Economics of Cybersecurity: Case study: payment card security (PowerPoint presentation, Tyler Moore)


SLIDE 1

Economics of Cybersecurity

Case study: payment card security

Tyler Moore

SLIDE 2

Two-sided market structure

Cardholder Merchant Issuing bank Acquiring bank

SLIDE 3

In the beginning

◮ There was no protection for cardholders against fraud
◮ Then the US passed the Truth in Lending Act of 1968, implemented by the Federal Reserve as Regulation Z, which largely absolved consumers of liability for fraudulent charges
◮ While the banks didn't like it initially, consumer adoption of credit cards accelerated as a result

SLIDE 4

Security in a two-sided market

◮ Two-sided markets impose extensive barriers to entry
◮ This makes displacing successful ones, like payment-card networks, very difficult
◮ It is hard for the dominant platform to justify investing in more secure technologies
◮ Assigning responsibility for security is fraught with difficulty, and can easily degenerate into a fight over liability dumping

SLIDE 5

Towards improved card security? The case of EMV

◮ Credit cards encode the number in the card's magnetic stripe and rely on a signature for verification
◮ Fraudsters can copy the number and forge a signature
◮ The payment card industry developed a more secure standard, EMV, using smartcards and PIN-based verification
◮ Adoption was slow, because merchants did not want to spend large sums of money on upgrading terminals when the cost of fraud was borne by issuers
◮ Adoption took off only when liability rules were changed to make merchants bear the cost of fraud on non-EMV payments
◮ But did the investment in security pay off?
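To make the contrast on this slide concrete, the following is an added toy simulation, not code from the slides and not real EMV logic. It models the magnetic stripe as static data that a skimmer copies byte for byte, and the chip as a device that checks the PIN on-card and signs each transaction with a key that never leaves the card. Assumptions: a test PAN and a constructed Track 2 image, an HMAC-SHA256 stand-in for EMV's 3DES/AES-based application cryptogram, a random terminal nonce, and an issuer host that tracks the card's transaction counter.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a well-known test PAN with a valid Luhn digit, not a real card.
SAMPLE_PAN = "4111111111111111"
# Constructed Track 2 image: PAN '=' expiry(YYMM) + service code + discretionary data.
SAMPLE_TRACK2 = ";4111111111111111=29121011234567890?"


def parse_track2(track):
    """Split a Track 2 image into fields. Every field is static, so copying is cloning."""
    pan, rest = track.strip(";?").split("=", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


def magstripe_authorise(presented_track, issued_pans):
    """Stripe-only check: the issuer can only confirm the data belongs to a card it
    issued, so a bit-for-bit skim of the stripe passes exactly like the original."""
    return parse_track2(presented_track)["pan"] in issued_pans


def cryptogram(key, pan, atc, amount_cents, nonce):
    """Toy per-transaction cryptogram (HMAC-SHA256, 8 bytes). Assumption: a stand-in
    for EMV's 3DES/AES-based application cryptogram, not the real algorithm."""
    msg = f"{pan}|{atc}|{amount_cents}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Toy chip: the key is loaded at personalisation and never leaves the card."""

    def __init__(self, pan, pin, key):
        self.pan = pan    # readable by any terminal or skimmer
        self.atc = 0      # application transaction counter, also readable
        self._pin = pin   # checked on-card, never exported
        self._key = key   # used on-card, never exported

    def transact(self, pin_entered, amount_cents, terminal_nonce):
        """Verify the PIN on-card, then sign data that is unique to this transaction."""
        if pin_entered != self._pin:
            return None  # wrong PIN: the card produces no cryptogram
        self.atc += 1
        mac = cryptogram(self._key, self.pan, self.atc, amount_cents, terminal_nonce)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """Toy issuer host: holds each card's key and the last counter value it accepted."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan, pin):
        key = secrets.token_bytes(16)
        self._keys[pan], self._last_atc[pan] = key, 0
        return ChipCard(pan, pin, key)

    def authorise(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False  # counter did not advance: a replayed cryptogram
        expected = cryptogram(key, req["pan"], req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False  # wrong key: a forged or tampered request
        self._last_atc[req["pan"]] = req["atc"]
        return True


def compare_schemes():
    """Run the same attacks against both schemes and report which are accepted."""
    r = {}
    issued = {SAMPLE_PAN}
    skimmed = SAMPLE_TRACK2  # a skimmer captures the stripe byte for byte
    r["stripe_genuine"] = magstripe_authorise(SAMPLE_TRACK2, issued)
    r["stripe_clone"] = magstripe_authorise(skimmed, issued)

    issuer = Issuer()
    card = issuer.issue(SAMPLE_PAN, "1234")
    genuine = card.transact("1234", 1999, secrets.token_bytes(4))
    r["chip_genuine"] = issuer.authorise(genuine)
    # Attack 1: replay a captured, valid cryptogram verbatim.
    r["chip_replay"] = issuer.authorise(dict(genuine))
    # Attack 2: clone from readable data (PAN, counter) and guess the cryptogram.
    forged = {"pan": card.pan, "atc": card.atc + 1, "amount": 1999,
              "nonce": secrets.token_bytes(4), "mac": secrets.token_bytes(8)}
    r["chip_clone"] = issuer.authorise(forged)
    # Attack 3: stolen genuine card, wrong PIN: the card will not sign at all.
    r["chip_wrong_pin"] = card.transact("0000", 1999, secrets.token_bytes(4)) is not None
    # The cardholder's next purchase still goes through after the failed attacks.
    r["chip_next_genuine"] = issuer.authorise(card.transact("1234", 500, secrets.token_bytes(4)))
    return r


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name:20s} accepted={accepted}")
```

Running it shows the stripe clone accepted just like the genuine card, while the replayed cryptogram, the forged clone and the wrong-PIN attempt are all rejected by the chip scheme. The simulation only covers counterfeit cards presented at a chip-reading terminal: the PAN and expiry the stripe carries remain static and are still enough wherever the chip is not involved, a caveat to keep in mind when asking, as the next slide does, whether EMV improved security overall.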

SLIDE 6

But does EMV improve security?

Data from UK Payments Administration; figure courtesy Steven Murdoch

SLIDE 7

PCI DSS as ex ante self regulation

◮ In addition to improving the security of payment cards themselves, one can also focus on the operational security of participants
◮ The Payment Card Industry Data Security Standard (PCI DSS) is a self-regulatory approach designed to improve the operational security of merchants
◮ Merchants who fail to demonstrate PCI DSS compliance are assigned liability for fraud

SLIDE 8

What about breach disclosure?

◮ Many data breaches in the news involve payment cards
◮ We know about these due to breach-disclosure laws
◮ These laws correct an information asymmetry between cardholders and merchants
◮ They definitely pressure companies to invest in security

SLIDE 9

But what about card fraud losses?

◮ Disclosing when a merchant loses customer payment card information gives an indication of the threat
◮ But doesn't the amount of fraud carried out matter more?
◮ A few countries publish this information, but not all
◮ Its wider publication could be used to evaluate security investments like EMV

SLIDE 10

Beware indirect costs of insecurity

◮ Payment card fraud losses matter – they eat into bank profits and finance criminal operations
◮ Yet we must also consider indirect costs, which may dwarf the direct losses
◮ If people refuse to shop online or limit their use of card payments due to fears of fraud, the costs to society likely dwarf what the criminals make
◮ These costs should be considered when weighing security investments

SLIDE 11

Thank you for your attention!

Please post any questions you may have on our discussion forum.