[Dave Birch] Steve Mott, whose opinions I always value, wrote an article arguing that so far as US payment cards are concerned, security went wrong many years ago when the industry decided not to go to PIN. Of course, outside the US the migration to “chip & PIN” is steady if not spectacular. But it’s not making a big difference overall, because fraud is migrating to remote channels. He says this is testing “the resources and will of an industry still reluctant to abandon the gravy train of fees and interchange to commit to safer, better, and cheaper alternative payments”. He goes on to point out that the industry spends about a dollar in prevention for every $10 they lose in fraud, which he compares to the health care industry that has three times as much fraud but spends less than a tenth as much on fraud prevention. My reaction to reading this was to think how the payment card industry might spend its anti-fraud budgets more effectively, but I don’t think that was the main point. The main point was that we’re not doing very well against fraud at a time when we’re introducing contactless payments and trying to shift transactions online. Perhaps one of the reasons is that by offering zero liability to consumers — no matter how reckless they might be — “a generation of consumers has been trained to disregard safe practices for use of financial accounts”. Steve says that…

it’s time to throw out the blanket zero-liability paradigm and get legitimate, responsible consumers to put some skin in the security game, too. The good ones appear to be ready to do what’s needed to protect themselves. Consumers who can’t should get restricted account access. Those who won’t should bear the specific costs of their misbehavior instead of loading their burden on the backs of the vast majority of responsible transactors.

Interesting, and different to my plan to make it both the issuers’ and the customers’ problem by changing the law so it’s not illegal to use someone else’s card. My plan delivers zero fraud, instantly.


Steve makes, as always, a lot of sense. But as Chris Skinner noted when he was discussing the UK government’s “Get Safe Online” initiative, only 24% of UK online consumers think they should be primarily responsible for their own online safety. In other words, 76% think they’re not responsible for their own safety when shopping, banking or doing stuff online. Zero liability has, indeed, created a kind of moral hazard: products that were never meant to be used online are being shoehorned into channels where they are less than wholly safe, and where they are being used by consumers (like me) who don’t care about security because they are indemnified against loss. Hhhmmmm.

At the moment, neither the banks, the consumer nor the police are sufficiently incentivized to stop identity theft, so who is? The merchant. In the case of CNP, it’s the merchants who are losing the money, but even so the take-up of anti-fraud 3D Secure technology has been rather limited: apart from anything else, the merchants themselves don’t want to implement it for fear they will lose more from basket abandonment than fraud.

There’s a good article about the fraud/lost sale trade-off in this month’s Digital Transactions, by the way.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public

2 comments

  1. My understanding is that the zero-liability deal with consumers came about because the card issuers petitioned the governments around the world for price protection. That is, they asked for a subsidy of protection for their contracts with merchants that forced all prices to be the same, and to get that the regulators insisted on no-liability or $50 liability caps for consumers.
    (I was too young to care about these stories, so I may be wide of the mark, but) in the good old days, the war was against cards. Small merchants offered discounts of 5-15% for cash, because it was cheaper for them. Large merchants had more economies of scale, of course. To get the small merchants into the card net they had to be foisted with an uncompetitive bargain.
    It might be worth considering that the phoney war on cash is simply the request for the removal of one subsidy that hurts the banks, today. That’s a fair deal if we get rid of the other subsidies too.
    Certainly the no-liability deal should go. European banks are doing it already, last I heard they are hitting the consumer for around 30% of the phishing losses.
    Question is, what are the banks prepared to give up?

  2. While I like many points in the article I’m responding to, the suggestion that we should remove the accountholder’s zero-liability provision is a bad idea in the US for two reasons:
    1) Such thinking is based on a faulty premise. Research data does not show that zero-liability protections eliminate the accountholder’s motivation to protect against fraudsters. Consumers view the card or bank account as “their account”, and treat every violation as a personal issue with potential consequences that don’t simply end once fraud amounts are potentially reimbursed.
    2) The backlash by consumer protection groups would be simply unbearable. Anyone ready for a page one story in the Times about how bank XYZ has finally gone over the top to stick it to the consumer?
    What we need is to empower the accountholder, giving power to their significant motivation to protect themselves and building on their unsurpassed individual knowledge of what makes for a legitimate transaction. We have the technology, yet it’s not being deployed.
