BILL ANALYSIS
-----------------------------------------------------------------
|SENATE RULES COMMITTEE            | SB 1351|
|Office of Senate Floor Analyses   |        |
|1020 N Street, Suite 524          |        |
|(916) 651-1520 Fax: (916) 327-4478|        |
-----------------------------------------------------------------
THIRD READING
Bill No: SB 1351
Author: Hill (D)
Amended: 5/19/14
Vote: 21
SENATE BANKING & FINANCIAL INST. COMM. : 6-2, 4/9/14
AYES: Evans, Block, Correa, Hill, Hueso, Roth
NOES: Torres, Vidak
NO VOTE RECORDED: Berryhill
SENATE JUDICIARY COMMITTEE : 5-2, 5/6/14
AYES: Jackson, Corbett, Lara, Leno, Monning
NOES: Anderson, Vidak
SUBJECT : Payment cards
SOURCE : Author
DIGEST : This bill requires, until January 1, 2020, the
issuance and acceptance of credit and debit cards equipped with
microchips or any other technology, as specified.
Senate Floor Amendments of 5/19/14 strike references to
"generally accepted within the payments industry"; strike a
requirement that retailers' cards with no credit card logo
contain a chip; and add clarifying language to legislative
intent.
ANALYSIS : No existing state or federal law explicitly
requires implementation of specific payment card technologies by
card-issuing financial institutions, nor acceptance of specific
payment card technologies by retailers. Relevant state data
breach and data security laws are briefly summarized below:
1. Requires any agency, person, or business that owns or
licenses computerized data to disclose a breach of the
security of the system to any California resident whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time
possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement.
2. Requires any agency, person, or business that maintains
computerized data that the agency, person, or business does
not own to notify the owner or licensee of the information of
any security breach immediately following its discovery, if
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.
3. Imposes (with limited exceptions) an across-the-board data
security standard on businesses that own or license personal
information about California residents. The Information
Security Law requires such businesses to implement and
maintain reasonable security procedures and practices
appropriate to the nature of the information, to protect the
personal information from unauthorized access, destruction,
use, modification, or disclosure.
This bill:
1. Enacts legislative findings and declarations relating to the
adoption of microchip technology for credit cards in over 80
countries throughout the world, not including the U.S., and
to the value of these cards in combatting payment card fraud.
2. Requires, on and after January 1, 2015, that any contract
entered into between a financial institution and a payment
card network to govern the circumstances under which the logo
of the payment card network is displayed on a payment card
issued by that financial institution to include a provision
requiring that any new or replacement payment card issued by
that financial institution with that payment network logo, on
or after April 1, 2016, to a cardholder with a California
mailing address, have an embedded microchip or any other
technology that is more secure than microchip technology at
preventing card-present payment card fraud.
3. Requires, on and after January 1, 2017, any contract entered
into between a small financial institution, as defined, and a
payment card network to govern the circumstances under which
the logo of the payment card network is displayed on a
payment card issued by that financial institution to include
a provision requiring that any new or replacement payment
card issued on or after October 1, 2017, to a cardholder with
a California mailing address by that financial institution
with that payment card logo, have an embedded microchip or
other technology that is more secure than microchip
technology for card-present fraud prevention.
4. Specifies that if its assets exceed $5 billion, the small
financial institution will be provided with one year from the
date it first exceeds the $5 billion threshold to comply with
the provisions specified in #2 above.
5. Requires, on and after April 1, 2016, a retailer that
accepts a payment card in a card-present, point-of-sale (POS)
transaction to provide a means of processing card-present,
POS payment card transactions involving payment cards
equipped with an embedded microchip or any other technology
that is more secure than microchip technology for
card-present fraud prevention. Provides, however, that this
requirement applies to small retailers, as defined, and gas
station pump payment terminals on and after October 1, 2017.
6. Defines, among other terms, the following:
A. "Retailer" means a person or entity that furnishes
money, goods, services, or anything else of value upon the
presentation of a payment card by a cardholder.
"Retailer" shall not mean the state, a county, city, city
and county, or any other political subdivision of the
state.
B. "Small financial institution" means a financial
institution with assets of
$5 billion or less as of January 1, 2015.
C. "Small retailer" means a retailer with 10 or less
employees.
7. States legislative intent that this bill provides consumer
protection consistent with federal law and does not impact private
agreements between retailers, small retailers, and payment
card networks relating to which party bears liability for
fraudulent payment card usage.
8. Sunsets the bill's provisions on January 1, 2020.
Background
This bill is based upon the premise that the U.S., generally,
and California, specifically, will experience less card-present,
POS payment card fraud by migrating away from credit and debit
cards equipped with magnetic stripes toward credit and debit
cards equipped with integrated circuit cards. Credit and debit
cards that contain embedded integrated circuit cards are known
by many names, including "chip cards," "integrated circuit
cards," "smart cards," and "EMV cards (Europay, MasterCard and
Visa)." The term "chip card" will be used in this analysis.
This bill's author observes, "Retail fraud from counterfeit
credit cards has more than doubled since 2007 in the U.S., one
of the last countries in the world that relies almost
exclusively on magnetic strip identification technology for
credit cards. Even though credit cards with embedded microchips
reduce card-present fraud, less than one percent of credit cards
issued in the U.S. have chips. By comparison, chip-based credit
cards - which carry identification information as encrypted data
in a microchip that can be read only by special scanners in
stores - reduced counterfeit card fraud in Britain by 70 percent
from 2007 to 2012, according to the U.K. Card Association.
Meanwhile, hackers have found it increasingly easy to copy
identifying information on magnetic stripes and produce fake
cards. If chip cards were used in the U.S., fraud losses could
be halved, Aite Group estimates. U.S. merchants and banks had
2012 losses of $11.3 billion due to credit card fraud, or 5
cents on every $100 spent, according to the Nilson report."
At the present time, the timeline for U.S. migration to chip
cards is uncertain. Major card networks are pressuring
card-issuing depository institutions and merchants to migrate to
chip cards by October 2015. Banks and credit unions are
hesitant to issue chip cards to their card-holding customers if
those cards cannot be read by the POS devices used by merchants.
Merchants are hesitant to expend the significant costs
necessary to update their POS devices to chip readers before
chip cards are in wide circulation. According to recent press
accounts, the cost to achieve full migration is estimated at
approximately $8 billion: $6.8 billion to replace POS devices,
$1.4 billion to issue new cards, and $500 million for ATM
upgrades.
Chip cards. The chips in chip cards are integrated circuits,
and thus, microcomputers. Because they are equipped with
embedded microcomputers (also called microcontrollers), chip
cards can securely store large amounts of data, carry out their
own on-card functions such as encryption and authentication, and
interact more intelligently with card readers than cards
equipped with magnetic stripes. Unlike cards equipped with
magnetic stripes, whose stored data are static (unchanging from
one transaction to the next), chip cards generate a new code for
each transaction, making them far less susceptible to cloning
than traditional magnetic stripe cards.
Very little information on chip cards is "in the clear" (i.e.,
unencrypted). According to experts familiar with chip
technology, only the card number, expiration date, and
three-digit security code are available "in the clear" on these
cards. Cardholder names are commonly not in the clear on these
cards, nor is other cardholder data, such as billing address.
Chips in chip cards are commonly one of three types: contact,
contactless, and dual-interface (capable of being read in
contact or contactless mode). Cards equipped with contact chips
must be inserted into a chip-enabled terminal in order to be
read, to ensure that the contacts on the chip can make physical
connection with the contact readers in the terminal. Because
contact cards lack an antenna with which to wirelessly transmit
data from the chip, data on these chips cannot be read without
physical connectivity.
Contactless cards contain chips equipped with wireless antennae.
These antennae must be within approximately one and a half
inches of a terminal or other reader in order to be read.
Contactless chips with the latest technology can be turned off.
Other contactless chips cannot be turned off, but can be
shielded.
Experts contend that contactless chip cards do not represent
security hazards to their holders. Not only must the cards be
extremely close to a reader to be read, there is very little
useful information available from these cards, even if they
are read by thieves. A card number, expiration date, and
three-digit security code are of little use to a fraudster,
without a cardholder name or address. Experts advise that the
address verification software used by most merchants who accept
credit and debit cards would reject a transaction attempted by
someone who lacked the billing address or billing zip code for
an account.
Comments
According to the author, "SB 1351 reduces card present fraud at
the front-end by requiring chip technology. The bill allows for
any other technology that is more secure than chip technology to
promote innovation. Amendments have been taken to delay
implementation and create a five year sunset. Small employers
and small financial institutions will have extra time to comply.
Californians expect their government to do what is reasonable
to protect them. This bill ensures that financial institutions,
credit card companies and retailers utilize more secure payment
methods as soon as reasonably possible to protect consumers."
FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local: No
SUPPORT : (Verified 5/21/14)
Consumer Federation of California
Consumers Union
Privacy Rights Clearinghouse
OPPOSITION : (Verified 5/21/14)
Association of California Life and Health Insurance Companies
California Attractions and Parks Association
California Bankers Association
California Chamber of Commerce
California Hospital Association
California Hotel and Lodging Association
California Independent Bankers
California Restaurant Association
Electronic Transactions Association
Internet Coalition
MasterCard Worldwide
National Federation of Independent Business
Orange County Business Council
Simi Valley Chamber of Commerce
TechNet
The Internet Association
Visa, Inc.
ARGUMENTS IN SUPPORT : Consumers Union (CU) supports this bill
on the basis that it will help reduce the number of Californians
whose credit and debit information is stolen by taking steps to
reduce counterfeit payment card fraud. CU supports requiring
the highest possible existing payment card security standard,
and applauds this bill's emphasis on both card issuers and
merchants. Although this bill will not stop all payment card
fraud, this bill will help reduce it. Over 90% of retail sales
are made at a physical POS, the focus of this bill.
Privacy Rights Clearinghouse states, "Recent high-profile
payment card breaches at Target, Neiman-Marcus, Michaels, and
other retailers clearly demonstrate the need to move away from
magnetic stripe technology. SB 1351 would help protect
Californians from the now pervasive epidemic of card present
payment card fraud."
ARGUMENTS IN OPPOSITION : The California Bankers Association
asserts that this bill interferes with interstate commerce by
attempting to regulate contracts between two out-of-state
parties, neither of which is the state or a California consumer.
Because of this, the state does not have standing to demand
contract conditions.
A coalition of business groups, including the California Chamber
of Commerce, California Hotel and Lodging Association,
California Restaurant Association, and Association of California
Life and Health Insurance companies, notes that this bill will
set a bad precedent by placing a specific method of fraud
prevention in statute. "We are learning of all the ingenious
and innovative ways that hackers and fraudsters are employing
today, but they continue to get more and more creative.
Unfortunately, this bill ties the hands of the law-abiding
companies that need dynamic and innovative methods instead of a
one-size-fits-all approach to fight fraudsters and hackers."
The coalition is also concerned about the broad definition of
"retailer" in this bill, which not only covers large companies,
but also small stores, small restaurants, and non-profits.
Businesses with very small profit margins may have to resort to
cash-only transactions to avoid the requirements in this bill.
MW:k 5/22/14 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****