Visa currently uses digital signature technology to enable safe and secure Visa card transactions over the Internet and with smart cards. The use of this technology is provided for in pre-existing agreements between all of the parties to these Visa payment transactions.
Inconsistent digital signature requirements of the various states, as well as those being developed by various countries, threaten the realization of the full benefits of this technology for Visa, its 21,000 financial institution Members, their 580 million cardholders and 14 million merchants.
Visa supports S. 1594, the SEAL legislation, because it authorizes financial institutions to use electronic authentication (including digital signature) technologies where all parties to the transaction are governed by agreements that accommodate these technologies, it resolves the problems posed by inconsistent state digital signature statutes, and it establishes a process to begin to address the problems raised by the digital signature requirements of other countries. The SEAL legislation does all of this while appropriately recognizing a broad range of electronic authentication technologies, private agreements, existing federal and state consumer protections, and existing state commercial law.
Visa urges Congress to enact the SEAL legislation promptly. Visa also urges the federal government to promptly and forcefully promote, through bilateral discussions and international forums, an international environment that supports the use of digital signature and other electronic authentication technologies on a worldwide basis.
Visa U.S.A. appreciates the opportunity to present this statement to the Subcommittee on Financial Services and Technology in connection with its March 11, 1998 hearing on S. 1594, the Digital Signature and Electronic Authentication Law (SEAL) of 1998.
Visa constitutes the world's largest consumer payment system. Visa is an association of nearly 21,000 financial institutions from around the world that issue Visa brand cards and acquire Visa-related transactions. More than 600 million Visa payment cards have been issued around the world. They are accepted at more than 14 million merchant locations and 380,000 automated teller machines worldwide. Visa - which provides transaction authorization, clearing and settlement, risk management and related services to Member financial institutions - supports more than $1 trillion in Visa-related payment transactions annually throughout the world. Visa's transactions volume in the United States is approximately $470 billion per year. At peak volume, Visa systems process over 2,400 card-related transactions per second.
In addition to these card payments, Visa also operates the only private-sector automated clearing house system that provides settlement on a nationwide basis in the United States. Visa annually processes approximately 310 million automated clearing house transactions with a value of approximately $979 billion.
The authentication of the various parties participating in the Visa payment system, including cardholders, merchants, and Member financial institutions, is essential to the operation and integrity of this enormous payment network. Currently, the primary means of authentication in support of a transaction is through the presentment of a plastic payment card and the use of a hand-written signature or personal identification numbers ("PINs"). The physical card and the cardholder's signature or PIN authenticate the individual initiating the transaction. In addition, cryptographic and other techniques are used by Visa to confirm and authenticate the identity of the processors, merchants and Member financial institutions that transmit payment and other data through the Visa system, as well as to secure the data while it is being transmitted.
In the future, electronic authentication, including digital signatures and other techniques, will increasingly be used to provide secure and cost effective market responses to authenticate parties to a payment transaction and to ensure the security and integrity of the payment message. The drivers of electronic authentication will include opportunities for reductions in cost, improved convenience and efficiency, and the potential reduction in risk to all parties involved.
Visa and its Members expect to leverage their existing infrastructure to take full advantage of electronic authentication technology. To illustrate this point, think of today's more than one-half billion Visa payment cards in circulation as physical representations of certificates issued by financial institutions on behalf of their customers. Visa cards display the name of the issuing financial institution. This financial institution can be thought of as a first level certificate authority. In addition to that first level certificate authority, the VISA brand provides a higher level certificate authority associated with that card by authenticating the issuing financial institution as authorized to issue a VISA brand card. The VISA brand, certain physical security devices appearing on the card such as the hologram, magnetic stripe information, and the entire set of rules and agreements supporting Visa transactions, including the authorization of transactions and related risk management systems, provide the infrastructure to support transactions using this physical certificate.
While it is impossible to predict all of the possible applications of electronic authentication such as digital signatures in the context of the Visa system, this technology is critical to enabling two current important Visa initiatives -- Internet payments and chip or "smart" cards.
Security and authentication are especially important when it comes to electronic commerce conducted over the Internet. Because electronic networks, particularly open networks like the Internet, are not inherently secure, a payment card system that functions on the Internet must be able to ensure the following:
(i) authentication of the parties to the transaction and their responsibilities relative to that transaction;
(ii) authorization of the transaction by these parties;
(iii) integrity and security of the payment message; and
(iv) assurance that the transaction can be tied back to the originating party.
These principles are easily understood using a hypothetical payment transaction between a Visa merchant and a Visa cardholder. In a traditional, face-to-face transaction, a customer walks into the store and hands the merchant a Visa card. The merchant, by a few simple observations (comparing the customer's signature, noting the distinctive appearance of the card and certain physical security mechanisms appearing on the card) verifies the authenticity of the card and the customer's authority to initiate the transaction. Similarly, the consumer, by observing the Visa decal on the store window and the processing of the card through the merchant's terminal, gains assurance that he or she is dealing with a legitimate Visa merchant. In processing the transaction based on preexisting rules, the merchant and cardholder are assured of an expected level of service and specified procedures supporting the payment transaction.
On an open network like the Internet, however, a merchant cannot as readily ascertain that the customer at the other end of the line who claims to be Jane Smith actually is Jane Smith or that the purported cardholder account information is validly assigned to Jane Smith. The uncertainty also works the other way. The cardholder has an equally difficult time confirming that the person they are communicating with over the Internet is an authentic merchant, and not a 12-year old working out of her bedroom or, even worse, someone masquerading as a merchant in order to collect credit card numbers. Thus, the ability to authenticate both parties to the payment transaction is of paramount importance to the growth of commerce on the Internet.
To address these concerns, Visa along with MasterCard (and leading technology vendors like VeriSign, IBM, Microsoft and Netscape) has developed a protocol for securely conducting payment transactions over insecure networks like the Internet. This protocol is called Secure Electronic Transaction, commonly known by its acronym, SET. The SET protocol uses digital signature technology to authenticate the parties in a payment transaction. It uses digital signatures to tie the payment transaction to the party and ensure that the payment information has not been altered. In order to authenticate the digital signatures used in the SET protocol, Visa and Visa Members undertake to confirm the identity of the individual cardholders to whom digital signatures have been issued as part of the SET protocol.
Furthermore, the SET protocol incorporates encryption during transmission over the Internet in order to shield during that transmission confidential payment information from access by unauthorized parties. Indeed, the SET protocol even allows a merchant to accept card payments without the need to know a cardholder's account number -- an additional level of security not even provided in today's physical card environment. As a result, the SET protocol has been endorsed by the financial industry and the payment card industry as the standard for payment transactions on the Internet. Indeed, Visa cardholders and merchants already are implementing SET in more than twenty-five countries around the world to conduct electronic commerce. And serious consideration is being given to the eventual extension of this technology to bill payment and other applications.
Another electronic payment product developed by Visa and its Members that utilizes digital signature technology is Visa Cash. Visa Cash is a prepaid, stored-value card embedded with a computer chip that stores electronic value data. Consumers use Visa Cash as a substitute for currency or coins, primarily in making small dollar purchases. The computer chips located in both the Visa Cash cards and the merchant terminals that accept Visa Cash cards utilize digital signature technology to authenticate Visa Cash card transactions.
Visa Cash was introduced in the United States by three Visa Member financial institutions (First Union, NationsBank and Wachovia) in July 1996 at the Summer Olympic Games. Visa Cash is part of another currently ongoing multi-institution pilot program in New York City, in conjunction with Citibank, Chase Manhattan Bank and MasterCard. Outside the United States, consumers in Argentina, Australia, Brazil, Canada, Colombia, Germany, Hong Kong, Italy, Japan, Spain and the United Kingdom are using Visa Cash cards. As of January 1998, 7.7 million Visa Cash cards had been issued globally.
As indicated above, Visa has already started to use digital signatures as an added security feature for its payment products, within the context of pre-existing, private relationships among Member financial institutions, merchants and cardholders. Within this private system, Visa and Members have implemented a hierarchical structure providing a trusted chain linking the parties to the payment transaction. Member banks with customer relationships will continue to validate and support the authority of their customers, while Visa will continue to provide certification as to the membership status of the issuing and acquiring financial institutions within the trusted chain. Visa will use electronic authentication simply to reinforce the security of this private "closed" system.
In addition to the foregoing description of how Visa uses and anticipates using digital signature technology, it also is important to describe what it does not intend to do with this technology. First, Visa does not plan to become a "public" certificate authority. That is, Visa does not plan to initiate large-scale certifications or authentications of individuals or companies outside of Visa's traditional payment business. Instead, Visa is implementing electronic authentication of its existing payment products in the context of its pre-existing, private relationship between Member financial institutions and their customers.
Second, Visa does not intend to use electronic authentications to create new agreements or other binding transactions or relationships between cardholders and merchants. As mentioned above, a well-defined relationship already exists through the pre-existing interlocking agreements between the cardholder and its bank, the merchant and its Member financial institutions, these Members and Visa, and the Visa system's rules. The enforceability of these pre-existing agreements and Visa system rules would not and should not be affected by the use of electronic authentication technology to enhance the security of Visa payment transactions, but rather these agreements would be governed by otherwise applicable state law.
Third, Visa's use of electronic authentication to authenticate and secure a Visa payment card transaction does not alter the liability of the consumer for the amount of the payment transaction in the event that the transaction is incorrectly processed by the merchant or the card issuer, or there is an unauthorized transfer by a person other than the cardholder (such as a thief using a stolen credit card number). Rather, the limits on potential cardholder liability are already established under existing federal and state payments law. The federal Truth in Lending Act ("TILA") and the Federal Reserve's Regulation Z establish federal limits on the liability of a credit cardholder for both unauthorized credit card transactions and billing errors. Similarly, the federal Electronic Fund Transfer Act ("EFTA") and the Federal Reserve's Regulation E establish federal limits on the liability of a debit cardholder for both unauthorized card transactions and electronic funds transfer errors. In addition to these federal rules, various states have adopted state consumer credit codes and state electronic funds transfer acts that provide complementary or additional protections to credit cardholders and debit cardholders, respectively. Recent Visa rule changes provide Visa credit and debit cardholders even greater consumer protections than are required under these federal and state laws. All of these consumer protections should continue to apply whenever a Visa credit card or debit card is used, regardless of any authentication techniques that Visa and its Members may use to secure the transaction.
For the reasons discussed above, digital signature technology (and potentially other electronic authentication technology) offers important advantages to Visa, its Members, and their cardholders and merchants. These advantages can be fully realized, however, only if this technology can be employed nationally -- and globally -- in a predictable and consistent manner.
The Problem: State Digital Signature Requirements
Currently, over forty states have enacted or are considering legislation to recognize and/or regulate the use of digital signatures. Visa recognizes the significant and thoughtful effort these initiatives represent. We also recognize that regulation of certain uses of digital signature technology as provided in at least some of these state statutes may be necessary to provide the legal framework in which certain aspects of electronic commerce can develop. For example, in an open system, the parties exchanging digital signatures in an electronic commerce transaction do not have any prior agreement or system rules that provide an underlying framework for the acceptance and recognition of their digital signatures. Rather, they must rely on the existing framework of statutory and common law covering contracts, signatures, commercial practices, "writings", etc. It accordingly may be appropriate for new laws to establish the validity and enforceability of either party's digital signatures to the transaction.
However, that same need does not exist for private uses of digital signatures in closed systems, such as the arrangements that Visa and its Members have implemented. In a closed system, the parties have previously agreed to a set of terms and conditions for the acceptance and recognition of digital signatures and the documents authenticated by, or signed with, such signatures. Because a closed system such as the arrangements supported by Visa and its Members currently provides in its agreements and rules the appropriate terms and conditions for the use of digital signatures, it would not be necessary for state or federal authorities to fill in these terms for the parties. Moreover, assuming these system rules and agreements are enforceable under federal and state law of general applicability (such as the Uniform Commercial Code) and do not implicate federal or state consumer protection laws (such as the Electronic Fund Transfer Act or Truth in Lending Act), the terms of these system rules and agreements addressing digital signatures should be legally recognized and validated.
Beyond not being needed for a closed system such as the Visa system, these state digital signature laws, while well intentioned, are creating problems for the Visa system. As discussed above, the benefits of digital signature technology can be maximized for the Visa system only if this technology can be used in the same way throughout the United States. Inconsistent requirements from one state to the next undermine Visa's ability to do so. Just as one example -- Utah and Washington state impose different standards for the suspension of a digital certificate. Under Utah law, for example, the suspension is limited to a period not exceeding 48 hours, while the Washington law authorizes consumers to request a suspension for up to 96 hours. It is simply not possible to develop a uniform nationwide system that can comply with both the Utah and Washington suspension rules.
Visa is concerned that inconsistent state law requirements will continue to proliferate as more and more states enact non-uniform digital signature statutes, and as more and more state regulatory authorities implement these statutes in different ways. Moreover, even if the digital signature statute and regulation is uniform across states, Visa is concerned that the state courts in different states will interpret these requirements in different ways.
Perhaps to avoid these problems, many states have emphasized that their statutes are voluntary. In practice, however, this "voluntariness" may be illusory because most states' statutes and bills create powerful incentives to "opt-in" to the state scheme. For instance, many state statutes limit liability only if the state requirements are followed. Many of these statutes also grant a presumption of validity to certificates issued in accordance with the state scheme, and expressly exclude from this presumption certificates that do not comply with this scheme.
In addition to the problems of inconsistency discussed above, another unfortunate and perhaps unintended effect of certain of the current states' initiatives has been to impose by the force of statute business requirements and/or technical standards that may prove inconsistent with the rapid change in the business and technology environment. These statutory standards will be difficult to revise as technology changes, and as market forces develop new products and useful roles for electronic authentication.
The inability of state statutes to adjust for the different uses of digital signature technology, as well as the different contexts in which that technology may be utilized, could impose unnecessary costs on Visa payment transactions and preclude the full development of this technology to support the security of these payment transactions.
The Problem: International Requirements
The importance of a consistent approach to electronic authentication is not limited only to transactions within the United States. In our case, Visa payment cards are today truly a global means to conduct commerce.
Several foreign governments are actively looking to adopt, and in some cases have enacted, laws establishing requirements for the use of digital signature and other electronic authentication technology. Similar to the individual states in the United States, these international efforts generally reflect well intentioned and diligent attempts to address complex and evolving technology issues. Unfortunately, the result in some cases has been to create barriers and unnecessary costs in the use of this technology on an international basis to provide additional security for payment transactions.
As one example, some foreign governments such as Malaysia have implemented, and others such as the European Union are considering, requiring the registration and licensing or certification of all parties acting as certificate authorities, with no distinction given to the operation of private closed systems such as the one being implemented by Visa Members. Such an approach might require registration by any Visa Member whose cardholders did business using digital signature technology with merchants in that country. Indeed, since Members do not know where or how their cardholders will use their cards, this approach might require all issuers of Visa cards to register in that country - a scenario that would be very difficult for Visa Members to manage.
The Solution: The SEAL Legislation
Visa supports the SEAL legislation because it effectively addresses the impediments to the use of digital signature technology in the context of the Visa payment system discussed above. Specifically, we support the SEAL legislation because it:
Visa also supports the SEAL legislation because it accomplishes these objectives with the minimum possible intrusion on business practices or other federal or state laws governing these business practices. Specifically, we support the SEAL legislation because it recognizes:
The International Problem: More Needs To Be Done
While the SEAL legislation for the reasons discussed above will be helpful in promoting a solution to the international problem, it alone will not address this problem. More needs to be done. Specifically, the federal government must act quickly and forcefully through bilateral discussions and international forums to clarify and simplify the legal framework needed to support the use of digital signature and other electronic authentication technology on a worldwide basis. Insofar as banking institutions are concerned, these international initiatives would benefit from leveraging the existing bank supervisory infrastructure to address matters concerning banking institutions.
In addition to enacting the SEAL legislation, Congress also should help to ensure that the federal government appropriately addresses the important issues discussed in this statement in the international context.
Conclusion
Visa commends Chairman Bennett for introducing the SEAL legislation, and the Subcommittee for considering this very important legislation and the issues it addresses. The SEAL legislation -- along with a forceful federal government response in the international arena -- will enable Visa, its 21,000 financial institution Members, 580 million cardholders and 14 million merchants to enjoy the full benefits of digital signature technology. We urge the Subcommittee to take action on the SEAL legislation as soon as possible.