tv Key Capitol Hill Hearings CSPAN August 13, 2015 9:00am-11:01am EDT
>> many presidential candidates visiting the iowa state fair, we'll learn about the fair's history and its tradition as a stop on the road to the white house as we look back on the 2008 presidential race. and saturday evening at six on the civil war, historian and author john corps steven on the 1864 battle of mobile bay, the resulting union victory and the closing of one of the confederacy's last major ports. get our complete schedule at c-span.org. >> there's an october 1st deadline to replace u.s. credit
cards with i new ones 'em -- with new ones embedded with security chips. up next, a conversation on credit card security technology. the event hosted by protect my data. >> good afternoon, everyone. i'm deborah berlyn, i'm leader of the protect my data and president of consumer policy solutions, and i'd like to welcome you to our program and thank you for being here to take part in this discussion today regarding an important consumer issue. protect my data is a consumer education campaign on credit card security. we're joined today by our distinguished white house guest speaker followed by a panel of leading industry and consumer issue experts to discuss this issue. after brief opening remarks and our discussion, we will open
this to answer any questions you all may have. we're here today to explore the steps retailers and financial institutions are taking to secure credit and debit card transactions. the differences between chip and pin technology compared to chip-equipped cards -- thank you -- chip-equipped cards, that's better, with signature requirements and to provide a brief overview of what the white house is doing to protect american consumers from credit card fraud and identity theft. after what seems like an unending occurrence of cyber attacks at government agencies, financial institutions, retailers, health care companies and even in the entertainment industry in recent years, hundreds of millions of american consumers have had their personal and financial data
stolen and their confidence shaken. given these recent data breaches, it's no surprise that data security is at the forefront of many consumers' minds. congress is trying to work in a bipartisan manner on efforts to improve public and private cybersecurity measures, but less attention has been paid to the issue of improving payment security measures. and while we certainly need more robust cybersecurity measures to protect sensitive financial data, we also need front line measures that will stop criminals who try to use stolen banking and credit card information. the most common credit cards, like the ones you have undoubtedly been using, date back to the 1970s. they use a magnetic stripe on the back of the card which houses our financial information along with a signature for
authentication. but as we all know, thieves have all but mastered the ability to exploit the weaknesses of existing credit cards. what's more, they can use stolen financial information to exploit the weaknesses of existing credit cards. what's more, they use that financial data to create counterfeit cards to run up fraudulent transactions and steal from consumers' accounts. to help combat fraud, many card issuers and financial institutions in the united states have begun deploying new microchip-equipped cards, also known as ehv cards, that are -- emv cards, that are encrypted. some of you have already started to receive these new chip cards. however, most of these cards still rely on a signature as a secondary form of identification; a feature that, unfortunately, can still be easily forged.
instead, chip-enabled cards could offer greater protection for consumers by coupling them with the requirement that consumers enter a personal identification number, a pin, to properly authorize a transaction instead of a signature. the pin requirement adds a distinct layer of security to each transaction that has been proven to reduce fraud. our panel of experts here today will discuss these issues in more detail. the evidence of chip and pin's benefits and huguetened security -- heightened security protection were highlighted in president obama's executive order issued last october, and it's with great pleasure that i welcome our first guest speaker today to tell us more about the administration's actions. dr. marisa porges is the senior policy adviser at the national economic council and is the lead for the president's buy secure
initiative. she has a very impressive background in international affairs and also served our country as a flight officer in the u.s. navy. so please join me in welcoming our first speaker to present today, dr. porges. [applause] >> thank you, deborah. thanks, everyone, for being here today. i'm really excited to get a chance to talk to the group and join my fellow panelists for a conversation about consumer financial protection and looking at it through the cybersecurity lens, and i'm particularly excited to see some faces i've worked with and names i've worked with in the past but also new people coming to the table for this conversation. as i'll describe, and as i think our conversation will demonstrate, this isn't about a whole-of-government approach, it's not even about a whole-of-industry approach, it's really about a whole-of-everyone
approach including folks here representing their members of congress, including our consumers in the conversation, and the fact that we're out there to demonstrate why this is really about including even in the conversation is looking back at our data reports rather than reports of data breaches. it used to be if we think back to the 2007-2011 time frame, we often mostly thought of the business sector as being the target and, in fact, for that period over 34% of the data breaches reported were targeting businesses, retail industry, the payment processers. but if we look just at this year and, you know, even until the end of july, we've seen the medical health care industry becoming the number one reporter of data breaches. second behind them, of course, being the government and the military. and we've already seen this year will likely surpass that last year which in and of itself was, set a new unfortunate standard for how many data breach instances that american consumers were facing.
so with that and sort of the understanding that it's really about everyone playing a part, i'm going to talk about consumer financial protection through the lens of the white house and look at it in three lanes, three areas. first and foremost, what we're doing from the perspective of the federal government to insure the federal government is better protecting american consumers. second, how we're making sure the private sector is positioned for success on this front. and last but not least, to talk briefly from a strategic perspective how we think of consumer financial protection within the broader landscape of cybersecurity and how we should sort of think of things not just in the next year, but moving forward over the next decade, what questions, concerns, issues should we consider. so with that, i'll dive right into looking at it through the government lens, what we are doing to enhance american consumer financial protection. and i'll go back to what debra
mentioned, the executive order signed by president obama in october of last year which launched the buy secure initiative. now, buy secure has become a keystone in the federal effort to lead the way in protecting american consumer transactions. and during that announcement and ever since, we've been working to transition federal agencies to insure that we are using enhanced security payment technology with all our retail payments. what does this mean? it means that the two lead agencies who work with card issuers to issue cards on behalf of the u.s. government -- the general services administration, gsa, and treasury -- have begun actively, aggressively issuing chip and pin enabled cards. and i'm excited to report that we got the numbers back in yesterday for the month of july, and it means that gsa working with the payment industry has
issued over one million new emv chip and pin-enabled cards to federal government workers so they can use them when they travel, when they're making payments. and this is an effort to drive and lead the way for how we're protecting our transactions. likewise, treasury has started issuing 10,000 new cards a day as part of a phased approach to introduce emv technology to recipients of federal benefits who have a direct -- excuse me, a direct express debit card. and so we're really looking at all sides of the system on that front, but also even moving past emv how we're using other secure, enhanced payment features. things like online payment, paypal, card not present. and so you may have seen in february treasury announced that if you pay -- paying bills to government agencies online through pay.gov, things like court fees, things like payment to your fba loan, you now have
multiple payment options to include paypal and dwalla. of course, we also have to think of to it on the receiving end, and anyone who's been to a u.s. post office lately, their payment terminals have been upgraded to include enhanced security features, the ability to use chip and pin, and that's something we're doing across federal agencies, and we see 19 federal agencies are currently upgrading their terminals. it's how we're receiving the american customer, consumer for any federal payment transaction. and i can talk more about there's a number of other things in terms of tools we're giving the american consumer, but that gives you a taste for what buy secure is doing to demonstrate how we can better protect american consumers and their financial transactions. now, i'll turn briefly to how we're looking to help the private sector on this because, again, it's not just a whole-of-government approach, it's a whole of government, industry, congress, everyone
approach. and this is a challenge that industry and government must tackle together. suffice to say that our computer networks and the systems that consumers deal with every single day are mostly held by the private sector. on the other hand, government oft times has the latest and greatest intelligence and information to help the private sector monitor threats and respond most effectively and quickly. so it's only by marrying those two groups up and making sure they arter in more -- partner more collaboratively together that we can insure consumers are better protected. and what does this mean? it happens on a multiple front. again, first and foremost, it's about positioning the private sector to lead and effectively lead on this issue. hopefully, a number of you saw or heard about -- hopefully attended, since it was in california in mid february -- the cybersecurity and consumer financial protection summit held in september, rather, held in stanford in mid february.
and it was a really exciting event not just because of the good weather and not just because of the 24-plus senior leaders, ceos and other executives we had from the tech industry for consumer advocacy groups, from retail, health care, others, but it was about the dialogue that happened that day and, of course, commitments that those companies made coming out of the summit. and that day we had over two dozen companies make major commitments to improve their cybersecurity efforts, to do more to give consumers tools that they could use to protect their identity, to manage their risk better and introduce more enhanced security payment features. so, again, what does this look like? this looks like announcements by qvc, caser permanent today, walgreens, u.s. bank, pacific gas and electric and others to start using the cybersecurity framework to better protect
information they hold on behalf of the american consumer. it looks like visa announcing a more aggressive timeline for tokennization. and american express introducing enhanceed security technology in the form of multifactor authentication. and entities like nationstar who have, are now offering free credit scores on a regular basis to their consumers. again, tools we all can be using to monitor for identity theft and more quickly respond to any incident of a malicious attack or incident. but what else are we doing? the interesting thing that came out of this summit were how we're collaborating more ever since. one thing that came out of the dialogue was that oft times individual or sector-specific engagement is the most effective. and what does that look like? that looks like efforts by specific agencies addressing the sectors they work with to simulate cyber incidents, talk through the responses and identify key challenges moving
forward so they can better, more effectively respond in the future. specifically one good example for the group is treasury. treasury has done multiple tabletop exercises that, again, simulate what happens in a malicious attack or cyber incident and determine how best to respond so that we in government can help the private sector most quickly and effectively protect the american consumer. and, again, a key part of that -- as always -- is information sharing. now, as a third lane just to briefly consider how this all fits into broader cybersecurity efforts, cybersecurity and consumer financial protection are often two sides of the same coin, and we've seen the cybersecurity threat continue to evolve, rather, over the past few years. and likewise, our responses continue to evolve. so, too, our consumer financial protection responses must
continue and be an ever-evolving process. and what does this look like? this looks like conversations about legislation, conversations about including new stakeholders in the conversation, conversations about how consumers and the american public consider their identity moving forward in the next decade and what identity management looks like. and to dive into a few of those a little more, on the legislation front, now, i'd be remiss in this audience not to mention it, specifically since 2014 was such a really good year for us when we look at congress passing cybersecurity-related legislation, specifically legislation that addresses, that improves how the federal government protects its own network and positions the central government to -- the federal government to engage in cybersecurity missions moving forward. but we're all well aware that there is still new legislation proposed out there to address
consumer protection issues. and i'm addressing legislation proposed by the white house earlier this year that addresses a few key issues including information sharing and data breach notification. and provides additional safeguards to insure the american public has its privacy and civil liberties protected and provides for increased information sharing among government entities, between government and the private sector. and so we're really hoping that the momentum we had in 2014 will carry forward through the fall of 2015 and we can have progress on this project. because it will set us up for increased success moving forward. last but certainly not least, we're talking about other stakeholders. i will probably say "last" twice because i have two more i'm thinking about. we've talked about the federal government, but this is also state and local entities. and we were really excited at the national economic council to participate in may with
general -- rather, governor mcauliffe at an event where the state of virginia announced they would be the first state to mandate that state agencies would begin accepting chip and pin during the retail transactions. and like the buy secure initiative, the start actively, aggressively issuing emv-enabled cards moving forward. again, thinking about the multilayers of our system and how retail transactions at all those layers can be more secure moving forward. to support this sort of it in other -- of effort in other states and local entities, we just put out late last week, actually, a best practices, a guidebook of sorts that the gsa put together for thousand state and local entities can more aggressively and actively do what other states are doing. so i encourage you all to go online and go to gsa's web site and see how they suggest other entities follow suit and also
address their retail transactions more securely. so is to -- so to close, and i said i'll address one more stakeholder, and i'll do it in my closing. and i'll close by saying i think we're at a strategic inflection point. i think we're positioned for success moving forward with all the people we have in the room, with the people on the panel, with the good efforts on the private sector and by various government agencies and other entities on in this issue over the past year, but there's a lot of work that needs to be done. nothing i mentioned is a silver bullet, but they're all pieces of the puzzle that we need moving forward, and the last piece, of course, is the american consumer. and i would just encourage in our dialogue moving forward to consider how we include the american consumer in the conversation. not just about how they should start using the chip on their card, but really what identity theft management looks like moving forward, why multifactor authentication is key, how to
move the password and what the future of identity protection looks like for us all. so i look forward to your questions and look forward to talking with the panel on this. thank you, debra. [applause] >> thank you so much. those remarks were right on target, fabulous, and it's so exciting to hear about everything the administration has been doing to move us forward for consumers for credit card security. this is great. we have an outstanding panel before you here today, and is i'm really excited about introducing them all to you right now. i'm going to introduce them all, and they're not necessarily going to speak in the order that you see lined up here, so i'm going to ask them each to just sort of nod or raise their hand as i introduce them, and then we'll get started. first off will be liz garner who is vice president of merchant
advisory group, and then we will hear from bill boger who is senior vice president and chief legislative counsel for the american bankers association. and then we will hear from our wonderful consumer issue team of john breyault who is with the national consumers league, he's vice president of public policy, telecommunications and fraud. and steve pociask who is president of the american consumer institute. and i've had the pleasure of working for many years with both john and steve on a whole host of consumer issues, so it's wonderful to have both of them here today to join me. so first off, i'd like to call on liz to talk to us and, plain what retail -- and explain what retailers are doing to better
protect consumers. >> thanks, and thanks for having us today. a lot of familiar faces in the crowd. let's start, i would like to engage the audience. how many people know how many visa credit cards have been compromised in the past two years? how many people know how many mastercard cards have been compromised in the past two years? how many people could name a big retailer or bank who's been compromise in the past two years? i think that says it all. our members and our brands who are at stake when it comes to payment card security, and it's our relationship with our customer. so protecting customer data and payments in particular is paramount to the merchant community, and it's something that all of our folks take very seriously. at my organization our direct members are the finance and treasury professionals. so i'm not even talking about cios and the technology people within the company, and i can tell you that payment card security is a number one issue for our folks. that's how important it is
because of the brand damage and the customer service issues that a retail merchant or another business like a bank or someone else faces if -- in the wake of a data breach. so here are a couple things that we're doing, some of the technologies that are already at market that we're very focused on. we're going to talk a lot about emv today, but i'll get to that last. two of the other important ones are tokennization and encryption. tokennization takes that data out of scope. if it's stolen, it makes it virtually unusable to thieves who have managed to access data. encryption is when you protect information in transit. when i swipe one of my cards at, you know, my neighborhood grocery store, that goes out for authorization through my merchant acquirer. it goes through the payment card brand and goes to the issuing bank, and then it goes back all the way to the merchant point of
sale, and that's not even talking about some of the new transactions that are out there. if i'm transacting with this now, i've got mobile carriers, potentially apple on my phone or somebody else who's going to touch that data. and protecting that all the way through the transaction is critical. and that's something that our merchants are very focused on, deploying tokennization and encryption solutions together. and when i say tokennization, i should clarify be i'm not talking about an off the shelf payment brand version, i'm talking about our own proprietary tokennization technologies that several of my members have been utilizing for years that are more inclusive. they include all the products we have, not just credit and debit cards to retail gift cards, and it's much more expansive. same thing with some of the office shelf solutions we're buying from our merchant acquirerrers. -- acquirers. emv is the one that everybody's focused on because we've got this october 1 liability shift
date. so what is emv? your to -- euro pay mastercard visa. it's, essentially, a computer chip on a card that helps prevent against counterfeit fraud on this card meaning it makes it more difficult for me as a thief to come in and recreate this versus the old mag stripe cards that we have that we still utilize in the states today. so the important thing here is that this prevents card not present -- or card present, i apologize, counterfeit fraud. and that's what we're trying to get at with the deployment of emv in the united states. and we're the last country in the industrialized world to go there. so we've got this liability shift date, october 1, 2015, to simplify, there are a lot of nuances of what exactly happens and who bears liability once this shift goes into effect. but to simplify it, the party who's done the least to enable emv will be the most responsible for fraud in a card-present environment. so i think if we look at some of the global deployment numbers,
it's really interesting. worldwide emv card issuance, the adoption rate is about 40-50% whereas on the merchant side, merchant terminallization -- so i've set up the means to accept emv -- is closer to 80-90%. i think we're likely to see over time the same trends here in the u.s. where you have merchants installing the capacity to accept cards if they think this is going to -- it's going to reduce their card profile and the risk to their brand. i think a pew research poll came out this week that says only one in ten cards have a chip on it that's in american consumers' wallet. so we're pretty close to october 1 now, so i think a lot of people are asking what does this mean for businesses and consumers when we hit this october 1 date? i think it means a few things. i think some businesses are going to be ready to accept emv, and for those consumers who have those type of cards in their wallet, they'll be able to use it. there are some other businesses who may not, and i want to go
into a few reasons why. it's not for lack of trying, but, you know, i've talked with one of my large members yesterday whose equipment provider hasn't certified they can accept these cards yet. so he can't roll out emv acceptance in his stores until that equipment provider certifies this product and field tests it. one of the reasons we're lagging behind there is this is a global specification. like i said before, euro pay, mastercard, visa. and there are a few cards who govern the brand around acceptance, and one of the things we saw was a technology delay whereby in the u.s. we have domestic debit card networks. so groups that you see on the side of an atm machine, those types of groups who wouldn't have access to transactions on these cards if we didn't deploy a solution that was very specific to their products. and we didn't get the rights to
that technology until sort of early 2014. that timeline for deployment of a simple technology project, even at retail, is 12-18 months because you have all these different parties. you have equipment providers, you have processers, you have everybody who has to test and certify that it's safe and secure for the consumer to come in and use these products. and on our end, we also want to make sure it works smoothly, that it's a seamless process for anyone coming into our stores. we may not be there october 1, but we're going to be move anything that direction. so some people ask me, well, are all merchants going to deploy emv? for that i think we have to take a look at what is the return on investment for deploying emv. and like i said before, there's a huge benefit to merchants if they can better protect their brand from data security. we're thrilled that the white house's initiative to move towards chip and pin cards, a million cards marisa said.
that's fantastic, to already be there. that's really ahead of the game, to get that many cards out at market, and we're really pleased to hear that. we know the challenges that the post office and others have dealt with to get their terminals as well. so i think it's great that the government's making such great headway there. i can tell you i have a friend who works at the state department who has one of the chip and pin credit cards who was so excited to get it in the mail because she travels in eastern europe all the time and has had trouble using her government cards for years, and now she has one that works and is more secure. so we're definitely moving in the right direction. but one of the challenges with emv in the u.s. is that we're not adopting fully the chip and pin initiative that the government supported, and it's not fully interoperable or a best racks with what's out there -- best practice with what's out there internationally. there are a few reasons. one, it's a network-driven investment in the states, we have road maps from major card brands, and there's very more
concentrated network market share in the signature environment versus the pin. so it's a market share issue there. on the issuer side i think, you know, as a business i'm very sensitive to the argument that putting a password on one of these cards, putting a pin on this might make it a little bit more -- might include a little bit more friction when i go to pull that card out as a consumer. and as a business, i am, actually, going to be very worried that that would make me put this card at the bottom of the wallet and take out one of my other credit cards. but, you know, on the flip side i question how big is that risk x. a very important point here is that's a business-driven decision. that's not a security-driven decision. i think security experts will tell you two-factor authentication is really the way to go to increase security for cardholders, for consumers. and then i also question as somebody who's had my phone swiped out of the front of my car not password protected, i
will never not protect this again. apple gives me the ability to set my phone up so that i have to enter a password to access this. and i think by not on the issuing side putting pins or passwords on these products, we're doing a disservice to the american consumer. i mentioned before we're the last industrialized country to really move towards chip and pin to emv cards, and i think one of the benefits of that is we have more technology capabilities here in the u.s. that -- even than others have who have rolled this out sooner. one of which is the ability to accept pins online, and that's a great feature that's commercially available that several of my members have deployed and that if there are pins on these cards, that'll help reduce internet, e-commerce fraud. that's a huge concern for us right now. e-commerce, internet transactions are some of the fastest growing transactions in the united states, and they're transactions that typically do have a lot of fraud. and on the merchant side, we're
bearing somewhere between 70-100% of all that fraud. so for us, protecting those internet/e-commerce transactions and even these mobile transactions is paramount. so we'd like to see pins on these to take it even further. last thing i'll say about pin, you have a chart on your seats there that's from the debit pulse issuer study that came out just last week. look at the fraud loss line. that alone shows you why we prefer pin in the merchant community. it's not about cost, it's about security. security to consumers. it is 7-8 times more secure if you have a pin-protected transaction. those numbers speak volumes. and if anybody says that it's merchants who want to pay less interchange, look at regulated issuers. the interchange at the very top, it's a penny higher on pin. so i would push back significantly that there's any other rationale behind merchants
wanting pins other than it is a more secure type of transaction. to conclude, i think, you know, we need to be pin protecting, password protecting products so that we have two layers of authentication so that we can better protect businesses and consumers from fraud losses in the united states. ill point to one international -- i'll point to one international example, australia launched a campaign that was run by all the major global card brands to, essentially, move to pins on credit cards which is what we should be doing here. and they did it in a very thoughtful way. they did it based off of the risk on the transaction too. so there's a very big difference between my stop in at mcdonalds or wendy's at noon on a friday than it is at midnight on a friday. if i'm buying $50 of food, i might not need to ask for a pin or $35, whatever the threshold's going to be for that noon transaction, but the midnight or one a.m., i may want to ask for
that cardholder authentication just to be sure that person is who they say they are. and if there's not a pin on that product, i can't do that. and, ultimately, that leads to more fraud in the system, and that's bad for consumers and for business. so from our point of view, we really need to take ehv -- which is the next big technology coming to the u.s -- one step further and pin protect it. >> thank you, liz. thank you so much. and now we're going to move to bill boger who is going to talk about the financial services industry from the american bankers association and talk about your perspective on how you're protecting consumers. thank you, bill. >> okay. >> you on? >> yeah. i was -- thank you for inviting me first, debbie. i really think this is an impressive turnout. i don't know if it's the free lunch, but i'm very impressed that you all are out here in an august recess, so
congratulations for being in the audience. and i have to tell you, your opening arguments were terrific. marisa, yours were magnificent. you all set the stage for this talk. and i have to tell you, you know, information sharing is a huge thing for us. we appreciate all the work that the white house has done on it. the house has passed information-sharing bills that you guys have been haley involved in. we're -- heavy i have loved in. we're trying to get it through the senate, and we do agree that information sharing is another side to the coin that we're talking about here. perhaps probably the most important part of it is sharing information and, liz, all your comments laying out the background for emv and your arguments were terrific. i have to tell you, talking about your analogy to late night transactions, if there's any transaction that's after 10:00 that involves me, it is inch herntly a suspicious transaction. [laughter] because i'm in bed by 10:00. so i would appreciate getting a call from my credit card cane to tell me about that. and, in fact, i had a recent
experience where it didn't involve a pin card at all, it just involved a regular card of a major brand that's headquartered in virginia, if you're listening. and i had a nice little lunch, took my son out who's an intern at the american bankers association, had just a quiet lunch at a local restaurant. not a very big ticket item. and in excess of just enjoyment of having a conversation with my son which if you know teenagers, doesn't happen very often. but just a talk with him, i left an excessive tip which was over 20%. well, the next thing that happened was my institution sent me an e-mail asking me whether, in fact, that was me doing the transaction and looking at the fact that it was in excess of 20%. so i guess my point overall -- and i'll go into my prepared remarks and we can have at it, is i think the talk about pin is
part of the multifactor, protective, you know, environment that we all share that we want to protect consumers, but it's not the beall and end all of everything. and there's other mechanisms in place right now, technology that we're using in our phones, the biometrics that, you know, awe they want case a -- authenticate a frank action that are in place and, quite frankly, are better than static technology such as pins. and when you get a call from your institution almost immediately after a transaction takes place asking if it's a fraudulent transaction or not, that's pretty darn good work. and we want to encourage that. and we don't want to sit back and just say, okay, well, if we put in place a four-digit number, that's going to solve all the problems. we know that it doesn't. we know it doesn't deal with the online transactions. we've all got to work together to try and solve these problems. we want to work with the administration, we want to work with you guys, we want to work with consumers. we want to make emv a success.
we want to continue to evolve our technology to deal we involving threats. but you all have to realize that our market, our credit market is one of the most complicated and extensive markets in the world. i mean, just a couple of factoids. 1.1 billion credit and debit cards are in circulation right now. 1.1 billion. the government, you noted, has made some good progress with chip and pin. that's a million cards versus 1.1 billion. the government's a huge operation, but it's not like the private sector. the value of card purchases was nearly $5.4 trillion in 2014. the number of card transactions was over 100 billion in 2014. folks, this is a big aircraft carrier. it takes time to get this stuff put in place. they start with this emv transition probably three years ago. as liz mentioned, there's an
inflection point that we're dealing with which is the shift in liability. i've heard various reports about how many chips have been put in place by the merchants. i will tell you from our perspective, from the banks, by the end of this year there'll be 600 million, maybe even more of these cards that have been issued. i think if we're looking as long as we can work with our partners in the merchant community and folks in the consumer sector, we may be able to cover most of the cards out there by the end of 2017. so it's going to take a lot of work and a lot of cooperation, but i have a dealing if we can continue to have these kind of conversations, we can work towards that goal. so, and, you know, i don't think i really need to go into a lot of the details of the migration. i will tell you that there's been a lot of work behind the scenes, a lot of cooperation among the networks trying to put in place a uniform date for when this shift in liability occurs. but it's not a deadline.
it's a position point where that shift occurs. it doesn't mean that everybody's got to go out and put it in. it doesn't mean that every bank's got to issue that kind of card, but it does encourage and incent them to do it. and i this i that's -- i think that's the key here. we want to incent people to protect data. we want to work together. we don't want to mandate a single piece of, quite frankly, outdated technology to try to make that occur and somehow walk away thinking the problem's been solved. it hasn't been solved. we need to work together and continue to work together to solve the problem. thanks, debbie. >> thank you very much, bill. okay. so we're going to move now from the industry perspective to the consumer perspective, and, john, i don't know breyault with the national -- john breyault with the national consumers league, tell us some of your thoughts about the consumer advocate perspective. >> sure. can everybody hear me okay? great. so just a quick baseline for
you, ncl is the nation's oldest consumer advocacy organization. we've been around since 1899, almost as long as mag stripe has been around. so the issue that we are seeing here is as we shift to, away from this old mag stripe technology to emv, i don't think there's any question from our point of view that it's a more secure technology. is chip and signature, emv, as secure as chip and pin? no. at least not in our view. that's because of the way that you authenticate a cardholder. but that said, it is a very significant improvement in card security versus traditional mag stripe only. essentially, chip and pin from our point of view tends to be a way to protect consumers against lost card fraud. this is when you actually lose your physical card and somebody
takes that card into a retailer to try and use it. in a chip and pin world, that would be practically impossible, although there certainly are -- we just saw it this morning, brian correct who writes extensively on fraud, talked about new skimming technology coming out of mexico that may make chip cards more vulnerable than we previously suspected. so we'll be keeping an eye on that. that said, we're moving to emv. i don't think there's any question that that's happening. as we just heard, there are millions of these cards that are being provided to consumers, and so this is something that consumers are going to get used to having this chair wallet -- in their wallet. that said, it's not going to be the silver bullet against fraud. we've seen in other countries such as the u.k. that when they made the shift to mag stripe to chip-based cards, much of the fraud that was associated
previously with card duplication or card counterfeiting instead moved to card not present fraud, that is online credit fraud. so that's certainly an area that i think consumers are going to have to maintain individual lance about. unfortunately, we're going to have to continue to recommend to consumers they pay close attention to their credit card statements, flag any suspicious charges. so that's certainly one area that we expect to see based on international experience. you know, on the, on the legislative side i'm glad you raised this earlier in your remarks, because this is an area that we think despite the technology advances that we are seeing in the industry, there remains a very strong need for baseline security legislation from the u.s. congress. ncl has supported a bill that has been introduced by senator leahy in the senate side, i believe there's a house version
that will soon -- that hasn't already been, that will soon be introduced of that bill. we think that is a bill that not only provides baseline security protections that would require all businesses to adhere to a certain level of data security protection, but also provides a data breach notification standard that raises all boats as opposed to looking for a least common denominator approach that would actually reduce consumer protections in many of the states that have passed out a breach notification protection. we're going to be supporting a new bill in illinois that strengthens their existing data security legislation. and, certainly, we look to states like illinois and massachusetts as templates for good data security protection that could be considered as a national template. you know, one thing we're also concerned about with regards to getting back to the pin issue is this long tail of small businesses. so i think that if you read the
press, you're going to see that many of the largest retailers are going to be implementing chip-enabled terminals. if they haven't already implemented, you'll see them starting to get into the checkout lines. we're also going to see more places where they are already in, turning on that functionality, the chip functionality. however, as was mentioned earlier, this is going to take a while. consumers shouldn't expect that by october 1 suddenly their cards are going to be secure when they go to their local retailer. but they should look for retailers who have chip turned on. and so that's going to take a little bit of consumer education to make consumers understand why chip is a different way to pay, the advanced security benefits that it brings. but they're also going to continue to use mag stripe. for example, while we have an october 1 liability shift for many retailers, atm machines and gas stations, for example,
they -- their terminals are not going to be subject to the liability shift, i believe, until the end of 2017. so that -- in addition to that, you're going to have many, many small businesses who simply are going to make the decision that their liability for fraud is not enough to outweigh the not-insubstantial cost of acquiring a new payment terminal. so consumers will continue to see small mom and pop, smaller stores that are going to continue to take mag stripe into the foreseeable future from our point of view. so, you know, while just in closing i think, you know, we are glad to see e america v -- emv rolling out, we do think it's more secure. it's not the silver bullet. we're very glad to see the president's buy secure initiative. i think that the federal government can lead by example here in adopting more secure payment technology. but that doesn't exclude the need for federal legislation to lift all boats.
so we're very happy to be here. debbie with, thank you very inviting ncl to come and speak on this very important issue. and if you don't mind me putting in one quick plug, if you are interested in consumer data security issues from -- we have just launched today a new publication called our data insecurity digest that is going to provide important analysis and links to important media articles about consumer data breach and security issues, and you can find out all the information at nclnet.org. thanks. >> thank you, john. steve, your thoughts. >> thank you, debbie, very much, for inviting me. i'm steve pociask, president of the american consumer institute. we're a 501(c)(3) research/educational institute. it's a pleasure to be here. let me just -- i think we've kind of heard a good baseline here for the discussion, and i just want to emphasize a few points and then add in a few new ones here, so i'll be pretty brief. there's a lot of statistics that
have been used out there about how bad things have been last year and the year before that, and some of the statistics like one-third of americans had their information compromised in data breaches. there was another one that was somewhere between, like, 40-45% of companies had data breaches in the last year. i mean, the importance of this issue can't be, you know, overlooked. i mean, we're talking about the need for better security along all steps of this for better protection against data breaches, reducing fraud and here with the signature still in play, we're talking about reducing forgery be the we can move towards a pin system. i think it's so important that we think about building confidence between the consumer and merchants and the credit card companies, and i think we're just a little bit out of sync here when we're taking an incremental step towards adding
the pin but still leaving a signature in place when, after all, we could have in that -- when you ask merchants to change out their point-of-sale terminals, have just made the change. we're talking about a technology, the chip and pin, a technology that's been in use for over ten years, you know? all the major economies in europe and parts of south america and other places, they use the technology, they have used the technology. there are studies that show a reduction in the fraud that resulted from that. but still we're relying on signature. so we're relying on this 1970s technology, and it's kind of like, you know, why are we doing that? if we're just going to make the incremental step, why don't we just put in what works today? and, yes, we have issues still with online. we want to make sure that we have a, you know, a sort of multifactor authentication, and there's other issues that have to -- but right now we're taking
the step and having merchants put something in place that's already out of date. and to me, that's the -- why? why are we doing this? you know, i'm at a little bit of a loss, but some explanation that i'm hearing is that the major merchants in the u.s., which will soon be put at risk come october, so they're potentially facing higher costs. we have consumers potentially at risk because of these data breaches with their personal information being identified. but to me, the credit card companies themselves are not taking as much of the risk. what we see here is the fact is that the signature system allows them to take a higher transaction fee than the pin system does. so if you look over in europe where they're able to do this, there's more competition for these systems. and the end result is a lower transaction fee.
and if you look at the difference between the signature fee transaction fee versus the pin fee, that should represent to you a measure of market power. that's what it represents. so, i mean, let's look back at what happened with some of the major breaches. i mean, had pins been in place, had they been required on the current magnetic stripe systems that we have, they would have hindered the ability of these thieves to have monetized these stolen cards, and that, in effect, would end up making those cards less valuable. so now we're talking about the breaches that happened such as in target. and it's simple economics. what you're trying to do here is if you think about a thief as running their own business, what you want to do is you want to raise their margin of cost. and the way you do that, you shift that curve to the left. you make it less valuable, you raise their costs, and the end result of that -- like in economics -- you get less fraud.
it's as simple as that. but we're not moving towards that. and i think what we have here today is a market failure. because when you look at the difference between the transaction fee for the signature versus, you know, what would happen with the chip and pin, if you look at that, that in itself represents as i said before a market power, and that market failure just speaks toward the need for a remedy to address this. yeah, thieves are going to be smarter in the future. we're never going to catch up with this, and we're always going to need something new in place, but right now we have something better, and we're not taking that step. we're still sticking around with the 1970s technology, the signature. and that's just a shame, because it's going to require the merchant to go out and get another terminal down the road, and then a couple years later another terminal. and most of these firms, i mean, 80% of them have one employee or less. they're, essentially, many of these are proprietors. so what we're doing is we're adding costs instead of trying
to impose the costs on the thieves. we're adding the cost on the merchants and consumers. and that, i think, is something that needs to change, and i'll stop right there. thank you. >> thank you, steve, and thank you to all the panelists. we've teed up a couple of great issues here, and there's one that i want to get back to that three of our panelists raised, and that's the issue of online transactions. so i heard both john and steve bring it up and, liz, before you mentioned that chip and pin could be used for online transactions. so, liz, i was wondering if you could just expand on that a bit. and you even mentioned mobile transactions as well. so could you talk a little bit more about that? >> sure. well, i think it comes back to the point of we are adopt canners of emv -- adopters of emv, there's so much more we can do from a technology standpoint in the states. there are commercially viable
solutions online to accept pins over the internet. that's one important consumer protection that we could put in. as john pointed out, we did see an uptick in not-present fraud when the u.k. rolled out emv. some large merchants are able to solve for that because, you know, their business is inherent upon solving for that if they've got over 90%e-commerce transactions. they're putting their own r&d and coming up with their own transaction fraud-monitoring systems. but there's several small businesses who really could be disadvantaged here if they don't have the wherewithal to find their own means to protect data better whereas there is an office shelf solution they could go buy where they could pin-protect internet frank actions today. i think it comes back to what steve was saying about issuing emv without pins is a very incremental step. it doesn't make sense here in the u.s. and i do want to point out one
thing. merchant terminals, because chip and pin is an international standard, all have that chip -- they also have pin pads. for us, most merchants who are deploying the terminals could accept chip and pin tomorrow if they were able to program for it and if there were pins on the card. so the additional investment on our end would be a programming issue more so than a hardware issue which is not difficult to do. you have to get in the technology queue, and there are resource costs that go with it, time, employee costs that go with changing that software programming. but it is very doable. i think the challenge that we're facing here is, you know, we're saying there's -- fraud's going to be reduced by so much with emv. are we creating a false sense of consumer confidence is one of the bigger issues. >> so there's another consumer argument that i've heard, and i want to throw it to the panelists, and that's that
consumers would have a tough time remembering a four-digit pin. i was wondering, we all have, we all have our money atm cards with four-digit pin numbers, and i'm wondering if anyone wants to talk about that. yeah, steve. >> yeah, just one thing. there was a study a few years ago that said that consumers on average, you know, remember eight pin numbers. so it's hard for me to understand why that would be an obstacle to be able to function. people do it today. i go in through a garage door, and i put my number in every time, otherwise i don't get in my house. this is just a two-factor, you know, step that i think is, it's crucial. i don't think consumers are stupid enough that they can't remember that number. so i don't see that as a roadblock. >> i'll weigh in really quickly
here too. and i want to come back to a couple of things that bill said. i mean, i think it is important for us to work together. in particular, consumers are bearing some fraud losses in the system, but it's predominantly borne by merchants and issuers. fed data shows that combined we do bear probably 90-plus percent of all the fraud losses out there. i think the information sharing has been key, and we've made great strides working with the financial services industry, retail has, to further that information-sharing capacity. and the federal government's doing great things as well, as marisa noted. i do -- i don't want to appear too rigid on pins, but you brought it up as a static data point, and i think as we're talking about it, you know, it's one of the best means of two-factor cardholder authentications out there today. so a static data point is the little cvv code on the back of my credit card. if somebody steals this, they
can go online and use this. if anybody's collecting this. they don't know the pin that i have in my head. they shouldn't. that would be very strange. [laughter] i think there are other forms of multifactor authentication. bill mentioned biometric. i think that's one of them. that's also, you can easily lift a fingerprint. it's a little bit more difficult than just grabbing the number off a card on a cold, but we need to see how biometrics are going to pan out. again, i can lift that off of something i've touched with my from time to time. there's some security there, but it's not finite. i want to sound reasonable, and it's give and take, right? if your issuers think that there's a better technology to authenticate the cardholder and you're ready to deploy that at atms, i think we would certainly love to work with you on figuring out what that technology is to display at the point of sale as well. >> yeah. well, there's a lot here. a lot of questions, a lot of stuff that went on from the other panelists.
i have to say i just have to step back for a minute. we agree with you on the need for data protection legislation. i don't know all the specifics of the leahy bill, but i me it has a strong data protection standard built into it and strong enfor thement. we in the -- enforcement. we in the financial industry are very much supportive of that sort of thing. that's why we, quite frankly, have been strong supporters of the neugebauer-carney bill in the house and also the carper- blunt bill in the senate which does have strong data protection standards and at least attempts to raise people up to relatively the same level of protection of data. and so, you know, i think that if we all got together on some sort of legislation that would do that, i think we'd all be better off. and i think i can pledge to you that our industry is willing to work with you on that and, hopefully, we can work with the merchants and the consumers on legislation, get it across the finish line that deals with
that. the orr thing on pip -- the other thing on pinker it's really interesting, and just back to the emv card. what the emv, the chip is trying to do is really get at what most of the fraud that is going on today is about which is counterfeit cards. and, you know, the pin would deal with a certain segment of, and a declining area of fraud. and so what we're facing with, and we talked about the major retailer breaches, it had nothing to do with pin. it was because they didn't protect their systems. they didn't protect the back door. it had nothing to do with the pin transaction, it was their process, their system for protecting their data and how they stored their data that was the problem. and so to sort of an -- analogize that pin would have somehow prevented those or somehow alleviated the impasse of that is simply a misunderstanding of the situation. inin fact, i understand that soe
pin data was compromised. and once somebody has your pin, then they've got the keys to the kingdom. when i say it's a static technology, that's what i mean. if somebody has it, if somebody opens your mind and finds your pin, you're in a world of trouble. and so that's -- we're trying to deal with the majority of fraud with emv. pin is out there. you mentioned the online stuff. that's great. love to see all those kind of products come forward, but it's all part of an overall thing. and so, i mean, you know, i -- i'm not here to promote any specific technology as the silver bullet. i'm here to say to you that we all gotta work together on multifactor, all kinds of different, evolving technologies. all the stuff you mentioned is great. encryption, tokennization. let's just not -- i mean, we're looking at a tree, we're not looking at the forest. we're looking at a pin as the single tree. the forest is all the other technologies in the evolution of that that's going on out there. and that's what we need to work together on.
so i pledge to you, i want to work with you. i've worked with you on other issues. i'd like us to work a little more closely on this issue. so why don't we do it, liz? >> everybody heard it here first. [laughter] i agree. as i mentioned, tokennization and encryption, a three-pronged stool. we've got to fix it all. >> john wants to jump in here. >> yeah. so, you know, i think -- i appreciate you talking about the other bills that have been proposed. you know, and i think that, you know, when we talk about data security in this space, while this panel is focused on card security, we also have to really understand on steve's point earlier about the economics of fraud. fraudsters tend to look for low happening fruit -- low hanging fruit. and emv will raise their marginal costs, there's no doubt about that. and i think we already see fraudsters starting to look at other types of information so they can sell medical information, for example, is one
where those credentials go for far more on the online dark markets than credit card information. and that's because fraudsters understand that credit card credentialings are protected -- credentials are protected by layer upon layer of bank and retailer protections. and, actually, turning those card credentials into merchandise so they can resell is becoming harder. but things like medical information, information necessary to commit tax id fraud, those are all information that is still very ripe targets for fraudsters. and so my point in mentioning that is that i don't want this debate over emv and card security -- which is an important one and we need to have -- to hold up data security legislation that addresses in an important way all of the vulnerabilities that businesses and the government in the u.s.
have. so i think a good first step is going to be a comprehensive law from congress that says you need to have come prehencive -- you need to have reasonable data security. i new that's -- i think that's a baseline we can all agree on. we need strong enforcement from the federal trade commission, for example, which has done an amazing job on this and with more tools and more authority could help many consumers. the payment issue is one, unfortunately, we tend to get hung up on, and it's prevented some very necessary reforms. carper-blunt and the neugebauer bill are important, i think we'll have some significant disagreements about preemption and what defines pii -- >> but strong enforcement will take care of that, won't it? again, a national standard -- >> right, right. >> wouldn't that take care of that? >> well, i think a national standard needs to be -- if we want a national standard, that's tine. let's have a meaningful national standard like we have in states
like california, for example, rather than try and reduce existing strong consumer protections to a lowest common denominator. >> certainly agree with you on that. we don't want a lowest common denominator, we want a high standard. >> exactly. so we are in agreement on that. this is consumer advocates and the banking industry coming together at this -- >> it's amazing. [laughter] >> a lot of joint coming together here. very exciting. >> and i just couldn't -- >> and we have you to thank, debbie. >> yeah, thank you. [laughter] >> i just can't resist, you know, consumer education is going to play a huge role in all of this. you know, the administration and the federal trade commission have done a great job on this, but i think more resources put into this. if folks haven't visited idtheftinfo.gov, it's a great resource for consumers to do this. and, liz, as a naggy consider advocate, i have to caution you about flashing yo credit card yes depp cials on c-span. [laughter] >> covering the numbers.
>> can i just provide just a quick personal note on flashing your credit card number? again, i -- [laughter] i'm going to jump in anyway. so my wife took our card to the local car repair shop and, again, my famous to-be-undisclosed virginia-headquartered card was used in the transaction, and it was a trusted merchant. really love these guys, they do a great job. they thpt our cars every year and pass out, which is even more important, as you know. but one glitch. my card, unbeknownst to me, somebody at the register -- it wasn't even anything on the actual card reader -- somebody took a picture of my card with the phone and sold it online. and within four hours, four hours, my information was being used to try to buy a tv in boca raton, florida. my card company called me almost immediately. they stopped the transaction.
they knew that i lived in virginia, and i wasn't in boca raton, and they stopped the transaction. so that's how sophisticated these people are. you don't -- i mean, you're taking the stuff right off of the card. and, you know, that's the kind of stuff that we're dealing with. and that is really dangerous stuff. and we need to work together to try to work on that stuff and stop it. and that's why all these technologies that you're talking about need to be worked on and put in place. and i admit, you know, there is some incrementalty to some of this stuff, but we've got to be incremental and get there together at the end. and it's never going to change, it's never going to stop. and we've got to keep working together. >> so thank you all for this great interaction and discussion. so just before we're going to move in a moment to all of your questions. before we do move, i think it's great that we have agreements for cooperative working together among many of our panelists here, but i just want to sum things up.
what i've heard is that most of our panelists have agreed that chip and pin is a better layer of protection for credit card security. while it is not going to guarantee that there will be no fraud moving forward for consumers, it most certainly is a better layer of protection than chip and signature for -- >> debbie, i did not say that. >> i said "most." [laughter] >> i did not say that. anybody less than clear -- >> i will allow bill to take exception, but i did say "most," i said most of our panelists, and i know bill is the exception. most of our panelists did agree it was a percent layer of protection for consumers -- a better layer of protection for consumers, with the exception of bill. >> thank you. [laughter] >> and with that said, we move now to questions from all of you for our panelists. lynn. >> [inaudible] >> lynn, wait, we've got a mic coming. >> thank you very much.
hi, lynn stanton, i'm a reporter from -- [inaudible] i'm going to push back on this pin versus signature issue, because it seems to me that you're comparing apples to oranges because pins are checked and authenticated when you put a pin in a device at point of sale. signatures, i would say in my lifetime 99.be 99 -- 99.99 president of the time my signature is not checked. i'm not using a machine, i'm at a point of sale with a human being. they don't check your signature. so how do can you even compare if they just check the signature, how -- would it really be that much worse an authentication device? now, the human beings standing in front of them rather than someone who might have somehow stolen the pin. that's my question. >> well, why don't they check your license number, right? while you're standing there? because that happens to me. >> you put on your card, "check
id," 90% of the time you write it on the back of the card -- [inaudible] >> i'll answer that as a merchant representative on the panel. i would agree signatures are worthless. they're a worthless form of two-factor authentication. they're very easily counterfeited. there's a reason we collect them, and that is because we get charged back transactions from issuers on -- if a cardholder calls their bank and says we think this is a fraudulent transaction, then we have to show record we've captured a receipt which we can't do at a fuel pump or in an internet environment which is how we bear a lot of the fraud. so we p maintain records of that signature for the process. again, signatures are easy to counterfeit. it's not a good form of two-factor authentication. so, yeah, something that only the cardholder knows is, like a pinker is much, much -- pin, is much, much better. also there are card network
rules that have said in the past i, as a merchant, should not decline that sale if it's a no match. if i do, i can be with penalized from my ability to accept their card brand or through fines. so that's another rationale why merchants have historically had challenges with signature capture. >> so to add onto that, speaking as a consumer advocate, i really don't think that signature is an authentication method at all. as liz mentioned, i mean, it's simply my signature agreeing to pay my bank back for what i bought from a retailer. so i really don't think the signature is an adequate authentication method. and add on to that, that for many issuers there is a very significant percentage of purchases that they never require a signature at all. if you've ever purchased a hamburger from mcdonald's with your credit card, they don't require you to sign. if it's below a certain, a
certain dollar amount. and there's a huge percentage of purchases that just because of card network rules they don't require any authentication whatsoever. >> so the, the thing i guess we should be asking ourselves is, is a pin somewhat better than the signature, why doesn't the industry have any incentive to innovate? it would seem like it would be a very simple thing to incorporate. and, of course, we always hear that the way the thieves are getting smarter from year to year, you know, once we figure this out, they'll come up with another way of breaking it, and we'll have to always be careful on our feet in coming up with -- but the issue there is, well, why don't we get the best thing we have now in place knowing that down the road we're going to have to change it again to keep up with what's going on. and, instead, what i'm hearing sometimes is, well, let's just
wait and eventually we'll get there which, to me, is just dragging our feet and pushing the cost to someone else. >> let me just say that for our members we, we basically provide zero liability for consumers. i mean, we bear the cost of unauthorized transactions. and liz mentioned the fact that they require a signature in order to protect themselves from that. so our members are actually paying for all this and hold considers harmless. so when we get involved in data breaches or even just the normal run of the mill fraudulent transactions, we are highly motivated, highly motivated to protect and make consumers whole. and so is, you know, there's -- we don't spare any expense and effort to try to protect consumers, because it's, honestly, they're our lifeblood. and it's also in our interest. so to me, you know, we're trying to work on a variety of different areas, and pin keeps being mentioned as sort of like that's the solution.
it's just not the solution. it's part of it. >> but that liability shifts in october, right? >> which is going to provide an incentive for people to upgrade their security standards. incrementally, as you said, we believe it actually will address most of the fraud that's out there right now. >> and i direct you back to the chart. look at the fraud losses on pin versus signature for regulated and unregulated. it's seven to ten times unregulated, the fraud losses are much less even on unregulated debit. i mean, we're talking 1-23, i think it is, on there. >> a question right here from jason. >> thanks very much s and, debbie, con gramlations on a great forum today, really great speakers and great information. >> please identify. >> from eta, the protect tronic transactions association, we're the trade associations payment industry. i just wanted to play credit card industry historian for a second and just for the benefit of the audience, just mention something that i think is
helpful to understanding why chip and pin are often talked about in the same sentence. and steve alluded to this, that everywhere else in the world -- particularly in europe which we're most familiar with -- when the chip was introduced, the mv chip 20 years ago, as he correctly noted, this is 20-year-old technology, it came with chip and pin. they came together. i think an obvious question is, why? why is chip and pin implemented in europe? we're also familiar with, anyone who's traveled to europe and sat in a café in rome and had the credit card terminal brought out to them is just how it's done overseas. and it's not being done in the u.s. and the reason for that is actually a telecom reason which steve and john and debbie and i will all appreciate as telecom geeks. when emv was first deployed 20 years ago in europe, it was the first implementation of electronic authentication of credit card transactions. whereas in the u.s., our
implementation of electronic authorization of credit card transactions was with a magnetic stripe, the technology in cassette tapes that we're all so familiar with that's 40 years old. in europe they don't have the telecom infrastructure that we have in the u.s. so that authorization of transactions in europe actually doesn't take place online, it takes place on the device. here in the u.s. every time you swipe your card, that card transmission goes to the network for authorization, and it is done online. there's actually a realtime authorization that takes place. your card issuer sends a message back to the issuer. in europe they don't have that telecom infrastructure like we have here, so they needed to develop a technology that would allow the aption traction to be authorized on the device, on the hand-held or merchant-located terminal. the pin, actually, is authorized by the credit card terminal in
europe which says yes or no on behalf of the issuer, because the issuer can't get that realtime message. so chip and pin are deployed elsewhere outside of the u.s. because that's the only way to authorize the transaction. here in the u.s. we did it without p pin because the transaction is actually authorized online. i thought that history was kind of important -- >> interesting. >> it's not an answer to whether pin is great or kind of great. your panelists have gone into that in great detail, but i do think that history is important, because it explains why we can deploy chip in the u.s. without pin and still authorize the transaction because that transaction is authorized online. >> jason, i think that's a great point. i'd like to make one clarification on that. are you going to the hand your microphone back before i do? >> [inaudible] [laughter] >> that is absolutely -- >> wait. keep going, i'm loving it. >> that was absolutely the case in france when it rolled out in the early '90s. and there was some fraud on those early emv chip and pin.
so when the u.k. rolled it out, they did the type of transaction that we're doing in the u.s. it wasn't spirally that communication -- entirely that communication with the terminal. it was more of an online-based transaction. they went to chip and pin. so there is historical reference for the type of technology that we're talking about here, because the telecommunications had been built out in europe by the 2000s. and i dare challenge you on a telecom issue, but i think you're right. historically, that's why it was rolled out that way. but other people who have adopted chip and pin prior to that do the type of transaction online as we call it that we do here in the united states. so there is an international precedence for that as well. >> yeah. and that raises another interesting, and this hearkens back to something steve said. sorry to monopolize -- >> and then will be the final note on this. >> that also meant that merchants in the u.k. and france, throughout europe, deployed terminals that had pin pads because they were expecting to have pin part of the frank
action. here in the u.s. one of the complications for not deploying pin is there are millions of merchants in the u.s. who don't have the pin pads. so so restaurants in the u.s., obviously, very different than restaurants in europe. we are accustomed to giving our card to the waiter, and they go out back. we don't have a device presented to us with a pin pad the way they do in europe, so that's very different in the u.s. as well. so thank you. >> thanks, jason. right here, a question. >> yes -- >> oh, wait for the mic. i'm sorry. and if you could identify yourself. >> yes -- [inaudible] policy director for congresswoman sheila jackson lee. i had a question about smartphone-enabled credit transactions, if they provide the same protections on, that banks provide for physical credit cards. are the transactions protected by existing law? and do these transactions meet the october 1st deadline? >> excellent question. which one of our panelists would
like to take that on? >> i, you know, actually, i apologize, i'm, like, deaf in this ear, and i didn't actually hear the first part of your question. >> okay. >> could you repeat it please? >> wait for the mic again. that might help. >> i wanted to know if smartphone-enabled credit transactions are covered under rules by the $50 limit if there's some compromise to that system? the second part of the question is, are these transactions protected by current law, and if so, which law? and the last part, do these transactions meet the october 1st deadline? >> well, the easy answer is, yeah, they're protected by current law and, yes, they're under current law. so whatever current law applies to the online world applies to these. and it's a variety of laws. we could talk about it offline, but there's a whole bunch of laws.
but, yeah. so, and so it's a financial transaction and so, basically, just different methods of doing it. certainly, all the laws would apply to those transactions. you know, the liability shift is really a private sector negotiation, and, you know, people have different views on that, but that's really just kind of a network rule that you work out in the private sector. that's not, that's not a mandated federal law. >> yeah. i will, i'll just weigh in. totally agree it depends on what laws regulate the financial transaction under which that smartphone transaction's taking place. the financial product under which it takes place. one thing from the liability shift that i will point out is that merchants are encouraged to accept contact list transactions as part of the emv liability shift. so, basically, the road maps on emv liability have asked merchants to deploy specifications to accept any emv cards that are loaded onto the
phone. >> and i would just add, you know, whether consumers are using a mobile contact list payment solution or the card itself, i would say that if you detect fraud on there, the same advice applies. they're still protected by reg e, reg z for fraud that you notice on that. so i would say even if you've just gotten apple pay and loaded half a dozen credit cards onto that, that still -- that does not mean you shouldn't be checking your credit card statements and disputing potentially fraudulent charges that may have happened through that a system. >> thank you. yes, right here in front. >> hi. dave -- [inaudible] from politico. i wonder if i could ask a question to the proponents of chip and pin. given the fact that pin only protects against lost and stolen card fraud, where is the study comparing the costs of payment
implementation throughout the entire retailer and credit card and payment processing systems against the fraud it would offset? and in the lack of that study, how can you be so certain of your advocacy? >> well, so is, you know, i have -- i think in my opening remarks i mentioned that, you know, chip-enabled cards are certainly a step forward for consumers. they're a significant step forward, and it does address much of the fraud that occurs due to counterfeiting today. so i -- >> that's emv. but what about pin specifically? pin. >> does liz have -- do you have that data, liz? or steve? >> sure. so i would look at the federal reserve study on debit. they came out with an issuer study in 2013, so this is large issuers, issuers covers my
regulation, ip provisions in particular. and it shows that the basis points of fraud on pin debit are significantly lower than the fraud on signature debit overall. i think it's something like 11 to 3 total. and i think one of the challenges and, i mean, why we need to work together more which bill and i both noted is that's pre dominantly by issuers and merchants. the pin debit fraud is more borne by the issuer side. the signature debit card fraud which is shared is about 60/40 give or take, issuer/merchant. and then in card not present fraud is, like i said, anywhere between 70-100% for us and less for them. but overall, the fraud share is about 60/40 total. so i think when you have to look and drill down into that pin
debit number, the fraud losses total are so much lower. and not just the fed numbers, but looking back at the chart there, i think it's very telling as far as how little fraud losses there are on pin data. and i don't think i've gone far enough for you. keep going. >> yeah, i don't think you have because how can you still understand, how can you still -- where's the data point to say that pin is actually worth the money that it'll cost to the economy? >> what do you mean cost the economy? >> well, because it takes money to implement terminals, processing, back-end systems. none of these things are free. >> host merchants -- most merchants have already programmed to accept pin for mag-striped cards. i started out would recollecting for the grocery -- working for the grocery industry where 40% of transactions are pin transactions already, and the cost of updating that software
to reduce fraud losses by as much as you can on that transsaks is absolutely there -- transactions is absolutely there. and there's no doubt in my mind. and they may be slower adopters, case in point, quick service restaurants have not been high adopters of pin because there's a basis point of fraud in that environment. and it's very, very low. if fraud moves into that category of merchant, then they'll have to start looking at other ways to authenticate cardholders. and, you know, to date several merchants have been looking at other technologies. people said in the audience too thatten pins are part of solving the problem, but tokennization and encryption are two very important technologies for protecting the ecosystem overall. so when a merchant looks at their payment deployment and acceptance strategy, you're looking at all these factors of how can i make the best sense
possible to keep people out of my system, and how can i accept the most secure transactions in my environment? right now in the ecosystem that most secured transaction environment is a pin. >> just one small point -- >> i'm sorry. you know, we actually do have some data that we'd like to share with you talking about the cost of doing a cost benefit analysis on this whole thing. and, again, you've got to remember that the stolen card stuff, it's a declining part of the problem. it's not a growing part. >> and i'd like, i'd like to let dr. porges jump in. >> i've been trying to stay out of the liz/bill battle on this one. [laughter] >> there's no battle. >> for a number of reasons. but we have part of the buy secure initiative, we have made a specific preference for pin-enabled cards or pin-preferring cards. and it goes back to what one of the panelists just said, i think, that it is at the moment what will most secure the american consumer during individual transaction. that said, we're also actively looking for our own transactions
and working with industry and researchers and others to see, well, what is the next generation of enhanced security features? what more should we be doing now recognizing we're a little behind the game, you know? our ecosystem with regards to emv. everyone else has adopted it ahead of us. and so we need to catch up on that front and do more on tokennization, on encryption, on other forms of multifactor authentications. looking at biometrics, iris scans, other things out there. so we're really excited when mastercard as part of the summit announced they were going to do, rather, a test on biometrics. when visa said they were going to do tokennization, amem said they were going to do multifactor authorization. i know chip and pin is the focus of a lot with october 1 on the horizon, but i do want everyone to take a step back and think, okay, that's october 1. what happens in a year, what happens in five years?
we don't want to just catch up with where the europeans have been at, you know, 20 years ago. we want to continue to make sure that we're the innovators that take them to the next step. i do think it's about how we include the consumer in understanding identity theft and identity management. it's not just about the pinker it's about how we conceive of identity conception. it's the pin, it's biometrics. no one should be using passwords the anymore. and i just want to get the group, again, to take a step back and look at that. i think it means especially since i got the last word. >> well done. [laughter] >> it's all about the consumer and protecting the consumer, so thank you so much for being here today, and thank you to our possiblists. [applause] to our panelists. [applause] [inaudible conversations]
>> this weekend on the c-span networks, politics, books and american history. on c-span live from the iowa state fair, presidential candidates speak at "the des moines register"'s candidate soap box beginning saturday at noon. we'll hear from republican rick santorum and democrats lincoln chafee and bernie sanders. and sunday afternoon, more coverage from the iowa state fair with republican candidates ben carson at five followed by george pa tackty. on c-span2, missouri senator claire mccaskill on her life and political career. and sunday morning at 10:30, dinesh d'souza talks about his legal situation involving campaign finance laws. on american history tv on c-span3 sunday morning at 10
a.m. eastern, with many presidential candidates visiting the iowa state fair, we'll learn about the fair's history and its tradition as a stop on the road to the white house as we look back on the 2008 presidential race. and saturday evening at six on the civil war, historian and author john corstine on the 1864 battle of mobile bay, the resulting union victory and the closing of one of the confederacy's last major ports. get our complete schedule at c-span.org. >> the iowa state fair begins today in des moines, and we'll hear from several presidential candidates at the des moines register's candidate soapbox, a longstanding tradition where presidential hopefuls get 20 minutes on stage. coming up at 11:30 a.m. eastern, republican candidate mike huckabee, his speech is live on c-span followed by your phone calls, tweets and facebook comments. >> later today on c-span2, a
discussion on the iran nuclear agreement and what it means for the international community. we'll hear from national security advisers to the president and vice president. also a state department official who coordinates sanctions policy. that's live from the center for strategic and international studies at 2 p.m. eastern here on c-span2. >> booktv is every weekend here on c-span2, and with the senate in recess this august, booktv is in prime time each weeknight. tonight we focus on the white house. at 8 p.m. eastern, nbc political director chuck todd on his book, "stranger: barack obama in the white house." at 9 p.m., american urban radio correspondent april ryan, author of "the presidency in black and white: my up-close view of three presidents be and race in america." and then at ten former presidential candidate ralph nader on his book about the unanswered letters he wrote to
presidents george w. bush and barack obama. booktv in prime time starts tonight at 8 eastern here on c-span2. >> this sunday night on q&a, suit for policy -- institute for policy studies fellow and anti-war activist phyllis bennis on u.s. foreign policy since 9/11, the recent negotiations with iran and the war on terrorism. >> who is isis? what are their origins? what do they believe? why are they so violent? all those questions are important, and i address them all in the book. i think that what's more important in some ways is what is the u.s. policy regarding isis? why isn't it working? can we really go to war against terrorism? are we just doing the war wrong, or is it wrong to say there should be a war against terrorism at all? ..
[inaudible conversations] >> good afternoon, ladies and gentlemen. my name is brian michael jenkins come is brian michael jenkins commenced in your browser to the president at the rand corporation and a member of the aspen institute homeland security group. it is my pleasure this afternoon to introduce you to the next panel, iraq, syria, worse now than ever before. according to the program this panel will explore military
successes in iraq and area and even more complicated in the other parts of syria leading to the overall question which is whether the admittedly brutal debility of the saddam hussein regime in iraq and the prerevolutionary assad regime were more in line with american interests. is this the best outcome now? i would add to that my personal comment so what. i believe that for the panel which will be moderated by my friend, eric schmitt here eric covers terrorism and national security measures for "the new york times." he is the co-author of a terrific book. i bought an extra copy so i can show you. counterstrike: untold story of the american ticker campaign
against al qaeda. eric has spent two decades covering military national security affairs for the times and in that capacity has made dozens of trips to iraq, afghanistan, pakistan and africa. it's all yours. >> thank you, brian. i want to thank the foreign firm to host an underrated panel. this is the most uplifting news for this afternoon. the panelists that appear to have the full bios in your program but briefly to my left, general john allen, retired marine general, president and special envoy for the local coalition isil. he's also the former allied commander in afghanistan and served with distinction in iraq. on his left is perhaps one of the u.s. government's top
sanctions buster who knows more about countering terrorist finance. assistant secretary treasury daniel glaser appeared on the far left is ambassador lukman faily who is the current ambassador, iraq's ambassador to washington and has been in the position for two years now. formerly served as the iraqi ambassador and i learned yesterday ran last year's boston and new york marathon. looking at this topic you need to have that kind of duration. i will start with breaking news on the topic today on a hearing in washington. senator john mccain declared isis is winning. secretary ash carter was in iraq today and one of his books and said it will be one to eight weeks before the iraqi forces in
ramani currently shaping operations will deal it to conduct defenses. in many ways, is a very difficult situation clearly on the iraq side and in syria. braking is that this moment that the turkish government after months of negotiation including one of the panelists here has agreed to work plans and drawings to fly from one of their air bases for targeted seeming to be a major shift on the part of turkey in the fight against isis. i wanted to turn to you since you recently returned and have visited more than 30 capitals in your 10 month tenure. where are we? are things as loony as senator mccain said today in washington or are there few bright spots?
>> first, clark, thanks again for your patience and invited me for the third year in a row. great to be back here on a panel with two dear friends and eric, great to be with you today. we just got back from turkey. it was our 10th contact with them in a whole series of conversations that have been increasingly productive and increasingly fruitful here for your old friends in turkey. we've been allies very long time. we are both faced with real crises here with regard to daish. i don't use the word isil unless i have to. turkey has her longtime double to 1.5 to 2 million person refugee bubble and they deserve a lot of credit for that. boosting the evolution with
turkey take a very important term of late and i believe to washington specific commentary about the pieces are. it is encouraging and important. >> ouster and american american warplanes began flying? >> great question and i will be back to washington to comment on. if it all works out it will complete. a year ago today we were facing the real possibility that iraq would come apart. we worse in the public execution of thousands literally, 1700 or so recruiters, christians come ecb is going under the knife and we weren't sure where this would go. about the seventh or eighth of september at the new prime minister was designated, a body, who was different than its
predecessor nouri al-maliki and surely after that the president was secretary kerry and a number of other close traditional partners called for the establishment of a coalition that went to work and was formed relatively quickly with 62 partners today and went to work ready quickly. we operate on a military line about her, and spending a lot of his time countering the flow of firefighters, messaging and ultimately humanitarian assistance state with nation support and the coalition is deeply engaged in those lines and the effort of courses intended to achieve our strategic outcome. since the coalition was formed, since the effort with respect to daish has come into greater focus, we have seen significant progress. the push against daish and areas in iraq has in fact produce the
outcomes are hoping to create a an insignificant city of about 12,000 iraq he internally displaced persons have gone home and a government administered program definitely supporting that regard. they will be cleared relatively soon. falluja is in circle. a number of bases to train iraqi security security forces to bring them online and the air campaign has been very fact that as well. the kurds in both iraq and the kurds in syria have been successful. if you look at a map where daish was this time, say september of last year and where they are today, the surface area and population under their direct control has strong significantly and will continue to shrink. most of the turkish border is
back in the hands of friendly and as we to close those aspects we can have it. i'm always reluctant to take issue with senator mccain in public in my commanders and how there would be some who feel that daish's momentum remains unchecked. it has been check strategically, operationally and by a large. there is a counter finance campaign, and the humanitarian peace and they all have confluence towards strategic object is in its very important that the larger strategic perspective when you consider whether we're having an effect. >> talk a little bit about the islamic finance when it swept into northern iraq that took
over banks and assets. the coalition continues to sell oil on the black market. it seems to be with the constraints of the last 10 months or so, thriving as an economic engine. >> answer the question. i should start its general allen did by thinking the aspen institute or inviting me to be with his colleagues and general allen and has been a served under his leadership in this fight. what i thought i would do is run down really quickly what isil sources of revenue in a financial strain and pause briefly about our strategy to counter that. as i've been listening to the panelists in previously over the course of the day, a lot of people have been coming back to the fact that isil has a new set
of challenges. that is certainly the case with the financial aspects and i don't think we've ever seen a terrorist organization to draw from its own internal territory this kind of research. there have been organizations in the past that controlled territory hamas in gaza, but it's truly unprecedented the resources isil can derive and i will run some numbers on that. the most important source of revenue right now as eric alluded to is the money in the bank vault that was there when isil took control of the territory as well as the central bank of iraq on the two big state-owned banks in mosul. 90 some odd private banks that have branches in the controlled
territory. the numbers come somewhere between $500 million after close to a billion dollars. the good news is that is nonrenewable. once they burn through the money that is not available to them anymore but it is money at there does postal. moving on from there, they are renewable sources of wealth that they have. most importantly he extortion or taxation, the normal way of government extracting wealth from territory and isil does that hundreds of millions of dollars a year. we will continue to have access to resources. the territory is highly liquid. the cash continues to be infused in the territory both in terms of payment salaries of government employees in general commerce continues to go on with
respect to territories and taxing the sources of revenue to the tune of hundreds of millions of dollars per year. the third most important source of revenues for sale of oil. there's been a lot of numbers thrown out and all the numbers are soft but i can say we believe in a one-month period earlier this year. isil made and extrapolate out in the course of the year. this is all internally generated. once he started looking at other sources of wealth, it's much less significant and foreign donations but they are tiny drops in the bucket in what they generate internally. i really has to confirm the
strategy because the traditional tools we have too targeted group like al qaeda aren't as relevant in this case. we have a four pronged strategy that can run through extremely quickly. and the extent they are driving to go after that and a certain number of instances in that case and of course we were quickly put the kurdish authorities and customs issues to make sure it's reduced and i think the kurds and turks have made good progress in the area. the most important element is the second element isolating the international methods we use with respect to when we want to apply brought economic pressure on foreign countries. we are using the same method and strategies in this case.
we are working extremely closely with the iraqi government. i'm going back next week to work with the iraqi authorities making sure they can't be used by isil to make sure branches are cut off and the exchange money and mentors are not available to isil. if they have the money we can make it much less valuable to them if they can't bend it. if all it can to circulate in the territory and that is the most important part of our strategy right now. that is of course also includes working with other countries in the region. uae, jordan, lebanon and then the global coalition with countries around the world on these issues. the third part of the strategy is understanding the
inter-financial architecture, identifying the key financiers within the structure and targeting them. but the military targeting and the treasury tools we are actively engaged in that as well in the fourth is to identify the external networks. as the campaign which is fine they will need access to a variety of international networks that are going to allow them to bring in the materials and that gets back to the classical authorities and will have the ability to disrupt that. so that is the strategy. isil has plenty of money. maybe i should've just said one quick word about their expenses. if you look at the high-end of what the estimates on foreign
fighters are, 30,000 is the high-end. look at the high-end of how much money they make. but a thousand dollars. that would be the major expense. the amount of money they bring and can cover that out. it would be great to bankrupt the isil. and to bring and make it harder to meet their costs. that's an achievable goal. isil the political line of the third within iraq there's been concerns about whether the iraqi army could muster enough troops
to mount defenses and places and the fundamental question of the sunni tribes in the last work with the government they don't trust in bag that. how do you see this reconciling self with the president says there's a very limited american involvement here. they are not sending tens of thousands of troops that the iraqis don't need to get it together on this one. >> thank you for the time and allowing me to participate. we've done a tremendous job. he's done a lot more than anybody else. i asked him to be generous. i think the challenges we face with the security aspect general allen and i alluded to his geopolitical within iraq in the
region. iraq in the new prime minister has been extremely inclusive to all whether it's tribes, political entities in iraq and so on. he's done a tremendous job fair. we have cohesion between the communities and that will take some time and the strategy can be a good common project and have social cohesion focused on the threat to our ethnicities and the heritage of iraq and so on. here we significantly be to international cooperation of the
attrition. for example in relation to china, the oil and somebody needs international support. here you have a clearer u.n. council resolutions, which is the jihadist. here are her neighbors need to play a better role and focus more on the side of urgent d. and relation to twitter and others to help us with control. the international dimension is the sense of urgency and it's not that small and tremendous support from all. the aspect of it and that has to
prove strong. i think we have what we might call -- [inaudible] winning ticket or politics act together and we are working hard on not. we have god a tremendous plot against isis. we want to go through the painful process for our road long-term policies. to that effect i don't think they have been doing it tremendously. every day in and bar we have falluja and grimaldi. we will continue doing that, by the way. it is something we are not looking forward to but we'll
continue to do. >> whether it's military aid in the form of ground spotters to call in airstrikes and additional u.s. special forces. >> the good news is the u.s. has not given us any lines. is more to do with operational needs and see how we can help and will act accordingly. but we have from the u.s. and others is to push our neighbors to act and be responsible to the challenge. they mentally get the challenge but physically change the procedures, hasn't taken place. here's the? again the defensive urgency of others. >> general, you know the dynamics on the ground. is it possible for the iraqis to pull this off in an iraqi army to pull into the cities not relying on the shia militias
reported no-space day outside. secondly, going back to the turkey issue, isil has been supported greatly by foreign fighters. but will this new announcement helped cut off a source of military support for isis on the ground. >> i spent a lot of time as you know what the tribes in 07 in 08 and the ability to organize the tribes and motivate them was the principal and deciding during the defeat of al qaeda and that part of the war. i still maintain close contact with the shiite and they are very committed to the defeat of al qaeda, the defeat of daish and very important while they in 07-overweight were skeptical of the maliki regime from the governors have spoken to have
the sunni provinces too many shiites, they have seen a big difference between defensive attitude and the attitude today. they do feel abadi is willing to support them. he has taken steps to support them. he has made it clear that the opening of the new facility after cottam & co. had a something he supports. he issued a five-point plan with unanimous consent of the ministers ultimately to take back al-anbar against mosul. >> why does it take so long? >> we have to understand the iraqi security forces took a heckuva beating a year ago survey constituting the forest in top to bottom and building capacity through training, especially with focus on
leadership will take time. it is clear the hardest part is done by iraqi security forces called the shia volunteers and dancers were in accordance of forces. they prevented daish from enforcing them play the role as well. there has to be a combination of our training and irregular forces, empowering the tribes and managing the role of the popular mobilization for of the shia in combination to a military object to and many of those elements, eric, i scheduled with the intent of the prime minister should be the base element for the national guard brigades that will be formed over time. the tribal elements trained
about 1800 or so an alley and bar or every other week will be the base element bear and other provinces of the national guard brigades as they come along. they will be a purpose over the long term. >> in the meantime, isis continues to draw a thousand foreign fighters a month. many through turkey. what will the new deal -- how will that change this or will they come in another way? >> i think they are always going to try to get in. ..