Last Tuesday, February 4, the Senate Committee on the Judiciary held a hearing on “Privacy in the Digital Age.” Among the panelists were Executive Vice President and Chief Financial Officer of Target, John Mulligan, and Senior Vice President and Chief Information Officer of the Neiman Marcus Group, Michael Kingston. Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez joined the executives in offering testimony, along with representatives from the United States Department of Justice, the Secret Service, the Consumers Union, and the security industry.
Much of the hearing focused on so-called chip-and-PIN payment card technology. Initially raised by Mulligan—who relayed that Target was accelerating its $100 million investment to update its point-of-sale systems to support chip-enabled cards—the topic was quickly taken up by the Committee members and became a focus of discussion. The technical name for chip-and-PIN technology is “EMV,” which stands for Europay, MasterCard, and Visa, the three companies that founded EMVCo in the 1990s to develop specifications for secure payment transactions. In the payment industry, EMV refers to cards equipped with an embedded microprocessor—essentially, a small computer. With an EMV card, instead of swiping the card and signing a receipt, consumers insert the card into a slot and enter a PIN for authentication.
The U.S. is one of the last major economies lacking such technology; it is already used in much of the rest of the world. Other countries’ early adoption of the technology is largely attributed to the (previously) higher fraud rates in those markets and the fact that the technology can operate in offline mode, which was an attractive characteristic in areas without robust telephony networks.
The Committee’s focus on chip-and-PIN technology may suggest to retailers and banks that it is looking for immediate, tangible improvements to data security practices around payment cards. The Committee was also interested in hearing thoughts on whether a federally mandated data security standard would be effective or was necessary to incentivize the retail and banking industries to adopt effective data security technologies. In so doing, at least some members of the Committee signaled that they may support data security legislation. And, based on the hearing’s spotlight on chip-and-PIN, it is at least plausible that new legislation or rules promulgated thereunder would require adoption of the technology.
Some panelists urged the Committee to proceed cautiously in developing any such legislation. Fran Rosch, Senior Vice President of Security Products and Services, Endpoint and Mobility at Symantec Corporation, and Chairwoman Ramirez of the FTC warned against a standard that required the adoption of certain technologies. Rosch reminded the Committee that, in the war against cybercrime, the key is “flexibility” so that companies can adapt and respond to “threats [that] are changing all the time.” Chairwoman Ramirez echoed these sentiments, underscoring that the FTC “doesn’t advocate particular technologies.”
Chairwoman Ramirez indicated that, instead, the FTC supported federal legislation that would strengthen its existing authority governing data security standards generally and would require companies to provide notification in the event of a security breach. Chairwoman Ramirez also expressed support for increasing the FTC’s rulemaking authority under the Administrative Procedure Act, granting the FTC jurisdiction over non-profits, and granting the FTC the ability to seek civil penalties.
A frequent refrain throughout the discussions was that strengthening protections for Americans is a shared responsibility. And, without widespread adoption of the security technologies by all retailers, banks, and credit card issuers, consumers would remain vulnerable.