 2015,'' http://www.creditcards.com/credit-card-news/obama-
federal-backs-Chip-and-pin-1282.php
When debit or credit card numbers only are stolen, such as
in a breach, consumer protections are quite strong, although
debit card customers may face cash flow problems while they
wait for the bank to conduct a reinvestigation and replace
money in their accounts. However, when debit cards themselves
are lost, debit card customers face much greater liability,
---------------------------------------------------------------------------
much more quickly.
The December 2013 Target stores breach ultimately affected
some 110 million customers and Target accountholders. The first
tranche of some 40 million customers had their card numbers
skimmed or ``scraped'' off the card reader software and made
consumers vulnerable to existing account fraud, forcing
numerous banks to replace cards.\3\ But the Target breach was
only one in a long series of breaches, and an increase in card
fraud generally, that had led to the proposal for the EMV card
switch.
---------------------------------------------------------------------------
\3\ After the thieves rooted around inside the Target mainframe for
some time, they obtained phone numbers and email addresses for many
more consumers with Target accounts. These data could then be used for
social engineering or ``phishing'' attacks designed to obtain the
additional information--Social Security Numbers and birth dates--that
make it possible to commit ``new account identity theft.''
Target and other breached merchants should be held
accountable for their failure to comply with applicable
security standards but that does not mean they are 100%
responsible for breaches. Merchants, and their customers, had
been forced by the card monopolies to use an unsafe payment
card system that relies on obsolete magnetic stripe technology,
buttressed by a constantly changing set of so-called PCI
standards to compensate for the inherent flaws of the
---------------------------------------------------------------------------
underlying, ancient stripe tech.
Increasing consumer protections under the Electronic Funds
Transfer Act (EFTA), which applies to debit cards, to the gold
standard levels of the Truth in Lending Act, which applies to
credit cards, should be a step taken by Congress. While EFTA
provides for zero liability if a consumer notifies her bank
within 60 days after her debit card number, but not her card,
is stolen, she still faces the stigma of bouncing checks and
cash flow problems while waiting for the bank to reinstate her
funds, which is a problem for consumers living from paycheck to
paycheck. But if a debit card is stolen, liability by law of up
to $500 begins accrue if the bank is not notified within 2
days. After 60 days, liability could be greater than $500 and
could include funds taken from linked accounts. Conversely, the
Truth In Lending Act grants credit card customers very strong
protections in all cases, plus, no money is ever removed from
your own bank account by credit card thieves.
The card networks continued to use an obsolete 1970s
magnetic stripe technology well into the 21st century because,
as oligopolists, they wanted to extract greater rents from the
system. When the technology was solely tied to credit cards,
where consumers enjoyed strong fraud rights and other consumer
protections by law, this may have been barely tolerable.
But when the big banks and credit card networks asked
consumers to expose their bank accounts to the unsafe
signature-based payment systems, by piggybacking once safer
PIN-only ATM cards onto the signature-based system after re-
branding them as ``debit'' cards, the omission became
unacceptable. The vaunted ``zero-liability'' promises of the
card networks and issuing banks are by contract, not law. Of
course, the additional problem any debit card fraud victim
faces is that she is missing money from her own account while
the bank conducts an allowable reinvestigation for ten days or
more, even if the bank eventually lives up to its promise.\4\
Further, the contractual promises I have seen contain asterisks
and exceptions, such as for a consumer who files more than one
dispute in a year. Congress should also provide debit and
prepaid card customers with the stronger billing dispute rights
and rights to dispute payment for products that do not arrive
or do not work as promised that credit card users enjoy
(through the Fair Credit Billing Act, a part of the Truth In
Lending Act).\5\
---------------------------------------------------------------------------
\4\ Compare some of the Truth In Lending Act's robust credit card
protections by law to the Electronic Funds Transfer Act's weak debit
card consumer rights at this FDIC website: http://www.fdic.gov/
consumers/consumer/news/cnfall09/
debit--vs--credit.html
\5\ For a detailed discussion of these problems and recommended
solutions, see Hillebrand, Gail (2008) ``Before the Grand Rethinking:
Five Things to Do Today with Payments Law and Ten Principles to Guide
New Payments Products and New Payments Law,'' Chicago-Kent Law Review:
Vol. 83, Iss. 2, Article 12, available at http://
scholarship.kentlaw.iit.edu/cklawreview/vol83/iss2/12
Further, the card networks' failure to upgrade, let alone
enforce, their PCI security standards, despite the massive
revenue stream provided by consumers and merchants through
swipe, or interchange, fees, is yet another outrage by the
---------------------------------------------------------------------------
banks and card networks.
Merchants that accept credit and debit cards are already
subject to a set of fees and a set of rules. The full ``swipe
fee'' includes a small fee paid to the network, a small fee
paid to the merchant's bank and a very large interchange fee
paid to the consumer's bank. Merchants also pay third-party
processing fees. A portion of the interchange fee is already
allocated to fraud prevention. Merchant swipe fees (deducted
from the payments they receive from banks) could range from
about 1% for a ``classic'' debit card to 3.5% or more for an
airline rewards credit card. (The fee schedules are complex and
the fee often includes a flat fee plus a percentage of the cost
of the transaction. Different merchant classes pay different
fees.)
Rules include both the security compliance standards set by
the Payment Card Industry (PCI) process that led to this
liability shift as well as to additional complex network
rules.\6\
\6\ These network rules set by Visa and Mastercard, as well as by
Discover and American Express, have been the subject of a variety of
public and private antitrust lawsuits over many years but are not
directly the subject of this testimony.
Incredibly, the Federal Reserve Board's rule interpreting
the Durbin amendment to the 2010 Dodd-Frank Wall Street Reform
and Consumer Protection Act, which limited swipe fees on the
debit cards of the biggest banks, also provided for additional
fraud revenue to the banks in several ways. Even though banks
and card networks have routinely passed along virtually all
costs of fraud to merchants in the form of chargebacks, the
Federal Reserve rule interpreting the Durbin amendment allows
for much more revenue. So, not only are banks and card networks
compensated with general revenue from the ever-increasing swipe
fees, but the Fed allows them numerous additional specific
bites of the apple for fraud-related fees.\7\
---------------------------------------------------------------------------
\7\ See 77 Fed. Reg. page 46264 (August 3, 2012), available at
http://www.gpo.gov/fdsys/pkg/FR-2012-08-03/pdf/2012-18726.pdf.
Under the Fed's Durbin rules the amount of this additional
compensation is as follows: banks can also get 5 basis points
per transaction for fraud costs, 1.2 cents per transaction for
transaction monitoring, and 1 cent per transaction for the
fraud prevention adjustment. Again, this is in addition to
merchants already paying chargebacks for fraud as well as PCI
violation fines, plus litigation damages, and, now, possible
additional direct costs of fraud for failing to install Chip
---------------------------------------------------------------------------
readers.
Unfortunately, without PINs, the EMV transition will not
provide merchants and consumers the level of protection against
fraud that they both seek.
Further, while most news discussion and bank political
advertising related to the Durbin amendment focuses on bank
complaints about both the reduced revenue stream and the
merchants' purported failure to pass along savings, it is
important to understand that other provisions of the amendment
were also important. For example, the Durbin amendment makes it
easier for merchants to ``signal'' to consumers that certain
payment methods, including the use of alternative networks,
cost them less and are preferred. Of course, the least-costly
networks are generally PIN-based, but most consumers, thanks to
banks only moving partway, will not have PIN cards.
We are only aware of one bank, upstate New York's First
Niagara Bank, that's gone beyond Chip and Signature and is
rolling out the more robust Chip and PIN.\8\ Positively,
President Obama ordered last year that all U.S. issued credit
cards and all U.S. agency card readers be Chip-and-PIN.\9\
---------------------------------------------------------------------------
\8\ See Matt Glynn, ``First Niagara rolling out Chip-and-PIN
cards'', Buffalo News, 30 September 2015 http://www.buffalonews.com/
business/first-niagara-rolling-out-Chip-and-pin-cards-20150930
\9\ See Fred Williams, ``Obama puts federal might behind Chip-and-
PIN card security Social Security, other federal payment cards to
switch in 2015,'' http://www.creditcards.com/credit-card-news/obama-
federal-backs-Chip-and-pin-1282.php
This month, the FBI offered but then immediately ``walked
back'' a recommendation to consumers and merchants that Chip
and PIN is better than Chip and Signature. As Senator Durbin
---------------------------------------------------------------------------
asked in a letter to FBI director Comey last week:
``The revisions to the FBI advisory raise significant
questions about whether current EMV security technology
is adequately protecting consumers and whether the FBI
is taking appropriate steps to warn against and deter
payment card fraud involving lost or stolen cards,''
said Durbin. ``Did representatives of the American
Bankers Association contact the FBI between the
issuance of the October 8 advisory and the release of
the revised advisory? If so, did the American Bankers
Association request that the advisory's recommendations
for consumers and merchants to use PINs be removed?
\10\''
\10\ See ``Durbin Calls for FBI to Explain Walkback of Consumer
Protection Advisory Regarding Security Features on Credit and Debit
Cards,'' 15 October 2015, http://www.durbin.senate.gov/newsroom/press-
releases/durbin-calls-for-fbi-to-explain-walkback-of-consumer-
protection-advisory-regarding-security-features-on-credit-and-debit-
cards
The committee should join Senator Durbin in asking Director
---------------------------------------------------------------------------
Comey these questions.
We believe that if Congress act in the payment card
security, it should take steps, as the President did, to
encourage all users to use the highest possible existing
standard. Congress should also take steps to ensure that
additional technological improvements and security innovations
are not blocked by actions or rules of the existing players. In
general, this means proposing or encouraging a technology-
neutral performance standard.
If Congress does choose to impose higher standards, then it
must also impose them equally on all players. For example,
current legislative proposals may unwisely impose softer
regimes on financial institutions subject to the weaker Gramm-
Leach-Bliley rules than to merchants and other non-financial
institutions.
Further, as most observers are aware, Chip technology will
only prevent the use of cloned cards in card-present (Point-of-
Sale) transactions. It is an improvement over obsolete magnetic
stripe technology in that regard, yet it will have no impact on
online transactions, where fraud volume is much greater already
than in point-of-sale transactions. Experiments, such as with
``virtual card numbers'' for one-time use, are being carried
out online. It would be worthwhile for the committee to inquire
of the industry and the regulators how well those experiments
are proceeding and whether requiring the use of virtual card
numbers in all online debit and credit transactions should be
considered a best practice.
Congress should not enact any federal breach law that
preempts state breach laws or, especially, preempts other state
data security rights or protections: In 2003, when Congress, in
the FACT Act, amended the Fair Credit Reporting Act, it
specifically did not preempt the right of the states to enact
stronger data security and identity theft protections.\11\ We
argued that since Congress hadn't solved all the problems, it
shouldn't prevent the states from doing so.
---------------------------------------------------------------------------
\11\ See ``conduct required'' language in Section 711 of the Fair
and Accurate Credit Transactions Act of 2003, Public Law 108-159. Also
see Hillebrand, Gail, ``After the FACT Act: What States Can Still Do to
Prevent Identity Theft,'' Consumers Union, 13 January 2004, available
at http://consumersunion.org/research/after-the-fact-act-what-states-
can-still-do-to-prevent-identity-theft/
From 2004-today, 46 states enacted security breach
notification laws and 49 state enacted security freeze laws.
Many of these laws were based on the CLEAN Credit and Identity
Theft Protection Model State Law developed by Consumers Union
---------------------------------------------------------------------------
and U.S. PIRG.\12\
\12\ See http://consumersunion.org/wp-content/uploads/2013/02/
model.pdf
A security freeze, not credit monitoring, is the best way
to prevent identity theft. If a consumer places a security
freeze on her credit reports, a criminal can apply for credit
in her name, but the new potential creditor cannot access your
``frozen'' credit report and will reject the application. The
freeze is not for everyone, since you must unfreeze your report
on a specific or general basis whenever you re-enter the credit
marketplace, but it is only way to protect your credit report
---------------------------------------------------------------------------
from unauthorized access.\13\
\13\ http://defendyourdollars.org/document/guide-to-security-
freeze-protection
The other problem with enacting a preemptive federal breach
notification law is that industry lobbyists will seek language
that not only preempts breach notification laws but also
prevents states from enacting any future security laws, despite
---------------------------------------------------------------------------
the 2003 FACT Act example above.
Simply as an example, S. 961 (Carper) includes sweeping
preemption language that is unacceptable to consumer and
privacy groups and likely also to most state attorneys general:
SEC. 6. Relation to State law.
No requirement or prohibition may be imposed under
the laws of any State with respect to the
responsibilities of any person to--
(1) protect the security of information relating to
consumers that is maintained, communicated, or
otherwise handled by, or on behalf of, the person;
(2) safeguard information relating to consumers
from--
(A) unauthorized access; and
(B) unauthorized acquisition;
(3) investigate or provide notice of the unauthorized
acquisition of, or access to, information relating to
consumers, or the potential misuse of the information,
for fraudulent, illegal, or other purposes; or
(4) mitigate any potential or actual loss or harm
resulting from the unauthorized acquisition of, or
access to, information relating to consumers.
Such broad preemption will prevent sates from acting as
first responders to emerging privacy threats. Congress sh9ould
not preempt the states. In fact, Congress should think twice
about whether a federal breach law that is weaker than the best
state laws is needed at all.
I would also note that most federal breach proposals define
harm very narrowly to financial harm. As we have seen with the
latest breaches of health insurance companies, tax preparation
firms and the IRS itself, and now even the U.S. OPM, harms from
data breaches have gone far beyond existing account fraud or
even new account identity theft to include theft of medical
services, theft of tax refunds and the reputational and
physical threat harms that could result from the OPM breach of
security clearance files, including fingerprints.\14\ Just a
few weeks ago, a national consumer reporting agency, Experian,
was even breached, although it states that its credit reports
on 200 million Americans were not affected.\15\
---------------------------------------------------------------------------
\14\ I discussed the issue of broad harms and narrow protections in
detail here in my blog (24 June 2015): http://uspirg.org/blogs/eds-
blog/usp/more-i-hear-about-opm-data-breach-less-i-know-except-its-bad
\15\ News release, ``PIRG, Others Ask CFPB, FTC to Investigate
Experian/T-Mobile Data Breach,'' 8 October 2015, http://www.uspirg.org/
news/usp/pirgs-others-ask-cfpb-ftc-investigate-experiant-mobile-data-
breach
In addition, most federal proposals have a weak notice
requirement with a risk ``trigger'' based on a narrow
definition of harm. The better state breach laws, starting with
California's, require breach notification if information is
presumed to have been ``acquired.'' The weaker laws allow the
company that failed to protect the consumer's information in
the first place to decide whether to tell them, based on its
estimate of the likelihood of identity theft or other harm, but
---------------------------------------------------------------------------
no other harms.
Only an acquisition standard will force data collectors to
protect the financial information of their trusted customers,
accountholders or, as Target calls them, ``guests,'' well
enough to avoid the costs, including to reputation, of a
breach.
Congress Should Allow For Private Enforcement and Broad
State and Local Enforcement of Any Law It Passes: The
marketplace only works when we have strong federal laws and
strong enforcement of those laws, buttressed by state and local
and private enforcement.
Many of the data breach bills I have seen specifically
state no private right of action is created. Such clauses
should be eliminated and it should also be made clear that the
bills have no effect on any state private rights of action.
Further, no bill should include language reducing the scope of
state Attorney General or other state-level public official
enforcement. Further, any federal law should not restrict state
enforcement only to state Attorneys General. For example, in
California not only the state Attorney General but also county
District Attorney and even city attorneys of large cities can
bring unfair practices cases.
Although we currently have a diamond age of federal
enforcement, with strong but fair enforcement agencies
including the CFPB, OCC and FDIC, that may not always be the
case. By preserving state remedies and the authority of state
and local enforcers, you can better protect your constituents
from the harms of fraud and identity theft.
Review Title V of the Gramm-Leach-Bliley Act and its Data
Security Requirements:
The 1999 Gramm-Leach-Bliley Act imposed data security
responsibilities on regulated financial institutions, including
banks. The requirements include breach notification in certain
circumstances.\16\ Congress should ask the regulators for
information on their enforcement of its requirements and should
determine whether additional legislation is needed. The
committee should also recognize that compliance with GLBA
should not constitute constructive compliance with any
additional security duties imposed on other players in the card
network system as that could lead to a system where those other
non-financial-institution players (merchants) are treated
unfairly.
---------------------------------------------------------------------------
\16\ See the Federal Financial Institutions Examination Council's
``Final Guidance on Response Programs: Guidance on Response Programs
for Unauthorized Access to Customer Information and Customer Notice,''
2005, available at http://www.fdic.gov/news/news/financial/2005/
fil2705.html
---------------------------------------------------------------------------
Conclusion:
In conclusion, consumers will benefit from lower fraud
risks by the transition to a Chip card regime but the banking
industry deserves to be called out for imposing higher Chip
reader costs on merchants without also further reducing their
fraud risk by rolling out Chip and PIN instead of Chip and
signature cards. The liability shift is a big stick, added to
numerous other ``fee and rule sticks'' that the banks already
use to extract fees and maintain market power; but the carrot
of reducing fraud even further by going with ``best available''
technology rather than ``best for banks'' technology would have
been a better solution.
I would also note two other impacts on consumers from the
transition. First, as the FTC has noted, the rollout is
confusing and scam artists are taking advantage of the October
1 date to create new scam pitches to consumers.\17\ Another
problem I have heard of, although not confirmed, is one that
may be faced by consumers traveling in Europe who encounter
unattended fare machines that may require a PIN at all times.
\17\ See FTC blog of 19 October 2015, ``Scam du jour: Chip card
scams,'' http://www.consumer.ftc.gov/blog/scam-du-jour-Chip-card-scams
---------------------------------------------------------------------------
Thank you for the opportunity to provide the Committee with
our views. We are happy to provide additional information to
Members or staff.
Statement for the Record
On behalf of the
American Bankers Association
Consumer Bankers Association
Credit Union National Association
Financial Services Roundtable
Independent Community Bankers of America
National Association of Federal Credit Unions
before the
Small Business Committee
United States House of Representatives
Chairman Chabot, Ranking Member Velazquez, and members of
the Committee, the ABA, CBA, CUNA, ICBA and NAFCU on behalf of
the 14,000 banks and credit unions of all sizes that are taking
on criminal hackers by issuing payment cards with highly secure
``EMV'' microchips, we appreciate the Committee's interest in
the transition to the next generation in payments security and
respectfully request that this statement be made part of the
record for today's hearing.
An estimated 575 million so-called ``chip'' cards will be
issued by year-end, millions of merchants will be on the road
to implementation, and the U.S. marketplace will be
significantly safer at the cash register for our nation's
consumers. EMV (or ``chip'') technology makes stolen card
numbers useless to thieves if they try to create counterfeit
cards, and address the lion's share of today's fraud for in-
store (or ``card-present'') transactions. The rollout of chip
or ``EMV'' technology demonstrates how the financial services
and retail industries can and must work together to better
protect consumers.
While the Committee's October 7th hearing was helpful in
highlighting some of the issues around EMV, we want to share
additional information based on some of the questions raised at
the hearing to assist you in preparation for today's hearing.
First, the move to chip technology has been underway for
quite some time. The transition to EMV began in 2011, and card
networks, banks and credit unions, merchant bank processors,
and the merchants themselves have been involved in implementing
the transition since that time. Indeed, many merchant banks
have worked with small businesses to identify ways to upgrade
payment terminals at low- or no-cost. Merchants are our
customers--we want them to succeed.
Second, consumers will benefit greatly from this
transition. After the major data breaches at big box stores,
like Target and Home Depot, tens of millions of account numbers
were posted online, which could have easily been used to create
counterfeit cards. In response, banks and credit unions
reissued millions of cards at an unprecedented pace in order to
protect consumers from fraud. Going forward, chip cards greatly
reduce the fraud risks stemming from such breaches by
generating a one-time code for each transaction, eliminating
the possibility that those chip cards can be counterfeited and
used at another store. Once chip cards fully replace the
magstripe--the U.S. has already issued the most chip cards of
any country in the world--and merchants turn on their chip card
readers, counterfeit cards will become a lot harder to create.
Third, merchants are fully empowered to protect themselves
from any increased liability as part of this transition. Once
merchants install chip card readers and turn them on, liability
returns to the financial institution. Chip card readers are
available for very reasonable prices. Depending upon the vendor
and type of upgrade needed, it can be zero or as little as $49,
which makes it easy for merchants of all sizes to protect their
customers at minimal cost. Moreover, liability shifts only for
accounts that are chip-enabled--so if the card issuer has not
done its part, it bears the risk. This is a private sector
incentive to encourage adoption and better consumer
protections.
Fourth, the ``PIN argument'' is a smokescreen used by
retail trade groups to deflect attention from the high profile
retail data breaches at big box stores over the past few years
and their underlying causes. Rather than coming together to
improve internal data security practices, the retail trades are
fixating on a PIN technology that fights a small and declining
share of today's fraud and which would have been meaningless in
breaches like those at Target and Home Depot. The reality is
that if a merchant is EMV enabled and has their card readers
turned on, they have the same protections whether PIN is used
or not. Instead of fighting, we should embrace ideals like H.R.
2205, the Data Security Act of 2015, introduced by
Representatives Neugebauer (R-TX) and Carney (D-DE), to apply
meaningful and consistent data protection for consumers
nationwide.
Finally, an attempt is being made to interject one of the
most controversial parts of the Dodd-Frank Act--the price
controls of the Durbin Amendment--into the chip card
discussion. The fact is that banks and credit unions annually
spend billions on innovation in payment security in order to
stay ahead of the thieves. We are pioneering cutting-edge
solutions--like the ``tokenization'' technologies used in Apple
Pay and Samsung Pay, end-to-end encryption, and biometric
authenticators--to protect transactions wherever they take
place. That forward-looking approach to ``tomorrow's threats''
today should be the focus of our collective discussions.
Ultimately, the only way to protect our data is to stay
ahead of the ever-changing criminal element through joint
efforts. The security of our payments system impacts all of us
and the payments system will only be secured if everybody--
banks, credit unions, payment networks, retailers and
consumers--work together to fight a common enemy.
Sincerely,
American Bankers Association
Consumer Bankers Association
Credit Union National Association
Financial Services Roundtable
Independent Community Bankers of America
National Association of Federal Credit Unions
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]