STATEMENT OF RUSSELL W. SCHRADER

SENIOR COUNSEL AND VICE PRESIDENT,
VISA U.S.A. INC.

HEARING ON DEBIT CARD ISSUES

SUBCOMMITTEE ON

FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

COMMITTEE ON BANKING AND FINANCIAL SERVICES

UNITED STATES HOUSE OF REPRESENTATIVES

SEPTEMBER 24, 1997

Visa U.S.A. Inc. appreciates this opportunity to present this statement to the Subcommittee on Financial Institutions and Consumer Credit in connection with its September 24, 1997 hearing on debit card issues.

I. Background

Visa is the world’s largest consumer payment system. Visa is made up of nearly 21,000 financial institution members from around the world that issue Visa brand cards. There are more than 580 million Visa cards held by consumers globally, which are accepted at more than 14 million merchant locations and 350,000 automated teller machines worldwide. Visa – which provides transaction authorization, clearing and settlement, and risk management services to member financial institutions – supports more than $1 trillion in Visa-related payment transactions annually throughout the world. Visa’s transactions volume in the United States is approximately $470 billion per year.

Debit cards, the subject of this statement, are the fastest growing new consumer payment device in the history of Visa. For the 12 months ending March 31, 1997, worldwide Visa debit card transactions increased 40 percent to a record $305 billion. As of March 31, 1997, Visa’s financial institution members had issued 119 million Visa debit cards had been issued, up 36.7 percent from a year earlier. In the United States, as of June 30, 1997, approximately 50 million Visa debit cards have been issued by Visa’s financial institution members and transactions volume exceeded $80 billion on an annual basis. One out of every four Visa transactions in the U.S. is a debit card transaction.

Consumers are attracted to Visa debit cards as a replacement for cash and checks. They can use their Visa debit cards to access their checking accounts to pay for goods and services at the point of sale at any of the more than 14 million merchant locations where Visa is accepted throughout the world. These locations include grocery stores, retail stores, gasoline stations and restaurants. Consumers also can use their Visa debit cards to obtain cash at any of 350,000 ATMs bearing the Visa mark.

Using a debit card frees the consumer from carrying cash. Using a debit card instead of writing a check saves the consumer from having to show identification or give out personal information at the time of the transaction, and avoids the problem of an out-of-state or foreign merchant refusing to accept the consumer’s check. A debit card transaction at the point of sale also is faster than a check transaction. Using a debit card also means the consumer no longer has to stock up on traveler’s checks or cash when traveling. Debit cards operate like cash or personal checks, but provide the convenience of ATM cash withdrawal or cards that can be used only to obtain cash at ATMs or credit cards transactions. According to a recent Gallup poll, for example, almost three quarters of all respondents recognized these benefits of debit cards over cash and checks. In summary, it is convenient access to checking account funds, widespread acceptance by merchants, and security, without hassle, that consumers tell us they like about debit cards.

For all these reasons, Visa expects that debit card use in the United States will continue to climb. By the year 2000, two-thirds of American households are expected to have a debit card.

To support Notwithstanding this exploding volume of debit card transactions, Visa has in place a number of fraud detection and avoidance programs that it has developed and refined over the years. As a result of these programs – and Visa’s close cooperation with law enforcement officials – unauthorized transactions or other types of fraud is not a significant problem. dDollar losses from fraud of all types is less than one tenth of one percent of transaction volume. As a result of the fraud detection and avoidance programs Visa has developed and refined over the years – and Visa’s close cooperation with law enforcement officials –Moreover, this the ratio of fraud to sales is coming down significantly. Indeed, the absolute number of fraudulent transactions has actually been reduced, even as transactions volume has risen dramatically. Attached to this statement is a summary of the Visa fraud detection and avoidance programs that Visa believes are effectively addressing fraud concerns.

II. DESCRIPTION OF VISA DEBIT CARDS

Visa member banks issue two different types of Visa debit cards. Visa’s on-line debit cards are Interlink cards, and its off-line debit cards are called Visa check cards. From the consumer’s perspective, tThe distinguishing characteristic between an off-line and an on-line debit card transaction is whether the consumer is required to enter a personal identification number (PIN). For an off-line transaction, the consumer does not enter a PIN, but rather typically signs a sales receipt. The off-line transaction is in this regard like a credit card transaction. For an on-line transaction, the consumer is required to enter a PIN. The on-line transaction is in this regard like a traditional ATM card transaction to obtain cash at an ATM.

Many Visa debit cards can be used for either off-line or on-line transactions, depending upon the set up at the merchant’s point of sale. If the merchant has a PIN pad at the point of sale and the consumer enters his or her PIN, the transaction is processed as an on-line transaction through the Interlink network. If the merchant either does not have a PIN pad at the point of sale or the consumer effects the transaction without entering his or her PIN (but rather signs the sales receipt), the transaction is processed as an off-line transaction, like a credit card transaction.

The ability to make Visa debit card purchases by signing the sales receipt (and not also entering a PIN) enables the debit card to be accepted at the approximately 14 million merchants worldwide that accept Visa cards. If a PIN were required for all debit card transactions, only about one million merchants in the U.S. that accept Visa credit cards would be capable of accepting Visa debit cards. The remaining merchants do not have the requisite PIN pads and related technology to accept PIN-based transactions. Based on Visa’s research, it is apparent that the wide acceptance of debit cards enabled by signature-based transactions is essential to the past and future success of Visa debit cards. Consumers have voted with their card usage – they want debit cards that can be used both for PIN-based and signature-based transactions.

It is important to emphasize that debit cards (both off- and on-line debit cards) are very different from credit cards. This difference is as fundamental as the difference between debit and credit. When consumers use debit cards, in effect, they subtract money from their own accounts. When consumers use credit cards, a bank or other financial institution makes credit available to them, which the consumer must pay back in accordance with the terms and conditions of his or her credit agreement.

III. Current consumer regulation of debit cards

The Electronic Fund Transfer Act (the "EFTA") and the Federal Reserve Board’s Regulation E establish at the federal level the consumer’s rights with regard to off-line debit cards, on-line debit cards and ATM cards. It should be noted that the following discussion describes only the federal law applicable to debit and credit cards. A number of states have enacted state laws that supplement the consumer protections of the EFTA and TILA. These federal and state laws are further supplemented by voluntary safeguards offered by card issuers and the card associations like Visa and MasterCard.

The EFTA establishes complex rules to calculate the consumer’s liability for unauthorized debit or ATM card transactions. This statement summarizes the maximum potential consumer liability for unauthorized transactions, regardless of the amount and timing of the unauthorized transactions.

If the consumer reports to the card issuer that a debit or ATM card has been lost or stolen within two business days of discovering that the card has been lost or stolen, the maximum amount of the consumer’s liability is $50. If the consumer does not notify the card issuer within this two day period but does so within 60 days after the card issuer’s transmittal of the periodic statement on which the unauthorized transaction(s) appeared, the maximum amount of the consumer’s liability is $500. If the consumer fails to notify the card issuer within this 60 day period, there is no maximum limit on the amount of the consumer’s liability. These liability limitations apply to both debit card (on- and off-line) and ATM card transactions.

For an on- or off-line debit card transaction at the point of sale, the debit card issuer must under the EFTA provisionally recredit the consumer’s account for the alleged unauthorized transaction(s) within 20 business days of receiving notice from the consumer of the transaction(s). For ATM transactions (including ATM transactions with a debit card), this maximum recrediting period is 10 business days. The card issuer may condition these provisional recredits for alleged POS and ATM unauthorized transactions on the receipt of written confirmation from the consumer of his or her oral notification.

Under the EFTA and Regulation E, debit and ATM card issuers must provide an initial disclosure to the consumer at the time he or she contracts for the card or before the first card transaction. This initial disclosure must include specified information, including: (1) a description of the consumer’s liability for unauthorized card transactions; (2) a telephone number and address of the person or office to be notified when the card has been lost or stolen or the consumer believes an unauthorized card transaction has been or may be made; and (3) a notice substantially similar to a model promulgated by the Federal Reserve Board that instructs the consumer how to contact the card issuer in the event he or she has questions about a receipt or periodic statement or believes a receipt or periodic statement is in error. Under Federal Reserve Board rules, a card issuer that sends on an unsolicited basis a Visa debit card, in replacement of a consumer’s existing traditional ATM card that can be used only for ATM transactions, also must provide these initial disclosures for the replacement Visa debit card.

In addition to these initial disclosures, each periodic statement must include the address and telephone number for the consumer to call in the event of inquiries about or errors on the statement. The card issuer also must send an error resolution notice satisfying certain Federal Reserve Board standards to the consumer at least once each calendar year, or alternatively include an abbreviated notice on each periodic statement. These initial and subsequent disclosure requirements apply equally to all (on- and off-line) debit cards and ATM cards.

Credit card transactions are subject at the federal level to the Truth in Lending Act (the "TILA") and Federal Reserve Board Regulation Z. Under TILA, a consumer’s maximum liability for unauthorized credit card transactions is $50. Upon notifying the card issuer of the unauthorized credit card transaction(s) and pending completion of the card issuer’s investigation, the consumer is not required to pay the alleged unauthorized transaction(s).

As with the EFTA for debit cards, TILA requires the credit card issuer to disclose the consumer’s rights regarding unauthorized transactions prior to the consumer’s first transaction with the credit card. These disclosures also must be provided to the consumer once each calendar year, at intervals of not less than 6 months nor more than 18 months. As an alternative to this annual notice, the card issuer may include on each periodic statement a summary disclosure of these rights. In addition, the address for the consumer to contact in the event of an unauthorized credit card transaction must be included on each periodic statement.

IV. Visa’s New Debit Card Rules

Visa recognizes that, notwithstanding its extensive efforts to avoid Visa debit card fraud that are discussed in the attachment to this statement, unfortunate events inevitably will occur. Visa also is cognizant of the concerns that have been expressed in the media and elsewhere about the potential under current law for consumer losses from non-PIN signature-based Visa check card transactions. To ensure continued consumer comfort with and market success for the Visa check card, Visa has approved a number of rule changes that address these concerns.

Under these new Visa rules, which are binding on each Visa debit card issuer, a Visa debit cardholder will have no liability for an unauthorized transaction with his or her debit card, if he or she reports to the card issuer that the card has been lost or stolen within two business days of his or her discovery of the loss or theft. In all other cases, the Visa debit cardholder’s liability is limited to a maximum of $50.

These new Visa unauthorized transaction rules apply not only to Visa check cards (Visa off-line debit cards), but also to Interlink cards (Visa on-line debit cards) and Visa credit cards. Visa determined to apply these rules to all Visa debit and credit cards so that the consumer’s liability for all Visa cards used at the point of sale – the channel of access at which the concerns described above have been directed – are identical. As a result of these rules, the consumer can use any Visa debit or credit card to make a purchase, and not worry about different protections or liability if that card is used for unauthorized transactions.

These Visa rules do not, however, apply to ATM cash withdrawals, which would continue to be governed by the EFTA rules described above. These ATM cash withdrawals are all PIN protected and are typically subject to relatively low transaction and daily limits. Perhaps as a result of these reasons, ATM cash withdrawal transactions have not raised the same concerns as point of sale transactions.

The new Visa rules, like the EFTA, provide an incentive to the cardholder to report a lost or stolen Visa card promptly (so as to incur no liability rather than up to $50 of liability). Visa believes this to be an appropriate responsibility for the cardholder. Prompt reporting of lost and stolen cards enables card issuers to take action to thwart thieves and others from profiting at the expense of innocent parties.

The new Visa rules also provide that, for Visa check cards, the card issuer must at least provisionally recredit the cardholder’s account for a transaction the cardholder has advised is unauthorized within five business days of receipt of the cardholder’s notification, unless the card issuer determines that circumstances or account history warrant a delay to the EFTA-required recrediting periods. As under the EFTA, the card issuer may require the cardholder to provide written confirmation of the unauthorized transaction prior to provisionally recrediting the cardholder’s account.

It should be emphasized that the $50 and five day requirements of the new Visa rules are outside maximum limits. Visa members often do better for their customers in appropriate circumstances, and Visa encourages them to do so.

Also under the new Visa rules, all unsolicited Visa check cards (including Visa check cards sent by the card issuer to replace a cardholder’s existing traditional ATM card that can be used only for ATM transactions) cannot be activated until the cardholder requests activation of the card. Visa did not extend this non-activation rule to other cards that the consumers are expecting. The consumer’s looking out for the anticipated card, combined with Visa’s fraud prevention and detection programs described in the attachment to this statement, should appropriately address fraud concerns in this scenario.

These new Visa rules provide Visa debit cardholders substantial protections from unauthorized transactions beyond those provided by the EFTA. A chart comparing these Visa rules with the comparable EFTA rules is attached to this statement. These new Visa rules also provide as much – and in certain instances greater – consumer protection from unauthorized transactions than is provided for credit cardholders under TILA.

As for disclosure to the consumer of these protections, Visa believes that the current requirements of the EFTA (for debit cards) and TILA (for credit cards) discussed above ensure that consumers get the information they need in this regard at appropriate times and in appropriate ways. Visa does not believe that any changes to these disclosure requirements are needed.

Beyond the requirements of the federal law, market forces powerfully incent Visa and Visa card issuers to make these important features of Visa cards known in the marketplace. Visa and its members have gone, and will continue to go, to great lengths to ensure that Visa cardholders are aware of their rights and responsibilities in connection with their Visa cards. For example, Visa is currently preparing an educational brochure with the National Consumers League that will be widely distributed to consumers to explain debit cards, including the consumer’s rights in the event his or her debit card is used in an unauthorized transaction.

V. Additional federal legislation / regulation is not NEEDED OR appropriate at this time

Visa strongly believes there should be no additional legislation or regulation at this time to address unauthorized debit card transactions. As indicated above, Visa has in place a number of fraud detection and avoidance programs to combat unauthorized debit card transactions.due to Visa’s fraud detection and prevention programs, unauthorized debit card transactions are not a significant problem. Visa’s new rules – along with existing federal and state law – effectively address any potential problem.

Indeed, the new Visa rules incorporate all of the requirements of the bill introduced by Congressmen Schumer and Gonzalez, H.R. 2234, and the bill introduced in the Senate by Senator Reed, S. 1154, and many of the requirements of the bill introduced by Congressman Barrett and others, H.R. 2319. Like H.R. 2234 and S. 1154, the new Visa rules provide that the consumer’s maximum liability for unauthorized Visa check card transactions is $50. Again like H.R. 2234 and S. 1154, the new Visa rules require unsolicited Visa check cards to be issued as unvalidated cards. These Visa rules also are consistent with the bill recently introduced by Senator D’Amato and others, S. 1148, addressing counterfeit access devices.

The existing disclosure requirements of the EFTA, along with the efforts Visa and its members have underway such as the National Consumer League initiative, will adequately and appropriately advise consumers of their new rights under the new Visa rules.

Visa recognizes that the Visa rules apply, of course, only to Visa cards. As MasterCard will testify, MasterCard also has made rule changes to address MasterCard debit cards. Visa and MasterCard debit card transactions together account for a majority of all debit card transactions. The remaining transactions are primarily ATM network card transactions at the point of sale. While Visa encourages the ATM networks to consider the issues discussed in this statement, the failure of any or all of these ATM networks to make comparable rule changes certainly does not justify additional legislative or regulatory intervention. ATM cards are all on-line, typically requiring the cardholder to enter a PIN to conduct a transaction with the card. As indicated by the legislative proposals that have been introduced to date, the concerns that have been raised relate to the off-line cards issued by Visa and MasterCard members that utilize cardholder signatures in lieu of PINs. In addition, most ATM card transactions are used at ATMs for cash withdrawal purposes, for which as discussed above the same types of consumer concerns have not been raised.

Not only is additional legislation or regulation not needed, Visa is extremely concerned that any legislation or regulation could have unanticipated adverse consequences for the new payment devices Visa and others currently are developing that are now made possible for the first time because of recent technological advances. While Visa believes its new rules described above are appropriate for, and will work well with, existing Visa debit cards, there is a great degree of uncertainty as to the right rules for the new payment devices described below. Memorializing in legislation or regulation what could turn out to be inappropriate consumer rules for those of these devices subject to this legislation or regulation could impede, or even stop entirely, the development of these devices. This problem could be particularly acute given the difficulty and time that it takes to change enacted statutes or regulations.

Indeed, Visa is concerned that even consideration of such legislation or regulation could have a chilling effect on the development of these new devices. Visa already has observed skewing in the marketplace from the Federal Reserve Board’s Regulation E proposed rules for stored value cards. Certain stored value card issuers have, for example, already artificially limited the maximum value of their stored value cards to $100, to take advantage of the Federal Reserve Board’s proposed exemption from Regulation E for stored value cards of $100 or less.

Examples of emerging Visa payment devices the development of which could be adversely affected in this way include:

1. Visa Cash. Visa Cash is a prepaid stored value card embedded with a computer chip that stores electronic value data. Consumers use Visa Cash as a substitute for currency or coins, primarily in making small dollar purchases. Visa Cash was introduced in the United States by three Visa member financial institutions (First Union, NationsBank and Wachovia) in July 1996 at the 1996 Summer Olympic Games. Smart card interoperability will be tested in the United States shortly through a multi-institution pilot program in New York City.

2. Visa TravelMoney. Visa TravelMoney is a disposable, replaceable, instantaneously-activated prepaid stored value card with PIN protection that a consumer uses during travel to withdraw local currency from any of the approximately 350,000 Visa/PLUS ATMs worldwide. Visa TravelMoney recently completed a successful pilot program in the United States and selected other countries, and is now being launched on a worldwide basis.

3. Remote Banking and Bill Payment Services. Visa operates the interbank clearing and settlement services that support its members’ bill payment and other remote banking services. Visa currently is in the process of introducing an enhancement to these services that allows merchants and others to send invoices electronically to consumers.

4. Secure Electronic Transaction (SET). The SET standard, developed by Visa and a number of other payments and technology companies, allows payment card transactions to take place over open computer networks, such as the Internet, with the highest level of security and privacy. In addition to the security and privacy features of SET, it also provides authentication of all parties involved in the transaction. SET also adds convenience for cardholders and reduces operational expenses in the processing of transactions, as it becomes no longer necessary for merchants who handle card-not-present transactions to manually enter account information. SET also allows the merchant to accept card payments without knowing card account numbers. Pilot testing of SET recently has begun in the United States.

5. EMV Standards. Visa, along with MasterCard and Europay, was instrumental in the development of EMV standards for basic chip card architecture and processing protocols that enable the worldwide compatibility of chip or smart cards. Smart card interoperability will be tested in the United States shortly through a multi-institution pilot program in New York City.

Each of these new payment devices has the potential to significantly benefit consumers. Consumers will benefit from their ease of use, convenience and increased transaction speed compared with cash or checks. These devices also will make possible for consumers new types of transactions, such as purchases over the Internet or other computer networks. Given their embryonic stage of development, adopting legislative or regulatory consumer protections that could apply to at least certain of these devices could chill or skew their development and, ironically, undermine full realization of their potential benefits for consumers.

Another adverse consequence of additional legislation or regulation to address unauthorized debit card transactions is the effect it would have on future voluntary industry efforts to respond to these types of concerns. Codifying in legislation or regulation the actions Visa voluntarily has taken, or imposing more onerous requirements, will serve as a powerful disincentive for future voluntary action of this nature. This type of voluntary action should be encouraged, not discouraged.

As a final matter, Visa has heard it said that while the Visa (and MasterCard) rules satisfactorily address the concerns that have been raised with debit cards generally and off-line debit cards specifically, Visa (and MasterCard) can take away these new consumer protections by changing their rules in the future. As indicated above, Visa adopted the new rules to ensure continued customer comfort with and market acceptance of the Visa check card. In light of its spectacular success, the Visa check card has become a very important Visa payment device. It is hard to envision that Visa would risk the success of Visa check cards, and its most important asset – the trust of consumers (and others) in the Visa brand – by taking away the important consumer rights provided in these new rules.

VI. Conclusion

There should at this time be no legislation or regulation to address unauthorized debit card transactions. The recent Visa rule changes address the concerns that have been raised in this regard. Moreover, any legislation or regulation of this type runs the risk of adversely impacting, or even at the extreme stopping, the development of the emerging stored value, Internet and other payment devices discussed in this statement from which Visa believes consumers will greatly benefit.

Comparison of Consumer Debit Card Protections
Under Federal EFTA and New Visa Rules

SUMMARY OF VISA FRAUD DETECTION AND PREVENTION PROGRAMS

Visa has developed a varied arsenal of fraud control programs. Visa has developed these programs over many years, and is continuously refining them to respond to new or anticipated frauds. These fraud programs are summarized below.

Address Verification Service (AVS)

A fraudulent use prevention system that allows mail-order/telephone-order merchants to automatically verify that a billing address provided by a cardholder is the same as the cardholder's billing address currently on file with the Issuer. This service helps merchants minimize the risk of accepting fraudulent mail and telephone order transactions.

Card Activation

An alternative bank card delivery method in which Issuers wait to confirm that a card has been received by the valid cardholder before activating the account. Cards are blocked at the time of mailing; for a card to be activated, the cardholder must call the Issuer to confirm receipt and provide positive proof of identity.

Card Security Features

Alphanumeric, pictorial, and other design and functional elements on bank cards. The exact physical dimensions and placement of these features are specified by the Visa U.S.A. Operating Regulations and are difficult to copy exactly. Card security features are checked by merchants at the point of sale to ensure the card is valid.

Card Verification Value (CVV)

A unique three-digit "check number" encoded on the magnetic stripe of all valid cards. The number is calculated by applying an algorithm 3/4 a mathematical formula 3/4 to the stripe-encoded account information and is verified on-line at the same time a transaction is authorized.

Cardholder Risk Identification Service (CRIS)

A transaction scoring and reporting service that employs neural network technologies to develop risk-scoring models that identify fraudulent transaction patterns. The service, available by subscription through Visa, can be used by Issuers as a stand-alone fraud detection system or as a complement to their internal fraud detection methods.

Exception File

Visa's worldwide data base of account numbers of lost/stolen or other cards Issuers have listed for pickup, referral, or other special handling. The account numbers for all transactions routed to Visa's stand-in processing system are checked against the Exception File.

Issuers' Clearinghouse Service (ICS)

A bank card application verification system shared by Visa with MasterCard. ICS verifies an applicant's address, phone and Social Security numbers, and whether he or she has a history of excessive applications or credit card fraud or abuse. ICS is a mandated service for U.S. card issuers that are Visa members.

NRI Reporting

A computer program developed by Visa for reporting Not Received Items (NRI). All Visa Issuers are required to report NRI mailing information, whether or not fraud has occurred. Visa will then forward this information along with reported NRI fraud transactions to the U.S. Postal Service on a daily basis. This information will allow the Postal Service to conduct investigations in a more timely manner.

Recovered Account Analysis

Assistance to law enforcement for recovered account numbers due to arrests and/or searches. Individual Issuers are identified, contacted and requested to provide information directly back to the investigating law enforcement agency.

Risk Identification Service (RIS)

The Risk Identification Service identifies concentrations of fraud activity at merchant locations. RIS monitors activity such as reported fraud transactions, suspicious fraud activity, and merchant deposits. By carefully monitoring such activity and imposing timely corrective measures, Visa members can reduce their exposure to fraud and subsequent financial losses.

VisaLine

A subscription service providing an interactive computer network dedicated to the communication of time-sensitive risk management and business information between Visa and its members and their third-party processors.