The role of innovation and incentives in keeping payments safe
Last week I attended a forum on digital payments, hosted by the Electronic Transactions Association. One thing that really stuck with me was just how useful, from a consumer perspective, the credit card system is, and how much of this usefulness was a result of regulations setting a high standard for consumer protection but leaving room and creating incentives for innovation – and the ability of the market to take advantage of that flexibility.
Credit cards are governed by numerous laws and regulations that seek to protect consumers by forcing disclosures and limiting liability for unauthorized charges. On their own, current laws make credit cards “safe” for consumers in the sense that there is limited liability. Still, this doesn’t mean cards would be useful.
To be useful, credit cards must be broadly accepted by merchants, reliable, and inherently secure enough to keep cards and data free from compromise. After all, even if a consumer is not ultimately responsible for a fraudulent charge, after a certain point the risk of identity theft and the general hassle factor that accompany a data breach would make credit cards unattractive. Merchants would not accept cards as a means of payment if they faced too frequent a risk of seeing their sales clawed back. The government can make it so consumers aren’t on the hook for a fraudulent charge, but it can’t make your favorite merchants want to take cards or consumers want to use them.
So why does the credit card system work so well? While the laws provide minimum standards and generally assign liability away from the consumer, they also allow the market broad latitude on how to function. This has resulted in the market’s developing greater protections and consumer rights, sophisticated security protocols, and a system of carrots and sticks to encourage merchants, payment processors and banks to prioritize customer safety, all via contractual agreement.
An example of this is how retailers, especially online retailers, handle “card not present” transactions (i.e. transactions online or over the phone where the card is not swiped). Merchants have developed sophisticated algorithms and verification regimes that balance ease of use (since they don’t want the customer to become frustrated and abandon the transaction) with fraud prevention (since the retailer is ultimately on the hook). These procedures are often at least somewhat unique to the company using them (though there are also robust industry-wide standards), as each retailer tries to create a better security mousetrap. Compared to the customer experience in countries where the process is prescribed by regulations (which often require users to leave the commerce site for their bank and then come back), the fraud rates are about the same, but customer drop-off rates are lower, a compelling benefit to merchants who take innovative, customer-focused steps to prevent fraud.
Another example of innovative anti-fraud systems is “EMV” (Europay, MasterCard, and Visa) cards. EMV cards use a chip embedded in the card to transmit a transaction code unique to each transaction, making it much harder for counterfeiters to capture and reuse an EMV card’s payment data (unlike magnetic stripe cards, which use static data). The EMV standard was a collaborative, voluntary effort between Europay, MasterCard, and Visa, initiated in 1994 to reduce fraud. While used in Europe for two decades, EMV has had very limited penetration in the United States.
However, in 2015 we will see a major shift in the United States towards the use of EMV cards, and it is not the result of a government mandate. The major card networks have decided to shift the liability for fraudulent transactions involving EMV cards to the party that prevented the chip from being used. That is to say, if a merchant refuses to get a point of sale terminal that works with EMV, or a bank refuses to issue EMV cards, and a fraudulent transaction occurs, the merchant or bank would be responsible for the costs (both getting the customer their money back and at least some portion of any subsequent losses caused by the data breach). This is all done via contractual agreement. Accepting these terms is a requirement to use a credit card brand’s network. While voluntary, this system allows merchants to do their own cost-benefit analysis on whether to make the switch to EMV-compliant equipment. The shift in liability incentives is likely to influence participants throughout the credit card space.
These innovations are the result of the market’s being able to respond to a need in new and innovative ways. They also indicate how much good regulators can do when they allow room for innovation and experimentation, even if they are placing clear and significant requirements or limitations on market participants (“the customer is almost never liable” is a pretty strong requirement). They also point to the possible harm overly prescriptive regulations can cause. If instead of being able to innovate, market participants had been provided a strict recipe of anti-fraud procedures and had to wait for regulations to be updated to make a change, it is doubtful that credit cards would offer the same combination of safety and convenience consumers and merchants currently enjoy.