The efficiency and integrity of payment card systems: industry views on the risks posed by data breaches.
Article Type:
Column
Subject:
Credit and debit card industry (Safety and security measures)
Credit and debit card industry (Laws, regulations and rules)
Data security (Analysis)
Data security (Laws, regulations and rules)
Credit card fraud (Prevention)
Authors:
Cheney, Julia S.
Hunt, Robert M.
Jacob, Katy R.
Porter, Richard D.
Summers, Bruce J.
Pub Date:
12/22/2012
Publication:
Name: Economic Perspectives Publisher: Federal Reserve Bank of Chicago Audience: Academic Format: Magazine/Journal Subject: Business; Economics Copyright: COPYRIGHT 2012 Federal Reserve Bank of Chicago ISSN: 1048-115X
Issue:
Date: Winter, 2012 Source Volume: 36 Source Issue: 4
Topic:
Event Code: 930 Government regulation; 940 Government regulation (cont); 980 Legal issues & crime; 260 General services Advertising Code: 94 Legal/Government Regulation Computer Subject: Data security issue; Government regulation
Product:
Product Code: 6020150 Consumer Bank Credit Card Svcs; 6141000 Nonbank Credit Card Firms; 9916270 Data Processing Security NAICS Code: 52221 Credit Card Issuing SIC Code: 6141 Personal credit institutions; 6153 Short-term business credit
Geographic:
Geographic Scope: United States Geographic Code: 1USA United States

Accession Number:
308294044
Full Text:
Introduction and summary

In this article, we consider the potential for data breaches that compromise the security of personal and account information to threaten consumer confidence in payment card systems in the United States. (1) In particular, we explore whether a large, well-targeted data breach (or a sequence of breaches over a relatively short period of time) might render inoperable a payment card system (for credit, debit, or prepaid cards), possibly resulting in its being abandoned, temporarily or otherwise, by a substantial number of consumers. (2) We recognize that, given the precautions that are in place in such systems, the probability of a catastrophic abandonment is quite low. But this probability is not zero. Recent events, as well as feedback from the industry, suggest that further study of such potential tail risks could be helpful. (3)

The shutdown or abandonment of one or more of these systems, even if the duration is relatively limited, might amount to a significant disruption in the flow of funds among consumers and businesses and, increasingly, from governments to households in the form of benefit payments. (4) Such transactions might be immediately shifted to alternative means of payment, but doing so could create substantial operational challenges for those payment systems. Sudden shifts away from payment card transactions to other payment methods might also prompt a policy response to an immediate crisis based on incomplete information--which would be less desirable than a response based on a process of carefully gathering and evaluating all the available information.

In the event of a crisis, the Federal Reserve maintains a legal and electronic infrastructure to provide liquidity to banks facing interbank settlement difficulties as a result of disruptions to the normal clearing and settlement cycles of card systems. However, this liquidity would have to quickly reach the consumers and businesses, including nonfinancial firms, that rely on these systems as a means to exchange value and whose payment behavior would be affected by even a temporary disruption in one of the card networks. To allow for efficient payment substitution in support of a smoothly functioning U.S. economy, there must also be multiple reliable ways to make and receive electronic payments.

For all of these reasons, researchers at the Federal Reserve Bank of Chicago and the Payment Cards Center at the Federal Reserve Bank of Philadelphia developed a series of questions and organized informal conversations with a variety of payment system participants, with the goal of better understanding the nature and significance of risks posed by data breaches to payment card systems. More specifically, to examine the adequacy of existing efforts to prevent, manage, and mitigate fraud in card-based payment systems, the Chicago Fed and Philadelphia Fed researchers conducted 17 industry interviews in 2009. The individuals interviewed represented a variety of domestic perspectives, including those of networks, banks, merchants, processors, independent sales organizations (ISOs), vendors, and information-sharing organizations. This article documents the insights gained through this exercise, but it does not identify individual organizations or respondents. Ideally, the information learned from these interviews would be helpful to other researchers considering the risks that data breaches may pose to retail payments in the United States, as well as how those risks can be mitigated most efficiently.

In the next section, we provide an overview of the threat that fraud poses to the smooth operation of payment card systems in the United States. Then, we discuss specific measurements of losses due to payment card fraud, as well as the current scale and character of data breaches in the financial industry. After providing this background information, we summarize our industry interviews and discuss the lessons learned from them.

Accounting for payment fraud

Payment fraud can be broadly defined as any activity that uses confidential personal (and often financial) information for unlawful gain. For example, A masquerades as B and uses B's credentials to illicitly take B's funds or to obtain credit under B's name. Such fraud can occur with any type of noncash payment method, including credit and debit cards, checks, and automated clearinghouse (ACH) transactions. Payment fraud can be committed knowingly by a consumer (first-party fraud), or consumers can be victimized by others operating within financial institutions or as part of criminal enterprises (third-party fraud). (5)

Fraud is a threat to the payment system's efficiency because it degrades operational performance and increases costs--not only for the parties whose payments are compromised but also for all participants in the system. (6) Payment networks are potentially vulnerable to fraud at a number of points along the transaction chain. Criminals naturally opt to exploit the weakest links in payment chains. As a result, banks and other payment system operators and private firms using the payment system incur significant expenses to protect against fraud.

When successful, payment card fraud, which we focus on in this article, can give rise to adverse consequences for participants at different points along the payment chain. For example, when a criminal steals a payment card and uses it (or its information) to make a purchase, the legitimate cardholder's liability for the fraudulent transaction is limited by statute or regulation. It is downstream participants, such as the card-issuing bank and the merchant, that are likely to incur losses on fraudulent transactions. (7)

Although the cost of fraud losses might be limited by investing in stronger protections against criminal use of a stolen card, it is neither possible nor efficient to eliminate payment fraud entirely. Rather, in striving to achieve efficiency, payment system operators and users must balance the costs of preventing and mitigating fraud against the full set of costs that fraud generates, including, but not limited to, the actual monetary loss to society. (8) Ideally, individual participants would actively monitor the risks that their choices create.

An important input into this calculation is the confidence that private actors have in the payment methods they use. For example, consumers have come to expect that payment card systems will reliably and securely complete payments as instructed. Today, these systems are widely used to receive income and benefit payments, to purchase goods and services, and to pay bills. Over time, payment card systems have displaced more-costly paper-based systems, especially for purchases made at the point of sale (POS). Card systems have also been essential in facilitating payments in new sales channels, such as the Internet, where the buyer and seller do not transact in a face-to-face environment.

Without sufficient confidence among the parties involved, payment card systems cannot operate efficiently for all of them, nor will these systems be profitable to their owners. Card networks operate more efficiently in an environment where their services are offered ubiquitously and large numbers of consumers and merchants agree to utilize them. The presence of strong network effects in established card payment systems contributes to their resilience in the face of temporary shocks. (9) At the same time, these network effects imply that a sufficiently large shock to public confidence in a payment card system might result in a sufficiently large shift of transactions to other (potentially less efficient) forms of payment that cannot easily be reversed.

This shift would reduce the value of the payment card network because a reduction in the number of active cardholders may, in turn, lead to fewer merchants or businesses willing to incur the cost to accept payment card transactions.

Consumer payment systems usually function so smoothly that it is easy to underestimate their complexity. This complexity is due in part to the number of parties involved in completing a payment, the high degree of coordination required among these parties, and the ongoing investments that are required to ensure reliable performance. For example, a card-based payment transaction in the United States will involve some or all of the following parties: a cardholder; a merchant or biller; a card issuer, or simply an issuer; a card-acquiring bank, or an acquirer (which converts payment card receipts into bank deposits for merchants); (10) an electronic switch (which routes transaction information among various banks participating in a payment network); a payment network; one or more processors; a telecommunications company; and other third parties. Coordinating the activities of all these participants is a crucial payment system function, and such coordination takes on special significance in protecting the system from fraud and preserving the public's confidence in the system. (11)

Moreover, no single government entity has an exclusive or comprehensive regulatory or supervisory jurisdiction over U.S. retail payment systems or payment providers. The Board of Governors of the Federal Reserve System issues certain retail payment regulations, especially regarding checks. The recently established Consumer Financial Protection Bureau (CFPB) has jurisdiction over most federal consumer protection regulation for electronic payment transactions. As a prudential regulator, the Federal Reserve Board, as well as other federal financial supervisors, conducts exams; and these exams can entail a review of the financial institution's payment system security precautions, including those of its business partners.

Further, some of the organizations involved in operating networks and providing payment services to the public are banks, but many are not. Thus, additional regulators can be involved. For example, nonbanks operating under state money transmitter licenses are subject to state agency supervision. In addition, the CFPB may determine, by rule, that certain nonbanks in markets for consumer financial products and services are "larger participants" and therefore subject to CFPB supervision. (12) A variety of state laws also address consumer rights in instances of identity theft or a data breach. (13)

Local, state, and federal law enforcement agencies investigate instances of fraud, identity theft, and data breaches. Consumer payments, whether made domestically or abroad, are potentially exposed to fraudulent activities orchestrated from anywhere in the world and, therefore, may fall under the investigative jurisdiction of foreign authorities. Therefore, regulation, supervision, policing, and investigation of retail payments and fraud in payment systems may be the responsibility of a variety of agencies at the international, federal, and state or local level.

In the private sector, five payment card networks--American Express, Discover Financial Services, JCB (Japan Credit Bureau) International, MasterCard Worldwide, and Visa Inc.--initially established individual data security standards for payment system participants. About six years ago, they joined forces to create a unified set of standards--the Payment Card Industry Data Security Standard (PCI DSS or, more simply, PCI)--to better secure payment card systems, and they founded the PCI Security Standards Council. For more information about PCI DSS and the council, see box 1 PCI Security Standards Council.

Several of these networks have also recently announced plans to support migration to an EMV (Europay, MasterCard, and Visa) payment infrastructure in the United States as a means to further increase the security of payment card transactions; EMV is a global standard for the interoperation of chip-based payment cards with POS devices and automated teller machines (ATMs). (14) While these plans are specific to the individual networks, the announcements suggest that the networks informally tried to develop plans with similar key dates and milestones to encourage merchants and issuers to adopt EMV payments. Nevertheless, there is an ongoing discussion about whether the existing levels of investment, coordination, information sharing, and management of incentives in securing payment card systems by firms and organizations in the private and public sectors are adequate to confront the threats arising from modern data breaches. (15) We explore the costs and consequences of data breaches in greater detail in the next section.

Measuring payment fraud and data breaches

A rough estimate of aggregate fraud losses related to U.S. payment cards was about $3.56 billion in 2010. (16) In 2011, reported credit card fraud losses were approximately 5 cents per $100 of transaction value. As a cost of doing business, these losses are not comparatively large, since they equate to roughly one-tenth of the charge-off rate associated with credit losses on credit cards. For debit and prepaid cards, the industry-wide fraud losses to all parties to a transaction were about 9 cents per $100 of transaction value in 2009, with issuers and merchants incurring about 5 cents and 4 cents of that total, respectively. (17) In addition, issuers will incur many other indirect costs related to efforts to detect and prevent incidences of fraud on their cards and to mitigate fraud losses. Indirect fraud costs are also borne by merchants and, in some instances, by consumers.

A primary focus of this article is on the consequences of data breaches--both in terms of the direct fraud losses incurred by card-issuing banks, merchants, and consumers and in terms of public confidence lost in payment card systems. According to Verizon's 2012 Data Breach Investigations Report, across all industries and categories in 2011, there were approximately 855 data breaches in the U.S. In total, those breaches may have compromised as many as 5 million card accounts. (18)

Ordinarily, only a small percentage of compromised payment card records ever result in fraudulent transactions. (19) But there are other indirect costs associated with a data breach, which can be substantial. For example, according to one 2009 survey by the Ponemon Institute, the average cost to firms responding to a data breach is about $200 per record compromised. (20) Our very imprecise estimate, based on the 2009 survey by the Ponemon Institute and the 2012 data breach report by Verizon, is that the indirect costs of payment card records compromised in 2011 might be as high as $1 billion.

Recent payment card data breaches are particularly notable for the sophistication of techniques employed by criminals. In recent years, breaches have occurred at large card processors, such as RBS WorldPay, Heartland Payment Systems, and Global Payments; at merchants, such as T. J. Maxx, Hannaford, and Sony; and at third-party vendors, such as Epsilon and RSA. (21) In many of these cases, breaches are not detected at the time of intrusion into the system, in part because the hackers wait for an opportune time to monetize the compromised information. But when they do act, recent experience suggests that they move quickly and, at times, employ a sophisticated (and possibly international) criminal organization. For example, in 2008, the RBS WorldPay breach resulted in a number of prepaid payroll cards being compromised. These cards were used to obtain $9 million in cash in one day from ATMs located in several dozen cities around the world. (22)

It is important to note that data breaches that result in payment fraud can occur at nonfinancial firms, such as universities and hospitals. Data breaches at any firm that collects and stores personal data can provide criminals with sufficient information, such as an individual's name, address, and Social Security number, to commit financial fraud. (23) This information can be used to compromise security protocols at financial institutions (resulting in account takeover) or to obtain credit in the victim's name (new-account fraud). Both are examples of identity theft.

Identity theft is an important aspect of payment fraud with potentially severe consequences for victims, including not only monetary loss but also a time-consuming process to revalidate credit and other transactional accounts. (24) The fear of identity theft is one reason why consumers might collectively react to an unprecedented rash of data breaches by losing confidence in a particular payment method and switching to a substitute method. In 2010, the Federal Trade Commission (FTC) received more than 250,000 complaints about instances of identity theft. In 9 percent of those complaints, consumers alleged that new credit card accounts had been opened in their names. Also, in 7 percent of those complaints, consumers alleged a takeover of one or more of their existing accounts. (25) A survey of consumers reports that as many as 11 million adults have at some point been a victim of identity theft. (26)

There is some qualitative evidence that consumers' concerns about data security can influence their choice of payment providers and methods of payment. According to a survey conducted by Gartner shortly after the 2008 RBS WorldPay data breach mentioned previously, 23 percent of respondents said that increased fears that financial data are not secure have been a factor in their decisions about which retail stores they patronize. In addition, concerns about security led 59 percent of respondents to change how they shop and pay online. (27)

Further, a recent paper by Kahn and Linares-Zegarra (2012) examining nationally representative survey data found that identity theft incidents increased adoption of money orders, traveler's checks, online bank bill payments, and prepaid cards while also boosting the number of cash and credit card transactions. The authors also reported a decrease in the use of checks after "mixed incidents" of identity theft. Mixed incidents refer to the subset of consumers reporting being a victim of identity theft as well as knowing other victims. Notably, these results reveal changes in the adoption and use of particular types of payments after an identity theft incident.

Such behavior is interesting in light of the significant regulatory and contractual protections from losses resulting from fraudulent transactions afforded to consumers in the United States. (28) These protections against monetary losses do not eliminate the less apparent costs associated with the pain and suffering consumers face (time costs, forgone financing opportunities, etc.) as a result of identity theft. (29) Accordingly, data breaches and identity theft appear to have an influence on consumer payment behavior, notwithstanding the legal protections that are in place for consumers.

To summarize, payment fraud is an ongoing concern for payment system participants--for the card issuers and merchants that bear most of the actual fraud losses and for processors, networks, and others that have an inherent interest in maintaining confidence in the payment system in which they participate. Some fraudulent activity is the result of data breaches that occur both inside and outside retail payment systems. There is some evidence that data breaches have created concerns about security in the minds of at least some consumers--concerns that, at the margin, may affect their choice of payment providers or methods.

Our experience to date suggests that data breaches have not caused consumers in any great number to lose confidence in card payments and switch to alternative means of payment. However, questions remain about the adequacy of investment, coordination, information sharing, and management of incentives in securing payment card systems against modern data breaches and the increasingly sophisticated and global criminal organizations that commit these crimes. In the next section, we describe the results of 17 interviews examining these questions.

Interview topics and results

Our conversations with payment system participants were loosely organized around three topics: payment trends and fraud (especially related to data breaches), liability (for fraud losses) and incentives (to prevent fraud), and coordination and information sharing. In the following subsections, we introduce each topic and describe the insights gained from our conversations with the interviewees.

Payment trends and fraud

Modern data storage systems, online information sharing, and the growing number and variety of firms using or offering access to payment card systems have increased the potential points of entry that might be exploited by sophisticated criminal organizations. The technology to secure those access points has improved over time, so the larger question is whether, on net, payment card systems are more or less vulnerable than in the past.

For example, today, more organizations may have a business need to retain personal consumer financial data, and any of these firms may be a potential target for criminals. Financial institutions must consider the data security practices of these firms when providing them payment-related services. Another characteristic of today's payment system is the demand by consumers for around-the-clock payment servicing, in the form of supporting either transaction processing (for example, online purchases) or access to account management functions (for example, online banking). To the extent that meeting this need requires alternative access points (such as the Internet or a mobile device) or alternative service providers (such as online security firms or cellular providers), the number of potential points or places at which data can be compromised increases. Potential access points must be made more secure to manage the increased risks. And if one access point is penetrated, the amount of data potentially at risk must be limited in order to control the potential scale of the damage.

In this complex environment, market participants and regulatory, supervisory, and oversight authorities must determine whether payment methods carry excessive fraud risk; who is liable when payment fraud occurs; how losses are allocated; what consumer protections should be in place; how notification of fraud should be handled; and how standards should be defined to manage the incidence of fraud. Additionally, payment providers must authenticate consumers whom they have never met and authorize electronic transactions from which they might be far removed. And increasingly, they must do these tasks in real time. Carrying out all of these tasks is quite a tall order, but necessary to prevent and mitigate fraud.

Interview results

Many respondents emphasized that as the number, types, and complexity of electronic payments grow, so too do the opportunities for committing fraud. Electronic payments are evolving in the locations or channels in which they might be used by consumers--for example, they can now be made at nonbank financial centers (such as check cashers or retail stores) or even vending machines. In addition, the physical forms of electronic payments are evolving--for example, some consumers can now use contactless cards (payment cards that use chip technology to allow for tap-and-go payments) and mobile devices to execute payments. (30)

Several interviewees stressed that while traditional card payments and transactional practices are important to study for fraud risks, it is also important to consider emerging payment practices. For example, one interviewee noted that ACH networks are moving from relatively safe, recurring payments with trusted payees to new forms of nonrecurring payments, which likely carry higher fraud risks because distinguishing between legitimate one-time (nonrecurring) payments and fraudulent ones is more difficult. Such issues warrant further study. Several other interviewees indicated that mobile payments are an emerging area that bears special attention; the focus should be on gaining a better understanding of the risks to retail payment systems and investigating whether these may be different from the risks in more-traditional card-initiated payments. (31) Another interviewee pointed to the gradual adoption of contactless payment cards in the United States. This interviewee said that while the back-end processing remains the same as in contact environments, an inappropriately configured contactless front end (for example, with weak encryption) at the point of sale might increase fraud risk.

Interviewees also highlighted changing consumer payment preferences and noted that these changes have a material bearing on the ongoing development of fraud-risk-management systems. For example, according to one interview with a large merchant, in 2003, PIN (personal identification number) debit accounted for only 10 percent of its total transactions, compared with 35 percent in 2009. Thus, static four-digit PINs designed for use at on-premises and later off-premises ATMs are now being used at a much larger number of POS terminals in very different and diverse physical environments. (32) As payment methods change and new types of payments or new types of providers emerge, security systems must adapt to these developments. Several interviewees discussed the challenge of balancing risk mitigation and support for innovation in the constantly evolving electronic payment system.

Along similar lines, there was a consensus among interviewees that criminals' ability to rapidly change their tools and adopt new tactics may significantly increase the threats posed to the payments system. Most interviewees noted that the management of fraud risk must be at least as dynamic as the adoption and use of new tools, techniques, and tactics by those engaged in fraudulent activity. Interviewees agreed that making one-time assessments of a company's systems and satisfying minimum security standards at one point in time were hardly sufficient. Hackers are committed to finding new ways to compromise systems and steal personal and card data, so weaknesses must be uncovered before they can be exploited.

Moreover, as certain types of organizations tighten security, criminals respond by changing their targets and points of attack. For example, one interviewee mentioned that payment processors and merchants are not the only targets for illegally obtaining payment information; payroll processors and other firms need to be aware of the problem as well. In addition, fraudsters recognize that institutions are tightening the security of data at rest (data stored in internal systems). Thus, criminals have begun targeting vulnerabilities in data in transit, that is, when data are moved either between payment nodes or within a company's internal systems.

Several interviewees said that companies cannot ignore threats that may result from a shortfall in internal controls or communication. Some interviewees noted an increase in internal fraud--that is, fraud committed by company employees or contractors. (33) Access controls and tracking mechanisms are important tools in limiting this risk. Similar issues arise among independent firms along the payment chain. One interviewee said, for example, that a lot of effort has been put into front-end security, at the point where the payment transaction is made. However, some interviewees stated that much work still needs to be done to secure the communication between the merchant and the processor.

Liability and incentives

As consumers, merchants, and payment providers struggle with the issue of payment fraud, we recognize that it is not realistic to eliminate fraud entirely. Rather, the goal ought to be to encourage the adoption of risk-management practices that strike a balance between excluding unduly risky payment options and rigidly dictating payment choices. Collaboration within and among companies is a necessary aspect of successful payment fraud management, since security is expensive to achieve and maintain. In order to be effective, payment fraud prevention and mitigation efforts need to include all parties "touching" the payment transaction. To do this, the parties' incentives must be properly aligned.

In our interviews, we asked whether the current incentive structure for payment card systems best addresses data security risks. For example, do current network rules assign a larger share of liability for losses to those participants most able to take actions to minimize those losses for the system as a whole? And if the current rules fail to achieve this, are there incentive problems at the network level or is there another explanation? (34) If incentive problems exist, what is the nature of these problems?

Interview results

Merchants, banks, networks, and processors all share responsibilities for protecting a payment system against data breaches, but the extent to which these responsibilities are equitably distributed was a frequent point of discussion during our interviews. A number of interviewees contended that incentives to prevent fraud are misaligned. This sentiment was particularly strong among participants on the merchant and acquiring side of payment card processing. According to a number of interviewees, merchants have a vested interest in protecting data in order to maintain their reputations and brands as well as to avoid chargebacks, which occur when firms fail to comply with network rules. However, these interviewees noted that merchants do not feel that they have ownership over the fraud mitigation system with which they must comply, and they often feel that blame for fraud is somewhat arbitrarily placed on them. One merchant interviewee stated that "the payment system is not our system."

Other interviewees stated that the current system of shared liability, wherein both issuers and acquirers have some liability for fraud losses, appears to be effective: Incentives to prevent and mitigate fraud in that system have kept direct credit card fraud losses relatively modest for almost a decade. That said, these interviewees noted that this apparent level of success in managing fraud losses may limit the incentive to develop new innovative security measures, especially if they are expensive. For example, one representative from a large bank said that his organization assessed its fraud mitigation tactics as being successful and considered the addition of more sophisticated authentication procedures to be unnecessary at that time. However, fraud risks are constantly evolving, necessitating solutions that can predict or respond to new threats.

As part of the discussion about incentives to invest in data security, several interviewees noted that compared with small firms, large firms may have greater financial resources to make investments in data security. For example, our interviews suggested that large banks and big-box merchants may be better positioned financially to develop in-house security systems, to incorporate security products into their business processes, and to meet data security requirements imposed on them by private sector or public sector actors. Our interviews also suggested that small processors, small ISOs, and small merchants are likely to be more cost sensitive than their larger counterparts when considering investments in data security. Several interviewees noted that to the extent that data security costs become prohibitively expensive for these firms, a barrier to entry to payment card systems could be created.

Payment card fraud losses among issuers, as a percentage of transaction value, have remained relatively stable over the past decade. Nevertheless, the data breaches described previously suggest that hackers have developed increasingly sophisticated techniques for identifying and exploiting vulnerabilities. And these experiences indicate that criminals may be able to scale their fraud quickly. As a result, payment system participants are paying increased attention to the risks posed by data breaches.

According to our interviews, most large banks employ fraud mitigation and data security programs that are proprietary, provided by third-party vendors and processors, or a combination of the two. Merchants, acquirers, and processors are also deploying fraud prevention and data security systems that already include, or may soon include, solutions such as end-to-end encryption (card data are encrypted at the point of capture and never appear in the clear on merchant systems) and tokenization (merchants retain a surrogate value rather than the card number itself). (35)
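The following is an added example, not code from the article or from any firm it describes, showing what tokenization buys a merchant when a breach does happen. It models a token vault run by a hypothetical processor or gateway: the merchant's database keeps only tokens and a display hint, the vault keeps the only token-to-PAN mapping, and only an allow-listed caller may map a token back. The token format (same length and last four digits as the PAN, random body, deliberately failing the Luhn check), the allow-list, and the scheme test numbers used as input are this example's own assumptions. It goes slightly beyond the paragraph by also dumping the merchant's table to show that nothing chargeable is in it.

```python
import hashlib
import hmac
import secrets

# Constructed input: standard scheme test numbers, not real accounts.
TEST_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; rejects malformed or mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and PANs (hypothetical design).

    Merchants store and pass around tokens; only the vault, run by the
    processor or gateway in this example, can map a token back to a PAN,
    and only for callers on an allow-list.
    """

    def __init__(self, index_key: bytes, detokenize_allowed: set[str]):
        self._index_key = index_key              # keyed hash so a repeated PAN gets the same token
        self._token_to_pan: dict[str, str] = {}  # the sensitive store, kept off merchant systems
        self._index: dict[str, str] = {}         # HMAC(PAN) -> token; no plaintext PAN used as a key
        self._allowed = set(detokenize_allowed)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._index:
            return self._index[fp]
        while True:
            # Same length and same last four digits as the PAN, so receipt and
            # customer-service flows ("card ending in 1111") keep working; the
            # body is random, so the token reveals nothing else.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that pass Luhn, so a token can never be mistaken
            # for, or submitted as, a real card number (this also guarantees
            # the token never equals the PAN).
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._index[fp] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not detokenize")
        return self._token_to_pan[token]


def merchant_checkout(vault: TokenVault, pans: list[str]) -> list[dict]:
    """What a tokenizing merchant keeps on file: token and display hint only."""
    records = []
    for pan in pans:
        token = vault.tokenize(pan)
        records.append({"token": token, "last4": token[-4:]})
    return records


def breach_exposes_pan(records: list[dict], pans: list[str]) -> bool:
    """Would dumping the merchant's table yield a chargeable card number?"""
    dumped = {v for r in records for v in r.values()}
    return any(pan in dumped for pan in pans)


def demo() -> dict:
    vault = TokenVault(secrets.token_bytes(32), detokenize_allowed={"gateway"})
    records = merchant_checkout(vault, TEST_PANS)
    return {
        "records": records,
        "exposed": breach_exposes_pan(records, TEST_PANS),
        "gateway_can_charge": vault.detokenize(records[0]["token"], "gateway") == TEST_PANS[0],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the separation of duties: the merchant never holds anything the vault can be bypassed with, and the vault's own index is keyed by an HMAC of the PAN rather than the PAN itself, so even the lookup table is not a plaintext list of card numbers. A real deployment would back the vault with an HSM-protected store and audit every detokenize call; the allow-list here stands in for that control.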

Several interviewees stressed that incentives are also important for consumers in order to combat fraud. Some merchants argue that consumers lack sufficient incentives to protect their own data because of statutes or regulations that limit consumer liability for fraudulent transactions and zero liability rules and other protections offered by banks and card networks. According to this perspective, the problem is one of moral hazard. Put another way, even if consumers are best positioned to prevent fraud (by protecting their personal and account information), they may not be sufficiently motivated to do so because they bear little of the costs resulting from fraudulent transactions except in the case of identity theft. (36) Indeed, some interviewees argued that strong consumer protections from fraud losses might explain the relatively modest consumer reactions to large data breaches observed to date. Nevertheless, an interviewee from a large bank stated that a policy of shifting liability to consumers could backfire, since consumers might move away from payment cards that do not offer zero liability.

A number of interviewees expressed a related concern about the level of security associated with online payments initiated using consumers' computers. Several interviewees indicated that consumers' computers can be the weakest link in the data security chain. Setting security standards for personal and corporate computing is one way that the public sector could get involved to make consumer electronic payments safer. For example, one option suggested was to put additional responsibilities on Internet service providers (ISPs) for ensuring greater security in personal and corporate computing. (37) One interviewee also suggested that a restricted top-level domain, such as .bank, could add protection by offering greater controls and more regulated entry into businesses facilitating payments via the Internet.

Despite comments by some interviewees that incentives to prevent and mitigate fraud are misaligned, a number of interviewees also mentioned companies that have advanced fraud protection strategies. Indeed, some companies exist for the sole purpose of providing banks and others with security solutions.

Some interviewees argued that the provision of fraud protection is a profitable business that can offer a competitive advantage. For example, banks, merchants, networks, and processors may be able to advertise better security as a differentiating factor between them and their competitors. The ability to convey such a message may also act as an incentive for other companies to innovate. This is an example of using market dynamics to improve incentives to invest in better security. But there may also be a downside to this approach. Some interviewees argued that if establishing a competitive advantage in fraud prevention proves to be important, private firms may be reluctant to rapidly share their know-how and lessons learned from their own experiences combating fraud attacks. The result would be an uneven level of defenses across the industry.

Coordination and information sharing

As noted earlier, an aspect of the evolution of electronic payment systems in the United States over the past few decades has been a movement toward a more open environment, with multiple parties (including nonbanks) processing or "touching" cardholder information. These parties include, at a minimum, both card-acquiring and card-issuing banks, a number of independent payment networks (card networks, ACH networks, and PIN-debit-only electronic benefit transfer [EBT] networks), payment-card-accepting and other merchants, and third-party processors. These parties may also include nonbank intermediaries and providers of alternative financial services.

In the United States, the resulting industrial structure has become more complex, and the participants have become highly differentiated. Both developments may make effective coordination more difficult to achieve over time. (38) By contrast, European payment markets are relatively more concentrated and, therefore, may present an easier path to coordinating data protection policies. In addition, the network participants in Europe may be less specialized than those we observe in the United States. It is also the case that European regulatory bodies have played a more active role than their U.S. counterparts with respect to supporting coordination on data security in payment systems. (39) The European approach has its drawbacks, too: adopting a single, monolithic security solution poses its own risks. If the shared design is breached, the breach could be exploited almost immediately and at roughly the scale of the payment system itself.

In the United States, there are examples of specially designed efforts in both the public sector (40) and the private sector (41) to share information related to identity theft and payment fraud. One example is the Information Sharing and Analysis Centers (ISACs) established under a presidential directive to improve information sharing about physical and cybersecurity threats. Several industry sectors, including the financial services industry, established ISACs in response to this mandate. The Financial Services Information Sharing and Analysis Center (FS-ISAC) provides an increasingly comprehensive information distribution system that allows a broad array of financial services companies, financial regulatory agencies, law enforcement and intelligence agencies, and nonbank firms integral to the financial sector to exchange information and receive alerts related to fraud, cybercrime, and data breaches, in a real-time or nearly real-time environment. (42) In addition, many U.S. states now require public disclosure of data breaches and notices sent to individuals whose records have been compromised. State laws establishing such requirements are designed primarily to mitigate harm to consumers after breaches have already occurred. Still, features such as credit report monitoring and credit freezes can help detect or prevent subsequent fraud attempts.

While FS-ISAC has played an important role in facilitating information sharing among firms in the financial services industry, data breaches can still occur at firms outside of this industry, and the data stolen in these breaches can result in financial fraud. Very rapid and detailed information sharing by breached parties across industry sectors might also help identify vulnerabilities before sensitive data are stolen from others and reduce the amount of information stolen. Additionally, speedy and thorough information sharing may lead to firms and industries quickly sharing best practices in response to a particular type of compromise. There are signs of ample demand for improved information sharing. In a recent survey, 93 percent of antifraud professionals agreed that information sharing helps prevent fraud, and 78 percent would like to see more information sharing. (43)

Today, in the United States, the mitigation of fraud risk in payment card systems is largely coordinated by network rules. These rules are determined by each network and must be adhered to by financial institutions (and their agents) that issue branded payment cards or acquire transactions made with those cards, merchants that accept payment cards, and third parties that process those cards. The revenues and profitability of payment card networks are generally increasing in transaction volumes. As a result, payment card networks have strong incentives to ensure the integrity of these electronic payment systems. In theory, they should also be able to shape the means of coordinating the incentives among their member institutions. Potential levers include technological standards, loss allocation rules, and variations in interchange fee rates, to name just a few. (44)

Further, as indicated earlier, the five major card networks have coordinated to establish uniform standards for data system security through the Payment Card Industry Data Security Standard. PCI DSS is the set of data security standards that all card network participants, including issuers, merchants, and processors, are required to meet. (45) (As of June 30, 2012, 97 percent of Visa's Level 1 merchants, 93 percent of Level 2 merchants, and 60 percent of Level 3 merchants were compliant with PCI DSS. Compliance among Level 4 merchants, however, remained "moderate.") (46) Unfortunately, several recent data breaches have occurred at firms that auditors had designated as PCI compliant at the time of their most recent assessment; such breaches naturally raise the question of whether PCI DSS offers sufficient data protection for critical electronic payment systems. The networks and others have emphasized that PCI compliance is not a static concept: an assessment attests to a control environment at one point in time, and the controls must be continuously monitored and maintained afterward. Those within the industry continue to evaluate the effectiveness of PCI DSS, and the PCI Security Standards Council is working to improve upon the original requirements. (47)

Next, we describe the industry's views on whether the complexity of U.S. retail payment markets presents a barrier to private sector coordination of efforts to address data security issues. We also explore how policymakers might support such coordination efforts.

Interview results

Most interviewees stated that an increased level of cooperation among payment participants is needed to enhance security. They offered specific suggestions for improvement, including mechanisms to share best practices and coordinate with law enforcement. Some interviewees said that the public sector could play a role in facilitating information sharing in the payment card industry, although opinions differed on whether the government has the necessary legal authority or whether further action is required to support such a role. One representative from a large financial institution argued that at a minimum, the federal government had an opportunity to improve processes for shutting down Internet sites selling stolen consumer data. Another representative from a large bank stated that current information-sharing mechanisms are sufficient. While this interviewee acknowledged that cooperation in response to new information might not be immediate, he said a positive spirit of cooperation exists.

The issue of competitive advantage was raised by several interviewees when considering the current state of coordination and information sharing among payment card system participants. Many said that as long as data security is seen as a differentiating factor that can be profitable, information sharing and cooperation will be more difficult to achieve. Despite this concern, several interviewees said that large card-issuing banks share information in a variety of ways, including through network-supported mechanisms and organizations such as FS-ISAC. Our interviewees indicated that information sharing by acquirers and merchants was more fragmented and less coordinated. Some of these companies are hindered by confidentiality or nondisclosure agreements with clients and, thus, are not allowed to coordinate and share information. In addition, one processor interviewee stated that a history of distrust of the payment card networks creates the perception that sharing information and, ultimately, coordinating with the networks may result in adverse consequences for a firm that admits to a data breach or other data security event. Further, some interviewees noted that in the past, payment card networks did not always share data breach information with acquirers; rather, they only shared this information with card issuers.

Other interviewees noted that some acquirers and processors have prioritized information-sharing efforts. For example, according to our interviews, an information-sharing group was formed following a significant data breach, and details about the malware used in that case were distributed to payment card processors. It turned out that this malware had been used by criminals in more than 650 breaches at 300 companies, compromising 200 million payment cards; yet this particular threat had not been widely understood.

Several interviewees noted that the public sector may be uniquely positioned to play a role in developing a framework supporting greater sharing of information about incidents of fraud and cybercrime--within the private sector and public sector and between them, as well as across different industries. They said that government agencies such as the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) are well positioned to disseminate information about cyberthreats or to issue alerts. These agencies could also leverage their positions to get more players to participate in an information-sharing infrastructure.

In addition to information-sharing efforts, coordination is also important in setting standards or best practices for data security. As noted earlier, the development of PCI DSS is an example of a private sector effort to develop data security standards for participants in payment card systems. Several interviewees said that payment card networks are best positioned to design and enforce standards and to develop an effective set of "carrots and sticks" to encourage the various payment system participants to comply with the standards. An interviewee from a large bank noted that determining the right standards is not as difficult as enforcing those standards, specifically noting that the penalties for non-compliance need to be clear and enforceable. At the same time, interviewees disagreed on how successful PCI DSS has been at equitably meeting the needs of the very diverse group of payment system participants. Merchant interviewees argued that the standard itself is flawed and that meeting a flawed standard defeats the purpose of better securing payment card systems. One interviewee suggested an alternative to PCI DSS by stating that there is a need for federal regulations or standards that would define data necessary to execute a transaction by the various parties to the transaction and parameters for how long the data should be held by those parties.

In regard to designing standards, several interviewees stressed the importance of providing all relevant participants an opportunity to evaluate the standards. (48) For example, these parties may have very different perspectives on the strength of compliance incentives (the "carrots and sticks") incorporated into the standards for improving data security.

Interviewees generally agreed that law enforcement has become much more aware of the complexity of payment fraud and that the industry is learning how to cooperate with the FBI, Secret Service, FTC, and local law enforcement. One interviewee noted that federal law enforcement used to view payment fraud as a one-off event; but today, it recognizes that data breaches may threaten not only payment system security but also potentially the country as a whole (for example, if payment fraud is used to finance terrorist activities). This appreciation for data breach risks was one of the reasons the George W. Bush administration established its Identity Theft Task Force; the Obama administration has continued to focus on these risks, with special attention paid to cybersecurity.

In addition, the increasingly global scope of payment fraud concerned a number of industry participants. Hackers are able to build and manage databases of compromised accounts across multiple locations, making their activities more difficult to track and their operations more difficult to dismantle. Criminals realize that they can launder money across a variety of international jurisdictions, taking advantage of differences in laws and regulations. Further, they are able to coordinate "money mules," who physically move money and goods around but do not necessarily understand that they are working for a criminal enterprise.

This degree of international activity poses a significant problem for law enforcement. Some of the most sophisticated criminal networks are well adapted for working across national borders, yet a few interviewees noted that state and national law enforcement agencies face more boundaries and less interagency cooperation. One interviewee stated that for fraud and cybercrime solutions to be effective, law enforcement agencies across the globe need to address geopolitical differences. Individual governments are pursuing their own security initiatives, but this interviewee pointed out that there should be more discussion and collaboration among nations around the world to combat fraud and cybercrime. (49)

Variations in the legal definition of payment fraud are also important to consider, particularly given the global nature of payment card fraud. An interviewee offered this example: A phishing email directs a person to a fake website, one that looks exactly like the real site but is controlled by hackers. This technique encourages the phishing target (the consumer) to visit the fake website and enter personal information. In some international jurisdictions, simply maintaining the fake website constitutes fraud, but in other countries, fraud has not occurred until money is actually stolen. Given such differences, antifraud measures are often harder to enforce across borders than within them.

Other issues facing the enforcement of antifraud statutes include minimum-value thresholds for fraud cases and overlapping jurisdictions of the various law enforcement agencies. One interviewee said that cases are only likely to be pursued if they involve the theft of $10,000 or more; cases involving smaller amounts are unlikely to be investigated. This interviewee also commented that the government is dramatically under-investing in cybercrime investigations. Another interviewee claimed that having multiple law enforcement authorities with differing jurisdiction over payment fraud can spread resources to fight fraud thin. The consensus among participants in these interviews was that more resources both in law enforcement and in the regulatory community are required.

Lessons from the interview results

The management of payment card fraud raises a number of difficult questions: Have changes in technology increased or decreased the vulnerability of payment card systems to data breaches that might undermine consumer confidence in them? Do payment card networks, their partners, and their customers have the appropriate incentives to take precautions to avoid card fraud? Are the costs of payment card fraud or of avoiding this fraud borne by the appropriate parties? For example, do nonfinancial firms that retain personal and account data have sufficient incentives to protect this information? Are payment card networks able to make efficient choices about managing fraud risks and implement antifraud measures in a timely manner? If not, are there reasons to believe that public authorities could facilitate better or timelier decisions? If such a role is appropriate, what information and expertise would government need to have?

The answers to these questions are not simple. (50) Taken as a whole, our interview results convey mixed views on most of these topics and, in particular, on the role that government should play or is capable of playing. That said, some general observations can be made with respect to areas of shared concern and insight among the interviewees.

Most interviewees recognized that payment card systems have benefited from dramatic advances in information, computing, and telecommunications technologies over the past four decades. These advances have helped create opportunities for new participants in payment card systems, such as nonbank payment providers, to introduce innovative products and services, like prepaid cards and Internet shopping. At the same time, these additions to the traditional payment card system model present new risks and require a reevaluation of the security protocols that were developed in the past.

Of course, criminals can also leverage technological advances to develop, test, and deploy their tools quickly. And when they find promising vulnerabilities, there is at least the possibility that their attacks will rapidly increase in scale. Several interviewees emphasized the adeptness of thieves at identifying vulnerabilities and quickly exploiting them. They also noted that a vulnerability may lie in a particular type of payment system participant, at a particular point in the payment processing chain, in a data storage system, or in a software weakness. Any incremental risk that results from innovation should be offset by careful risk management and investments in new defenses, with an emphasis on dynamic and flexible data security approaches rather than static ones. Several interviewees observed that a national focus on the security of the information and communications infrastructure in the United States could result in significant improvements in securing retail payment systems, including payment card systems.

The interviewees expressed very mixed views about the incentives to prevent fraud and to mitigate its consequences among various payment system participants. Respondents generally considered the incentives at their organizations to be better than those in other parts of the transaction chain. This is perhaps an indirect recognition of the interdependence of payment participants in securing the system and the importance of adequate coordination of their efforts.

A number of interviewees stated that the protections afforded to consumers from losses associated with fraudulent transactions limit consumers' incentives to protect their cards, personal information, and computers. Others pointed out that these protections do help to ensure public confidence in card payments and that diluting those protections may increase the likelihood of a mass abandonment of payment cards if a tail event as we described earlier were to occur.

There was widespread agreement that a key ingredient in protecting payment systems from fraud is coordination of fraud defenses among participants in these systems. For payment card systems, this coordination function is generally performed by the card networks. Many participants expressed the view that in the United States, payment applications have become so diverse and payment firms so specialized that effective coordination is becoming more difficult. Others questioned whether the networks had exactly the right motivations or were sufficiently well equipped to ensure that all payment participants had the right incentives. Such concerns led some interviewees to speculate about an increased role of government as a coordinator. Others wondered whether government was sufficiently nimble or adequately equipped to play such a role.

There was greater consensus about a number of roles in which government either is essential or could likely be more helpful. The first is in its law enforcement capacity, which may require additional resources. Given the international character of many modern electronic payment systems, interviewees recognized that law enforcement efforts must also take on a more international character. This too will require additional coordination--in this case, among governments around the world. Also, interviewees mentioned the need for more comprehensive information about the volume, character, and drivers of payment card fraud and data breaches. In general, interviewees supported expanding the collection and dissemination of data and new research, which governments can facilitate.

Most interviewees also said that the government could play a useful role in facilitating a more rapid dissemination of actionable information about new threats to the security of payment systems. Numerous information-sharing networks already exist, but some of our respondents contended that information exchanges remained too balkanized and too slow in many instances. The U.S. federal government is already an active participant in a number of these exchanges and, in some instances, contributes information obtained through various law enforcement and intelligence channels. (51)

Several respondents argued that the government can play a special role as both a participant and a facilitator of the exchange of actionable information about data breaches because it may be uniquely positioned to address private sector incentives in markets where security may be a source of competitive advantage. If maintaining a reputation as a secure provider of payment services is good for business, then firms will have incentives to invest in appropriate procedures and technologies. But the desire to maintain a competitive advantage may act to discourage private actors from sharing information about the nature of any new threats they are experiencing. Government does not face this tension. In addition, by acting as an important source of information while insisting on reciprocity, government can tip private sector incentives in the direction of sharing more information--and sooner. (52)

Conclusion

The evolution of our electronic payment networks provides greater flexibility, convenience, and efficiency for consumers, businesses, and governments. At the same time, advancements in these networks can lead to opportunities for fraudsters, including the potential for large-scale data breaches. To manage these new risks, payment system stakeholders must make security an integral part of the provision of retail payments. Our interview results suggest that to enable the smooth and efficient operation of the complex U.S. retail payment system, payment system participants need to find more ways to cooperate, share relevant information, and innovate to stay ahead of the criminal gangs that perpetrate payment fraud using an array of sophisticated tools and procedures.

REFERENCES

Abdul-Razzak, Nour, Katy Jacob, and Richard D. Porter, 2011, "Improving security for remote payments," Chicago Fed Letter, Federal Reserve Bank of Chicago, No. 293a, December, available at www.chicagofed.org/digital_assets/publications/chicago_fed_letter/2011/cfldecember20112_293a.pdf.

Amromin, Gene, and Richard D. Porter, 2009, "Economic Perspectives special issue on payments fraud: An introduction," Economic Perspectives, Federal Reserve Bank of Chicago, Vol. 33, First Quarter, pp. 2-6, available at www.chicagofed.org/digital_assets/publications/economic_perspectives/2009/ep_1qtr2009_part1_amromin_porter.pdf.

Anderson, Ross, and Tyler Moore, n.d., "Information security economics--and beyond," University of Cambridge, Computer Laboratory, mimeo, available at www.cl.cam.ac.uk/~rja14/Papers/econ_crypto.pdf.

Board of Governors of the Federal Reserve System, 2011 a, "Debit card interchange fees and routing," Federal Register, Vol. 76, No. 139, July 20, pp. 43478-43488, available at www.federalreserve.gov/reportforms/formsreview/RegII_20110720_ifr.pdf.

--, 2011b, "2009 interchange revenue, covered issuer cost, and covered issuer and merchant fraud loss related to debit card transactions," report, Washington, DC, June, available at www.federalreserve.gov/paymentsystems/files/debitfees_costs.pdf.

Bradford, Terri, Fumiko Hayashi, Christian Hung, Simonetta Rosati, Richard J. Sullivan, Zhu Wang, and Stuart E. Weiner, 2009, "Nonbanks and risk in retail payments: EU and U.S.," in Managing Information Risk and the Economics of Security, M. Eric Johnson (ed.), New York: Springer Science+Business Media, pp. 17-54.

CardLine, 2009, "Data fears influencing habits," American Banker, Vol. 174, No. 50, March 16, p. 10.

Cheney, Julia S., 2010, "Heartland Payment Systems: Lessons learned from a data breach," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP10-01, January, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2010/19-2010-January-Heartland-Payment-Systems.pdf.

--, 2007, "An update on trends in the debit card market," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP07-07, June, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2007/D2007JuneUpdateDebitCardMarketTrends.pdf.

--, 2005, "Identity theft: Do definitions still matter?," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP05-10, August, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2005/identity-theft-definitions.pdf.

--, 2004, "Identity theft: Where do we go from here?," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP04-03, April, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/events/conferences/2004/IdentityTheft_042004.pdf.

Cheney, Julia S., Robert M. Hunt, Katy R. Jacob, Richard D. Porter, and Bruce J. Summers, 2012, "The efficiency and integrity of payment card systems: Industry views on the risks posed by data breaches," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP12-04, October, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2012/D-2012-Efficiency-and-Integrity-of-Payment-Card-Systems.pdf.

Consumer Financial Protection Bureau, 2012, "Consumer Financial Protection Bureau to supervise credit reporting," press release, Washington, DC, July 16, available at www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-to-supervise-credit-reporting/.

Contini, Darin, Marianne Crowe, Cynthia Merritt, Richard Oliver, and Steve Mott, 2011, "Mobile payments in the United States: Mapping out the road ahead," Federal Reserve Bank of Atlanta, Retail Payments Risk Forum, white paper, March 25, available at www.frbatlanta.org/documents/rprf/rprf__pubs/110325_wp.pdf.

Discover Financial Services, 2012, "Discover implements 2013 EMV mandate in U.S., Canada and Mexico," Business Wire, March 15, available at www.businesswire.com/news/home/20120315005409/en/Discover-Implements-2013-EMV-MandateU.S.-Canada.

Federal Reserve Bank of Atlanta, Retail Payments Risk Forum, 2011, "The Role of Government in Payments Risk and Fraud--Conference summary," available at www.frbatlanta.org/news/conferences/11rprf_summary.cfm.

Federal Reserve Bank of Atlanta and Federal Reserve Bank of Boston, Mobile Payments Industry Workgroup, 2010, "Mobile payments industry roundtable summary," report, Atlanta, available at www.frbatlanta.org/documents/rprf/rprf_events/mobile-payments-roundtable-summary.pdf.

Federal Reserve System, 2011, The 2010 Federal Reserve Payments Study--Noncash Payment Trends in the United States: 2006-2009, report, Washington, DC, updated April 5, 2011, available at www.frbservices.org/files/communications/pdf/press/2010_payments_study.pdf.

Federal Trade Commission, 2012, Consumer Sentinel Network Data Book for January--December 2011, February, available at www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2011.pdf.

Furletti, Mark, and Stephen Smith, 2005, "The laws, regulations, and industry practices that protect consumers who use electronic payment systems: Credit and debit cards," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP05-01, January, available at www.philadelphiafed.org/consumer-creditand-payments/payment-cards-center/publications/ discussion-papers/2005/ConsumerProtectionPaper_CreditandDebitCard.pdf.

Herbst-Murphy, Susan, 2012, "Government use of the payment card system: Issuance, acceptance, and regulation," Federal Reserve Bank of Philadelphia, Payment Cards Center, conference summary, No. CS12-01, July, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards- center/publications/conference-summaries/2012/C-2012Government-Use-of-the-Payment-Card-System.pdf.

Jacob, Katy, and Bruce J. Summers, 2008, "Assessing the landscape of payments fraud," Chicago Fed Letter, Federal Reserve Bank of Chicago, No. 252, July, available at www.chicagofed.org/digital_assets/publications/chicago_fed_letter/2008/cfljuly2008_252.pdf.

Javelin Strategy & Research, 2012, 2012 Identity Fraud Survey Report: Social Media and Mobile Forming the New Fraud Frontier, Pleasanton, CA, February, available for purchase at https://www.javelinstrategy.com/brochure/239.

Kahn, Charles M., and Jose Manuel Linares-Zegarra, 2012, "Identity theft and consumer payment choice: Does security really matter?," University of Illinois at Urbana-Champaign and University of St Andrews, working paper, February 14, available at http://ssrn.com/abstract=2005694.

Keitel, Philip, 2008, "Legislative responses to data breaches and information security failures," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP08-09, December, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/200g/D2008DecemberLegislativeResponsesToDataBreaches.pdf.

Kjos, Ann, 2007, "The merchant-acquiring side of the payment card industry: Structure, operations, and challenges," Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. DP07-12, October, available at www.philadelphiafed.org/consumer-credit-and-payments/payment-cardscenter/publications/discussion-papers/2007/D2007OctoberMerchantAcquiring.pdf.

Krebs, Brian, 2009, "Data breach led to multi-million dollar ATM heists," Washington Post, February 5, available at http://voices.washingtonpost.com/securityfix/2009/02/data_breach_led_to_multi-milli.html.

Lacey, John H., 2011, "RSA data breach the result of successful spear phishing," Massachusetts Data Privacy Law Blog, April 7, available at www.massdataprivacylaw.com/data-breach/rsa-data-breach-the-result-ofsuccessful-spear-phishing/.

Liu, Edward C., Gina Stevens, Kathleen Ann Ruane, Alissa M. Dolan, and Richard M. Thompson II, 2012, "Cybersecurity: Selected legal issues," CRS Report for Congress, Congressional Research Service, No. R42409, April 20.

MasterCard Worldwide, 2012, "MasterCard introduces U.S. roadmap to enable next generation of electronic payments," press release, Purchase, NY, January 30, available at http://newsroom.mastercard.com/press-releases/mastercard-introduces-u-s-roadmapto-enable-next-generation-of-electronic-payments/.

PCI Security Standards Council, 2010, "PCI Security Standards Council releases version 2.0 of the PCI Data Security Standard and Payment Application Data Security Standard," press release, Wakefield, MA, October 28, available at https://www.pcisecuritystandards.org/pdfs/pr_l01028_standards._2.0.pdf.

Ponemon Institute, 2010, 2009 Annual Study: Cost of a Data Breach, report, Traverse City, MI, January, available at www.ponemon.org/local/upload/fckjail/generalcontent/18/fileUS_Ponemon_CODB_09_012209_sec.pdf.

Rashid, Fahmida Y., 2011, "ID theft declined in 2010 but average losses increased: Survey," e WEEK, February 10, available at www.eweek.com/c/a/Security/ID-Theft-Declined-in-2010-but-AverageLosses-Increased-Survey-814461/.

Roberds, William, and Stacey L. Schreft, 2009, "Data breaches and identity theft," Journal of Monetary Economics, Vol. 56, No. 7, October, pp. 918-929.

Robertson, David (publisher), 2012, "Visa & MasterCard--U.S. 2011," Nilson Report, No. 988, February, pp. 1, 9-11.

--, 2011, "U.S. leads the world in credit card fraud, states The Nilson Report: Global credit card fraud losses increased 10.2% over 2009," press release for Nilson Report, Carpinteria, CA, November 21, available at https://nilsonreport.com/pdf/news/112111.pdf.

RSA Conference, eFraud Network Forum Program Committee, 2009, 2009 Online Fraud Benchmark Report, April 15, available at https://365.rsaconference.com/docs/DOC-1895.

Schreft, Stacey L., 2007, "Risks of identity theft: Can the market protect the payment system?," Economic Review, Federal Reserve Bank of Kansas City, Fourth Quarter, pp. 5-40, available at www.kansascityfed.org/Publicat/ECONREV/PDF/4q07Schreft.pdf.

Sidel, Robin, 2012, "Card processor: Hackers stole account numbers," Wall Street Journal, April 2, available by subscription at http://online.wsj.com/ article/SB10001424052702304750404577318083097652936.html.

Strickler, Laura, and Aurora Ellis, 2011, "Secret Service investigates Epsilon data breach," CBSNews.com, April 4, available at www.cbsnews.com/8301-31727_162-20050575-10391695.html.

Sullivan, Richard J., 2010, "The changing nature of U.S. card payment fraud: Industry and public policy options," Economic Review, Federal Reserve Bank of Kansas City, Second Quarter, pp. 101-133, available at www.kansascity fed.org/Publicat/Econrev/pdf/10q2Sullivan.pdf.

The Clearing House, 2011, "Project Compas executive summary for NACHA," report, New York, April 4.

Verizon RISK Team, 2012, 2012 Data Breach Investigations Report, New York, available at www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012__en_xg.pdf.

Visa Inc., 2011, "Visa announces plans to accelerate chip migration and adoption of mobile payments," press release, San Francisco, August 9, available at http://corporate.visa.com/newsroom/press-releases/press1142.jsp.

NOTES

(1) This article is based on Cheney et al. (2012)--a discussion paper published by the Payment Cards Center at the Federal Reserve Bank of Philadelphia.

(2) Credit, debit, and prepaid card transactions account for about 60 percent of the number and 5 percent of the value of noncash transactions in the United States. They account for a much higher share of the value of transactions at the point of sale (POS). Today, with the exception of the remaining checks used to pay recurring bills, debit cards and automated teller machines (ATMs) are the principal means consumers use to access funds in their transaction accounts. See Federal Reserve System (2011, p. 13) and The Clearing House (2011).

(3) For the purposes of this article, we define tail risk to mean that there is uncertainty over the precise probability of the occurrence of a highly unlikely but catastrophic event. We consider the abandonment of payment card systems or instruments as an example of tail risk associated with data breaches.

(4) Governments of all levels are replacing the remaining benefit disbursements that occur via paper check with some form of prepaid card, whose functionality depends on the existing payment card infrastructure. See Herbst-Murphy (2012).

(5) For a general discussion of payment fraud, see the special edition of the Federal Reserve Bank of Chicago's Economic Perspectives published in the first quarter of 2009, with an introduction by Amromin and Porter (2009).

(6) In economic terms, fraud, like pollution, creates externalities. If fraud is largely nonexistent, one can operate more freely with less caution. However, when fraud is rampant, one must operate much more vigilantly--which is a relatively expensive course of action.

(7) The actual allocation of losses will depend on the circumstances of the transaction and payment card network rules.

(8) The full set of costs includes nonmonetary costs incurred by consumers--such as the opportunity cost of time spent to verify transactions and replace compromised payment cards and, in the case of identity theft, to monitor and confirm the validity of credit accounts opened in the victim's name.

(9) By network effects, we mean in this context that a payment method will be more attractive to consumers when there are more places that accept that particular method of payment. Moreover, merchants and other businesses will be more willing to incur the costs of accepting payment cards when they know that many of their customers are ready and willing to use them.

(10) For more details on the card-acquiring bank function (that is, the merchant-acquiring function), see Kjos (2007).

(11) For card-based systems, the coordination function is performed by the networks, that is, American Express, Discover Financial Services, JCB (Japan Credit Bureau) International, MasterCard Worldwide, and Visa Inc.

(12) The CFPB has supervisory (for example, examination) authority (for the purposes of ensuring compliance with many federal consumer protection statutes) over nonbanks of all sizes in the residential mortgage, private education lending, and payday lending markets. The CFPB may, by rule, define a set of nonbanks that it determines are "larger participants" in markets for consumer financial products and services and establish supervisory authority over these firms. For example, the CFPB adopted a rule on July 16, 2012, to begin supervising consumer reporting agencies (for example, credit bureaus or credit reporting companies) that have more than $7 million in annual receipts. See Consumer Financial Protection Bureau (2012).

(13) For additional details, see Keitel (2008).

(14) See Visa Inc. (2011), MasterCard Worldwide (2012), and Discover Financial Services (2012). For more information on the EMV standard, see www.emvco.com.

(15) For a discussion related to this topic, see Cheney (2010).

(16) See Robertson (2011). Also see Sullivan (2010); Sullivan's estimate of fraud losses is based on the sum of direct losses borne by card issuers; POS merchants; and merchants in Internet, mail order, and telephone transactions.

(17) We calculated the value for the 2011 credit card fraud losses using data from Robertson (2012) for four of the five major networks--American Express, Discover, MasterCard, and Visa. In 2010, the Federal Reserve Board surveyed issuers subject to Regulation II (Debit Card Interchange Fees and Routing). The data on debit and prepaid card fraud losses are for the 2009 calendar year and represent total fraud losses, as reported by the issuers, for PIN (personal identification number) debit, signature debit, and prepaid card transactions. The Board of Governors of the Federal Reserve System also published data for PIN debit, signature debit, and prepaid debit fraud losses separately. See Board of Governors of the Federal Reserve System (2011a, p. 43480) and the Board of Governors of the Federal Reserve System (2011b).

(18) This estimate is based on Verizon's estimate that these breaches involved 174 million potentially compromised records, but that only about 3 percent of those involved payment card data. See Verizon RISK Team (2012, p. 42).

(19) See Cheney (2007, pp. 8-9).

(20) This statistic is from the Ponemon Institute (2010, p. 12). About two-thirds of this cost results from attrition of existing customers and less success in obtaining new ones.

(21) For a detailed account of the breach at Heartland, see Cheney (2010). Less is known about the breach at Global Payments, but see Sidel (2012). For information about the Epsilon and RSA data breaches, see Strickler and Ellis (2011) and Lacey (2011), respectively.

(22) See Krebs (2009).

(23) The Verizon RISK Team (2012, p. 42) found that the vast majority of records compromised in 2011 contained personal information. Also, according to the Verizon RISK Team (2012, pp. 10-11), the majority of all data breaches (54 percent) occurred among restaurants and hotels, but relatively few records are stolen this way. Retailers and financial firms also accounted for significant shares of breaches (20 percent and 10 percent, respectively).

(24) According to Javelin Strategy & Research's 2011 Identity Fraud Survey Report, in 2010 it took victims an average of 33 hours to resolve issues related to identity fraud (Rashid, 2011). The full Javelin report is available for purchase at https://www.javelinstrategy.com/ rescarch/Brochure-209.

(25) See Federal Trade Commission (2012).

(26) See Javelin Strategy & Research (2012). For further information on identity theft, see Schreft (2007).

(27) See CardLine (2009).

(28) These protections are defined in the Fair Credit Billing Act and the Electronic Fund Transfer Act and in "zero liability" policies created by private payment networks. For details, see Furletti and Smith (2005).

(29) See Cheney (2005).

(30) Traditionally, fraud has been measured, managed, and mitigated within each independent payment channel (for example, checking and ACH). In recent years, payment providers have recognized a growing interdependence in fraud management across channels, since criminals have learned to exploit vulnerabilities detected in one channel to extract information or value in others.

(31) For an in-depth discussion of mobile payments issues, see Federal Reserve Bank of Atlanta and Federal Reserve Bank of Boston, Mobile Payments Industry Workgroup (2010). Also see Contini et al. (2011).

(32) One interviewee provided the example of PIN pads at gasoline pumps as a new type of physical acceptance environment for PIN payment cards. This company noted that new ways had to be considered (and some developed) to effectively limit PIN payment card fraud in this environment. For example, gas stations may use zip code verification during the authorization process at the gas pump machines.

(33) This observation is consistent with a rising trend in the share of breaches that involve internal employees over the years 2004-09 as reported in Verizon RISK Team (2012, figure 10, p. 16). The share of fraud events resulting from insiders fell significantly thereafter.

(34) These incentive problems are discussed in greater detail in Anderson and Moore (n.d.). For a theoretical explanation of the potential incentive problems, see Roberds and Schreft (2009).

(35) Encryption involves masking the valuable private information so that it is too expensive to decrypt it even when the information is illicitly intercepted. Currently, the most powerful form of encryption available in web browsers is 128-bit encryption. Tokenization involves masking the valuable information, such as a credit card number, with a token. The token might be, for example, an arbitrary number or combination of numbers and letters. Without the token look-up key, the random information has no value if it is stolen.
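As an added illustration of the tokenization described in this note (example code written for this page, not from the article, the authors, or the PCI Security Standards Council), the following Python sketches a token vault: the token is drawn at random, so by construction it carries no information about the card number, and only the vault's look-up mapping can reverse it. The card numbers are constructed Luhn-valid test values rather than real cards, and the `TokenVault`, `merchant_record`, `tok_` prefix and `index_key` names are assumptions made for the example.

```python
"""Token vault sketch: a random token stands in for a primary account number (PAN).

Added example for this page; assumptions: a segregated vault process holds the
only token-to-PAN mapping, and merchants store tokens plus the last four digits.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Return True if pan is all digits, 12-19 long, and passes the Luhn check.

    Used so the vault rejects obviously malformed input before storing it.
    """
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The segregated look-up store. Only this component ever sees PANs."""

    def __init__(self, index_key: bytes) -> None:
        self._token_to_pan: Dict[str, str] = {}
        # Reverse index keyed by HMAC(PAN) so repeat tokenization of the same
        # card returns the same token without keeping a second plaintext copy.
        self._index: Dict[str, str] = {}
        self._index_key = index_key

    def _index_for(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for pan, minting a fresh random one on first use."""
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        idx = self._index_for(pan)
        existing = self._index.get(idx)
        if existing is not None:
            return existing
        while True:
            # 16 random bytes: nothing about the PAN feeds into the token, so a
            # stolen token table cannot be "decrypted"; it can only be looked up.
            token = "tok_" + secrets.token_hex(16)
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index[idx] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse a token; unknown tokens map to None rather than raising."""
        return self._token_to_pan.get(token)


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What a merchant's own database keeps: the token and a display-safe last four.

    The full PAN is handed to the vault and never stored on the merchant side.
    """
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test number, not a real card.
    vault = TokenVault(index_key=b"constructed-demo-key")
    rec = merchant_record(vault, "4111111111111111")
    print(rec)                                   # token plus "1111"
    print(vault.detokenize(rec["token"]))        # only the vault can reverse it
```

The design choice worth noting is the keyed reverse index: a plain hash of the PAN would let anyone holding the index brute-force the 16-digit space quickly, whereas an HMAC keyed with a vault-only secret keeps the index as useless to a thief as the tokens themselves.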

(36) While liability incentives for consumers are limited by the various protections offered, there is some recognition that identity theft is an entirely different matter. Consumers appear to have a general, albeit basic, understanding that they are largely responsible for restoring their good credit standing in the case of identity theft and that such a restoration is often quite expensive in terms of both time and money.

(37) The Australian government developed a framework to address the problem of compromised personal computers (PCs). In 2005, the Australian Communications and Media Authority (ACMA) developed the Australian Internet Security Initiative (AISI), which works with ISPs and consumers. AISI is a free service provided by the ACMA that monitors data feeds on compromised Australian PCs. The agency sends a list of customers with compromised PCs to the ISP, which is required to notify the customers. The ISP may contact the customers by phone or letter and provide advice to fix the problem, but in some cases, it may even disconnect customers to contain the spread of a malware threat.

(38) Coordination may include efforts to share information among payment system participants, as well as efforts to move participants toward better data protection practices.

(39) For more details on the evolution of regulatory structures in the European Union (EU) and the United States, see Bradford et al. (2009).

(40) For example, the FTC maintains the Identity Theft Clearinghouse, which provides law enforcement agencies with direct access to detailed incidence data recorded as part of the complaints and also allows the FTC to share aggregate data with consumers, other government agencies, and industry constituencies. For additional examples of identity theft information-sharing efforts, see Cheney (2004).

(41) Early Warning Services is an example of a limited liability bank-owned company that essentially is a private sector data-sharing initiative. Its services include verifying identities and authenticating account holders' information, as well as screening potential new and existing customers for a prior history of fraud or account abuse. For more information on Early Warning Services, see www.earlywarningcom/about2.html.

(42) According to the FS-ISAC's website, the FS-ISAC "was established by the financial services sector in response to 1998's Presidential Directive 63. That directive--later updated by 2003's Homeland Security Presidential Directive 7--mandated that the public and private sectors share information about physical and cybersecurity threats and vulnerabilities to help protect the U.S. critical infrastructure." For more information about FS-ISAC, see www.fsisac.com/about/. Other industries have also established ISACs. For example, the communications sector and the electricity sector have formed ISACs.

(43) See RSA Conference, eFraud Network Forum Program Committee (2009, p. 5).

(44) The Federal Reserve Board's Regulation II applies to debit card issuers with consolidated assets of $10 billion or more and allows debit card payment networks to vary interchange fee rates for transactions below the maximum interchange fee permitted by the Board's standards. Interchange fee is a term used in the payment card industry to describe a fee paid between banks for accepting card-based transactions. This fee is usually paid by a merchant's financial institution to a payor's financial institution.

(45) For more information on PCI, visit the PCI Security Standards Council's website, https://wwwpcisecuritystandards.org.

(46) Level classifications vary by transaction volume. According to Visa's website, Level 1 merchants process over 6 million Visa transactions per year. Other merchants may be required to meet Level 1 PCI compliance requirements at Visa's sole discretion. Level 2 merchants process between 1 million and 6 million Visa transactions per year. Level 3 merchants process between 20,000 and 1 million Visa e-commerce transactions per year. Level 4 merchants comprise those that process fewer than 20,000 Visa e-commerce transactions and all other merchants that process up to 1 million Visa transactions per year. For more details, see http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The compliance rates for the different merchant levels are available at http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf (accessed on October 24, 2012).

(47) For example, in October 2010, the PCI Security Standards Council released version 2.0 of PCI DSS. See PCI Security Standards Council (2010).

(48) Box 1 (p. 133) provides a discussion of how the PCI Security Standards Council gets participating organizations involved in the process of evaluating and updating the PCI DSS. For more details on the rights and responsibilities of participating organizations, see https://www.pcisecuritystandards.org/get involved/rightsresponsibilities.php.

(49) The Federal Reserve Bank of Atlanta's Retail Payments Risk Forum addressed the need for improved international coordination among law enforcement organizations in its November 2011 payments conference--The Role of Government in Payments Risk and Fraud. For a summary of the conference discussion, see Federal Reserve Bank of Atlanta, Retail Payments Risk Forum (2011).

(50) For additional discussions of the policy issues related to fraud in consumer payments, see Abdul-Razzak, Jacob, and Porter (2011). Also see Sullivan (2010) and Jacob and Summers (2008).

(51) Recently, Congress has been considering a number of cybersecurity bills that aim to increase the dissemination of actionable information obtained in the public sector as well as improve incentives for private actors to share the information they have. For further details, see Liu et al. (2012).

(52) This is analogous to the role that private credit bureaus play. In the United States, reporting to a credit bureau is not mandatory. Yet hundreds of thousands of organizations find it worthwhile to share their information in exchange for the ability to use information provided by all members.

Julia S. Cheney is manager of research and programming and Robert M. Hunt is vice president and director of the Payment Cards Center at the Federal Reserve Bank of Philadelphia. Katy R. Jacob is a business economist and Richard D. Porter is a vice president and senior policy advisor in the Economic Research Department at the Federal Reserve Bank of Chicago. Bruce J. Summers is an independent consultant on payment systems and technology management. The authors thank those who participated in the interviews described in the article. They also thank Anna Lunn and James van Opstal for their assistance and Darin Contini, Douglas Evanoff, Fumiko Hayashi, Joanna Stavins, Rick Sullivan, and Kirstin Wells for many helpful conversations. The views expressed are the authors' and do not necessarily reflect the views of the Federal Reserve Bank of Philadelphia.

Economic Perspectives is published by the Economic Research Department of the Federal Reserve Bank of Chicago. The views expressed are the authors' and do not necessarily reflect the views of the Federal Reserve Bank of Chicago or the Federal Reserve System.

Charles L. Evans, President; Daniel G. Sullivan, Executive Vice President and Director of Research; Spencer Krane, Senior Vice President and Economic Advisor; David Marshall, Senior Vice President, financial markets group; Daniel Aaronson, Vice President, microeconomic policy research; Jonas D. M. Fisher, Vice President, macroeconomic policy research; Richard Heckinger, Vice President, markets team; Anna L. Paulson, Vice President, finance team; William A. Testa, Vice President, regional programs; Richard D. Porter, Vice President and Economics Editor; Helen Koshy and Han Y. Choi, Editors; Rita Molloy and Julia Baker, Production Editors; Sheila A. Mangler, Editorial Assistant.

Economic Perspectives articles may be reproduced in whole or in part, provided the articles are not reproduced or distributed for commercial gain and provided the source is appropriately credited. Prior written permission must be obtained for any other reproduction, distribution, republication, or creation of derivative works of Economic Perspectives articles. To request permission, please contact Helen Koshy, senior editor, at 312-322-5830 or email Helen.Koshy@chi.frb.org.

ISSN 0164-0682

BOX 1

PCI Security Standards Council

The PCI Security Standards Council is composed of representatives from its five founding global payment card networks--American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. These companies have agreed to incorporate the PCI Data Security Standard in their respective data security compliance programs.

All five payment card networks share equally in the council's governance, have equal input into the PCI Security Standards Council, and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the council as participating organizations and review proposed additions or modifications to the standards.

The PCI Security Standards Council Board of Advisors (currently 21 members) is composed of representatives of participating organizations. This cross-industry group is chartered to ensure that all voices are heard in the ongoing development of PCI security standards; this group has representation from across the payment chain--that is, from merchants, financial institutions, processors, and others--as well as from around the world.

Participating organizations are eligible to vote for (and to nominate) candidates for election to the board of advisors.

Enforcement of compliance with the PCI DSS and determination of any noncompliance penalties are carried out by the individual payment card networks and not by the council.

Source: PCI Security Standards Council website, https://www.pcisecuritystandards.org.