BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session
SB 1351 (Hill)
As Amended April 23, 2014
Hearing Date: May 6, 2014
Fiscal: No
Urgency: No
TH
SUBJECT
Payment Cards
DESCRIPTION
This bill would require contracts entered into between financial
institutions and payment card networks to require that new or
replacement payment cards issued on or after April 1, 2016, to a
cardholder with a California mailing address, contain an
embedded microchip or other technology more secure than
microchips for the prevention of card-present fraud. This bill
would extend to October 1, 2017, the date by which small
financial institutions must comply with the above provision.
This bill would also require retailers that accept payment cards
in card-present, point-of-sale transactions on or after April 1,
2016, to provide a means of processing payment cards equipped
with an embedded microchip or other technology more secure than
microchips for the prevention of card-present fraud. This bill
would extend to October 1, 2017, the date by which small
retailers and gas station pump payment terminals must comply
with the above provision.
BACKGROUND
The United States is rapidly advancing toward a cashless
economy. Today, an estimated 80 percent of consumer spending
(by value) is transacted using a form of payment other than
cash. In 2012, the Federal Reserve estimated that American
consumers performed 122.8 billion noncash payments, collectively
valued at $79 trillion. Of these noncash payments,
approximately two-thirds were made using credit cards, debit
cards, and prepaid debit cards (collectively "payment cards").
The number of payment card transactions as a percentage of total
noncash transactions has increased dramatically over recent
years, rising from 43 percent in 2003 to 67 percent in 2012.
Despite an apparent growing reliance on payment cards in the
U.S., the majority of American consumers have expressed "serious
concern" about fraud and other security risks involved in using
credit and debit cards. A 2012 survey found that 52 percent of
Americans are "seriously concerned" about other people obtaining
and using their credit or debit card accounts, and 54 percent
expressed "serious concern" over identity theft. (See Unisys
Security, Unisys Security Index: US (April 18, 2013)
[as of Apr.
29, 2014].) The survey also found that 33 percent of Americans
are "seriously concerned" about the security of shopping or
banking online, and two-thirds (67 percent) are "at least
somewhat concerned about data breaches hitting their banks and
financial institutions." Overall, the survey concluded that
financial security was the largest threat concerning U.S.
residents, driven principally by worry about identity theft and
payment card fraud.
Regarding the amount of fraud occurring on electronic payment
systems, the Federal Reserve estimates that 31.1 million
unauthorized transactions (third-party fraud) occurred on
electronic payment systems in 2012, with a value of $6.1
billion. Ninety-two percent of these fraudulent transactions
(65 percent by value) occurred using payment and ATM cards. By
contrast, only eight percent of fraudulent transactions (35
percent by value) were made using checks and automated
clearinghouse (ACH) direct-debit account transfers.
Multiple technologies exist for use in combatting fraud on
electronic payment systems. One such technology involves
embedded microchips or integrated circuits that communicate
information to a payment or ATM terminal. These "integrated
circuit cards" can be read either directly via contact with a
reader or with a remote, contactless radio frequency interface.
Because they are equipped with embedded microcontrollers, chip
cards are able to securely store large amounts of data, carry
out their own on-card functions such as encryption and
authentication, and interact more intelligently with card
readers than cards equipped with magnetic stripes. Unlike cards
equipped with magnetic stripes, whose stored data are static,
integrated circuit cards are capable of generating new
authentication codes for each transaction, making them far less
susceptible to cloning than traditional magnetic stripe cards.
This bill would require payment card networks and financial
institutions to incorporate microchip-enabled payment card
technology into the payment card systems used by cardholders
with California mailing addresses by April 1, 2016, and would
require California retailers that accept payment cards at
point-of-sale terminals to provide a means for processing these
microchip-enabled cards by the same date. The bill would extend
to October 1, 2017, the date by which small retailers, gas
station pump payment terminals, small financial institutions,
and private labeled payment cards, as defined, must incorporate
microchip-enabled payment card technology into their payment
card systems.
CHANGES TO EXISTING LAW
Existing law provides that a business that owns or licenses
personal information about a California resident shall implement
and maintain reasonable security procedures and practices
appropriate to the nature of the information, to protect the
personal information from unauthorized access, destruction, use,
modification, or disclosure. (Civ. Code Sec. 1798.81.5(b).)
Existing law also mandates a business that discloses personal
information about a California resident pursuant to a contract
with a nonaffiliated third party to require by contract that the
third party meet the above security requirements. (Civ. Code
Sec. 1798.81.5(c).)
Existing law requires state agencies, under the Information
Practices Act (IPA), to establish appropriate and reasonable
administrative, technical, and physical safeguards to ensure
compliance with the IPA, to ensure the security and
confidentiality of records, and to protect against anticipated
threats or hazards to their security or integrity which could
result in any injury. (Civ. Code Sec. 1798.21.)
Existing law requires any agency, person, or business that owns
or licenses computerized data that includes personal information
to disclose a breach of the security of the system to any
California resident whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified. (Civ. Code Secs. 1798.29(a) and (c), and 1798.82(a)
and (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify the
owner or licensee of the information of any security breach
immediately following discovery if the personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. (Civ. Code Secs. 1798.29(b) and
1798.82(b).)
This bill would, on and after January 1, 2015, require any
contract entered into between a financial institution and a
payment card network to govern the circumstances under which the
logo of the payment card network is displayed on a payment card
issued by that financial institution to include a provision
requiring that any new or replacement payment card issued on or
after April 1, 2016, to a cardholder with a California mailing
address, have an embedded microchip or other technology that is
generally accepted within the payments industry as being more
secure than microchip technology for card-present fraud
prevention.
This bill would, on and after January 1, 2017, require any
contract entered into between a small financial institution, as
defined, and a payment card network to govern the circumstances
under which the logo of the payment card network is displayed on
a payment card issued by that financial institution to include a
provision requiring that any new or replacement payment card
issued on or after October 1, 2017, to a cardholder with a
California mailing address, have an embedded microchip or other
technology that is generally accepted within the payments
industry as being more secure than microchip technology for
card-present fraud prevention.
This bill would, on and after April 1, 2016, require a retailer
that accepts a payment card in a card-present, point-of-sale
transaction to provide a means of processing card-present,
point-of-sale payment card transactions involving payment cards
equipped with an embedded microchip capable of storing a
personal identification number or any other technology that is
generally accepted within the payments industry as being more
secure than microchip technology for card-present fraud
prevention. This bill would provide, however, that this
requirement shall apply to small retailers, as defined, and gas
station pump payment terminals on and after October 1, 2017.
This bill would require a retailer that issues a payment card
that lacks a payment network logo to ensure that any new or
replacement payment card issued on or after October 1, 2017, has
an embedded microchip or other technology that is generally
accepted within the payments industry as being more secure than
microchip technology for card-present fraud prevention.
This bill would remain in effect until January 1, 2020, and as
of that date would be repealed, unless a later enacted statute,
that is enacted before January 1, 2020, deletes or extends that
date.
This bill would define, among other terms, the following:
"Retailer" means a person or entity that furnishes money,
goods, services, or anything else of value upon the
presentation of a payment card by a cardholder. "Retailer"
shall not mean the state, a county, city, city and county, or
any other political subdivision of the state.
"Small financial institution" means a financial institution
with assets of five billion dollars ($5,000,000,000) or less
as of January 1, 2015.
"Small retailer" means a retailer with 10 or less employees.
COMMENT
1. Stated need for the bill
The author writes:
There are many types of credit card fraud that negatively
impact consumers. SB 1351 just focuses on the issue of
"card-present fraud" when perpetrators use counterfeit cards
at stores either by skimming a duplicate or getting your card
information from a source then putting it onto a fake card.
Retail fraud from counterfeit credit cards has more than
doubled in the United States since 2007. In 2012, U.S.
merchants and banks had losses of $11.3 billion due to
credit-card fraud. Less than 1 percent of credit cards issued
in the U.S. have chip technology, yet more than 80 countries
around the world utilize this technology for most of their
transactions. Chip cards reduced counterfeit card fraud in
Britain by 70 percent from 2007 to 2012. If chip cards were
used in the U.S., fraud losses could be cut in half. This is
because chip cards are nearly impossible to duplicate and they
create unique verification codes for each transaction.
Fortunately, our financial institutions, credit card networks,
and retailers are moving in the right direction by
transitioning to chip based technology starting in October of
2015. However, I believe it's taken us too long to get here
and it's hurt all parties, especially the consumer. We owe it
to our constituents to ensure that all of the players
successfully participate in the transition in October of 2015.
SB 1351 ensures that financial institutions and credit card
networks issue cards with chip technology and it requires
retailers to use machines capable of reading the chip cards.
This bill ensures that financial institutions, credit card
companies and retailers utilize more secure payment methods as
soon as possible. It's in the best interest of consumers and
it's in the best interest of the industry because it will
reduce fraud. I often hear from my constituents about what
we're doing in the legislature to address credit card fraud
and privacy issues. This bill tries to address the in-person
card-present fraud problem with a technology that we know
works. We owe it to Californians to get this technology
deployed as fast as possible.
2. Pending Liability Shift
Both federal and state laws limit consumer liability for
fraudulent activity on credit and debit card accounts.
Financial institutions and card issuers oftentimes further
agree to hold consumers harmless for fraudulent activity as a
matter of contract, provided that consumers timely inform their
card issuer of suspected fraud. Consequently, whenever card
fraud occurs, liability for associated costs is typically
apportioned between financial institutions, card issuers, and
retailers, according to payment network rules and use contracts.
Generally speaking, if payment card fraud occurs in an in-person
(card-present) transaction, despite every party's adherence to
their contractual obligations to prevent fraud, the card-issuing
financial institution is typically responsible for covering the
cost of that fraud. If the fraudulent transaction is of the
"card-not-present" variety (e.g., online, phone, or mail order
transactions), the merchant generally bears the cost of fraud.
The existing apportionment of liability is scheduled to change
in October 2015 in what is known as the "liability shift." In
an effort to drive the adoption of more secure payment card
technology across the industry, many of the major payment card
networks plan to adopt new apportionment rules for fraud
liability which will generally place costs with the party that
has not adopted the more secure technology. According to
MasterCard:
[I]f a merchant is still using the old system, they can still
run a transaction with a swipe and a signature. But they will
be liable for any fraudulent transactions if the customer has
a chip card. And the same goes the other way - if the
merchant has a new terminal, but the bank hasn't issued a chip
and PIN [personal identification number] card to the customer,
the bank would be liable . . . The key point of a liability
shift is not actually to shift liability around the market.
It's to create co-ordination in the market, so you have
issuers and merchants investing in the migration at the same
time. This way, we're not shifting fraud around within the
system; we're driving fraud out of the system. (Gara, October
2015: The End of the Swipe-and-Sign Credit Card (Feb. 6, 2014)
[as of April
30, 2014].)
Other countries that have migrated to chip-enabled payment card
systems experienced repeated delays in implementing the new
technology. For example, Canada's implementation of chip and
PIN payment card systems took more than seven years. (See
Schuman, Canada Delays Ultra-Secure Payment Card System (Oct. 1,
2010)
[as of April 30, 2014].) This has led some
commentators to suggest that full implementation of chip-enabled
payment card systems in the U.S. could take close to a decade.
(Id.)
This bill would essentially force payment card networks, card
issuers, financial institutions, and retailers to largely adhere
to the October 2015 date for adopting chip-enabled payment card
systems. The bill would require relevant contracts between
financial institutions and payment card networks entered into
after January 1, 2015, to expressly require the adoption of
payment card systems capable of reading cards with embedded
microchips by April 1, 2016, with 18-month extensions for small
retailers, small financial institutions, and gas station pump
payment terminals. This bill would not necessarily prohibit the
use of legacy magstripe card payment terminals by retailers, but
it would require that all new or replacement payment cards
issued after April 1, 2016, to cardholders with California
addresses contain embedded microchip technology, its
technological equivalent, or a fraud prevention technology more
secure than microchip technology. However, those market
participants that continue to use legacy payment systems after
the statutory deadlines in this bill and fail to at least
procure the new infrastructure could potentially expose
themselves to litigation.
Several entities in opposition suggest that forcing a transition
to microchip-enabled payment cards could actually derail
existing plans to introduce this technology in U.S. markets.
The Electronic Transactions Association, for example, states:
Advanced technologies like chips embedded in credit and debit
cards ("EMV" cards) are already coming to market in the U.S.
by October 2015. The payments industry has been working for
more than 4 years to facilitate EMV acceptance at more than 8
million merchants in the United States, and we are in the
final stretches of that effort. Even a well-intentioned
disruption to the timeline could slow the migration process,
delay widespread adoption of new technology, and expose
consumers to unnecessary confusion.
Other entities in opposition suggest that the implementation
timeframe required by SB 1351 is unrealistic. MasterCard and
Visa, for example, state:
We also believe that any expectation of 100 [percent]
compliance to the required adoption timeline is unrealistic
given the complexities of the migration. Under the current
liability shift timelines, we will see card issuance and
merchant terminalization steadily increase but we won't see
full adoption within the timeframe required by SB 1351. Even
today, the UK, which has been highlighted in the legislation,
doesn't have 100 [percent] chip adoption.
3. Exempting Government Entities
As amended, this bill would exempt state and local governments
from having to adopt a means of processing card-present,
point-of-sale payment card transactions involving payment cards
equipped with an embedded microchip by specifying that the term
"retailer" does not include the state, a county, city, city and
county, or any other political subdivision of the state. To the
extent the author seeks to drive industry-wide adoption of more
secure payment card technology, this exemption could prompt a
significant part of the payment card landscape to retain legacy
card technology and infrastructure. The State of California,
its cities, counties, special districts, and other subdivisions
actively participate in the state's retail sector, selling
anything from souvenirs at State Parks, to agency trade
publications and reports, to customized license plates at DMV
service centers. Indeed, as recent news of a suspected data
breach of payment card data collected by the Department of Motor
Vehicles demonstrates, the state and its subsidiaries are no
more immune to payment card fraud and data breach than any other
retailer. (See Carlton and Sidel, California DMV Investigating
Potential Credit Card Breach (March 23, 2014)
[as of Apr. 30,
2014].)
As the payment card industry shifts to more secure payment card
technology, state and local government retailers may be
compelled to adopt the more secure technology in order to meet
their obligations under existing law. For example, statutes
such as the Information Practices Act already require state
agencies to "establish appropriate and reasonable
administrative, technical, and physical safeguards to . . .
ensure the security and confidentiality of records, and to
protect against anticipated threats or hazards to their security
or integrity which could result in any injury." (Civ. Code Sec.
1798.21.) Depending on the way California's retail non-cash
payment market evolves, existing law could mandate adoption of
the very technology at issue in this bill. However, in the near
term this bill might undercut statewide adoption of enhanced
security payment card technology by exempting arguably one of
the largest retailers in the state.
4. Fraud Migration to Online Transactions
Although valuable in combatting card-present fraud, payment
cards equipped with embedded microchips are no more or less
secure than cards with magnetic stripes in card-not-present
transactions (e.g., online transactions). Countries that have
migrated to integrated circuit cards have seen a shift away from
card-present fraud to card-not-present fraud following the
adoption of these cards. According to the Smart Card Alliance:
Experience with EMV [chip card] implementation in other
countries indicates that one indirect consequence of EMV
implementation is an increased incidence of fraud for virtual
POS [point-of-sale] purchases, in what are often referred to
as "card-not-present" (CNP) transactions. CNP transactions
are just what the name implies: transactions in which the
plastic card form factor is not presented to the merchant at
the time of purchase (e.g., for purchases made on the Internet
or by telephone). These are transactions that cannot be
authenticated using "standard" processes used at the physical
POS. CNP transactions require an alternative approach to
cardholder authentication. (Smart Card Alliance,
Card-Not-Present Fraud: A Primer on Trends and Authentication
Processes (February 2014) [as of Apr. 30, 2014]).
Staff notes that a multiplicity of tools are available to combat
card-not-present fraud, including the use of static passwords or
PINs, random static passwords, static knowledge-based
authentication, random knowledge-based authentication, one-time
password using hard tokens, one-time password using soft tokens,
scratch cards, bingo cards, voice verification, chip
authentication programs with personal card readers or mobile
devices, physical biometrics, and behavioral biometrics.
5. Codifying Technological Standards
Several groups in opposition suggest that this bill would have
the practical effect of freezing a particular anti-fraud
technology in law, potentially preventing the payment card
industry from adopting newer, more effective anti-fraud
technology as it becomes available. TechNet, in opposition,
writes:
While recognizing that this legislation is well intentioned,
we would caution against legislating technology standards or
mandating a specific security or payment technology, to avoid
hindering the rapid rate of new payment innovations that are
coming to market, especially mobile wallet solutions that will
leverage a range of new tools to authenticate payments and
enhance security. In forging this well intended policy, SB
1351 will stop technological advancement with mandates that
are not aligned with innovation.
Staff notes that two provisions of the bill potentially address
concerns that SB 1351 could require the adoption and deployment
of obsolete security technology. First, each operative
provision of the bill that requires payment card industry
participants to deploy or accept payment cards with embedded
microchips also contains a clause allowing "any other technology
that is generally accepted within the payments industry as being
more secure than microchip technology for card-present fraud
prevention" to be adopted or deployed in its place. While this
added flexibility could result in interoperability problems as
different technologies are adopted by different market
participants, it does allow industry participants to adopt new,
more secure payment innovations as they are developed. It may,
however, delay immediate adoption of more secure technologies
until they are "generally accepted within the payments
industry," meaning that widespread adoption or endorsement may
be required before these other technologies could be used in
lieu of microchip technology. Second, this bill contains a
sunset clause that would automatically repeal its provisions on
January 1, 2020. To the extent this bill would freeze
technological standards in statute, it could only do so up until
that date.
6. Interference with Interstate Commerce:
Several entities in opposition suggest that the payment card
implementation mandates proposed in this bill unduly interfere
with businesses that operate both within and outside of
California, or, relatedly, that payment card security standards
should be implemented nationwide at the federal level, if at
all. The California Bankers Association, for example, states:
This bill attempts to regulate interstate commerce by
interjecting the state into a contract in which it is not a
party. The contract to issue a credit or debit card is
between the financial institution and the payment card
network. In many instances these corporations are not
incorporated in California and they agree to the contract
terms outside of California. These contracts are not similar
to the contracts between a card issuer and a consumer, but a
contract between two businesses. Neither the [S]tate of
California nor California consumers are parties to that
contract and do not have standing to demand contract
conditions.
This concern - that California ought not interfere with
interstate commerce - raises the question of whether this bill
runs afoul of the Dormant Commerce Clause of the U.S.
Constitution. According to the U.S. Supreme Court, "[w]here [a]
statute regulates even-handedly to effectuate a legitimate local
public interest, and its effects on interstate commerce are only
incidental, it will be upheld unless the burden imposed on such
commerce is clearly excessive in relation to the putative local
benefits." (Pike v. Bruce Church, Inc. (1970) 397 U.S. 137,
142.) Given the fact that most major card networks expect
market participants to adopt microchip-enabled payment card
infrastructure by October 2015, this bill arguably has only
incidental (if any) impacts on interstate commerce. Further,
the State of California undoubtedly has a substantial interest
in combatting the impact of payment card fraud on California
consumers.
7. Technical Amendment:
A prior iteration of this bill would have required payment card
networks, financial institutions, and retailers to incorporate
microchip-enabled payment card technology capable of storing a
personal identification number (PIN) into the payment card
systems used by cardholders with California mailing addresses in
accordance with the deadlines set by the bill. On April 23,
2014, the author amended this bill to, among other things,
remove the requirement that payment card networks, financial
institutions, and retailers incorporate payment card technology
specifically capable of storing PINs into their payment
card systems. However, one reference to PIN technology was
inadvertently left in the bill. The author offers the following
amendment to remove this remaining reference.
Author's Amendment:
On page 4, lines 9 through 10, strike: "capable of storing a
personal identification number"
Support: Consumers Union; Privacy Rights Clearinghouse
Opposition: Association of California Life and Health Insurance
Companies; California Bankers Association; California Chamber of
Commerce; California Hospital Association; California Hotel and
Lodging Association; California Independent Bankers; California
Restaurant Association; Electronic Transactions Association;
Internet Association; Internet Coalition; MasterCard Worldwide;
National Federation of Independent Business; TechNet; Visa, Inc.
HISTORY
Source: Author
Related Pending Legislation: AB 1710 (Dickinson and Wieckowski)
would require a person or business that sells goods or services
to any resident of California and accepts as payment a credit
card, debit card, or other payment device, to comply with
certain provisions of the Payment Card Industry (PCI) Data
Security Standards. This bill would also impose reimbursement
costs on a party who violates the standards for the reasonable
and actual costs of breach reporting and card replacement caused
by any breach of payment card data if the data was unencrypted.
This bill is pending in the Assembly Committee on Judiciary.
Prior Legislation:
AB 1779 (Jones, 2008) would have codified certain provisions of
the Payment Card Industry (PCI) Data Security Standards relating
to payment card transactions where a person, business, or agency
sells goods or services to any resident of California and
accepts as payment a credit card, debit card, or other payment
device. This bill would have also imposed reimbursement costs
on a party who violates the standards for the reasonable and
actual costs of breach reporting and, under certain conditions,
the actual costs of reissuing payment cards caused by a breach
of unencrypted payment card data. This bill died in the Senate
Committee on Judiciary.
AB 1656 (Jones, 2008) would have codified certain provisions of
the Payment Card Industry (PCI) Data Security Standards relating
to payment card transactions where a person, business, or agency
sells goods or services to any resident of California and
accepts as payment a credit card, debit card, or other payment
device. This bill would have also imposed reimbursement costs
on a party who violates the standards for the reasonable and
actual costs of breach reporting caused by a breach of
unencrypted payment card data. This bill was vetoed by Governor
Schwarzenegger because the bill legislated "in an area where the
marketplace has already assigned responsibilities and
liabilities that provide for the protection of consumers."
AB 779 (Jones, 2007) was substantially similar to AB 1656
(Jones, 2008) and was vetoed by Governor Schwarzenegger for the
same reasons.
Prior Vote: Senate Committee on Banking and Financial
Institutions (Ayes 6, Noes 2)