Cybersecurity in the Payment Card Industry
Cybersecurity in the Payment Card Industry
Richard A. Epstein and Thomas P. Brown, Cybersecurity in the Payment Card Industry, 75 U.Chi. L. Rev. 203 (2008). Web
- Issues: Actors and Incentives; Attribution; Cybercrime; Financial Institutions and Networks; Regulation/Liability
Synopsis and Key Themes
The payment card industry has of late received an enormous level of critical academic scrutiny. The two issues that have dominated the literature are antitrust and consumer protection. The former deals with the various ways in which credit card companies structure themselves and their possible exposure to charges of monopolization. The latter deals with various forms of legislation that ask whether, and if so how, state regulation should mandate disclosure on the one hand and limit the substantive terms of consumer contracts on the other. From our classical liberal perspective, we think that these two jump ing-off points are odd places to begin the inquiry, given the high level of competition that exists everywhere in the credit card industry, both from established players and from new entrants.' Using a payment card (as opposed to some other form of payment) rests on voluntary decisions by consumers and merchants, as well as the banks with which they interact. Although it is theoretically possible to imagine government intervention improving on the outcome that these multiple parties are able to achieve through contract, in practice, a litany of political pressures and regulatory glitches make it highly unlikely that those results could be achieved.
Structure of Credit Card Transactions
Payment card transactions involve the co-ordination of activity across many different parties. A “simple” trans-action frequently involves five parties—the cardholder, the merchant, the cardholder’s bank, the merchant’s bank, and a network connecting the two financial institutions. Each link in the approval process relies on information that originates with the card presented by the cardholder, making the cards and the information they contain inherently valuable.
It is highly unlikely that any one person or institution qualifies as the cheapest cost avoider. Accordingly, any rational approach to loss prevention requires the coordination of multiple actors up and down the chain of credit card use. And someone has to define the responsi-bilities for each link in the chain and decide what each link needs to know.
For payment card information, the costs of keeping information secure and the benefits that flow from better security fall on the participants in the system. No public body outside the system is likely to have the information and ability to design a strategy for loss prevention that outperforms one that private parties can devise for themselves
In order for the overall system to be secure each individual unit within it has to be secure. The hackers and phishers will do very well indeed if they can break through the barriers at even one key target, for the information that they acquire there can be used, often most effectively, against other merchants. The law of large numbers therefore guarantees that some major security breakdowns are likely to happen, even if proper precautions are taken—and almost sure to happen if they are not. Retaining information needed first to process and then to verify each individual transaction speeds up transactions, however, it necessarily makes the system less secure. In fact, the more information one party to the transaction feels compelled to retain, the less secure the system becomes.
The costs associated with a breach come in two forms—fraud that arises from the use of the stolen data and efforts to reduce such fraud.
Some states have implemented laws allocating liability for a breach to the merchant. This new legislation will add a new layer of cost and uncertainty to the payment card system. The new statute appears to favor card issuers over retailers and processors. But in the long run, that state of affairs cannot last. Merchants do not, after all, have to accept payment cards sponsored by Visa and MasterCard in order to stay in business. Although payment cards offer many advantages over other forms of payment, particularly cash and checks, there are limits to the price that merchants will pay and the risks that they are willing to bear. Legislation of the sort adopted in Minnesota may have the effect of pushing merchants to adopt other forms of payment that do not pose some of the risks presented by payment cards. This legislation is likely to introduce serious distortions, first because of its high adminis-trative costs, and second because of its unintended incentives on the relevant parties.