Content area
Full Text
In late 2013, a breach of the cashier system at a major retailer exposed information on 40 million debit and credit cards. That fraudsters can use the payment card numbers harvested in this breach to cre- ate fraudulent payments underscores one of many security weaknesses that can lead to payment fraud. The direct cost of fraud on Automated Clearinghouse (ACH), debit card, and credit card payments reached $6.1 billion in 2012. Investments and ongoing expenses for prevent- ing, detecting, monitoring, and responding to payment fraud add con- siderably to direct costs. Fraud and security weaknesses in payments can have an indirect cost as well if they cause concerned consumers and businesses to choose less efficient forms of payment. More broadly, the public's loss of confidence in payments has had significant nega- tive economic consequences in the past. A constant stream of news re- ports on data breaches, phishing attacks, spoofed websites, payment card skimmers, fraudulent ATM withdrawals, computer malware, and infiltrated retail point-of-sale systems should concern policymakers be- cause it indicates weak payment security and undermines confidence in payments.
Payment participants-end-users who make payments, financial institutions and nonbanks that provide payment services, and networks and service providers that process payments-all have considerable in- centive to secure payments and deter fraud. They value the convenience of non-cash payments and wish to avoid the inconvenience and losses of payment fraud. Under ideal conditions, these incentives would pro- vide a level of payment security that best benefits society. Incentives do not work well, however, when accurate information about security solutions is unavailable, when the consequences of security failures spill over to innocent parties, or when effective security requires difficult coordination of many disparate parties.
Consequently, public and private institutions have evolved a "con- trol structure" to ensure payment security and deter fraud. The control structure takes a variety of forms, such as setting rules that allocate losses resulting from payment fraud, regulating and supervising the ac- tivities of some payment participants, designing operational procedures that embed security protocols, and coordinating security efforts. Poli- cymakers must assess how well a payment system manages fraud risks given constantly changing threats and complex interdependencies that can cause misaligned incentives. A proper assessment is crucial because improvements to payment security are costly...