The recent deluge of reports about credit and debit card security breaches has senators looking to intervene.
A Banking subcommittee held a hearing on the issue Monday, with the Judiciary Committee following Tuesday morning. There's increasing interest in moving toward a new industry standard, but policymakers and industry alike have been quick to point out that the chip-and-pin technology that's common in Europe and elsewhere won't solve all problems.
As Sen. Orrin G. Hatch, R-Utah, noted in questioning, the chip-and-pin technology is far more secure for in-store transactions, but it doesn't help on the Internet, a point made by banking and credit union interests in a joint letter to Judiciary leaders.
"The major card networks started the EMV migration domestically in 2011, and in 2015 at the retail point-of-sale the party that is not EMV capable (either the issuer or merchant) will be responsible for counterfeit fraud. EMV migration will be fully implemented by October 2017. This liability shift incentivizes both retailers and financial institutions to implement chip-based technology," the groups wrote. "EMV technology improves current security by generating a one-time code for each transaction, so that if the card number is stolen it cannot be used at an EMV card-present environment. However, while EMV addresses card-present fraud, it does not increase the security of on-line transactions, which is an increased target in countries that have implemented EMV."
John Mulligan, the executive vice president and CFO of Target, testified that his company is behind advancing the standards. Target suffered a devastating breach that compromised the data of about 40 million customers.
"To prevent this from happening again, none of us can go it alone. We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response," Mulligan said Tuesday before the Judiciary Committee. "On behalf of Target, I am committing that we will be an active part of that solution."
Aside from the hearings this week, there's no shortage of legislative proposals. For instance, Judiciary Chairman Patrick J. Leahy, D-Vt., has reintroduced personal data privacy legislation previously considered by the panel in 2011, and this week two new bills have surfaced.
Sen. Mark S. Kirk, R-Ill., announced Monday that he planned to introduce legislation setting a new mandatory minimum sentence for theft through hacking. The theft of a million or more credit card numbers would be subject to a 25-year prison sentence.
"These criminals must face real consequences. Our laws do not sufficiently punish cyber criminals, and these devastating breaches of confidential information must be punished," Kirk announced Monday at the Banking subcommittee hearing with officials from agencies involved in efforts to combat credit card theft.
Tuesday brought yet another effort, with Democratic Sens. Richard Blumenthal of Connecticut and Edward J. Markey of Massachusetts pushing their own proposal, calling for federal standards for transaction security and notification requirements.
"The retailers have a responsibility to stop these kinds of invasive and highly dangerous kinds of thefts of consumer information. There has to be trust. Without it, there will be perils to retailing across the country," Blumenthal said at a news conference with Markey ahead of the hearing.
The Blumenthal and Markey measure includes a provision allowing for a private right of action in the event of data security breaches, a litigation risk that banks and retailers alike would probably rather avoid. One key question as the debate continues is who is ultimately responsible for implementing new technologies and for covering the losses from new breaches.
"The ones who will pay for it are the retailers and the bankers," Blumenthal said. "The retailers are already moving in this direction because they can see the handwriting on the wall. If they don't protect consumer information, they won't have their business."
"Target shoppers should not have targets on their backs for data thieves as they use their credit cards to shop," Markey said.
Sen. Dianne Feinstein, D-Calif., said at the Judiciary hearing that she began working on data security notification around 2003 and faced opposition from industry groups.
"This has been the big resistance out there in the commercial community," Feinstein said, adding that she wants notification requirements in any legislation on the topic.