April 28, 2000

By Hand Delivery

Office of the Secretary
Room 159-H
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

Re: Advisory Committee on Online Access and Security -- Comment, P004807

Dear Sir or Madam:

Visa U.S.A. ("Visa") is pleased to submit this comment letter to the Advisory Committee on Online Access and Security ("Advisory Committee") established by the Federal Trade Commission ("Commission") to provide advice and recommendations to the Commission regarding the implementation of fair information practices by domestic commercial Web sites. More specifically, our comments focus on the draft report on online access and security, issued on April 19, 2000.

Visa appreciates the ongoing and extensive efforts of the Commission in addressing issues relating to personal information collected for and about consumers in an electronic environment. In particular, we appreciate the Commission's concern for practices that could adversely impact the U.S. economy and, consequentially, all businesses and consumers in the United States.

Visa is the largest consumer payments system in the United States and in the world. Visa is part of a worldwide association of over 21,000 financial institution members that individually offer Visa-brand payment services. Consumers hold more than 800 million Visa-brand cards globally, and these cards are accepted at more than 16 million merchant locations and at more than 480,000 automated teller machines throughout the world. Visa -- which provides transaction authorization, clearing and settlement, and risk management services to its financial institution members -- supports more than $1.4 trillion in payment transactions annually around the globe. Visa's transaction volume in the United States alone is approximately $720 billion per year. At peak volume, Visa's systems process nearly 3,000 card-related transactions per second.

To address recent concerns regarding Internet security, Visa enhanced its efforts to protect cardholder security on the Internet, as well as its efforts to prevent Internet fraud. Visa has long successfully controlled mail order, telephone order and other "card not present" risks using a variety of methods, including several network systems and best practice standards. As a result, overall card fraud losses in the Visa system are currently at an all-time low of 0.06% of the total transaction volume. This figure is down from 0.07% in 1998 and 0.15% in 1993. Visa expects that its experience with the Internet will be similar to that in other areas; although the Internet is a new channel of commerce, Visa has a proven track record of managing risk presented by new mediums.


The Advisory Committee identified three alternative approaches to addressing issues involving online access -- the default rule approach, the total-access approach and the case-by-case approach. As we understand it, the default rule approach is derived from the key principles of the BBBOnLine certification program established by the Better Business Bureau. That is, the scope of access would be guided by the premise that consumers should be given as much access to their personally identifiable information as practicable, given the applicable operational and economic limitations. The total-access approach goes far beyond the default rule approach; it would include in the scope of data that can be accessed by consumers, data derived and collected offline as well as data collected online, and would grant broad access to information gathered offline. The case-by-case approach would treat information differently depending upon the particular content, holder, source, and likely use of the information, and would assign different access rights to different data.

Visa appreciates the Advisory Committee's general recognition that a "one-size fits all" approach might be impracticable, and supports certain elements of the three approaches to online access identified by the Advisory Committee. Nevertheless, Visa opposes many aspects of the identified approaches. For example, Visa opposes any recommendations by the Committee that would extend consumer access principles to information generated or maintained by organizations in an offline context. The Commission created the Advisory Committee to address access and security in an online context, and it is important that the Advisory Committee limit its focus to information collected in an online context. Given the different operational and economic factors presented in an offline context, and given the extensive privacy provisions incorporated into the Financial Services Modernization Act of 1999 (the "Gramm-Leach-Bliley Act"), signed into law on November 12, 1999, any recommendations to the Commission should focus solely on any perceived issues in the online environment that give rise to the Advisory Committee's mandate. Moreover, the Commission and six other regulatory agencies are already in the process of promulgating extensive rules addressing the privacy and security of personal financial information, and the Advisory Committee should refrain from any recommendations that would address this already complex area of the law.

Visa also believes that many of the issues regarding online access and security should be directed to and addressed by the agencies specifically charged with the responsibility of monitoring such developments under the Gramm-Leach-Bliley Act. For example, online access and security issues relating to financial information should be addressed by the Federal Reserve Board and the Comptroller of the Currency and the other federal banking agencies that are familiar with and regulate financial institutions and financial information.

Additionally, we think it is critically important to clarify that where consumer access is appropriate, it need only be provided as to facts regarding the individual, not to analyses or formulas. More specifically, a company should not be required to provide access to confidential or derived proprietary data or confidential scoring models or formulas. Providing access to such proprietary information would be detrimental to businesses while providing little, if any, benefit to consumers.

Visa also believes that it is essential that the Advisory Committee and the Commission appropriately balance the needs of individuals to obtain access to information held by an organization with the need to protect that organization from costly or repetitive requests for information.


The draft report contains five options for addressing security standards that range from a highly regulated approach to a far more flexible approach. In balancing the need for adequate security with the cost of implementing specific security standards, the Advisory Committee recommends in the draft report that the Commission encourage all commercial Web sites to adopt and maintain security procedures that are appropriate under the circumstances. Additionally, the report recommends that the Commission consider whether a notice informing individuals that the organization has adopted security procedures is really necessary, and whether such a notice provides any real benefit to consumers.

Visa believes that the flexibility encompassed in this recommended approach is essential. The recommended approach allows organizations to implement security procedures necessary to address challenges that may arise without impeding the establishment of online relationships. In this regard, Visa and its member institutions are already actively involved in a broad range of security initiatives designed to protect both consumers and Visa's members, as well as the merchants that accept Visa-branded cards.

Once again, Visa appreciates the significant efforts of the Advisory Committee in developing the draft report, and of the Commission with respect to online security in general. If you have any questions concerning these comments, or if we can otherwise be of assistance in connection with this matter, please do not hesitate to contact me at (650) 432-3111.

Sincerely yours,

Russell W. Schrader