BILL ANALYSIS
SENATE BANKING & FINANCIAL INSTITUTIONS COMMITTEE
Senator Noreen Evans, Chair
2013-2014 Regular Session
SB 1351 (Hill) Hearing Date: May 27, 2014
As Amended: May 22, 2014
Fiscal: No
Urgency: No
SUMMARY Would, until January 1, 2020, require the issuance and
acceptance of credit and debit cards equipped with microchips,
as specified.
NOTE: This bill is back before the Senate Banking & Financial
Institutions Committee pursuant to Senate Rule 29.10. Because
the Committee heard and passed SB 1351 on April 9, 2014, this
analysis will focus on the changes made to this bill since that
hearing.
DESCRIPTION Changes made to the bill after it passed this
Committee on April 9th are shown in bold. Strikeouts represent
language that was in the version passed by this Committee and
subsequently deleted from the bill. Italics represent language
that was added to the bill after it passed this Committee.
1. Would enact findings and declarations relating to the
adoption of microchip technology for credit cards in over 80
countries throughout the world, not including the United
States, and to the value of these cards in combatting
payment card fraud.
2. Would, on and after January 1, 2015, require any contract
entered into between a financial institution and a payment
card network to govern the circumstances under which the
logo of the payment card network is displayed on a payment
card issued by that financial institution to include a
provision requiring that 75 percent of any new or
replacement payment cards card issued by that financial
institution with that payment network logo, on or after
April 1, 2016 October 1, 2015 , to a cardholder with a
California mailing address, have an embedded microchip
capable of storing a PIN or any other technology that is
generally accepted within the payments industry as being
more secure than microchip technology at preventing
card-present payment card fraud.
3. Would delay the imposition of the requirement summarized in
Number 2, above, by eighteen months two years for small
financial institutions, which would be defined as financial
institutions with assets of $5 billion or less.
4. Would, on and after April 1, 2016 October 1, 2015 , require
a retailer that accepts payment cards in card-present, point
of sale transactions to provide a means of processing
transactions involving payment cards equipped with embedded
microchips capable of storing PINs or other technology that
is generally accepted within the payments industry as being
more secure than static magnetic stripe microchip technology
at preventing card-present payment card fraud.
5. Would delay the imposition of the requirement summarized in
Number 4, above, by eighteen months two years for small
retailers and gas station pump payment terminals, and would
define a small retailer as a retailer with ten or fewer
employees.
6. Would require a retailer that issues a payment card which
lacks a payment network logo to ensure that any new or
replacement payment card issued on or after October 1, 2017
has an embedded microchip capable of storing a PIN or any
other technology that is generally accepted within the
payments industry as being more secure than microchip
technology for card-present fraud prevention.
7. Would provide definitions for the terms financial
institution, small financial institution, payment card,
payment card network, retailer, and small retailer.
8. Would state the intent of the Legislature that the bill
provide consumer protection consistent with federal law and
not impact private agreements between retailers, small
retailers, and payment card networks relating to which party
bears liability for fraudulent payment card usage.
9. Would sunset on January 1, 2020.
EXISTING LAW No existing state or federal law explicitly
requires implementation of specific payment card technologies by
card-issuing financial institutions, nor acceptance of specific
payment card technologies by retailers. Relevant state data
breach and data security laws are briefly summarized below.
Existing state law:
1. Requires any agency, person, or business that owns or
licenses computerized data to disclose a breach of the
security of the system to any California resident whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time
possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement (Civil Code Sections
1798.29 and 1798.82).
2. Requires any agency, person, or business that maintains
computerized data that the agency, person, or business does
not own to notify the owner or licensee of the information
of any security breach immediately following its discovery,
if personal information was, or is reasonably believed to
have been, acquired by an unauthorized person (Civil Code
Sections 1798.29 and 1798.82).
3. Imposes (with limited exceptions) an across-the-board data
security standard on businesses that own or license personal
information about California residents. The Information
Security Law requires such businesses to implement and
maintain reasonable security procedures and practices
appropriate to the nature of the information, to protect the
personal information from unauthorized access, destruction,
use, modification, or disclosure (Civil Code Section
1798.81.5).
COMMENTS
1. Purpose: This bill is intended to reduce card-present
payment card fraud.
2. Why Is SB 1351 Back Before This Committee? SB 1351 is back
before this Committee for two reasons. First, when SB 1351
was heard by this Committee on April 9th, its author offered
to take five amendments, which were subsequently approved by
this Committee when it voted to pass the measure. One of
those amendments applied the bill to private label cards
(i.e., payment cards that lack the logo of a major payment
network, such as Visa or MasterCard). On May 19th, the
author amended SB 1351 to exempt private label cards from
the bill. SB 1351 is now back before this Committee, to
allow Committee members to weigh in on whether the May 19th
amendments went against the Committee's wishes by deleting
language that the Committee had previously approved.
Second, SB 1351 has been significantly amended since it was last
heard by this Committee. The May 22nd amendments, in
particular, represent a significant change to the substance
of the bill that was heard and passed by this Committee on
April 9th. This Senate Rule 29.10 hearing will allow
Committee members to review the entirety of the amendments
made to the bill since it was last heard by this Committee.
3. What Options Does This Committee Have? Pursuant to Senate
Rule 29.10, this Committee may vote to return SB 1351 to the
Senate Floor or hold the bill in Committee. The Committee
may not amend SB 1351. If the Committee wishes to ask the
author to amend his bill, it would seek a commitment from
the author to amend his bill upon its return to the Senate
Floor or in the Assembly.
4. Discussion: The author has taken several amendments since
SB 1351 was passed by the Committee on April 9th, all of
which were intended to address concerns raised by the
opposition. Those amendments:
a. Deleted the bill's reference to personal
identification numbers (thus turning the bill from one
that would have required migration to "chip and PIN" to
one that would require migration to "chip"). Opponents
had argued that "chip and PIN" provides a very small
marginal benefit over "chip" in combatting payment card
fraud, but adds significant additional cost for card
issuers and retailers, and adds significant complexity
that would make migration to chip and PIN by the dates
required by the bill extremely challenging.
b. Delayed the October 1, 2015 implementation date by
six months, to April 1, 2016, for financial institutions
and retailers that are not otherwise covered by
provisions of the bill that allow for an October 1, 2017
implementation date. This amendment was intended to
provide more time for financial institutions and
retailers to achieve compliance with the provisions of
the bill.
c. Deleted the phrase "generally accepted in the
payments industry as being more secure" than microchip
technology for card-present fraud prevention, in several
places where it had previously appeared in the bill. The
opposition had argued that the "generally accepted"
language was too vague and would be too difficult to
implement (i.e., who would determine whether a technology
was "generally accepted?").
d. Reduced, from 100% to 75%, the percentage of new and
replacement credit and debit cards that must be equipped
with microchip technology or a technology that is more
secure than microchip technology by the dates specified
in the bill. This amendment was intended to respond to
concerns that 100% compliance was unachievable and
unrealistic. This amendment is discussed in more detail
below.
e. Deleted private label cards from the bill. This
amendment is discussed in more detail below.
f. Changed the standard to which retailers and small
retailers are held. Instead of being required to accept
cards equipped with microchips or with another technology
that is more secure than chip, retailers and small
retailers will be required to accept cards equipped with
microchips or with another technology that is more secure
than static magnetic stripe. This amendment is discussed
in more detail below.
g. Added a statement of intent that the bill is not
intended to impact private agreements between retailers,
small retailers, and payment card networks relating to
which party bears liability for fraudulent payment card
usage. Opponents had argued that the bill would impact
these contracts.
5. The "Private-Label Card" Amendment: Private-label cards are
credit and debit cards that lack payment network logos. On
April 9th, this bill's author offered an amendment to apply
the provisions of this bill to private label cards. He did
so in response to concerns expressed by financial
institutions and others that the bill should not be
selectively applied; if cards with network logos had to be
chip-enabled, then cards without network logos should have
to be chip-enabled, as well.
However, in the weeks following that hearing, bank and retailer
representatives contacted the author, seeking to have the
private label card amendment removed. According to these
advocates, private label cards are associated with low
incidences of fraud, because, even when they are lost,
stolen, or counterfeited, they can only be used at the
retailer that issued them (unlike cards equipped with
payment network logos, which can be used anywhere cards with
that payment network logo are accepted).
Furthermore, many private label cards are used once, and then
never again. Many consumers sign up for a private label
card in order to obtain a discount ("get 10% off your
purchases, if you sign up today"), and never use the card
again. Other consumers may use private label cards more
than once, but don't carry the cards with them; when they
shop at the retailer that issued their card, they ask the
employee at the cash register to look up their card number,
and use the card in an in-person, card-not-present
transaction.
Thus, it appears that, in many cases, the cost of migrating
private label cards to chip technology outweighs the
benefits that would be derived from that migration. For
that reason, the author removed private label cards from his
bill.
6. Amendment Requiring 75% Compliance: This amendment was
intended to address concerns raised by financial
institutions and payment card networks that 100% compliance
by financial institutions with the bill's provisions is
unachievable and unrealistic. According to the author's
office, major financial institutions have informed the
author that they will achieve 75% compliance by April 1,
2016.
However, this amendment does pose implementation challenges. A
100% compliance rate is fairly easy to verify; if a single
California consumer receives a new or replacement card after
April 1, 2016 that is not chip-enabled (or equipped with a
technology safer than chip), the financial institution which
issued that card is not in compliance with the bill. A
compliance percentage lower than 100% is much harder to
verify. Many of the financial institutions that will be
subject to this bill are federally-regulated. Because the
state lacks visitorial powers over federally-chartered
financial institutions, our state regulators may not examine
them, nor require them to submit documentation regarding
their levels of compliance. For that reason, this amendment
relies on self-policing by the banks and credit unions that
are subject to the bill. This amendment may also place
responsibility for validating compliance percentages with
the courts, if a California cardholder brings an action
against a card-issuer to enforce the provisions of the bill.
7. Amendment Requiring Retailers To Meet a "Chip or Safer than
Stripe" Standard: As amended on May 22, 2014, SB 1351 holds
retailers to a different standard than financial
institutions. Financial institutions must issue cards
equipped with chips or with a technology that is safer than
chip, while retailers must be able to accept cards equipped
with chips or with a technology that is safer than static
magnetic stripe. This amendment was intended to provide
more flexibility to retailers, many of which have informed
the author they are utilizing mobile card acceptance
technologies that are more protective of consumers than
existing magnetic stripe readers. This amendment was also
intended to help address concerns raised by the technology
and electronic payments industries that SB 1351 will stifle
the development of innovative new payment technologies.
According to the author's office, some examples of the
technologies whose use this amendment would allow include
Ziosk, a tablet-based payment technology that was recently
tested at the Chili's restaurant chain; Square, the dongle
which allows anyone with an iPhone to accept a credit or
debit card; Intuit's GoPayment, VeriFone's SAIL, and
PayAnywhere.
However, this amendment also raises questions. First, why hold
financial institutions to a different standard than
retailers? Why is "chip or safer than stripe" appropriate
for retailers, when financial institutions are held to a
"chip or safer than chip" standard?
Second, will this amendment undercut the author's desire to
protect California cardholders? Will the amendment
encourage the development of technologies that are safer
than stripe, but not as safe as chip?
8. Summary of Arguments in Support (based on the May 22nd
version of the bill):
a. The Consumer Federation of California writes, "While
SB 1351 would not stop all payment card fraud, it will
ensure that Californians receive the latest technology to
protect their payment card information at the physical
point of sale, thereby lowering the chances that
California consumers will be victims of counterfeit card
fraud."
9. Summary of Arguments in Opposition (based on the May 22nd
version of the bill):
a. MasterCard and Visa support the expedient adoption
of EMV microchip technology, but oppose a state
legislative mandate requiring such adoption. Both
payment card networks believe that the legislative
mandate contained in SB 1351 will create more harm than
good. By mandating a specific technology, the bill ties
the hands of California businesses who wish to adopt
newer or additional fraud prevention methods to keep pace
with today's cyber criminals. The liability shift
approach that has been used by MasterCard and Visa to
encourage migration to chip cards around the world has
been extremely effective. Liability shifts allow
companies to look ahead and more effectively plan their
EMV implementations. The liability shift approach also
allows businesses to focus their attention on the areas
of greatest risk and opportunity. For example, a large
retail chain location with high international traffic may
benefit more from an earlier investment in chip than a
neighborhood dry cleaner with a single dial-up terminal
that is at low risk of cyber attack or fraud.
The card networks also believe that a state legislative
mandate to adopt EMV chip would be inefficient for both
merchants and financial institutions. Large retailers
and financial institutions which are not headquartered in
California, but which do business in the state, will be
forced to segregate their implementation of an already
complex and expensive migration, and will likely see no
fraud reduction benefits as a result of that additional
expense, because fraud can easily migrate across state
lines. Small, service oriented merchants will be
particularly harmed by the mandate, due to the high
expense of migration coupled with the low levels of fraud
they currently experience.
Furthermore, the technology that supports the electronic
payments ecosystem is dynamic and moves at a rapid pace.
The future of payment security relies on at least three
technologies in the near term: EMV chip, tokenization,
and point-to-point encryption. The payments ecosystem in
the U.S. is larger and more complex than any other in the
world. Leading industry brands have been mindful to
allow enough time for this migration to occur without
disadvantaging smaller merchants and financial
institutions or unduly disrupting the ability of
consumers to rely on electronic payments as the migration
process occurs.
b. A coalition of business and technology groups,
including the California Chamber of Commerce, National
Federation of Independent Business, San Francisco Chamber
of Commerce, Greater Riverside Chambers of Commerce,
California Hotel and Lodging Association, California
Attractions and Parks Association, California Restaurant
Association, California Hospital Association, TechNet,
the Internet Coalition, and others oppose the bill on six
grounds.
First, the bill stifles fraud prevention innovation by
freezing a specific technology in statute. This will
result in unnecessary litigation to determine which
technology is more secure than microchip technology.
Although the bill attempts to allow for additional
technology that is more secure than chip deployment, it
is unclear how a bank or retailer can or will apply and
interpret that standard. The electronic payments
industry is concerned that by codifying chip technology,
SB 1351 will not only pick winners and losers at the
expense of innovation and competition, but will also
stifle nascent marketplace innovations that hold great
promise for reducing future criminal activities. The
bill will ultimately have the effect of pushing old
technology into the role of floor and ceiling relating to
anti-fraud efforts. Promising technologies, particularly
those that involve mobile wallet solutions which enhance
security and authentication, may be derailed because of
the technology mandate in the bill.
Second, the bill increases litigation costs for companies
that do not have chip card readers by the bill's
deadline. The bill will not only cause litigation, but
will also generate threats of litigation by people
claiming harm because their payment card transaction was
not processed via a more secure payment processor.
Small- to medium-sized businesses will find themselves
victims of industrious litigants seeking settlement
payments, even though the plaintiffs suffered no
financial hardship.
Third, the bill sets back a comprehensive national plan
that includes card issuers, merchants, and card payment
networks and has been ongoing for three years. By
attempting to override the national plan, the bill will
have the perverse effect of delaying issuance and
acceptance of chip-embedded credit and debit cards. Even
a well-intentioned disruption of the timeline could slow
the migration process, delay widespread adoption of new
technology, and expose consumers to unnecessary
confusion.
Fourth, the bill rejects the national liability shift that
will motivate migration towards chip-embedded card
issuance and acceptance. This bill deviates from the
liability shift and, by failing to reference card issuers
in its intent language, arbitrarily picks winners and
losers in the national payment card ecosystem fight
against card-present fraud.
Fifth, the bill exempts government entities from its
provisions. The state government is one of the largest
processors of credit and debit card transactions in
California and should not be exempted.
Finally, the coalition is concerned about the broad
definition of retailer in the bill, which not only covers
large companies, but also small stores, small
restaurants, and non-profits. Businesses with very small
profit margins may have to resort to cash-only
transactions to avoid the bill's requirements.
Although they did not sign on to the coalition letter,
several organizations in opposition to the bill expressed
very similar opposition arguments, including the
California Independent Bankers, Electronic Transactions
Association, Small Business California, Silicon Valley
Leadership Group, and Southwest California Legislative
Council.
c. The California Bankers Association (CBA) signed on
to the coalition letter whose contents are summarized
above. In addition to sharing the concerns of the
coalition, CBA believes that SB 1351 is both
unconstitutional and pre-empted as it applies to
federally-chartered banks and thrifts.
CBA believes that the bill is unconstitutional, because it
interferes with interstate commerce by attempting to
regulate contracts between two out-of-state parties,
neither of which is the state or a California consumer.
CBA's assertion that the bill is federally pre-empted is
bolstered by a memorandum prepared for CBA by two
Morrison and Foerster attorneys. In that memo, the
attorneys conclude that SB 1351's chip card requirement
is likely pre-empted by federal banking law, because it
significantly interferes with federally chartered banks'
authority to issue credit and debit cards. The attorneys
also opine that any attempt by the state to enforce the
bill against federally-chartered banks and thrifts would
be pre-empted as an improper intrusion on the Office of
the Comptroller of the Currency's "exclusive exercise of
'visitorial powers' over national banks and federal
thrifts."
Finally, CBA is concerned that the bill exempts state and
local government entities. Although the coalition letter
whose content is summarized above cites concerns about
the bill's failure to treat the state and local
governments as retailers when they accept payment cards,
CBA's letter of opposition adds an additional concern.
Because SB 1351 applies only to credit and debit cards,
it does not apply to electronic benefit transfer cards
provided to social service recipients; these are prepaid
cards and are thus outside the scope of the bill. CBA
believes that social service beneficiaries should be
protected to the same extent as credit and debit
cardholders.
LIST OF REGISTERED SUPPORT/OPPOSITION
Support (based on May 22nd version)
Consumer Federation of California
Opposition (based on May 22nd version)
California Attractions and Parks Association
California Bankers Association
California Chamber of Commerce
California Hospital Association
California Hotel and Lodging Association
California Independent Bankers
California Restaurant Association
California Medical Association
Consumer Bankers Association
Electronic Transactions Association
Independent Community Bankers of America
Internet Coalition
Greater Riverside Chambers of Commerce
Heartland Payment Systems
Los Angeles Chamber of Commerce
MasterCard
National Federation of Independent Business
San Francisco Chamber of Commerce
Silicon Valley Leadership Group
Small Business California
Southwest California Legislative Council
TechNet
Visa
Consultant: Eileen Newhall (916) 651-4102