Sen. Mark Warner's Letter To Banking Regulators On Card Security

MARK R. WARNER
United States Senate
WASHINGTON, DC 20510-4606

COMMITTEES: FINANCE; BANKING, HOUSING, AND URBAN AFFAIRS; BUDGET; INTELLIGENCE; RULES AND ADMINISTRATION

January 12, 2015

The Honorable Janet L. Yellen
Chairman
Board of Governors of the Federal Reserve
20th St. and Constitution Ave., NW
Washington, DC 20551

The Honorable Thomas J. Curry
Comptroller
Office of the Comptroller of the Currency
400 7th Street, SW
Washington, DC 20219

The Honorable Martin J. Gruenberg
Chairman
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429

The Honorable Richard Cordray
Director
Consumer Financial Protection Bureau
1700 G Street, NW
Washington, DC 20552

Dear Chair Yellen, Comptroller Curry, Chairman Gruenberg, and Director Cordray:

I write to inquire on the steps federal banking regulators are taking to ensure that meaningful security improvements in the card payments space are being undertaken to protect consumers.

Over the course of the last few years, Americans have faced an unprecedented wave of data breaches compromising the personal financial or sensitive data of hundreds of millions of Americans. The breaches at Heartland Payment Systems, JPMorgan Chase, Target, Home Depot and CardSystems Solutions alone (just to name five) have affected approximately 134 million,[1] 83 million,[2] 70 million,[3] 56 million,[4] and 40 million[5] customer accounts, respectively.

Collectively, these five breaches alone have affected over 380 million individuals, more than the entire 309 million-person population of the U.S. (based on 2010 census data).[6] Furthermore, a USA Today report in October 2014 cited Federal Bureau of Investigation (FBI) officials stressing the vulnerability of banks by observing that “hackers have stolen more than 500 million financial records over the past 12 months.”[7] In an economic system increasingly reliant on electronic data and communications to conduct financial transactions and that has seen a proliferation of debit and credit card usage, such data thefts not only undermine consumer confidence, but also impose substantial costs on consumers, businesses, and the U.S. economy.

Responding to these data breaches and the need for stronger payment card security, President Obama today announced an effort to improve data breach notification requirements, an initiative I wholeheartedly support. He also issued an Executive Order last October that requires, as of January 1, 2015, all new payment processing terminals acquired by or through the Treasury Department to have enhanced security features, including chip-and-PIN protections. The Executive Order also requires the Treasury Department to implement a plan for government agencies to install enabling software. Additionally, all payment cards provided by the General Services Administration (GSA) will now be required to have chip-and-PIN authentication and GSA will begin replacing old cards that do not have these enhanced features. Other agencies will be required to provide the Office of Management and Budget their own plans for ensuring their payment cards have chip-and-PIN protection.

The President's measure takes strong steps towards ensuring cards used by the Federal Government have enhanced security authentication measures. I have concerns, however, that as merchants spend billions of dollars this year to upgrade their infrastructure to accept chip-and-PIN enabled cards, there is an insufficient emphasis being placed by federal banking regulators on ensuring a meaningful improvement in consumer safety with the corresponding issuance of chip-and-PIN debit and credit cards in the private sector. Specifically, I remain puzzled why many of the financial institutions your agencies oversee continue to issue and encourage use of chip-and-“signature” cards for the U.S. economy when better anti-fraud technology and authentication measures exist and indeed are prevalent in other countries, particularly the major economies that constitute the “G-20” group of nations.

Furthermore, constant innovation in payment card security is essential, and I hope efforts are not limited to simply implementing PIN technology but also incorporate tokenization and other evolving technologies to ensure consumers are protected from theft of their financial data.

I am interested in learning more about what your organizations are doing to ensure the U.S. financial system addresses its security issues and begins to lead the way in this arena. Specifically, I would appreciate getting your views on the following questions:

1. What steps is your organization taking to ensure the safety and security of the U.S. payment card system?

2. Specifically, how are you requiring or encouraging the entities under your jurisdiction to enhance the security of the payment cards themselves?

3. What steps have you taken to discourage reliance on signature authentication and to encourage or require the issuance of chip-and-PIN cards (as opposed to chip-and-“signature” cards) in the private sector? Has your organization considered the efficacy of the continued reliance on a consumer's signature as an authentication mechanism in light of the increasing number of breaches of payment card numbers?

4. What other countries have already implemented a chip-and-PIN payment system?

5. What have been the fraud and data security results and trends in countries that have moved to chip-and-PIN payment cards?

6. What percentage of payment cards in circulation now, and issued in the past year, inside the United States are chip-and-PIN cards (i.e., require a PIN as a first option when inserted into a chip reader)? What percentage of payment cards in circulation now outside the United States are chip-and-PIN cards?

7. What percentage of payment cards in circulation now, and issued in the past year, inside the United States are chip-and-“signature” cards? What percentage of payment cards in circulation now outside the United States are chip-and-“signature” cards?

8. According to the Federal Reserve's survey of debit transaction fraud published in June 2011, annual fraud on signature debit transactions was $1.11 billion and on PIN debit transactions was $181 million. Does that indicate that the use of PINs can help reduce fraud on existing magnetic stripe cards (similar to PIN-enabled magnetic stripe bank ATM cards)? For example, how many transactions at bank ATMs do not require the entry of a PIN?

9. By how much would the fraud-reduction benefits of using PINs be enhanced by pairing them with chip cards?

10. I want to ensure sufficient innovation is being considered so that financial institutions are remaining ahead of hackers and criminals who are attempting to infiltrate their systems and steal consumer data. What steps are you taking to encourage other authentication and security enhancements, aside from chip-and-PIN?

11. Implementing chip-and-PIN is progress, but as our economy relies increasingly on the digital frontier, fraud will increase for online transactions. How are you working with entities you regulate to ensure adequate attention is being given to security for online transactions? Do you believe sufficient investment is being made by the banking and other sectors in combating online fraud?

12. It is my understanding that in Canada PINs are used to authenticate online transactions and that some U.S. companies have adopted this technology as well. Are financial institutions prepared to handle online transactions with PIN numbers? Are there other countries in which online transactions use PINs?

These issues are of vital importance to the payment system and our economic system. I urge you to seriously consider them and I look forward to reviewing your responses to this letter by February 12th. In the meantime, please feel free to contact Milan Dalal of my staff at 202-224-2023 or Milan.Dalal@warner.senate.gov with any questions.

Sincerely,

Mark R. Warner
U.S. Senator

[1] See Tracy Kitten, New Details on Global, Heartland Breaches, BANKINFO SECURITY, Jul. 29, 2013, http://www.bankinfosecurity.com/card-fraud-case-sheds-light-on-breaches-a-5946 (130 million); Brian Krebs, Payment Processor Breach May Be Largest Ever, WASHINGTON POST, Jan. 20, 2009, http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html; Privacy Rights Clearinghouse, http://www.privacyrights.org/data-breach-asc?title=heartland+payment+systems (accessed Jan. 12, 2015) (over 130 million); Post of Kevin Judge to Comodo Blog, https://blogs.comodo.com/e-commerce/the-heartland-breach-a-cautionary-tale-for-e-commerce/ (Oct. 15, 2013) (134 million).

[2] See JPMorgan Chase Current Report (Form 8-K) (Oct. 2, 2014) (disclosing 83 million affected customer accounts); Emily Glazer, J.P. Morgan's Cyber Attack: How the Bank Responded, WALL ST. J., Oct. 3, 2014, http://blogs.wsj.com/moneybeat/2014/10/03/j-p-morgans-cyber-attack-how-the-bank-responded/; Priya Anand, J.P. Morgan doesn't plan to inform victims of cyber attack, MARKETWATCH, Oct. 4, 2014, http://www.marketwatch.com/story/jp-morgan-doesnt-plan-to-inform-victims-of-cyber-attack-2014-10-04; Craig Timberg et al., Hacked? Customers are often the last to know, WASHINGTON POST, Aug. 28, 2014, http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/28/hacked-customers-are-often-last-to-know/.

[3] See Target Data Breach FAQs, https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ (70 million) (last visited Jan. 12, 2015).

[4] See Press Release, Home Depot, The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores (Sept. 18, 2014) (56 million card accounts).

[5] See Jeanne Sahadi, 40M credit cards hacked, CNN MONEY, Jul. 27, 2005, http://money.cnn.com/2005/06/17/news/master_card/; Kim Zetter, CardSystems' Data Left Unsecured, WIRED, Jun. 2, 2005, http://archive.wired.com/science/discoveries/news/2005/06/67980.

[6] See U.S. CENSUS BUREAU, POPULATION DISTRIBUTION AND CHANGE: 2000 TO 2010, C2010BR-01 (2011).

[7] See Erin Kelly, Officials warn 500 million financial records hacked, USA TODAY, Oct. 20, 2014, http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecurity/17615025/.

[8] See BOARD OF GOVERNORS OF THE FEDERAL RESERVE, 2009 INTERCHANGE REVENUE, COVERED ISSUER COST, AND COVERED ISSUER AND MERCHANT FRAUD LOSS RELATED TO DEBIT CARD TRANSACTIONS (2011).
