'The Efficiency and Integrity of Payment Card Systems: Industry Views on the Risks Posed by Data Breaches' (Federal Reserve Bank of Philadelphia - Payment Cards Center Discussion Paper No. 12-04) by Julia Cheney, Robert Hunt, Katy Jacob, Richard Porter & Bruce Summers comments that
Consumer confidence in payment card systems has been built up over many decades. Cardholders expect to use their cards to execute payment instructions in a reliable and timely manner. Data breaches that degrade the perceived safety and reliability of payment cards may weaken consumer confidence in those systems and potentially cause cardholders to shift to other, and perhaps less efficient, forms of payment. A sizable shift away from payment cards, induced by the consequences of one or more data breaches, is unlikely. Even so, the probability of such an outcome is uncertain. In other words, this could be an example of “tail risk” for payment card systems. The authors informally interviewed a number of market participants and several experts to better understand the risks presented by data breaches, the efforts to protect payment card systems against data breaches, and areas where more might be done to secure these systems. In particular, the authors investigated whether existing levels of investment, coordination, information sharing, and management of incentives in securing payment card systems by firms and organizations in the private and public sectors are adequate to confront the threats arising from modern data breaches. The lessons learned from these conversations are described in this paper. These insights may also be helpful in considering the risks that data breaches may broadly pose to retail payments in the United States.
The authors note that
The management of payment card fraud raises a number of difficult questions: Have changes in technology increased or decreased the vulnerability of payment card systems to data breaches that might undermine consumer confidence in them? Do payment card networks, their partners, and their customers have the appropriate incentives to take precautions to avoid card fraud? Are the costs of payment card fraud or of avoiding this fraud borne by the appropriate parties? For example, do nonfinancial firms that retain personal or account data have sufficient incentives to protect this information? Are payment card networks able to make efficient choices about managing fraud risks and to implement antifraud measures in a timely manner? If not, are there reasons to believe that public authorities could facilitate better or timelier decisions? If such a role is appropriate, what information and expertise would government need to have?
The answers to these questions are not simple. Taken as a whole, our interview results convey mixed views on most of these topics and, in particular, on the role that government should play or is capable of playing. At the same time, some general observations can be made with respect to areas of shared concern and insight among the interviewees.
Most interviewees recognized that payment card systems have benefited from dramatic advances in information, computing, and telecommunications technologies over the past four decades. These advances have helped create opportunities for new participants in payment card systems, such as nonbank payment providers, to introduce innovative products and services, such as prepaid cards and Internet shopping. At the same time, these additions to the traditional payment card system model present new risks and require a re-evaluation of the security protocols that were developed in the past.
Of course, criminals can also leverage technological advances to develop, test, and deploy their tools quickly. And when they find a promising vulnerability, there is at least the possibility that their attacks will rapidly increase in scale. Several interviewees emphasized the adeptness of thieves to identify vulnerabilities and quickly exploit them. They also noted that the vulnerabilities may include a type of payment system participant and a point in the payment processing chain, as well as a data storage system risk and a software weakness. Any incremental risk that results from innovation should be offset by careful risk management and investments in new defenses, with an emphasis on dynamic and flexible data security approaches rather than static ones. Several interviewees observed that a national focus on the security of the information and communications infrastructure in the United States could result in significant improvements in securing retail payment systems, including payment card systems.
The interviewees expressed very mixed views about the incentives to prevent fraud and to mitigate its consequences among various payment system participants. Respondents generally considered the incentives at their organizations to be better than those in other parts of the transaction chain. This is perhaps an indirect recognition of the interdependence of payment participants in securing the system and the importance of adequate coordination of their efforts.
A number of interviewees stated that the protections afforded to consumers from losses associated with fraudulent transactions limit consumers’ incentives to protect their cards, personal information, and computers. Others pointed out that these protections do help to ensure public confidence in card payments and that diluting those protections may increase the likelihood of a mass abandonment of these instruments if a “tail event” as we described earlier were to occur.
There was widespread agreement that a key ingredient in protecting payment systems from fraud is coordination of fraud defenses among participants in these systems. For payment card systems, this coordination function is generally performed by the networks. Many participants expressed the view that, in the U.S., payment applications have become so diverse and payment firms so specialized that effective coordination is becoming more difficult. Others questioned whether the networks had exactly the right motivations or were sufficiently well equipped to ensure that all payment participants had the right incentives. Such concerns led some interviewees to speculate about an increased role of government as a coordinator. Others wondered whether government was sufficiently nimble or adequately equipped to play such a role.
There was greater consensus about a number of roles in which government either is essential or could likely be more helpful. The first is in its law enforcement capacity, which may require additional resources. Given the international character of many modern electronic payment systems, interviewees recognized that law enforcement efforts must also take on a more international character. This too will require additional coordination — in this case, among governments around the world. Also, interviewees mentioned the need for more comprehensive information about the volume, character, and drivers of payment card fraud and data breaches. In general, interviewees supported expanding the collection and dissemination of data and new research.
Most interviewees also said that the government could play a useful role in facilitating a more rapid dissemination of actionable information about new threats to the security of payment systems. Numerous information-sharing networks already exist, but some of our respondents contended that information exchanges remained too balkanized and too slow in many instances. The U.S. federal government is already an active participant in a number of these exchanges and, in some instances, contributes information obtained through various law enforcement and intelligence channels.
Several respondents suggested that the government can play a special role as both a participant and a facilitator of the exchange of actionable information about data breaches because it may be uniquely positioned to address private-sector incentives in markets where security may be a source of competitive advantage. If maintaining a reputation as a secure provider of payment services is good for business, then firms will have incentives to invest in appropriate procedures and technology. But the desire to maintain a competitive advantage may act to discourage private actors from sharing information about the nature of any new threats they are experiencing. Government does not face this trade-off. In addition, by acting as an important source of information while insisting on reciprocity, government can tip private-sector incentives in the direction of sharing more information — and sharing it sooner.