
Case study: payment card security - PowerPoint PPT Presentation


  1. Economics of Cybersecurity
     Case study: payment card security
     Tyler Moore

  2. Two-sided market structure
     [Diagram: Cardholder, Merchant, Issuing bank, Acquiring bank]

  3. In the beginning
     ◮ There was no protection for cardholders against fraud
     ◮ Then the US passed the Truth in Lending Act of 1968, implemented by the Federal Reserve as Regulation Z, which (after its 1970 amendment) limited cardholder liability for unauthorized use to $50
     ◮ While the banks didn't like it initially, consumer adoption of credit cards accelerated as a result

  4. Security in a two-sided market
     ◮ Two-sided markets impose extensive barriers to entry
     ◮ This makes displacing successful ones, like payment-card networks, very difficult
     ◮ Hard for the dominant platform to justify investing in more secure technologies
     ◮ Assigning responsibility for security is fraught with difficulty, and can easily degenerate into a fight over liability dumping

  5. Towards improved card security? The case of EMV
     ◮ Magnetic-stripe cards store the card number (and the rest of the track data) as static data and rely on a cardholder signature for verification
     ◮ Fraudsters can copy the stripe data onto a cloned card and forge the signature
     ◮ The payment card industry developed a more secure standard, EMV, based on smartcards that authenticate each transaction cryptographically, usually combined with PIN-based cardholder verification
     ◮ Adoption was slow: merchants did not want to spend large sums upgrading terminals when the cost of fraud was borne by issuers
     ◮ Adoption took off only when liability rules were changed (the "liability shift") so that merchants without EMV terminals bore the fraud losses on non-EMV transactions
     ◮ But did the investment in security pay off?
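The contrast on this slide between static stripe data and EMV's per-transaction cryptogram, as an added example that is not part of the original slides: a simplified Python model in which the magstripe issuer cannot distinguish a skimmed copy from the real card, while the chip issuer rejects a replayed or forged cryptogram. HMAC-SHA256 stands in for the 3DES/AES MAC that real EMV uses, the message layout and the counter/nonce checks are a stylised version of EMV online authorization, and the PAN and key are constructed test values.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the slides. HMAC-SHA256 stands in for EMV's
# 3DES/AES session-key MAC; the message layout is invented for illustration.
TEST_PAN = "4111111111111111"          # constructed test PAN, not a real account
CARD_KEY = secrets.token_bytes(16)     # card-unique key: inside the chip and at the issuer only


class MagstripeCard:
    """Everything a magstripe card presents is static, so reading it once is cloning it."""

    def __init__(self, pan, expiry):
        self.track2 = f"{pan}={expiry}"

    def swipe(self):
        return self.track2


class MagstripeIssuer:
    """Can only check that the static track data belongs to a live account."""

    def __init__(self, live_tracks):
        self.live = set(live_tracks)

    def authorize(self, track2):
        return track2 in self.live


def _mac(key, pan, amount, unpredictable_number, atc):
    # transaction MAC over PAN, amount, terminal nonce and the card's counter
    msg = f"{pan}|{amount}|{unpredictable_number}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip never reveals its key; it MACs each transaction with a fresh counter."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0                   # Application Transaction Counter

    def generate_cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "mac": _mac(self._key, self.pan, amount, unpredictable_number, self.atc)}


class ChipIssuer:
    """Recomputes the MAC with its copy of the key and rejects stale counters."""

    def __init__(self, keys):
        self.keys = keys               # pan -> card key
        self.last_atc = {}

    def authorize(self, amount, unpredictable_number, cryptogram):
        pan = cryptogram["pan"]
        key = self.keys.get(pan)
        if key is None:
            return False
        expected = _mac(key, pan, amount, unpredictable_number, cryptogram["atc"])
        if not hmac.compare_digest(expected, cryptogram["mac"]):
            return False               # wrong key, or amount/nonce differ from what the card signed
        if cryptogram["atc"] <= self.last_atc.get(pan, 0):
            return False               # counter did not advance: replay of an old cryptogram
        self.last_atc[pan] = cryptogram["atc"]
        return True


def chip_purchase(issuer, card, amount, unpredictable_number=None):
    # terminal side: choose a fresh nonce, obtain the cryptogram, ask the issuer
    un = unpredictable_number or secrets.token_hex(4)
    return issuer.authorize(amount, un, card.generate_cryptogram(amount, un))


def magstripe_clone_is_accepted():
    """A skimmer copies the track at one merchant; the issuer cannot tell the copy apart."""
    card = MagstripeCard(TEST_PAN, "2612")
    issuer = MagstripeIssuer([card.track2])
    skimmed = card.swipe()
    return issuer.authorize(skimmed)


def chip_outcomes():
    """Genuine purchase succeeds; replaying the captured cryptogram fails every way."""
    card = ChipCard(TEST_PAN, CARD_KEY)
    issuer = ChipIssuer({TEST_PAN: CARD_KEY})
    un = "a1b2c3d4"                    # nonce the terminal used for the genuine purchase
    captured = card.generate_cryptogram(1000, un)
    return {
        "genuine": issuer.authorize(1000, un, captured),
        "replay_same_nonce": issuer.authorize(1000, un, captured),
        "replay_new_nonce": issuer.authorize(1000, "ffffffff", captured),
        "replay_different_amount": issuer.authorize(5000, un, captured),
    }


def chip_clone_without_key_is_rejected():
    """Knowing the PAN but not the key is not enough to produce a valid cryptogram."""
    issuer = ChipIssuer({TEST_PAN: CARD_KEY})
    forged = ChipCard(TEST_PAN, secrets.token_bytes(16))
    return not chip_purchase(issuer, forged, 1000)
```

The point the model makes is the one the slide relies on: with a stripe, the data the terminal reads is the credential, so the issuer has nothing to check beyond account existence; with a chip, the credential stays inside the card and only a MAC bound to the terminal's nonce and a monotonic counter is transmitted, so capturing it buys the fraudster nothing. PIN verification is a separate layer on top and is not modelled here.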

  6. But does EMV improve security?
     [Figure: data from UK Payments Administration; figure courtesy Steven Murdoch]

  7. PCI DSS as ex ante self-regulation
     ◮ In addition to improving the security of payment cards themselves, one can also focus on the operational security of participants
     ◮ The Payment Card Industry Data Security Standard (PCI DSS) is a self-regulatory approach, run by the card brands, designed to improve the operational security of merchants (and processors) that handle card data
     ◮ Merchants found to be non-compliant, typically after a breach, are assigned liability for the resulting fraud and can be fined by the card brands

  8. What about breach disclosure?
     ◮ Many data breaches in the news involve payment cards
     ◮ We know about these due to breach-disclosure laws
     ◮ These laws correct an information asymmetry between cardholders and merchants
     ◮ They definitely pressure companies to invest in security

  9. But what about card fraud losses?
     ◮ Disclosing when a merchant loses customer payment card information gives an indication of the threat
     ◮ But doesn't the amount of fraud carried out matter more?
     ◮ A few countries publish this information, but not all
     ◮ Its wider publication could be used to evaluate security investments like EMV

  10. Beware indirect costs of insecurity
     ◮ Payment card fraud losses matter: they eat into bank profits and finance criminal operations
     ◮ Yet we must also consider indirect costs, which may dwarf the direct losses
     ◮ If people refuse to shop online or limit their use of card payments for fear of fraud, the cost to society likely far exceeds what the criminals make
     ◮ These costs should be considered when weighing security investments

  11. Thank you for your attention! Please post any questions you may have on our discussion forum.
