The efficiency and integrity of payment card systems: industry views on the risks posed by data breaches.
Cheney, Julia S. ; Hunt, Robert M. ; Jacob, Katy R. et al.
Introduction and summary
In this article, we consider the potential for data breaches that
compromise the security of personal and account information to threaten
consumer confidence in payment card systems in the United States. (1) In
particular, we explore whether a large, well-targeted data breach (or a
sequence of breaches over a relatively short period of time) might
render inoperable a payment card system (for credit, debit, or prepaid
cards), possibly resulting in its being abandoned, temporarily or
otherwise, by a substantial number of consumers. (2) We recognize that,
given the precautions that are in place in such systems, the probability
of a catastrophic abandonment is quite low. But this probability is not
zero. Recent events, as well as feedback from the industry, suggest that
further study of such potential tail risks could be helpful. (3)
The shutdown or abandonment of one or more of these systems, even
if the duration is relatively limited, might amount to a significant
disruption in the flow of funds among consumers and businesses and,
increasingly, from governments to households in the form of benefit
payments. (4) Such transactions might be immediately shifted to
alternative means of payment, but doing so could create substantial
operational challenges for those payment systems. Sudden shifts away
from payment card transactions to other payment methods might also
invoke a policy response to an immediate crisis based on incomplete
information--which would be less desirable than a response based on a
process of carefully gathering and evaluating all the available
information.
In the event of a crisis, the Federal Reserve maintains a legal and
electronic infrastructure to provide liquidity to banks facing interbank
settlement difficulties as a result of disruptions to the normal
clearing and settlement cycles of card systems; however, this liquidity
would have to quickly reach consumers and businesses, including
nonfinancial firms, that rely on these systems as a means to exchange
value and whose payment behavior would be affected by even a temporary
disruption in one of the card networks. To allow for efficient payment
substitution in support of a smoothly functioning U.S. economy, there
must also be multiple reliable ways to make and receive electronic
payments.
For all of these reasons, researchers at the Federal Reserve Bank
of Chicago and the Payment Cards Center at the Federal Reserve Bank of
Philadelphia developed a series of questions and organized informal
conversations with a variety of payment system participants, with the
goal of better understanding the nature and significance of risks posed
by data breaches to payment card systems. More specifically, to examine
the adequacy of existing efforts to prevent, manage, and mitigate fraud
in card-based payment systems, the Chicago Fed and Philadelphia Fed
researchers conducted 17 industry interviews in 2009. The individuals
interviewed represented a variety of domestic perspectives, including
those of networks, banks, merchants, processors, independent sales
organizations (ISOs), vendors, and information-sharing organizations.
This article documents the insights gained through this exercise, but it
does not identify individual organizations or respondents. Ideally, the
information learned from these interviews would be helpful to other
researchers considering the risks that data breaches may pose to retail
payments in the United States, as well as how those risks can be
mitigated in the most optimal manner.
In the next section, we provide an overview of the threat that
fraud poses to the smooth operation of payment card systems in the
United States. Then, we discuss specific measurements of losses due to
payment card fraud, as well as the current scale and character of data
breaches in the financial industry. After providing this background
information, we summarize our industry interviews and discuss the
lessons learned from them.
Accounting for payment fraud
Payment fraud can be broadly defined as any activity that uses
confidential personal (and often financial) information for unlawful
gain. For example, A masquerades as B and uses B's credentials to
illicitly take B's funds or to obtain credit under B's name.
Such fraud can occur with any type of noncash payment method, including
credit and debit cards, checks, and automated clearinghouse (ACH)
transactions. Payment fraud can be committed knowingly by a consumer
(first-party fraud), or consumers can be victimized by others operating
within financial institutions or as part of criminal enterprises
(third-party fraud). (5)
Fraud is a threat to the payment system's efficiency because
it degrades operational performance and increases costs--not only for
the parties whose payments are compromised but also for all participants
in the system. (6) Payment networks are potentially vulnerable to fraud
at a number of points along the transaction chain. Criminals naturally
opt to exploit the weakest links in payment chains. As a result, banks
and other payment system operators and private firms using the payment
system incur significant expenses to protect against fraud.
When successful, payment card fraud, which we focus on in this
article, can give rise to adverse consequences for participants at
different points along the payment chain. For example, when a criminal
steals a payment card and uses it (or its information) to make a
purchase, the legitimate cardholder's liability for the fraudulent
transaction is limited by statute or regulation. It is downstream
participants, such as the card-issuing bank and the merchant, that are
likely to incur losses on fraudulent transactions. (7)
Although the cost of fraud losses might be limited by investing in
stronger protections against criminal use of a stolen card, it is
neither possible nor efficient to eliminate payment fraud entirely.
Rather, in striving to achieve efficiency, payment system operators and
users must balance the costs of preventing and mitigating fraud against
the full set of costs that fraud generates, including, but not limited
to, the actual monetary loss to society. (8) Ideally, individual
participants would actively monitor the risks that their choices create.
An important input into this calculation is the confidence that
private actors have in the payment methods they use. For example,
consumers have come to expect that payment card systems will reliably
and securely complete payments as instructed. Today, these systems are
widely used to receive income and benefit payments, to purchase goods
and services, and to pay bills. Over time, payment card systems have
displaced more-costly paper-based systems, especially for purchases made
at the point of sale (POS). Card systems have also been essential in
facilitating payments in new sales channels, such as the Internet, where
the buyer and seller do not transact in a face-to-face environment.
Without sufficient confidence among the parties involved, payment
card systems cannot operate efficiently for all of them, nor will these
systems be profitable to their owners. Card networks operate more
efficiently in an environment where their services are offered
ubiquitously and large numbers of consumers and merchants agree to
utilize them. The presence of strong network effects in established card
payment systems contributes to their resilience in the face of temporary
shocks. (9) At the same time, these network effects imply that a
sufficiently large shock to public confidence in a payment card system
might result in a sufficiently large shift of transactions to other
(potentially less efficient) forms of payment that cannot easily be
reversed.
This shift would reduce the value of the payment card network
because a reduction in the number of active cardholders may, in turn,
lead to fewer merchants or businesses willing to incur the cost to
accept payment card transactions.
Consumer payment systems usually function so smoothly that it is
easy to underestimate their complexity. This complexity is due in part
to the number of parties involved in completing a payment, the high
degree of coordination required among these parties, and the ongoing
investments that are required to ensure reliable performance. For
example, a card-based payment transaction in the United States will
involve some or all of the following parties: a cardholder; a merchant
or biller; a card issuer, or simply an issuer; a card-acquiring bank, or
an acquirer (which converts payment card receipts into bank deposits for
merchants); (10) an electronic switch (which routes transaction
information among various banks participating in a payment network); a
payment network; one or more processors; a telecommunications company;
and other third parties. Coordinating the activities of all these
participants is a crucial payment system function, and such coordination
takes on special significance in protecting the system from fraud and
preserving the public's confidence in the system. (11)
Moreover, no single government entity has an exclusive or
comprehensive regulatory or supervisory jurisdiction over U.S. retail
payment systems or payment providers. The Board of Governors of the
Federal Reserve System issues certain retail payment regulations,
especially regarding checks. The recently established Consumer Financial
Protection Bureau (CFPB) has jurisdiction over most federal consumer
protection regulation for electronic payment transactions. As a
prudential regulator, the Federal Reserve Board, as well as other
federal financial supervisors, conducts exams; and these exams can
entail a review of the financial institution's payment system
security precautions, including those of its business partners.
Further, some of the organizations involved in operating networks
and providing payment services to the public are banks, but many are
not. Thus, additional regulators can be involved. For example, nonbanks
operating under state money transmitter licenses are subject to state
agency supervision. In addition, the CFPB may determine, by rule, that
certain nonbanks in markets for consumer financial products and
services are "larger participants" and therefore subject to
CFPB supervision. (12) A variety of state laws also address consumer
rights in instances of identity theft or a data breach. (13)
Local, state, and federal law enforcement agencies investigate
instances of fraud, identity theft, and data breaches. Consumer
payments, whether made domestically or abroad, are potentially exposed
to fraudulent activities orchestrated from anywhere in the world and,
therefore, may fall under the investigative jurisdiction of foreign
authorities. Therefore, regulation, supervision, policing, and
investigation of retail payments and fraud in payment systems may be the
responsibility of a variety of agencies at the international, federal,
and state or local level.
In the private sector, five payment card networks--American
Express, Discover Financial Services, JCB (Japan Credit Bureau)
International, MasterCard Worldwide, and Visa Inc.--initially
established individual data security standards for payment system
participants. About six years ago, they joined forces to create a
unified set of standards--the Payment Card Industry Data Security
Standard (PCI DSS or, more simply, PCI)--to better secure payment card
systems, and they founded the PCI Security Standards Council. For more
information about PCI DSS and the council, see box 1, "PCI Security
Standards Council."
BOX 1
PCI Security Standards Council
The PCI Security Standards Council is composed of
representatives from its five founding global payment
card networks--American Express, Discover Financial
Services, JCB International, MasterCard Worldwide,
and Visa Inc. These companies have agreed to
incorporate the PCI Data Security Standard in their
respective data security compliance programs.
All five payment card networks share equally in
the council's governance, have equal input into the
PCI Security Standards Council, and share responsibility
for carrying out the work of the organization.
Other industry stakeholders are encouraged to join
the council as participating organizations and review
proposed additions or modifications to the standards.
The PCI Security Standards Council Board of
Advisors (currently 21 members) is composed of
representatives of participating organizations. This
cross-industry group is chartered to ensure that all
voices are heard in the ongoing development of PCI
security standards; this group has representation from
across the payment chain--that is, from merchants,
financial institutions, processors, and others--as well
as from around the world.
Participating organizations are eligible to vote
for (and to nominate) candidates for election to the
board of advisors.
Enforcement of compliance with the PCI DSS
and determination of any noncompliance penalties
are carried out by the individual payment card networks
and not by the council.
Source: PCI Security Standards Council website,
https://www.pcisecuritystandards.org.
Several of these networks have also recently announced plans to
support migration to an EMV (Europay, MasterCard, and Visa) payment
infrastructure in the United States as a means to further increase the
security of payment card transactions; EMV is a global standard for the
interoperation of chip-based payment cards with POS devices and
automated teller machines (ATMs). (14) While these plans are specific to
the individual networks, the announcements suggest that the networks
informally tried to develop plans with similar key dates and milestones
to encourage merchants and issuers to adopt EMV payments. Nevertheless,
there is an ongoing discussion about whether the existing levels of
investment, coordination, information sharing, and management of
incentives in securing payment card systems by firms and organizations
in the private and public sectors are adequate to confront the threats
arising from modern data breaches. (15) We explore the costs and
consequences of data breaches in greater detail in the next section.
Measuring payment fraud and data breaches
A rough estimate of aggregate fraud losses related to U.S. payment
cards was about $3.56 billion in 2010. (16) In 2011, reported credit
card fraud losses were approximately 5 cents per $100 of transaction
value. As a cost of doing business, these losses are not comparatively
large, since they equate to roughly one-tenth of the charge-off rate
associated with credit losses on credit cards. For debit and prepaid
cards, the industry-wide fraud losses to all parties to a transaction
were about 9 cents per $100 of transaction value in 2009, with issuers
and merchants incurring about 5 cents and 4 cents of that total,
respectively. (17) In addition, issuers will incur many other indirect
costs related to efforts to detect and prevent incidences of fraud on
their cards and to mitigate fraud losses. Indirect fraud costs are also
borne by merchants and, in some instances, by consumers.
A primary focus of this article is on the consequences of data
breaches--both in terms of the direct fraud losses incurred by
card-issuing banks, merchants, and consumers and in terms of public
confidence lost in payment card systems. According to Verizon's
2012 Data Breach Investigations Report, across all industries and
categories in 2011, there were approximately 855 data breaches in the
U.S. In total, those breaches may have compromised as many as 5 million
card accounts. (18)
Ordinarily, only a small percentage of compromised payment card
records ever result in fraudulent transactions. (19) But there are other
indirect costs associated with a data breach, which can be substantial.
For example, according to one 2009 survey by the Ponemon Institute, the
average cost to firms responding to a data breach is about $200 per
record compromised. (20) Our very imprecise estimate, based on the 2009
survey by the Ponemon Institute and the 2012 data breach report by
Verizon, is that the indirect costs of payment card records compromised
in 2011 might be as high as $1 billion.
Recent payment card data breaches are particularly notable for the
sophistication of techniques employed by criminals. In recent years,
breaches have occurred at large card processors, such as RBS WorldPay,
Heartland Payment Systems, and Global Payments; at merchants, such as T.
J. Maxx, Hannaford, and Sony; and at third-party vendors, such as
Epsilon and RSA. (21) In many of these cases, breaches are not detected
at the time of intrusion into the system, in part because the hackers
wait for an opportune time to monetize the compromised information. But
when they do act, recent experience suggests that they move quickly and,
at times, employ a sophisticated (and possibly international) criminal
organization. For example, in 2008, the RBS WorldPay breach resulted in
a number of prepaid payroll cards being compromised. These cards were
used to obtain $9 million in cash in one day from ATMs located in
several dozen cities around the world. (22)
It is important to note that data breaches that result in payment
fraud can occur at nonfinancial firms, such as universities and
hospitals. Data breaches at any firm that collects and stores personal
data can provide criminals with sufficient information, such as an
individual's name, address, and Social Security number, to commit
financial fraud. (23) This information can be used to compromise
security protocols at financial institutions (resulting in account
takeover) or to obtain credit in the victim's name (new-account
fraud). Both are examples of identity theft.
Identity theft is an important aspect of payment fraud with
potentially severe consequences for victims, including not only monetary
loss but also a time-consuming process to revalidate credit and other
transactional accounts. (24) The fear of identity theft is one reason
why consumers might collectively react to an unprecedented rash of data
breaches by losing confidence in a particular payment method and
switching to a substitute method. In 2010, the Federal Trade Commission
(FTC) received more than 250,000 complaints about instances of identity
theft. In 9 percent of those complaints, consumers alleged that new
credit card accounts had been opened in their names. Also, in 7 percent
of those complaints, consumers alleged a takeover of one or more of
their existing accounts. (25) A survey of consumers reports that as many
as 11 million adults have at some point been a victim of identity theft.
(26)
There is some qualitative evidence that consumers' concerns
about data security can influence their choice of payment providers and
methods of payment. According to a survey conducted by Gartner shortly
after the 2008 RBS WorldPay data breach mentioned previously, 23 percent
of respondents said that increased fears that financial data are not
secure have been a factor in their decisions about which retail stores
they patronize. In addition, concerns about security led 59 percent of
respondents to change how they shop and pay online. (27)
Further, a recent paper by Kahn and Linares-Zegarra (2012)
examining nationally representative survey data found that identity
theft incidents increased adoption of money orders, traveler's
checks, online bank bill payments, and prepaid cards while also boosting
the number of cash and credit card transactions. The authors also
reported a decrease in the use of checks after "mixed
incidents" of identity theft. Mixed incidents refer to the subset
of consumers reporting being a victim of identity theft as well as
knowing other victims. Notably, these results reveal changes in the
adoption and use of particular types of payments after an identity theft
incident.
Such behavior is interesting in light of the significant regulatory
and contractual protections from losses resulting from fraudulent
transactions afforded to consumers in the United States. (28) These
protections against monetary losses do not eliminate the less apparent
costs associated with the pain and suffering consumers face (time costs,
forgone financing opportunities, etc.) as a result of identity theft.
(29) Accordingly, data breaches and identity theft appear to have an
influence on consumer payment behavior, notwithstanding the legal
protections that are in place for consumers.
To summarize, payment fraud is an ongoing concern for payment
system participants--for the card issuers and merchants that bear most
of the actual fraud losses and for processors, networks, and others that
have an inherent interest in maintaining confidence in the payment
system in which they participate. Some fraudulent activity is the result
of data breaches that occur both within and without retail payment
systems. There is some evidence that data breaches have created concerns
about security in the minds of at least some consumers--concerns that,
at the margin, may affect their choice of payment providers or methods.
Our experience to date suggests that data breaches have not caused
consumers in any great number to lose confidence in card payments and
switch to alternative means of payment. However, questions remain about
the adequacy of investment, coordination, information sharing, and
management of incentives in securing payment card systems against modern
data breaches and the increasingly sophisticated and global criminal
organizations that commit these crimes. In the next section, we describe
the results of 17 interviews examining these questions.
Interview topics and results
Our conversations with payment system participants were loosely
organized around three topics: payment trends and fraud (especially
related to data breaches), liability (for fraud losses) and incentives
(to prevent fraud), and coordination and information sharing. In the
following subsections, we introduce each topic and describe the insights
gained from our conversations with the interviewees.
Payment trends and fraud
Modern data storage systems, online information sharing, and the
growing number and variety of firms using or offering access to payment
card systems have increased the potential points of entry that might be
exploited by sophisticated criminal organizations. The technology to
secure those access points has improved over time, so the larger
question is whether, on net, payment card systems are more or less
vulnerable than in the past.
For example, today, more organizations may have a business need to
retain personal consumer financial data, and any of these firms may be a
potential target for criminals. Financial institutions must consider the
data security practices of these firms when providing them
payment-related services. Another characteristic of today's payment
system is the demand by consumers for around-the-clock payment
servicing, in the form of supporting either transaction processing (for
example, online purchases) or access to account management functions
(for example, online banking). To the extent that meeting this need
requires alternative access points (such as the Internet or a mobile
device) or alternative service providers (such as online security firms
or cellular providers), the number of potential points or places at
which data can be compromised increases. Potential access points must be
made more secure to manage the increased risks. And if one access point
is penetrated, the amount of data potentially at risk must be limited in
order to control the potential scale of the damage.
In this complex environment, market participants and regulatory,
supervisory, and oversight authorities must determine whether payment
methods carry excessive fraud risk; who is liable when payment fraud
occurs; how losses are allocated; what consumer protections should be in
place; how notification of fraud should be handled; and how standards
should be defined to manage the incidence of fraud. Additionally,
payment providers must authenticate consumers whom they have never met
and authorize electronic transactions from which they might be far
removed. And increasingly, they must do these tasks in real time.
Carrying out all of these tasks is quite a tall order, but necessary to
prevent and mitigate fraud.
Interview results
Many respondents emphasized that as the number, types, and
complexity of electronic payments grow, so too do the opportunities for
committing fraud. Electronic payments are evolving in the locations or
channels in which they might be used by consumers--for example, they can
now be made at nonbank financial centers (such as check cashers or
retail stores) or even vending machines. In addition, the physical forms
of electronic payments are evolving--for example, some consumers can now
use contactless cards (payment cards that use chip technology to allow
for tap-and-go payments) and mobile devices to execute payments. (30)
Several interviewees stressed that while traditional card payments
and transactional practices are important to study for fraud risks, it
is also important to consider emerging payment practices. For example,
one interviewee noted that ACH networks are moving from relatively safe,
recurring payments with trusted payees to new forms of nonrecurring
payments, which likely carry higher fraud risks because distinguishing
between legitimate one-time (nonrecurring) payments and fraudulent ones
is more difficult. Such issues warrant further study. Several other
interviewees indicated that mobile payments are an emerging area that
bears special attention; the focus should be on gaining a better
understanding of the risks to retail payment systems and investigating
whether these may be different from the risks in more-traditional
card-initiated payments. (31) Another interviewee pointed to the gradual
adoption of contactless payment cards in the United States. This
interviewee said that while the back-end processing remains the same as
in contact environments, an inappropriately configured contactless front
end (for example, with weak encryption) at the point of sale might
increase fraud risk.
Interviewees also highlighted changing consumer payment preferences
and noted that these changes have a material bearing on the ongoing
development of fraud-risk-management systems. For example, according to
one interview with a large merchant, in 2003, PIN (personal
identification number) debit accounted for only 10 percent of its total
transactions, compared with 35 percent in 2009. Thus, static four-digit
PINs designed for use at on-premise and later off-premise ATMs are now
being used at a much larger number of POS terminals in very different
and diverse physical environments. (32) As payment methods change and
new types of payments or new types of providers emerge, security systems
must adapt to these developments. Several interviewees discussed the
challenge of balancing risk mitigation and support for innovation in the
constantly evolving electronic payment system.
Along similar lines, interviewees held a consensus that
criminals' ability to rapidly change their tools and adopt new
tactics may significantly increase the threats posed to the payments
system. Most interviewees noted that the management of fraud risk must
be at least as dynamic as the adoption and use of new tools, techniques,
and tactics by those engaged in fraudulent activity. Interviewees agreed
that making one-time assessments of a company's systems and
satisfying minimum security standards at one point in time were hardly
sufficient. Hackers are committed to finding new ways to compromise
systems and steal personal and card data, so weaknesses must be
uncovered before they can be exploited.
Moreover, as certain types of organizations tighten security,
criminals respond by changing their targets and points of attack. For
example, one interviewee mentioned that payment processors and merchants
are not the only targets for illegally obtaining payment information;
payroll processors and other firms need to be aware of the problem as
well. In addition, fraudsters recognize that institutions are tightening
the security of data at rest (that is, data stored in internal systems).
Thus, criminals have begun targeting vulnerabilities present when data
are moved (or transmitted) either between payment nodes or within a
company's internal systems.
Several interviewees said that companies cannot ignore threats that
may result from a shortfall in internal controls or communication. Some
interviewees noted an increase in internal fraud--that is, fraud
committed by company employees or contractors. (33) Access controls and
tracking mechanisms are important tools in limiting this risk. Similar
issues arise among independent firms along the payment chain. One
interviewee said that, for example, a lot of effort has been put into
front-end security, where the payment transaction is made. However, some
interviewees stated that much work still needs to be done in the
communication between the merchant and the processor.
Liability and incentives
As consumers, merchants, and payment providers struggle with the
issue of payment fraud, we recognize that it is not realistic to
eliminate fraud entirely. Rather, the goal ought to be to encourage the
adoption of risk-management practices that strike a balance between
excluding unduly risky payment options and rigidly dictating payments
choices. Collaboration within and among companies is a necessary aspect
of successful payment fraud management, since security is expensive to
achieve and maintain. In order to be effective, payment fraud prevention
and mitigation efforts need to include all parties "touching"
the payment transaction. To do this, the parties' incentives must
be properly aligned.
In our interviews, we asked whether the current incentive structure
for payment card systems best addresses data security risks. For
example, do current network rules assign a larger share of liability for
losses to those participants most able to take actions to minimize those
losses for the system as a whole? And if the current rules fail to
achieve this, are there incentive problems at the network level or is
there another explanation? (34) If incentive problems exist, what is the
nature of these problems?
Interview results
Merchants, banks, networks, and processors all share
responsibilities for protecting a payment system against data breaches,
but the extent to which these responsibilities are equitably distributed
was a frequent point of discussion during our interviews. A number of
interviewees contended that incentives to prevent fraud are misaligned.
This sentiment was particularly strong among participants on the
merchant and acquiring side of payment card processing. According to a
number of interviewees, merchants have a vested interest in protecting
data in order to maintain their reputations and brands as well as to
avoid chargebacks, which occur when firms fail to comply with network
rules. However, these interviewees noted that merchants do not feel that
they have ownership over the fraud mitigation system with which they
must comply, and they often feel that blame for fraud is somewhat
arbitrarily placed on them. One merchant interviewee stated that
"the payment system is not our system."
Other interviewees stated that the current system of shared
liability, wherein both issuers and acquirers have some liability for
fraud losses, appears to be effective: Incentives to prevent and
mitigate fraud in that system have kept direct credit card fraud losses
relatively modest for almost a decade. That said, these interviewees
noted that this apparent level of success in managing fraud losses may
limit the incentive to develop new innovative security measures,
especially if they are expensive. For example, one representative from a
large bank said that his organization assessed its fraud mitigation
tactics as being successful and considered the addition of more
sophisticated authentication procedures to be unnecessary at that time.
However, fraud risks are constantly evolving, necessitating solutions
that can predict or respond to new threats.
As part of the discussion about incentives to invest in data
security, several interviewees noted that compared with small firms,
large firms may have greater financial resources to make investments in
data security. For example, our interviews suggested that large banks
and big-box merchants may be better positioned financially to develop
in-house security systems, to incorporate security products into their
business processes, and to meet data security requirements imposed on
them by private sector or public sector actors. Our interviews also
suggested that small processors, small ISOs, and small merchants are
likely to be more cost sensitive than their larger counterparts when
considering investments in data security. Several interviewees noted
that to the extent that data security costs become prohibitively
expensive for these firms, a barrier to entry to payment card systems
could be created.
Payment card fraud losses among issuers, as a percentage of
transaction value, have remained relatively stable over the past decade.
Nevertheless, the data breaches described previously suggest that
hackers have developed increasingly sophisticated techniques for
identifying and exploiting vulnerabilities. And these experiences
indicate that criminals may be able to scale their fraud quickly. As a
result, payment system participants are paying increased attention to
the risks posed by data breaches.
According to our interviews, most large banks employ fraud
mitigation and data security programs that may be proprietary, provided
by third-party vendors and processors, or a combination of the two.
Merchants, acquirers, and processors are also employing fraud prevention
and data security systems that may already include or may soon include
innovative solutions, such as end-to-end encryption and tokenization.
(35)
Several interviewees stressed that incentives are also important
for consumers in order to combat fraud. Some merchants argue that
consumers lack sufficient incentives to protect their own data because
of statutes or regulations that limit consumer liability for fraudulent
transactions, as well as zero-liability rules and other protections
offered by banks and card networks. According to this perspective, the problem is
one of moral hazard. Put another way, even if consumers are best
positioned to prevent fraud (by protecting their personal and account
information), they may not be sufficiently motivated to do so because
they bear little of the costs resulting from fraudulent transactions
except in the case of identity theft. (36) Indeed, some interviewees
argued that strong consumer protections from fraud losses might explain
the relatively modest consumer reactions to large data breaches observed
to date. Nevertheless, an interviewee from a large bank stated that a
policy of shifting liability to consumers could backfire, since
consumers might move away from payment cards that do not offer zero
liability.
A number of interviewees expressed a related concern about the
level of security associated with online payments initiated using
consumers' computers. Several interviewees indicated that
consumers' computers can be the weakest link in the data security
chain. Setting security standards for personal and corporate computing
is one way that the public sector could get involved to make consumer
electronic payments safer. For example, one option suggested was to put
additional responsibilities on Internet service providers (ISPs) for
ensuring greater security in personal and corporate computing. (37) One
interviewee also suggested that a restricted top-level domain, such as
.bank, could add protection by offering greater controls and more
regulated entry into businesses facilitating payments via the Internet.
Despite comments by some interviewees that incentives to prevent
and mitigate fraud are misaligned, a number of interviewees also
mentioned companies that have advanced fraud protection strategies.
Indeed, some companies exist for the sole purpose of providing banks and
others with security solutions.
Some interviewees argued that the provision of fraud protection is
a profitable business that can offer a competitive advantage. For
example, banks, merchants, networks, and processors may be able to
advertise better security as a differentiating factor between them and
their competitors. The ability to convey such a message may also act as
an incentive for other companies to innovate. This is an example of
using market dynamics to improve incentives to invest in better
security. But there may also be a downside to this approach. Some
interviewees argued that if establishing a competitive advantage in
fraud prevention proves to be important, private firms may be reluctant
to rapidly share their know-how and lessons learned from their own
experiences combating fraud attacks. The result would be an uneven level
of defenses across the industry.
Coordination and information sharing
As noted earlier, an aspect of the evolution of electronic payment
systems in the United States over the past few decades has been a
movement toward a more open environment, with multiple parties
(including nonbanks) processing or "touching" cardholder
information. These parties include, at a minimum, both card-acquiring
and card-issuing banks, a number of independent payment networks (card
networks, ACH networks, and PIN-debit-only electronic benefit transfer
[EBT] networks), payment-card-accepting and other merchants, and
third-party processors. These parties may also include nonbank
intermediaries and providers of alternative financial services.
In the United States, the resulting industrial structure has become
more complex, and the participants have become highly differentiated.
Both developments may make effective coordination more difficult to
achieve over time. (38) By contrast, European payment markets are
relatively more concentrated and, therefore, may present an easier path
to coordinating data protection policies. In addition, the network
participants in Europe may be less specialized than those we observe in
the United States. But it is also the case that European regulatory
bodies have played a more active role than their U.S. counterparts with
respect to supporting coordination on data security in payment systems.
(39) But the European approach has its drawbacks, too. Adopting
monolithic security solutions also poses certain risks. For example, if
the security design is breached, the breach could be exploited almost
immediately and at about the same scale as the payment system itself.
In the United States, there are examples of specially designed
efforts in both the public sector (40) and the private sector (41) to
share information related to identity theft and payment fraud. One
example is the Information Sharing and Analysis Centers (ISACs)
established under a presidential directive to improve information
sharing about physical and cybersecurity threats. Several industry
sectors, including the financial services industry, established ISACs in
response to this mandate. The Financial Services Information Sharing and
Analysis Center (FS-ISAC) provides an increasingly comprehensive
information distribution system that allows a broad array of financial
services companies, financial regulatory agencies, law enforcement and
intelligence agencies, and nonbank firms integral to the financial
sector to exchange information and receive alerts related to fraud,
cybercrime, and data breaches, in a real-time or nearly real-time
environment. (42) In addition, many U.S. states now require public
disclosure of data breaches and notices sent to individuals whose
records have been compromised. State laws establishing such requirements
are designed primarily to mitigate harm to consumers after breaches have
already occurred. Still, features such as credit report monitoring and
credit freezes can help detect or prevent subsequent fraud attempts.
While FS-ISAC has played an important role in facilitating
information sharing among firms in the financial services industry, data
breaches can still occur at firms outside of this industry, and the data
stolen in these breaches can result in financial fraud. Very rapid and
detailed information sharing by breached parties across industry sectors
might also help identify vulnerabilities before sensitive data are
stolen from others and reduce the amount of information stolen.
Additionally, speedy and thorough information sharing may lead to firms
and industries quickly sharing best practices in response to a
particular type of compromise. There are signs of ample demand for
improved information sharing. In a recent survey, 93 percent of
antifraud professionals agreed that information sharing helps prevent
fraud, and 78 percent would like to see more information sharing. (43)
Today, in the United States, the mitigation of fraud risk in
payment card systems is largely coordinated by network rules. These
rules are determined by each network and must be adhered to by financial
institutions (and their agents) that issue branded payment cards or
acquire transactions made with those cards, merchants that accept
payment cards, and third parties that process those cards. The revenues
and profitability of payment card networks are generally increasing in
transaction volumes. As a result, payment card networks have strong
incentives to ensure the integrity of these electronic payment systems.
In theory, they should also be able to shape the means of coordinating
the incentives among their member institutions. Potential levers include
technological standards, loss allocation rules, and variations in
interchange fee rates, to name just a few. (44)
Further, as indicated earlier, the five major card networks have
coordinated to establish uniform standards for data system security
through the Payment Card Industry Data Security Standard. PCI DSS is the
set of data security standards that all card network participants,
including issuers, merchants, and processors, are required to meet. (45)
(As of June 30, 2012, 97 percent of Visa's Level 1 merchants, 93
percent of Level 2 merchants, and 60 percent of Level 3 merchants were
compliant with PCI DSS. Compliance among Level 4 merchants, however,
remained "moderate.") (46) Unfortunately, several recent data
breaches have occurred at firms designated by auditors as being PCI
compliant; such breaches naturally raise the question of whether PCI DSS
offers sufficient data protection for critical electronic payment
systems. The networks and others have emphasized that PCI compliance is
not a static concept; it is something that must be continuously
monitored and addressed. Those within the industry continue to evaluate
the effectiveness of PCI DSS, and the PCI Security Standards Council is
working to improve upon the original requirements. (47)
Next, we describe the industry's views on whether the
complexity of U.S. retail payment markets presents a barrier to private
sector coordination of efforts to address data security issues. We also
explore how policymakers might support such coordination efforts.
Interview results
Most interviewees stated that an increased level of cooperation
among payment participants is needed to enhance security. They offered
specific suggestions for improvement, including mechanisms to share best
practices and coordinate with law enforcement. Some interviewees said
that the public sector could play a role in facilitating information
sharing in the payment card industry, although opinions differed on
whether the government has the necessary legal authority or whether
further action is required to support such a role. One representative
from a large financial institution argued that at a minimum, the federal
government had an opportunity to improve processes for shutting down
Internet sites selling stolen consumer data. Another representative from
a large bank stated that current information-sharing mechanisms are
sufficient. While this interviewee acknowledged that cooperation in
response to new information might not be immediate, he said a positive
spirit of cooperation exists.
The issue of competitive advantage was raised by several
interviewees when considering the current state of coordination and
information sharing among payment card system participants. Many said
that as long as data security is seen as a differentiating factor that
can be profitable, information sharing and cooperation will be more
difficult to achieve. Despite this concern, several interviewees said
that large card-issuing banks share information in a variety of ways,
including through network-supported mechanisms and organizations such as
FS-ISAC. Our interviewees indicated that information sharing by
acquirers and merchants was more fragmented and less coordinated. Some
of these companies are hindered by confidentiality or nondisclosure
agreements with clients and, thus, are not allowed to coordinate and
share information. In addition, one processor interviewee stated that a
history of distrust of the payment card networks creates the perception
that sharing information and, ultimately, coordinating with the networks
may result in adverse consequences for a firm that admits to a data
breach or other data security event. Further, some interviewees noted
that in the past, payment card networks did not always share data breach
information with acquirers; rather, they only shared this information
with card issuers.
Other interviewees noted that some acquirers and processors have
prioritized information-sharing efforts. For example, according to our
interviews, an information-sharing group was formed following a
significant data breach, and details about malware used in this case
were distributed to payment card processors. It turned out that this
malware had been used by criminals in more than 650 breaches at 300
companies, compromising 200 million payment cards; yet, this particular
vulnerability had not been widely understood.
Several interviewees noted that the public sector may be uniquely
positioned to play a role in developing a framework supporting greater
sharing of information about incidents of fraud and cybercrime--within
the private sector and public sector and between them, as well as across
different industries. They said that government agencies such as the
Federal Bureau of Investigation (FBI) and the National Security Agency
(NSA) are well positioned to disseminate information about cyberthreats
or to issue alerts. These agencies could also leverage their positions
to get more players to participate in an information-sharing
infrastructure.
In addition to information-sharing efforts, coordination is also
important in setting standards or best practices for data security. As
noted earlier, the development of PCI DSS is an example of a private
sector effort to develop data security standards for participants in
payment card systems. Several interviewees said that payment card
networks are best positioned to design and enforce standards and to
develop an effective set of "carrots and sticks" to encourage
the various payment system participants to comply with the standards. An
interviewee from a large bank noted that determining the right standards
is not as difficult as enforcing those standards, specifically noting
that the penalties for non-compliance need to be clear and enforceable.
At the same time, interviewees disagreed on how successful PCI DSS has
been at equitably meeting the needs of the very diverse group of payment
system participants. Merchant interviewees argued that the standard
itself is flawed and that meeting a flawed standard defeats the purpose
of better securing payment card systems. One interviewee suggested an
alternative to PCI DSS by stating that there is a need for federal
regulations or standards that would define data necessary to execute a
transaction by the various parties to the transaction and parameters for
how long the data should be held by those parties.
In regard to designing standards, several interviewees stressed the
importance of providing all relevant participants an opportunity to
evaluate the standards. (48) For example, these parties may have very
different perspectives on the strength of compliance incentives (the
"carrots and sticks") incorporated into the standards for
improving data security.
Interviewees generally agreed that law enforcement has become much
more aware of the complexity of payment fraud and that the industry is
learning how to cooperate with the FBI, Secret Service, FTC, and local
law enforcement. One interviewee noted that federal law enforcement used
to view payment fraud as a one-off event; but today, it recognizes that
data breaches may threaten not only payment system security but also
potentially the country as a whole (for example, if payment fraud is
used to finance terrorist activities). This appreciation for data breach
risks was one of the reasons the George W. Bush administration
established its Identity Theft Task Force; the Obama administration has
continued to focus on these risks, with special attention paid to
cybersecurity.
In addition, the increasingly global scope of payment fraud
concerned a number of industry participants. Hackers are able to build
and manage databases of compromised accounts across multiple locations,
making their activities more difficult to track and their operations
more difficult to dismantle. Criminals realize that they can launder
money across a variety of international jurisdictions, taking advantage
of differences in laws and regulations. Further, they are able to
coordinate "money mules," who physically move money and goods
around but do not necessarily understand that they are working for a
criminal enterprise.
This degree of international activity poses a significant problem
for law enforcement. Some of the most sophisticated criminal networks
are well adapted for working across national borders, yet a few
interviewees noted that state and national law enforcement agencies face
more boundaries and less interagency cooperation. One interviewee stated
that for fraud and cybercrime solutions to be effective, law
enforcement agencies across the globe need to address geopolitical
differences. Individual governments are pursuing their own security
initiatives, but this interviewee pointed out that there should be more
discussion and collaboration among nations around the world to combat
fraud and cybercrime. (49)
Variations in the legal definition of payment fraud are also
important to consider, particularly given the global nature of payment
card fraud. An interviewee offered this example: A phishing email
directs a person to a fake website, one that looks exactly like the real
site but is controlled by hackers. This technique encourages the
phishing target (the consumer) to visit the fake website and enter
personal information. In some international jurisdictions, simply
maintaining the fake website constitutes fraud, but in other countries,
fraud has not occurred until money is actually stolen. Given such
differences, antifraud measures may often be more difficult to enforce
across borders than within some of them.
Other issues facing the enforcement of antifraud statutes include
minimum-value thresholds for fraud cases and overlapping jurisdictions
of the various law enforcement agencies. One interviewee said that cases
are only likely to be pursued if they involve the theft of $10,000 or
more; cases involving smaller amounts are unlikely to be investigated.
This interviewee also commented that the government is dramatically
under-investing in cybercrime investigations. Another interviewee
claimed that having multiple law enforcement authorities with differing
jurisdiction over payment fraud can spread resources to fight fraud
thin. The consensus among participants in these interviews was that more
resources both in law enforcement and in the regulatory community are
required.
Lessons from the interview results
The management of payment card fraud raises a number of difficult
questions: Have changes in technology increased or decreased the
vulnerability of payment card systems to data breaches that might
undermine consumer confidence in them? Do payment card networks, their
partners, and their customers have the appropriate incentives to take
precautions to avoid card fraud? Are the costs of payment card fraud or
of avoiding this fraud borne by the appropriate parties? For example, do
nonfinancial firms that retain personal and account data have sufficient
incentives to protect this information? Are payment card networks able
to make efficient choices about managing fraud risks and implement
antifraud measures in a timely manner? If not, are there reasons to
believe that public authorities could facilitate better or timelier
decisions? If such a role is appropriate, what information and expertise
would government need to have?
The answers to these questions are not simple. (50) Taken as a
whole, our interview results convey mixed views on most of these topics
and, in particular, on the role that government should play or is
capable of playing. That said, some general observations can be made
with respect to areas of shared concern and insight among the
interviewees.
Most interviewees recognized that payment card systems have
benefited from dramatic advances in information, computing, and
telecommunications technologies over the past four decades. These
advances have helped create opportunities for new participants in
payment card systems, such as nonbank payment providers, to introduce
innovative products and services, like prepaid cards and Internet
shopping. At the same time, these additions to the traditional payment
card system model present new risks and require a reevaluation of the
security protocols that were developed in the past.
Of course, criminals can also leverage technological advances to
develop, test, and deploy their tools quickly. And when they find
promising vulnerabilities, there is at least the possibility that their
attacks will rapidly increase in scale. Several interviewees emphasized
the adeptness of thieves at identifying vulnerabilities and quickly
exploiting them. They also noted that a vulnerability may lie in a
particular type of payment system participant, at a point in the payment
processing chain, in a data storage system, or in a software weakness. Any
incremental risk that results from innovation should be offset by
careful risk management and investments in new defenses, with an
emphasis on dynamic and flexible data security approaches, rather than
static ones. Several interviewees observed that a national focus on the
security of the information and communications infrastructure in the
United States could result in significant improvements in securing
retail payment systems, including payment card systems.
The interviewees expressed very mixed views about the incentives to
prevent fraud and to mitigate its consequences among various payment
system participants. Respondents generally considered the incentives at
their organizations to be better than those in other parts of the
transaction chain. This is perhaps an indirect recognition of the
interdependence of payment participants in securing the system and the
importance of adequate coordination of their efforts.
A number of interviewees stated that the protections afforded to
consumers from losses associated with fraudulent transactions limit
consumers' incentives to protect their cards, personal information,
and computers. Others pointed out that these protections do help to
ensure public confidence in card payments and that diluting those
protections may increase the likelihood of a mass abandonment of payment
cards if a tail event as we described earlier were to occur.
There was widespread agreement that a key ingredient in protecting
payment systems from fraud is coordination of fraud defenses among
participants in these systems. For payment card systems, this
coordination function is generally performed by the card networks. Many
participants expressed the view that in the United States, payment
applications have become so diverse and payment firms so specialized
that effective coordination is becoming more difficult. Others
questioned whether the networks had exactly the right motivations or
were sufficiently well equipped to ensure that all payment participants
had the right incentives. Such concerns led some interviewees to
speculate about an increased role of government as a coordinator. Others
wondered whether government was sufficiently nimble or adequately
equipped to play such a role.
There was greater consensus about a number of roles in which
government either is essential or could likely be more helpful. The
first is in its law enforcement capacity, which may require additional
resources. Given the international character of many modern electronic
payment systems, interviewees recognized that law enforcement efforts
must also take on a more international character. This too will require
additional coordination--in this case, among governments around the
world. Also, interviewees mentioned the need for more comprehensive
information about the volume, character, and drivers of payment card
fraud and data breaches. In general, interviewees supported expanding
the collection and dissemination of data and new research, which
governments can facilitate.
Most interviewees also said that the government could play a useful
role in facilitating a more rapid dissemination of actionable
information about new threats to the security of payment systems.
Numerous information-sharing networks already exist, but some of our
respondents contended that information exchanges remained too balkanized
and too slow in many instances. The U.S. federal government is already
an active participant in a number of these exchanges and, in some
instances, contributes information obtained through various law
enforcement and intelligence channels. (51)
Several respondents argued that the government can play a special
role as both a participant and a facilitator of the exchange of
actionable information about data breaches because it may be uniquely
positioned to address private sector incentives in markets where
security may be a source of competitive advantage. If maintaining a
reputation as a secure provider of payment services is good for
business, then firms will have incentives to invest in appropriate
procedures and technologies. But the desire to maintain a competitive
advantage may act to discourage private actors from sharing information
about the nature of any new threats they are experiencing. Government
does not face this tension. In addition, by acting as an important
source of information while insisting on reciprocity, government can tip
private sector incentives in the direction of sharing more
information--and sooner. (52)
Conclusion
The evolution of our electronic payment networks provides greater
flexibility, convenience, and efficiency for consumers, businesses, and
governments. At the same time, advancements in these networks can lead
to opportunities for fraudsters, including the potential for large-scale
data breaches. To manage these new risks, payment system stakeholders
must make security an integral part of the provision of retail payments.
Our interview results suggest that to enable the smooth and efficient
operation of the complex U.S. retail payment system, payment system
participants need to find more ways to cooperate, share relevant
information, and innovate to stay ahead of the criminal gangs that
perpetrate payment fraud using an array of sophisticated tools and
procedures.
REFERENCES
Abdul-Razzak, Nour, Katy Jacob, and Richard D. Porter, 2011,
"Improving security for remote payments," Chicago Fed Letter,
Federal Reserve Bank of Chicago, No. 293a, December, available at
www.chicagofed.org/digital_assets/publications/
chicago_fed_letter/2011/cfldecember20112_293a.pdf.
Amromin, Gene, and Richard D. Porter, 2009, "Economic
Perspectives special issue on payments fraud: An introduction,"
Economic Perspectives, Federal Reserve Bank of Chicago, Vol. 33, First
Quarter, pp. 2-6, available at
www.chicagofed.org/digital_assets/publications/economic_perspectives/2009/ep_1qtr2009_part1_amromindaorter.pdf.
Anderson, Ross, and Tyler Moore, n. d., "Information security
economics--and beyond," University of Cambridge, Computer
Laboratory, mimeo, available at
www.cl.cam.ac.uk/~rja14/Papers/econ_crypto.pdf.
Board of Governors of the Federal Reserve System, 2011a,
"Debit card interchange fees and routing," Federal Register,
Vol. 76, No. 139, July 20, pp. 43478-43488, available at
www.federalreserve.gov/reportforms/formsreview/RegII_20110720_ifr.pdf.
--, 2011b, "2009 interchange revenue, covered issuer cost, and
covered issuer and merchant fraud loss related to debit card
transactions," report, Washington, DC, June, available at
www.federalreserve.gov/paymentsystems/files/debitfees_costs.pdf.
Bradford, Terri, Fumiko Hayashi, Christian Hung, Simonetta Rosati,
Richard J. Sullivan, Zhu Wang, and Stuart E. Weiner, 2009,
"Nonbanks and risk in retail payments: EU and U.S.," in
Managing Information Risk and the Economics of Security, M. Eric Johnson
(ed.), New York: Springer Science+Business Media, pp. 17-54.
CardLine, 2009, "Data fears influencing habits," American
Banker, Vol. 174, No. 50, March 16, p. 10.
Cheney, Julia S., 2010, "Heartland Payment Systems: Lessons
learned from a data breach," Federal Reserve Bank of Philadelphia,
Payment Cards Center, discussion paper, No. DP10-01, January, available
at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2010/19-2010-January-Heartland-Payment-Systems.pdf.
--, 2007, "An update on trends in the debit card market,"
Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion
paper, No. DP07-07, June, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2007/D2007JuneUpdateDebitCardMarketTrends.pdf.
--, 2005, "Identity theft: Do definitions still matter?,"
Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion
paper, No. DP05-10, August, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2005/identity-theft-definitions.pdf.
--, 2004, "Identity theft: Where do we go from here?,"
Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion
paper, No. DP04-03, April, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/events/conferences/2004/IdentityTheft_042004.pdf.
Cheney, Julia S., Robert M. Hunt, Katy R. Jacob, Richard D. Porter,
and Bruce J. Summers, 2012, "The efficiency and integrity of
payment card systems: Industry views on the risks posed by data
breaches," Federal Reserve Bank of Philadelphia, Payment Cards
Center, discussion paper, No. DP12-04, October, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2012/D-2012-Efficiency-and-Integrity-of-Payment-Card-Systems.pdf.
Consumer Financial Protection Bureau, 2012, "Consumer
Financial Protection Bureau to supervise credit reporting," press
release, Washington, DC, July 16, available at
www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-to-superivsecredit-reporting/.
Contini, Darin, Marianne Crowe, Cynthia Merritt, Richard Oliver,
and Steve Mott, 2011, "Mobile payments in the United States:
Mapping out the road ahead," Federal Reserve Bank of Atlanta,
Retail Payments Risk Forum, white paper, March 25, available at
www.frbatlanta.org/documents/rprf/rprf__pubs/110325_wp.pdf.
Discover Financial Services, 2012, "Discover implements 2013
EMV mandate in U.S., Canada and Mexico," Business Wire, March 15,
available at www.businesswire.com/news/home/20120315005409/en/Discover-Implements-2013-EMV-Mandate-U.S.-Canada.
Federal Reserve Bank of Atlanta, Retail Payments Risk Forum, 2011,
"The Role of Government in Payments Risk and Fraud--Conference
summary," available at
www.frbatlanta.org/news/conferences/11rprf_summary.cfm.
Federal Reserve Bank of Atlanta and Federal Reserve Bank of Boston,
Mobile Payments Industry Workgroup, 2010, "Mobile payments industry
roundtable summary," report, Atlanta, available at
www.frbatlanta.org/documents/rprf/rprf_events/mobile-payments-roundtable-summary.pdf.
Federal Reserve System, 2011, The 2010 Federal Reserve Payments
Study--Noncash Payment Trends in the United States: 2006-2009, report,
Washington, DC, updated April 5, 2011, available at
www.frbservices.org/files/communications/pdf/press/2010_payments_study.pdf.
Federal Trade Commission, 2012, Consumer Sentinel Network Data Book
for January-December 2011, February, available at
www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2011.pdf.
Furletti, Mark, and Stephen Smith, 2005, "The laws,
regulations, and industry practices that protect consumers who use
electronic payment systems: Credit and debit cards," Federal
Reserve Bank of Philadelphia, Payment Cards Center, discussion paper,
No. DP05-01, January, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2005/ConsumerProtectionPaper_CreditandDebitCard.pdf.
Herbst-Murphy, Susan, 2012, "Government use of the payment
card system: Issuance, acceptance, and regulation," Federal Reserve
Bank of Philadelphia, Payment Cards Center, conference summary, No.
CS12-01, July, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/conference-summaries/2012/C-2012Government-Use-of-the-Payment-Card-System.pdf.
Jacob, Katy, and Bruce J. Summers, 2008, "Assessing the
landscape of payments fraud," Chicago Fed Letter, Federal Reserve
Bank of Chicago, No. 252, July, available at
www.chicagofed.org/digital_assets/publications/chicago_fed_letter/2008/cfljuly2008_252.pdf.
Javelin Strategy & Research, 2012, 2012 Identity Fraud Survey
Report: Social Media and Mobile Forming the New Fraud Frontier,
Pleasanton, CA, February, available for purchase at
https://www.javelinstrategy.com/brochure/239.
Kahn, Charles M., and Jose Manuel Linares-Zegarra, 2012,
"Identity theft and consumer payment choice: Does security really
matter?," University of Illinois at Urbana-Champaign and
University of St Andrews, working paper, February 14, available at
http://ssrn.com/abstract=2005694.
Keitel, Philip, 2008, "Legislative responses to data breaches
and information security failures," Federal Reserve Bank of
Philadelphia, Payment Cards Center, discussion paper, No. DP08-09,
December, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2008/D2008DecemberLegislativeResponsesToDataBreaches.pdf.
Kjos, Ann, 2007, "The merchant-acquiring side of the payment
card industry: Structure, operations, and challenges," Federal
Reserve Bank of Philadelphia, Payment Cards Center, discussion paper,
No. DP07-12, October, available at
www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2007/D2007OctoberMerchantAcquiring.pdf.
Krebs, Brian, 2009, "Data breach led to multi-million dollar
ATM heists," Washington Post, February 5, available at
http://voices.washingtonpost.com/securityfix/2009/02/data_breach_led_to_multi-milli.html.
Lacey, John H., 2011, "RSA data breach the result of
successful spear phishing," Massachusetts Data Privacy Law Blog,
April 7, available at
www.massdataprivacylaw.com/data-breach/rsa-data-breach-the-result-of-successful-spear-phishing/.
Liu, Edward C., Gina Stevens, Kathleen Ann Ruane, Alissa M. Dolan,
and Richard M. Thompson II, 2012, "Cybersecurity: Selected legal
issues," CRS Report for Congress, Congressional Research Service,
No. R42409, April 20.
MasterCard Worldwide, 2012, "MasterCard introduces U.S.
roadmap to enable next generation of electronic payments," press
release, Purchase, NY, January 30, available at
http://newsroom.mastercard.com/press-releases/mastercard-introduces-u-s-roadmap-to-enable-next-generation-of-electronic-payments/.
PCI Security Standards Council, 2010, "PCI Security Standards
Council releases version 2.0 of the PCI Data Security Standard and
Payment Application Data Security Standard," press release,
Wakefield, MA, October 28, available at
https://www.pcisecuritystandards.org/pdfs/pr_101028_standards_2.0.pdf.
Ponemon Institute, 2010, 2009 Annual Study: Cost of a Data Breach,
report, Traverse City, MI, January, available at
www.ponemon.org/local/upload/fckjail/generalcontent/18/fileUS_Ponemon_CODB_09_012209_sec.pdf.
Rashid, Fahmida Y., 2011, "ID theft declined in 2010 but
average losses increased: Survey," eWeek, February 10, available
at www.eweek.com/c/a/Security/ID-Theft-Declined-in-2010-but-Average-Losses-Increased-Survey-814461/.
Roberds, William, and Stacey L. Schreft, 2009, "Data breaches
and identity theft," Journal of Monetary Economics, Vol. 56, No. 7,
October, pp. 918-929.
Robertson, David (publisher), 2012, "Visa &
MasterCard--U.S. 2011," Nilson Report, No. 988, February, pp. 1,
9-11.
--, 2011, "U.S. leads the world in credit card fraud, states
The Nilson Report: Global credit card fraud losses increased 10.2% over
2009," press release for Nilson Report, Carpinteria, CA, November
21, available at https://nilsonreport.com/pdf/news/112111.pdf.
RSA Conference, eFraud Network Forum Program Committee, 2009, 2009
Online Fraud Benchmark Report, April 15, available at
https://365.rsaconference.com/docs/DOC-1895.
Schreft, Stacey L., 2007, "Risks of identity theft: Can the
market protect the payment system?," Economic Review, Federal
Reserve Bank of Kansas City, Fourth Quarter, pp. 5-40, available at
www.kansascityfed.org/Publicat/ECONREV/PDF/4q07Schreft.pdf.
Sidel, Robin, 2012, "Card processor: Hackers stole account
numbers," Wall Street Journal, April 2, available by subscription
at http://online.wsj.com/article/SB10001424052702304750404577318083097652936.html.
Striekler, Laura, and Aurora Ellis, 2011, "Secret Service
investigates Epsilon data breach," CBSNews.com, April 4, available
at www.cbsnews.com/8301-31727_162-20050575-10391695.html.
Sullivan, Richard J., 2010, "The changing nature of U.S. card
payment fraud: Industry and public policy options," Economic
Review, Federal Reserve Bank of Kansas City, Second Quarter, pp.
101-133, available at www.kansascityfed.org/Publicat/Econrev/pdf/10q2Sullivan.pdf.
The Clearing House, 2011, "Project Compas executive summary
for NACHA," report, New York, April 4.
Verizon RISK Team, 2012, 2012 Data Breach Investigations Report,
New York, available at
www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012__en_xg.pdf.
Visa Inc., 2011, "Visa announces plans to accelerate chip
migration and adoption of mobile payments," press release, San
Francisco, August 9, available at
http://corporate.visa.com/newsroom/press-releases/press1142.jsp.
NOTES
(1) This article is based on Cheney et al. (2012)--a discussion
paper published by the Payment Cards Center at the Federal Reserve Bank
of Philadelphia.
(2) Credit, debit, and prepaid card transactions account for about
60 percent of the number and 5 percent of the value of noncash
transactions in the United States. They account for a much higher share
of the value of transactions at the point of sale (POS). Today, with the
exception of the remaining checks used to pay recurring bills, debit
cards and automated teller machines (ATMs) are the principal means
consumers use to access funds in their transaction accounts. See Federal
Reserve System (2011, p. 13) and The Clearing House (2011).
(3) For the purposes of this article, we define tail risk to mean
that there is uncertainty over the precise probability of the occurrence
of a highly unlikely but catastrophic event. We consider the abandonment
of payment card systems or instruments as an example of tail risk
associated with data breaches.
(4) Governments of all levels are replacing the remaining benefit
disbursements that occur via paper check with some form of prepaid card,
whose functionality depends on the existing payment card infrastructure.
See Herbst-Murphy (2012).
(5) For a general discussion of payment fraud, see the special
edition of the Federal Reserve Bank of Chicago's Economic
Perspectives published in the first quarter of 2009, with an
introduction by Amromin and Porter (2009).
(6) In economic terms, fraud, like pollution, creates
externalities. If fraud is largely nonexistent, one can operate more
freely with less caution. However, when fraud is rampant, one must
operate much more vigilantly--which is a relatively expensive course of
action.
(7) The actual allocation of losses will depend on the
circumstances of the transaction and payment card network rules.
(8) The full set of costs includes nonmonetary costs incurred by
consumers--such as the opportunity cost of time spent to verify
transactions and replace compromised payment cards and, in the case of
identity theft, to monitor and confirm the validity of credit accounts
opened in the victim's name.
(9) By network effects, we mean in this context that a payment
method will be more attractive to consumers when there are more places
that accept that particular method of payment. Moreover, merchants and
other businesses will be more willing to incur the costs of accepting
payment cards when they know that many of their customers are ready and
willing to use them.
(10) For more details on the card-acquiring bank function (that is,
the merchant-acquiring function), see Kjos (2007).
(11) For card-based systems, the coordination function is performed
by the networks, that is, American Express, Discover Financial Services,
JCB (Japan Credit Bureau) International, MasterCard Worldwide, and Visa
Inc.
(12) The CFPB has supervisory (for example, examination) authority
(for the purposes of ensuring compliance with many federal consumer
protection statutes) over nonbanks of all sizes in the residential
mortgage, private education lending, and payday lending markets. The
CFPB may, by rule, define a set of nonbanks that it determines are
"larger participants" in markets for consumer financial
products and services and establish supervisory authority over these
firms. For example, the CFPB adopted a rule on July 16, 2012, to begin
supervising consumer reporting agencies (for example, credit
bureaus or credit reporting companies) that have more than $7 million in
annual receipts. See Consumer Financial Protection Bureau (2012).
(13) For additional details, see Keitel (2008).
(14) See Visa Inc. (2011), MasterCard Worldwide (2012), and
Discover Financial Services (2012). For more information on the EMV
standard, see www.emvco.com.
(15) For a discussion related to this topic, see Cheney (2010).
(16) See Robertson (2011). Also see Sullivan (2010);
Sullivan's estimate of fraud losses is based on the sum of direct
losses borne by card issuers; POS merchants; and merchants in Internet,
mail order, and telephone transactions.
(17) We calculated the value for the 2011 credit card fraud losses
using data from Robertson (2012) for four of the five major
networks--American Express, Discover, MasterCard, and Visa. In 2010, the
Federal Reserve Board surveyed issuers subject to Regulation II (Debit
Card Interchange Fees and Routing). The data on debit and prepaid card
fraud losses are for the 2009 calendar year and represent total fraud
losses, as reported by the issuers, for PIN (personal identification
number) debit, signature debit, and prepaid card transactions. The Board
of Governors of the Federal Reserve System also published data for PIN
debit, signature debit, and prepaid debit fraud losses separately. See
Board of Governors of the Federal Reserve System (2011a, p. 43480) and
the Board of Governors of the Federal Reserve System (2011b).
(18) This estimate is based on Verizon's estimate that these
breaches involved 174 million potentially compromised records, but that
only about 3 percent of those involved payment card data. See Verizon
RISK Team (2012, p. 42).
(19) See Cheney (2007, pp. 8-9).
(20) This statistic is from the Ponemon Institute (2010, p. 12).
About two-thirds of this cost results from attrition of existing
customers and less success in obtaining new ones.
(21) For a detailed account of the breach at Heartland, see Cheney
(2010). Less is known about the breach at Global Payments, but see Sidel
(2012). For information about the Epsilon and RSA data breaches, see
Strickler and Ellis (2011) and Lacey (2011), respectively.
(22) See Krebs (2009).
(23) The Verizon RISK Team (2012, p. 42) found that the vast
majority of records compromised in 2011 contained personal information.
Also, according to the Verizon RISK Team (2012, pp. 10-11), the
majority of all data breaches (54 percent) occurred among restaurants
and hotels, but relatively few records are stolen this way. Retailers
and financial firms also accounted for significant shares of breaches
(20 percent and 10 percent, respectively).
(24) According to Javelin Strategy & Research's 2011
Identity Fraud Survey Report, in 2010 it took victims an average of 33
hours to resolve issues related to identity fraud (Rashid, 2011). The
full Javelin report is available for purchase at
https://www.javelinstrategy.com/research/Brochure-209.
(25) See Federal Trade Commission (2012).
(26) See Javelin Strategy & Research (2012). For further
information on identity theft, see Schreft (2007).
(27) See CardLine (2009).
(28) These protections are defined in the Fair Credit Billing Act
and the Electronic Fund Transfer Act and in "zero liability"
policies created by private payment networks. For details, see Furletti
and Smith (2005).
(29) See Cheney (2005).
(30) Traditionally, fraud has been measured, managed, and mitigated
within each independent payment channel (for example, checking and ACH).
In recent years, payment providers have recognized a growing
interdependence in fraud management across channels, since criminals
have learned to exploit vulnerabilities detected in one channel to
extract information or value in others.
(31) For an in-depth discussion of mobile payments issues, see
Federal Reserve Bank of Atlanta and Federal Reserve Bank of Boston,
Mobile Payments Industry Workgroup (2010). Also see Contini et al.
(2011).
(32) One interviewee provided the example of PIN pads at gasoline
pumps as a new type of physical acceptance environment for PIN payment
cards. This company noted that new ways had to be considered (and some
developed) to effectively limit PIN payment card fraud in this
environment. For example, gas stations may use zip code verification
during the authorization process at the gas pump machines.
(33) This observation is consistent with a rising trend in the
share of breaches that involve internal employees over the years 2004-09
as reported in Verizon RISK Team (2012, figure 10, p. 16). The share of
fraud events resulting from insiders fell significantly thereafter.
(34) These incentive problems are discussed in greater detail in
Anderson and Moore (n.d.). For a theoretical explanation of the
potential incentive problems, see Roberds and Schreft (2009).
(35) Encryption involves masking the valuable private information
so that it is too expensive to decrypt it even when the information is
illicitly intercepted. Currently, the most powerful form of encryption
available in web browsers is 128-bit encryption. Tokenization involves
masking the valuable information, such as a credit card number, with a
token. The token might be, for example, an arbitrary number or
combination of numbers and letters. Without the token look-up key, the
random information has no value if it is stolen.
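As an added illustration of the tokenization scheme sketched in this note (example code written for this page, not part of the original article or any vendor's product): a minimal token vault in Python that replaces a card number with a random token, keeping only the last four digits for receipts, and returns the real number only to callers that hold the vault. The vault, its lookup key, the Luhn check and the sample card number are all constructed for the example; a production vault would also encrypt the stored numbers at rest.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; real card numbers pass it (constructed helper)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only place the real card number lives.

    A merchant system stores and passes around tokens from tokenize();
    without access to this vault a stolen token maps to nothing.
    """

    def __init__(self, lookup_key: bytes):
        # Secret used to derive the lookup index, so the index table itself
        # never holds a cleartext card number (constructed key in the test).
        self._lookup_key = lookup_key
        self._pan_by_token = {}    # token -> card number (vault contents)
        self._token_by_index = {}  # HMAC(card number) -> token, for reuse

    def _index(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token for pan, reusing the same token for a repeat card."""
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Random digits replace everything but the last four. Tokens are
            # deliberately chosen to FAIL the Luhn check (a design choice of
            # this example), so a token can never be mistaken for, or collide
            # with, a real card number, and token != pan is guaranteed.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the card number; only possible with access to the vault."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-lookup-key")
    sample_pan = "4111111111111111"          # constructed test number
    tok = vault.tokenize(sample_pan)
    print("merchant keeps only:", tok)      # e.g. ************1111 style token
    print("vault can recover:", vault.detokenize(tok) == sample_pan)
```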
(36) While liability incentives for consumers are limited by the
various protections offered, there is some recognition that identity
theft is an entirely different matter. Consumers appear to have a
general, albeit basic, understanding that they are largely responsible
for restoring their good credit standing in the case of identity theft
and that such a restoration is often quite expensive in terms of both
time and money.
(37) The Australian government developed a framework to address the
problem of compromised personal computers (PCs). In 2005, the Australian
Communications and Media Authority (ACMA) developed the Australian
Internet Security Initiative (AISI), which works with ISPs and
consumers. AISI is a free service provided by the ACMA that monitors
data feeds on compromised Australian PCs. The agency sends a list of
customers with compromised PCs to the ISP, which is required to notify
the customers. The ISP may contact the customers by phone or letter and
provide advice to fix the problem, but in some cases, it may even
disconnect customers to contain the spread of a malware threat.
(38) Coordination may include efforts to share information among
payment system participants, as well as efforts to move participants
toward better data protection practices.
(39) For more details on the evolution of regulatory structures in
the European Union (EU) and the United States, see Bradford et al.
(2009).
(40) For example, the FTC maintains the Identity Theft
Clearinghouse, which provides law enforcement agencies with direct
access to detailed incidence data recorded as part of the complaints and
also allows the FTC to share aggregate data with consumers, other
government agencies, and industry constituencies. For additional
examples of identity theft information-sharing efforts, see Cheney
(2004).
(41) Early Warning Services is an example of a limited liability
bank-owned company that essentially is a private sector data-sharing
initiative. Its services include verifying identities and authenticating
account holders' information, as well as screening potential new
and existing customers for a prior history of fraud or account abuse.
For more information on Early Warning Services, see
www.earlywarning.com/about2.html.
(42) According to the FS-ISAC's website, the FS-ISAC "was
established by the financial services sector in response to 1998's
Presidential Directive 63. That directive--later updated by 2003's
Homeland Security Presidential Directive 7--mandated that the public and
private sectors share information about physical and cybersecurity
threats and vulnerabilities to help protect the U.S. critical
infrastructure." For more information about FS-ISAC, see
www.fsisac.com/about/. Other industries have also established ISACs. For
example, the communications sector and the electricity sector have
formed ISACs.
(43) See RSA Conference, eFraud Network Forum Program Committee
(2009, p. 5).
(44) The Federal Reserve Board's Regulation II applies to
debit card issuers with consolidated assets of $10 billion or more and
allows debit card payment networks to vary interchange fee rates for
transactions below the maximum interchange fee permitted by the
Board's standards. Interchange fee is a term used in the payment
card industry to describe a fee paid between banks for accepting
card-based transactions. This fee is usually paid by a merchant's
financial institution to a payor's financial institution.
(45) For more information on PCI, visit the PCI Security Standards
Council's website, https://www.pcisecuritystandards.org.
(46) Level classifications vary by transaction volume. According to
Visa's website, Level 1 merchants process over 6 million Visa
transactions per year. Other merchants may be required to meet Level 1
PCI compliance requirements at Visa's sole discretion. Level 2
merchants process between 1 million and 6 million Visa transactions per
year. Level 3 merchants process between 20,000 and 1 million Visa
e-commerce transactions per year. Level 4 merchants comprise those that
process fewer than 20,000 Visa e-commerce transactions and all other
merchants that process up to 1 million Visa transactions per year. For
more details, see http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The compliance rates for the different merchant levels are
available at http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf (accessed on October 24, 2012).
(47) For example, in October 2010, the PCI Security Standards
Council released version 2.0 of PCI DSS. See PCI Security Standards
Council (2010).
(48) Box 1 (p. 133) provides a discussion of how the PCI Security
Standards Council gets participating organizations involved in the
process of evaluating and updating the PCI DSS. For more details on the
rights and responsibilities of participating organizations, see
https://www.pcisecuritystandards.org/get_involved/rightsresponsibilities.php.
(49) The Federal Reserve Bank of Atlanta's Retail Payments
Risk Forum addressed the need for improved international coordination
among law enforcement organizations in its November 2011 payments
conference--The Role of Government in Payments Risk and Fraud. For a
summary of the conference discussion, see Federal Reserve Bank of
Atlanta, Retail Payments Risk Forum (2011).
(50) For additional discussions of the policy issues related to
fraud in consumer payments, see Abdul-Razzak, Jacob, and Porter (2011).
Also see Sullivan (2010) and Jacob and Summers (2008).
(51) Recently, Congress has been considering a number of
cybersecurity bills that aim to increase the dissemination of actionable
information obtained in the public sector as well as improve incentives
for private actors to share the information they have. For further
details, see Liu et al. (2012).
(52) This is analogous to the role that private credit bureaus
play. In the United States, reporting to a credit bureau is not
mandatory. Yet hundreds of thousands of organizations find it worthwhile
to share their information in exchange for the ability to use
information provided by all members.
Julia S. Cheney is manager of research and programming and Robert
M. Hunt is vice president and director of the Payment Cards Center at
the Federal Reserve Bank of Philadelphia. Katy R. Jacob is a business
economist and Richard D. Porter is a vice president and senior policy
advisor in the Economic Research Department at the Federal Reserve Bank
of Chicago. Bruce J. Summers is an independent consultant on payment
systems and technology management. The authors thank those who
participated in the interviews described in the article. They also thank
Anna Lunn and James van Opstal for their assistance and Darin Contini,
Douglas Evanoff, Fumiko Hayashi, Joanna Stavins, Rick Sullivan, and
Kirstin Wells for many helpful conversations. The views expressed are
the authors' and do not necessarily reflect the views of the
Federal Reserve Bank of Philadelphia.
Economic Perspectives is published by the Economic Research
Department of the Federal Reserve Bank of Chicago. The views expressed
are the authors' and do not necessarily reflect the views of the
Federal Reserve Bank of Chicago or the Federal Reserve System.
Charles L. Evans, President; Daniel G. Sullivan, Executive Vice
President and Director of Research; Spencer Krane, Senior Vice President
and Economic Advisor; David Marshall, Senior Vice President, financial
markets group; Daniel Aaronson, Vice President, microeconomic policy
research; Jonas D. M. Fisher, Vice President, macroeconomic policy
research; Richard Heckinger, Vice President, markets team; Anna L.
Paulson, Vice President, finance team; William A. Testa, Vice President,
regional programs; Richard D. Porter, Vice President and Economics
Editor; Helen Koshy and Han Y. Choi, Editors; Rita Molloy and Julia
Baker, Production Editors; Sheila A. Mangler, Editorial Assistant.
Economic Perspectives articles may be reproduced in whole or in
part, provided the articles are not reproduced or distributed for
commercial gain and provided the source is appropriately credited. Prior
written permission must be obtained for any other reproduction,
distribution, republication, or creation of derivative works of Economic
Perspectives articles. To request permission, please contact Helen
Koshy, senior editor, at 312-322-5830 or email
[email protected].
ISSN 0164-0682