BILL ANALYSIS






                  SENATE BANKING & FINANCIAL INSTITUTIONS COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session

          SB 1351 (Hill)                          Hearing Date:  April 9, 2014

          As Amended: March 26, 2014
          Fiscal:             No
          Urgency:       No
          

           SUMMARY    Would, until January 1, 2020, require the issuance and  
          acceptance of credit and debit cards equipped with microchips  
          capable of storing a personal identification number (PIN), as  
          specified.
          
           DESCRIPTION
           
            1.  Would enact findings and declarations relating to the  
              adoption of microchip technology for credit cards in over 80  
              countries throughout the world, not including the United  
              States, and to the value of these cards in combatting  
              payment card fraud.

           2.  Would, on and after January 1, 2015, require any contract  
              entered into between a financial institution and a payment  
              card network to govern the circumstances under which the  
              logo of the payment card network is displayed on a payment  
              card issued by that financial institution to include a  
              provision requiring that any new or replacement payment card  
              issued by that financial institution with that payment  
              network logo, on or after October 1, 2015, to a cardholder  
              with a California mailing address, have an embedded  
              microchip capable of storing a PIN or any other technology  
              that is generally accepted within the payments industry as  
              being more secure than microchip technology at preventing  
              card-present payment card fraud.

           3.  Would delay the imposition of the requirement summarized in  
              Number 2, above, by two years for small financial  
              institutions, which would be defined as financial  
              institutions with assets of $5 billion or less.

           4.  Would, on and after October 1, 2015, require a retailer  
              that accepts a payment card to provide a means of processing  




                                                 SB 1351 (Hill), Page 2




              card-present payment card transactions involving payment  
              cards equipped with embedded microchips capable of storing  
              PINs or other technology that is generally accepted within  
              the payments industry as being more secure than microchip  
              technology at preventing card-present payment card fraud.

           5.  Would delay the imposition of the requirement summarized in  
              Number 4, above, by two years for small retailers and gas  
              station pump payment terminals, and would define a small  
              retailer as a retailer with ten or fewer employees.

           6.  Would state the intent of the Legislature that the bill  
              provide consumer protection consistent with federal law.

           7.  Would sunset on January 1, 2020.  

           EXISTING LAW   No existing state or federal law explicitly  
          requires implementation of specific payment card technologies by  
          card-issuing financial institutions, nor acceptance of specific  
          payment card technologies by retailers.  Relevant state data  
          breach and data security laws are briefly summarized below.   
          Existing state law:

            1.  Requires any agency, person, or business that owns or  
              licenses computerized data to disclose a breach of the  
              security of the system to any California resident whose  
              unencrypted personal information was, or is reasonably  
              believed to have been, acquired by an unauthorized person.   
              The disclosure must be made in the most expedient time  
              possible and without unreasonable delay, consistent with the  
              legitimate needs of law enforcement (Civil Code Sections  
              1798.29 and 1798.82).  

            2.  Requires any agency, person, or business that maintains  
              computerized data that the agency, person, or business does  
              not own to notify the owner or licensee of the information  
              of any security breach immediately following its discovery,  
              if personal information was, or is reasonably believed to  
              have been, acquired by an unauthorized person (Civil Code  
              Sections 1798.29 and 1798.82).   

            3.  Imposes (with limited exceptions) an across-the-board data  
              security standard on businesses that own or license personal  
              information about California residents.  The Information  
              Security Law requires such businesses to implement and  
              maintain reasonable security procedures and practices  
              appropriate to the nature of the information, to protect the  
              personal information from unauthorized access, destruction,  
              use, modification, or disclosure (Civil Code Section  
              1798.81.5)  

           COMMENTS

          1.  Purpose:   This bill is intended to reduce card-present  
              payment card fraud by requiring the use of microchip  
              technology.

           2.  Background:   SB 1351 is based upon the premise that the  
              U.S., generally, and California, specifically, will  
              experience less card-present, point-of-sale (POS) payment  
              card fraud by migrating away from credit and debit cards  
              equipped with magnetic stripes toward credit and debit cards  
              equipped with integrated circuit cards.  Credit and debit  
              cards that contain embedded integrated circuit cards are  
              known by many names, including "chip cards," "integrated  
              circuit cards," "smart cards," and "EMV cards."  The term  
              "chip card" will be used in this analysis.

          This bill's author observes, "Retail fraud from counterfeit  
              credit cards has more than doubled since 2007 in the U.S.,  
              one of the last countries in the world that relies almost  
              exclusively on magnetic strip identification technology for  
              credit cards.  Even though credit cards with embedded  
              microchips reduce card-present fraud, less than one percent  
              of credit cards issued in the U.S. have chips.  By  
              comparison, chip-based credit cards - which carry  
              identification information as encrypted data in a microchip  
              that can be read only by special scanners in stores -  
              reduced counterfeit card fraud in Britain by 70 percent from  
              2007 to 2012, according to the U.K. Card Association.   
              Meanwhile, hackers have found it increasingly easy to copy  
              identifying information on magnetic stripes and produce fake  
              cards.  If chip cards were used in the U.S., fraud losses  
              could be halved, Aite Group estimates.  U.S. merchants and  
              banks had 2012 losses of $11.3 billion due to credit card  
              fraud, or 5 cents on every $100 spent, according to the  
              Nilson report."

          According to a white paper written by payment processor First  
              Data and information assembled by the research and  
              investment-focused Aite Group, there are over 1.2 billion  
              chip payment cards in circulation worldwide, and over 15  
              million POS terminals capable of reading those cards.   
              Nearly all of those cards and card readers reside outside  
              the U.S.  Of the 5.6 billion credit and debit cards in  
              circulation in the U.S., only an estimated 15 million to 20  
              million are chip cards, issued mainly to people who travel  
              overseas frequently.  Only 14 percent of all payment  
              terminals in the country are capable of reading chip cards.   


          At the present time, the timeline for U.S. migration to chip  
              cards is uncertain.  As will be discussed in more detail  
              below, the major card networks are pressuring card-issuing  
              depository institutions and merchants to migrate to chip  
              cards by October 2015.  However, full migration represents a  
              chicken-and-egg challenge.  Banks and credit unions are  
              hesitant to issue chip cards to their card-holding customers  
              if those cards cannot be read by the POS devices used by  
              merchants.  Merchants are hesitant to expend the significant  
              costs necessary to update their POS devices to chip readers  
              before chip cards are in wide circulation.  According to  
              recent press accounts, the cost to achieve full migration  
              (presumably to chip and PIN, though the press accounts are  
              unclear on this point) is estimated at approximately $8  
              billion: $6.8 billion to replace POS devices, $1.4 billion  
              to issue new cards, and $500 million for ATM upgrades. 

           3.  Definition of Key Terms:   Several key terms are defined  
              immediately below, in order to help ensure that those  
              debating SB 1351 use consistent terminology.

           Payment card fraud  is the use of a payment card to purchase  
              goods or services by an individual who is not the card owner  
              and is not authorized by the card owner to use the card.   
              Payment card fraud can either be  card-present fraud  , where  
              the person presenting the card is face-to-face with the  
              merchant, and the card is present during the transaction;  
              or, it can be  card-not-present (CNP) fraud  , where the person  
              providing the card number and other relevant card  
              information is not face-to-face with the merchant, and the  
              card is not physically present and available to the merchant  
              during the transaction, as is the case during transactions  
              completed online, via phone, or via mail.  

           Existing card fraud  can occur when an unauthorized person gains  
              physical access to a payment card that has been lost,  
              stolen, or discarded by its owner without being destroyed.   
              It can also occur when the card physically remains with the  
              cardholder, but the card number and other identifying  
              cardholder information is stolen and either counterfeited to  
              create a new card with the same number or fraudulently used  
              in one or more CNP transactions.  Existing card fraud  
              affects accounts that were opened by the actual card owner,  
              but subsequently used for fraudulent purchases not  
              authorized by the card owner.  

           New card fraud  involves the establishment of a new payment card  
              account in the name of someone whose identity has been  
              stolen.  Because the person in whose name the account is  
              opened is often unaware of the existence of the new account,  
              new card fraud can be harder to detect, and can go on for  
              longer periods of time, than existing card fraud.

          SB 1351 is intended to reduce the incidence of card-present, POS  
              payment card fraud on both new and existing accounts.  
           Identity theft  , or more accurately identity fraud or  
              impersonation, occurs when one person uses someone else's  
              personal information (e.g., name, date of birth, or social  
              security number) to commit fraud or other crimes.  There are  
              many different types of identity theft, including criminal,  
              financial, medical, and others.  Financial identity theft  
              includes the creation of new payment card accounts in the  
              name of the person whose identity was stolen.  SB 1351 does  
              not focus on identity theft; instead, it focuses on  
              preventing one of the potential consequences of identity  
              theft.

           Data breaches  involve the theft or unintentional disclosure of  
              data residing on a computer system or other electronic  
              device.  A data breach may not result in payment card fraud  
              or identity theft, if the data breached are encrypted or  
              otherwise unusable, or if the people whose data are stolen  
              take immediate steps to close existing accounts, monitor  
              their accounts for fraudulent activity, and monitor their  
              credit reports for unauthorized account creation.  In the  
              alternative, a data breach can lead to identity theft and/or  
              payment card fraud, if enough payment card data and other  
              personal identification information in a usable form is  
              stolen.  SB 1351 does not directly focus on preventing data  
              breaches.  However, as discussed in more detail below (see  
              "Why can chip cards sometimes provide greater fraud  
              protection than magnetic stripe cards?"), the bill may  
              reduce the frequency of certain types of data breaches, by  
              making certain credit card data less attractive to thieves.

           4.  How Do Chip Cards Work?   The chips in chip cards are  
              integrated circuits, and thus, microcomputers.  Because they  
              are equipped with embedded microcomputers (also called  
              microcontrollers), chip cards can securely store large  
              amounts of data, carry out their own on-card functions such  
              as encryption and authentication, and interact more  
              intelligently with card readers than cards equipped with  
              magnetic stripes.  Unlike cards equipped with magnetic  
              stripes, whose stored data are static (unchanging from one  
              transaction to the next), chip cards generate a new code for  
              each transaction, making them far less susceptible to  
              cloning than traditional magnetic stripe cards.  

          Generally speaking, very little information on chip cards is "in  
              the clear" (i.e., unencrypted).  According to experts  
              familiar with chip technology, only the card number,  
              expiration date, and three-digit security code are available  
              "in the clear" on these cards.  Cardholder names are  
              commonly not in the clear on these cards, nor is other  
              cardholder data, such as billing address.

          Chips in chip cards are commonly one of three types: contact,  
              contactless, and dual-interface (capable of being read in  
              contact or contactless mode).  Cards equipped with contact  
              chips must be inserted into a chip-enabled terminal in order  
              to be read, to ensure that the contacts on the chip can make  
              physical connection with the contact readers in the  
              terminal.  Because contact cards lack an antenna with which  
              to wirelessly transmit data from the chip, data on these  
              chips cannot be read without physical connectivity.

          Contactless cards contain chips equipped with wireless antennae.  
              These antennae must be within approximately one and a half  
              inches of a terminal or other reader in order to be read.   
              Contactless chips with the latest technology can be turned  
              off.  Other contactless chips cannot be turned off, but can  
              be shielded.  Some companies sell sleeves into which  
              contactless chip cards can be placed, to protect these cards  
              from being remotely read unless they are physically removed  
              from the sleeve.  At least one company currently advertises  
              a wallet equipped with similar shielding.  

          However, experts contacted by Committee staff wished to assure  
              the Legislature that contactless chip cards do not represent  
              security hazards to their holders.  Not only must the cards  
              be extremely close to a reader to be read, there is very  
              little useful information available from these cards, even  
              if they are read by thieves.  A card number, expiration  
              date, and three-digit security code are of little use to a  
              fraudster, without a cardholder name or address.  Experts  
              advise that the address verification software used by most  
              merchants who accept credit and debit cards would reject a  
              transaction attempted by someone who lacked the billing  
              address or billing zip code for an account.  

           5.  Why Can Chip Cards Sometimes Provide Greater Fraud  
              Protection Than Magnetic Stripe Cards?   The microchips used  
              in chip cards generate new verification values each time the  
              card is used in a transaction.  This dynamic technology  
              differs greatly from the static manner in which magnetic  
              stripe-equipped cards transmit data.  For example, when a  
              magnetic stripe card is swiped ten different times, the same  
              information is transmitted to the card reader each time the  
              card is swiped.  However, if a chip card is dipped or  
              scanned using a radio frequency reader ten different times,  
              it returns a unique authentication code each time.  

          Because a new code is generated each time a chip card is used,  
              it is very difficult for chip cards to be cloned  
              (counterfeited); the dynamic authentication technology is  
              simply not capable of being duplicated in a manner that will  
              return the same dynamic codes as those that would be  
              returned by a valid chip card.  
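          The static-versus-dynamic distinction described in this comment,  
              modelled in code.  This is an added illustration, not code from  
              the bill analysis or from any card network, and it simplifies  
              deliberately: the message layout, the field names (pan, atc,  
              nonce, mac), the HMAC-SHA256 construction and the sample account  
              number are assumptions made here, not the real EMV cryptogram  
              format.  It shows a magnetic stripe card returning identical data  
              on every swipe, a chip card returning a different cryptogram on  
              every dip, and an issuer that approves genuine transactions but  
              declines a captured cryptogram that is resubmitted, presented at  
              a different terminal, or altered:

```python
"""Added illustration of static stripe data versus per-transaction chip
cryptograms.  Constructed model: field names, message layout and the use of
HMAC-SHA256 are assumptions made here, not the real EMV cryptogram format."""
import hashlib
import hmac
import secrets


class MagStripeCard:
    """Static data: every swipe hands the terminal exactly the same bytes."""

    def __init__(self, pan, track_data):
        self.pan = pan
        self.track_data = track_data

    def swipe(self):
        return {"pan": self.pan, "track": self.track_data}


def _mac(key, pan, amount_cents, atc, nonce):
    """Cryptogram over the transaction details (constructed layout)."""
    msg = f"{pan}|{amount_cents}|{atc}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """Dynamic data: the card holds a secret key that never leaves it and an
    application transaction counter (ATC) that advances on every use."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents, terminal_nonce):
        self.atc += 1
        mac = _mac(self._key, self.pan, amount_cents, self.atc, terminal_nonce)
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """The issuer keeps a copy of each card's key and the highest ATC seen,
    so it can recompute the cryptogram and refuse replays or altered data."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_chip_card(self, pan, key=None):
        key = key or secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, req, terminal_nonce):
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINE: unknown card"
        if req["nonce"] != terminal_nonce:
            return "DECLINE: nonce mismatch (cryptogram replayed elsewhere)"
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINE: counter not advanced (replay or clone)"
        expected = _mac(key, req["pan"], req["amount"], req["atc"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "DECLINE: bad cryptogram (details altered)"
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def run_demo():
    """Constructed walk-through; returns the observations as a dict."""
    pan = "4111111111111111"          # constructed test number, not a real account
    stripe = MagStripeCard(pan, "B4111111111111111^DOE/JANE^2012101")
    swipes = [stripe.swipe() for _ in range(3)]

    issuer = Issuer()
    chip = issuer.issue_chip_card(pan, key=b"constructed-demo-key-not-secret")
    req1 = chip.generate_cryptogram(2599, "terminal-nonce-1")
    req2 = chip.generate_cryptogram(2599, "terminal-nonce-2")
    req3 = chip.generate_cryptogram(2599, "terminal-nonce-3")
    altered = dict(req3, amount=99)   # same cryptogram, different amount

    # Dict values are evaluated left to right, so the issuer sees these
    # requests in the order written.
    return {
        "stripe_static": all(s == swipes[0] for s in swipes),
        "chip_dynamic": req1["mac"] != req2["mac"],
        "first": issuer.authorize(req1, "terminal-nonce-1"),
        "second": issuer.authorize(req2, "terminal-nonce-2"),
        # a captured cryptogram presented at another terminal
        "replayed_elsewhere": issuer.authorize(req1, "terminal-nonce-3"),
        # the same cryptogram submitted twice at the same terminal
        "resubmitted": issuer.authorize(req2, "terminal-nonce-2"),
        "altered_amount": issuer.authorize(altered, "terminal-nonce-3"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

          The three stripe swipes compare equal because nothing on the stripe  
              changes between uses, which is exactly why captured stripe data  
              can be reused; the three chip cryptograms differ because the  
              counter and the terminal nonce enter the computation, and the  
              issuer rejects anything that does not match its own  
              recomputation.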

          The following statement by Visa explains the value of chip  
              cards:  "Not only will chip technology accelerate mobile  
              innovations, it is also expected to secure payments into the  
              future through the use of dynamic authentication.  Chip  
              technology greatly reduces a criminal's ability to use  
              stolen payment card data by introducing dynamic values for  
              each transaction.  Even if payment card data is compromised,  
              a counterfeit card would be unusable at the point of sale  
              without the presence of the card's unique elements.  By  
              reducing static authentication, we diminish the value of  
              stolen cardholder data, benefitting all stakeholders."

          Chip cards, however, are not panaceas.  Although chip cards  
              cannot be cloned into other chip cards, chip card data can  
              be captured and used to create a counterfeit magnetic stripe  
              card.  Once a counterfeit magnetic stripe card is created,  
              it has the potential for fraudulent use in a card-present,  
              POS transaction with a retailer that accepts magnetic stripe  
              cards or in a CNP transaction.  

          Available evidence from other countries supports the assertion  
              that a migration to chip cards reduces card-present POS  
              fraud, but increases the percentage of fraud perpetrated  
              through CNP transactions ("CNP Fraud:  A Primer on Trends  
              and Authentication Processes," Smart Card Alliance, February  
              2014).  Not surprisingly, fraudsters attack the most  
              vulnerable point in a payment system; when steps are taken  
              to make card-present fraud more difficult to perpetrate,  
              fraudsters shift to CNP fraud.

          Will migration to chip cards result in fewer data breaches?  The  
              answer is unclear.  The data generated by chip cards is no  
              less susceptible to theft than the data generated by  
              magnetic stripe cards, but its value to thieves is much  
              smaller than the value of magnetic stripe card data.   
              Because thieves typically focus on vulnerabilities that have  
              the greatest lucrative potential, they may direct their  
              focus away from chip card data and toward other types of  
              data that are easier to use in a fraudulent manner.
           
          6.  Allocation of Financial Responsibility When Payment Card  
              Fraud Occurs:   Generally speaking, as long as a consumer  
              notifies their card issuer that a transaction is fraudulent,  
              the card issuer will not require the cardholder to pay for  
              the goods or services that were fraudulently obtained.  But,  
              if the consumer doesn't pay, who does?  It depends.   
               
              If payment card fraud occurs in an in-person (card-present)  
              transaction, despite every party's adherence to their  
              contractual obligations to prevent fraud, the card-issuing  
              financial institution is typically responsible for covering  
              the cost of that fraud.  According to information provided  
              by one of the major payment networks, financial institutions  
              cover the cost of approximately 80 percent of card-present  
              fraud.  This cost allocation framework is one of the reasons  
              why migration to chip cards is so challenging in the  
              short-term.  Card-issuing financial institutions (rather  
              than merchants) bear most of the costs of card-present fraud  
              and will thus receive most of the cost savings from this  
              migration, but merchants are being asked to shoulder the  
              majority of costs attributable to migration. 

              In recognition of the challenges posed by existing liability  
              allocation rules for migration to chip cards, the major  
              payment card networks have announced a liability shift,  
              which they will begin to apply in October 2015.  In August  
              2011, Visa announced plans to accelerate the migration to  
              chip technology in the U.S.  One of the key elements of  
              Visa's migration roadmap includes a "liability shift for  
              domestic and cross-border counterfeit card-present  
              point-of-sale (POS) transactions, effective October 1, 2015.  
              Fuel-selling merchants will have an additional two years,  
              until October 1, 2017, before a full liability shift takes  
              effect for transactions generated from automated fuel  
              dispensers.  Currently, POS counterfeit fraud is largely  
              absorbed by card issuers.  With the liability shift, if a  
              contact chip card is presented to a merchant that has not  
              adopted, at a minimum, contact chip terminals, liability for  
              counterfeit fraud may shift to the merchant's acquirer [the  
              merchant's bank].  The liability shift encourages chip  
              adoption since any chip-on-chip transaction (chip card read  
              by a chip terminal) provides the dynamic authentication data  
              that helps to better protect all parties.  The U.S. is the  
              only country in the world that has not committed to either a  
              domestic or cross-border liability shift associated with  
              chip payments."  

              MasterCard made a similar announcement to its customers in  
              January 2012.  

              Significantly, the Visa and MasterCard announcements only  
              affect card-present, POS transactions.  They do not affect  
              CNP transactions, nor do they extend to ATM transactions.   
              Historically, merchants typically bear the cost of CNP  
              fraud.  According to a report prepared by specialty  
              publisher Nilson based on 2012 data (Nilson Report, Issue  
              1023), retailers bear just over one third of the cost of  
              payment card fraud losses annually.  CNP fraud represents  
              the largest category of merchants' fraud costs.  

              The Visa and MasterCard announcements also do not extend to  
              liability for covering the cost to re-issue new payment  
              cards, when payment card fraud is detected.  One of the  
              other significant costs of payment card fraud involves  
              card-reissuance.  When a valid card number is fraudulently  
              obtained, card-issuing financial institutions typically  
              cancel the card whose number was compromised and re-issue a  
              new card to the legitimate cardholder.  The cost to reissue  
              these cards is borne by the card-issuing financial  
              institutions, a cost pressure that will not be alleviated by  
              the liability shift imposed by the card networks.  

              It should also be noted that the cost allocation rules and  
              proposed liability shift summarized above are based upon the  
              assumption that each party involved in authorizing a  
              fraudulent transaction complies with all of their  
              contractual responsibilities to prevent fraud.  Often,  
              mistakes are made by one or more party when a fraudulent  
              transaction is authorized.  For this reason, financial  
              responsibility for covering the cost of payment card fraud  
              is often determined by overlaying the results of forensic  
              security investigations with the terms of contracts that  
              govern the responsibilities of each party in a payment  
              transaction.  In reality, despite the planned liability  
              shifts described above, the cost of holding customers  
              harmless for fraudulent transactions involving their cards  
              is allocated, and will continue to be allocated, based on  
              the responsibility of each party for authorizing the  
              fraudulent transaction.  

           7.  Should We Migrate to "Chip" Or "Chip and PIN"?   The Visa and  
              MasterCard roadmaps summarized above call for migration to  
              chip.  They are agnostic on whether migration to chip should  
              also be accompanied by a migration to "chip and PIN."  The  
              majority of integrated circuit card implementations  
              worldwide to date have been of the "chip and PIN" variety,  
              but, according to Visa, none (other than Canada) was  
              accomplished in a single move.  In nearly all instances,  
              countries migrated first to chip, and only later to chip and  
              PIN.

          There is considerable disagreement over whether chip and PIN is  
              any safer than chip or chip and signature at preventing  
              card-present, POS payment card fraud.  Some experts assert  
              that the anti-theft value of chip cards derives from their  
              dynamic authentication methods, and not in their reliance on  
              a cardholder's use of a static PIN at the time of sale.   
              These experts observe that PINs can be stolen, and  
              signatures can be forged; however, chip cards cannot be  
              counterfeited, and it is that inability to be cloned that  
              represents their true anti-theft value.  These experts  
              assert that the use of PINs provides little marginal benefit  
              in combatting payment card fraud, but adds significant  
              additional cost for both card issuers and retailers.  They  
              suggest that the U.S. should complete its migration to chip,  
              before we attempt to integrate a migration to chip and PIN.

          On the flip side, some, including the California Retailers  
              Association, strongly advocate migration to chip and PIN.   
              They reason that if retailers are going to invest  
              significant amounts of money in new payment terminals, they  
              ought to get the greatest security bang for their buck.   
              They assert that the addition of PINs to chip cards provides  
              a greater level of security, and point to the magnetic  
              stripe card environment (in which use of PINs is widely  
              believed to add a layer of security missing with signatures)  
              to support their conclusion. 

              This bill would require migration to chip and PIN by October  
              2015 (October 2017 for small banks, small retailers, and  
              fuel sellers).  In that way, it goes beyond the payment card  
              networks' roadmap.

           8.  Should the State and Local Governments Be Exempted From This  
              Bill?  As drafted, this bill would exempt from the  
              definition of retailers subject to the bill "the state, a  
              county, city, city and county, or any other political  
              subdivision of this state."  The author is proposing to  
              exempt the state and local governments from the requirements  
              of this bill primarily for cost reasons; imposing such  
              requirements on the state and local governments could prove  
              prohibitively expensive, and could result in failure of the  
              bill on fiscal grounds.  

          However, numerous studies of payment card fraud, in both the  
              U.S. and elsewhere, conclude that thieves migrate to the  
              most vulnerable points in a payments system.  If most  
              retailers in California migrate to acceptance of chip cards,  
              and the state and local governments do not, they may find  
              themselves besieged by crooks, aiming to take advantage of  
              their use of outdated payment technology.  Although it may  
              be extremely expensive to require the state and local  
              governments to migrate to chip, it may be equally, if not  
              more, costly to combat the efforts of thieves seeking to  
              capitalize on governments' use of outdated magnetic stripe  
              readers and to deal with the payment card fraud that  
              results.  
           
           9.  Should Credit Cards Issued By Retailers Be Subject to This  
              Bill?   As drafted, SB 1351 is silent on the manner in which  
              it is intended to apply to retailers that issue credit and  
              debit cards to their customers.  According to bank and  
              retailer representatives, some retailer-issued credit and  
              debit cards contain payment network logos, while others do  
              not.  If a credit or debit card containing a payment network  
              logo is counterfeited, the counterfeit card could be used at  
              any merchant that accepts cards with that payment network  
              logo - not just at the retailer that issued the valid card.   
              Because of the significant potential for payment card fraud  
              that could result in these cases, an amendment is suggested  
              (see Amendment 12b) to apply this bill to retailer-issued  
              payment cards that carry payment network logos.

          According to retailer representatives, if a credit or debit card  
              that lacks a payment network logo is counterfeited, the  
              counterfeit card can only be used at the retailer that  
              issued the valid card.  Thus, the potential for widespread  
              payment card fraud is considerably smaller.  If the author  
              wishes to amend his bill to cover retailer-issued cards that  
              lack payment network logos, an amendment is included for his  
              consideration (see 12e).  However, given the limited number  
              of places counterfeit, non-payment-network-logoed cards can  
              be used, it is unclear whether the benefits of migrating  
              these cards to chip and PIN exceed the cost of doing so.   
           
           10. Which Banks and Credit Unions Will Get Two Additional Years  
              to Comply With This Bill's Provisions?   SB 1351 would give  
              financial institutions with $5 billion or less in assets an  
              additional two years in which to comply with its provisions.  
              In an effort to get a sense of which depository  
              institutions would receive this additional time, Committee  
              staff reached out to the California Independent Bankers  
              Association and California Credit Union League.  Although  
              the lists provided by both organizations only include banks  
              and credit unions with a physical presence in California  
              (and could thus exclude depository institutions located out  
              of California, with card-holding California customers), they  
              are informative.  

          It appears that most credit unions and community banks with a  
              California presence fall below the $5 billion threshold, and  
              would thus be given until October 1, 2017 to comply with the  
              provisions of this bill.  Community banks which exceed the  
              $5 billion asset threshold, and which would therefore not  
              receive the additional two years, include Farmers and  
              Merchants Bank of Long Beach, BBCN Bank (Los Angeles),  
              Citizens Business Bank (Ontario), Pacific Western Bank  
              (Santa Monica), Cathay Bank (Los Angeles), California Bank &  
              Trust (San Diego), Silicon Valley Bank (Santa Clara), East  
              West Bank (Pasadena), OneWest Bank (Pasadena), City National  
              Bank (Beverly Hills), and First Republic Bank (San  
              Francisco).  Westamerica Bank of San Rafael falls just below  
              the $5 billion threshold and could rise above it, depending  
              on changes in its deposit base and its merger and  
              acquisition plans.

          Credit unions which exceed the $5 billion asset threshold  
              include First Tech Federal Credit Union (Mountain View), San  
              Diego County Credit Union (San Diego), Star One Credit Union  
              (Santa Clara), Golden 1 Credit Union (Sacramento), and  
              SchoolsFirst Credit Union (Orange).  

           11. Summary of Arguments in Support:   

               a.     Consumers Union (CU) supports SB 1351 on the basis  
                 that it will help reduce the number of Californians whose  
                 credit and debit information is stolen by taking steps to  
                 reduce counterfeit payment card fraud.  CU supports  
                 requiring the highest possible existing payment card  
                 security standard, and applauds SB 1351's emphasis on  
                 both card issuers and merchants.  Although SB 1351 would  
                 not stop all payment card fraud, the bill would help  
                 reduce it.  Over 90 percent of retail sales are made at a  
                 physical point of sale, the focus of this bill.

               CU is also supportive of the bill's requirement of chip and  
                 PIN.  "EMV cards allow for several cardholder  
                 verification methods including chip and signature and  
                 chip and PIN.  PIN is considered a more secure  
                 verification method than signature.  Requiring a PIN may  
                 prevent a stolen physical card from being used at the  
                 point of sale if the point of sale requires a PIN.  So,  
                 if a consumer's wallet was stolen and an EMV chip and PIN  
                 card was taken but that PIN wasn't known to the thief,  
                 the thief could not use that card to go on a shopping  
                 spree so long as all the merchants at the mall required a  
                 PIN to complete a transaction.  By requiring that the  
                 microchip technology use a PIN for verification, SB 1351  
                 is ensuring better consumer protection than either  
                 magstripe or chip and signature can provide."

               b.     Privacy Rights Clearinghouse supports Senator Hill's  
                 attempt to protect Californians from the now-pervasive  
                 epidemic of card-present payment card fraud.  "Recent  
                 high-profile payment card breaches at Target,  
                 Neiman-Marcus, Michaels, and other retailers clearly  
                 demonstrate the need to move away from magnetic stripe  
                 technology."  

           12. Summary of Arguments in Opposition:    

               a.     The California Bankers Association (CBA) opposes the  
                 bill on several grounds.  First, CBA asserts that the  
                 bill interferes with interstate commerce by attempting to  
                 regulate contracts between two out-of-state parties,  
                 neither of which is the state or a California consumer.   
                 Because of this, the state does not have standing to  
                 demand contract conditions.

               Second, the bill applies to payment cards that contain  
                 payment network logos, but not to private label cards  
                 issued by retailers.  Federal law requires banks to  
                 establish, maintain, and continually test their data  
                 security protocols to protect their customers from data  
                 security hackers.  Banks also maintain state-of-the-art  
                 fraud detection computer programs to detect unusual  
                 spending patterns on bank-issued cards.  Private label  
                 cards do not maintain these types of protections and will  
                 not maintain the added protections under the bill.  There  
                 is no reason to exempt private label cards from the bill,  
                 especially since they currently lack the enhanced  
                 security protections provided for bank-issued cards.

               Third, the bill's broad definition of a retailer covers a  
                 bank's ATM and in-branch card readers.  Although banks  
                 are in the process of upgrading their ATMs to accommodate  
                 new card technology, it is not expected to be completed  
                 by the October 1, 2015 deadline.  

               Finally, the bill specifically exempts state and local  
                 government entities as either the entity originating the  
                 issuance of payment cards or accepting payment cards for  
                 transactions.  The bill only applies to credit and debit  
                 cards, but does not include electronic benefit transfer  
                 cards for social service recipients because those cards  
                 are prepaid cards.  Social service beneficiaries or  
                 people making payments to government entities should have  
                 the same security protections that are afforded to all  
                 other credit and debit card transactions.

               b.     A coalition of business groups, including the  
                 California Chamber of Commerce, California Hotel and  
                 Lodging Association, California Restaurant Association,  
                 and Association of California Life and Health Insurance  
                 companies expressed similar concerns as those expressed  
                 by CBA.  In addition to those concerns, which are  
                 discussed immediately above, the coalition notes that the  
                 bill will set a bad precedent by placing a specific  
                 method of fraud prevention in statute.  "We are learning  
                 of all the ingenious and innovative ways that hackers and  
                 fraudsters are employing today, but they continue to get  
                 more and more creative.  Unfortunately, this bill ties  
                 the hands of the law-abiding companies that need dynamic  
                  and innovative methods instead of a one-size-fits-all  
                 approach to fight fraudsters and hackers."

               The coalition is also concerned about the broad definition  
                 of retailer in the bill, which not only covers large  
                 companies, but also small stores, small restaurants, and  
                 non-profits.  Businesses with very small profit margins  
                 may have to resort to cash-only transactions to avoid the  
                 requirements in the bill.

               Finally, the coalition questions whether the bill will  
                 provide its purported protections.  Payment cards issued  
                 after October 1, 2015 to comply with the provisions of SB  
                 1351 will have to include magnetic stripes to accommodate  
                 entities that are not required to accept chip and PIN  
                 cards until October 1, 2017.  For this reason, financial  
                 institutions and retailers in California that are subject  
                 to the October 1, 2015 implementation deadline in the  
                 bill will incur the costs and potential liability created  
                 by the bill, without fully experiencing the expected  
                 benefits.  

          13. Amendments:   The following technical amendments are  
              suggested to help ensure that the bill can be implemented  
              as intended by its author.  None of these amendments is  
              expected to remove outstanding opposition.

               a.     Clarify that the bill is intended to apply to POS  
                 transactions, and not to ATM transactions:

               Page 4, lines 9 through 11, amend the bill as follows:   
                 that accepts a payment card  in a card-present, point of  
                 sale transaction  shall provide a means of processing  
                 card-present  point of sale  transactions involving payment  
                 cards equipped with an embedded

               b.     Define financial institution, and clarify that it  
                 can include a retailer which issues its own in-house  
                 credit or debit card with a payment network logo:  

               Page 4, between lines 29 and 30, insert:  "Financial  
                 institution" means a depository institution or other  
                 entity that issues a payment card to a cardholder for use  
                 by that cardholder to purchase goods, services, or  
                 anything else of value.  For purposes of this bill,  
                 financial institution can include a retailer.

               c.     Clarify when the $5 billion asset threshold will be  
                 applied to financial institutions for purposes of  
                 determining which financial institutions are deemed  
                 "small financial institutions" for purposes of the bill,  
                 and clarify how long a financial institution has in which  
                 to comply with the bill if it exceeds the $5 billion  
                 threshold at some point after the bill becomes operative.  
                  

               Page 4, line 31, after "less" insert:  as of January 1,  
                 2015.  Any small financial institution whose assets  
                 subsequently exceed $5 billion shall be provided with one  
                 year from the date it first exceeds the $5 billion  
                 threshold to comply with subdivision (a) of Section  
                 1748.70.  

               d.     Page 4, line 33:  Strike "chapter" and insert:   
                 title

               e.     If this Committee wishes to ask the bill's author to  
                 apply the bill to retailer-issued credit and debit cards  
                 that lack payment network logos, the following amendment  
                 could be added:  

               Page 4, between lines 15 and 16, insert: (b) A retailer  
                 that issues a payment card which lacks a payment network  
                 logo shall ensure that any new or replacement payment  
                 card issued on or after October 1, 2017 has an embedded  
                 microchip capable of storing a PIN or any other  
                 technology that is generally accepted within the payments  
                 industry as being more secure than microchip technology  
                 for card-present fraud prevention.
        
          14. Prior and Related Legislation:   

               a.     AB 779 (Jones), 2007-08 Legislative Session:  Would  
                 have mandated compliance with specified Payment Card  
                 Industry Data Security Standards (PCI DSS) by entities  
                 that sell goods or services to any resident of California  
                 and accept as payment a credit card, debit card, or other  
                 payment device, as specified.  Vetoed by Governor  
                 Schwarzenegger.

               b.     AB 1656 (Jones), 2007-08 Legislative Session:   
                 Substantially similar to AB 779.  Vetoed by Governor  
                 Schwarzenegger.

               c.     AB 1710 (Dickinson and Wieckowski), 2013-14  
                 Legislative Session:  Would mandate compliance with  
                 specified PCI DSS by entities that sell goods or services  
                 to any resident of California and accept as payment a  
                 credit card, debit card, or other payment device, as  
                 specified; make any such entity liable for reimbursing  
                 all reasonable and actual costs of providing notice of a  
                 data breach and for the reasonable and actual costs of  
                 replacing payment cards following a data breach; would  
                 add to California's data breach notification  
                 requirements, as specified; and would add to the remedies  
                 available to prosecute violations of the aforementioned  
                 provisions.  Pending before the Assembly Judiciary  
                 Committee.  

           
          LIST OF REGISTERED SUPPORT/OPPOSITION
          
          Support
           
          Consumers Union
          Privacy Rights Clearinghouse
           
          Opposition
               
          Association of California Life and Health Insurance Companies
          California Bankers Association
          California Chamber of Commerce
          California Hotel and Lodging Association
          California Restaurant Association

          Consultant: Eileen Newhall  (916) 651-4102