With the growth of e-commerce and m-commerce, remote payments fraud has grown in response.  In a letter released December 7, 2011 (available here), economists from the Federal Reserve Bank of Chicago argue that a centralized public sector organization is needed to establish standards governing security of electronic payments and coordinate with regulators and law enforcement on e-commerce anti-fraud initiatives.  The authors of the paper included Nour Abdul-Razzak, Katy Jacob, and Richard D. Porter.

While security vulnerabilities are the primary contributor to remote payments fraud, the authors lay some of the blame at the feet of the payment card industry, which they allege has been slow to address payments fraud in a comprehensive way.  The paper points out that PCI DSS (Payment Card Industry Data Security Standard) compliance has a limited effect on payments fraud because data breaches still occur even when the entity suffering the breach is in compliance with the standard.  Moreover, the standard primarily protects the card networks, not the merchant (who is liable for losses due to remote payments fraud) or other participants in the payment system.  The paper also expresses concern that there are no accepted standards for the use of encryption across the payment system and discusses the limits of authentication methods in detecting fraud, since legitimate users can make illegitimate transactions.

The paper further points out that it is difficult to pinpoint specific market failures that lead to remote payments fraud due to the lack of coordination between regulators that oversee retail payments, the multitude of players that are involved in a remote payment transaction, and the complexity of the payment system.  One of the primary reasons cited is that industry players do not compete on fraud security.  Other reasons cited are the failure to invest in new technologies that the industry does not believe will make a significant difference in fraud reduction and the lack of “skin in the game” (in the form of zero liability policies) for consumers who are careless with their PINs and other personal information.

The authors state that a central authority is needed to look at all aspects of the payments system because, while new payments regulation (or participants acting on their own) may address some issues, it may exacerbate other problems in the payment system.  As an example, the authors point out that fraud rates increased when Visa and MasterCard pushed signature-based debit card transactions in lieu of PIN-based debit card transactions.

Participants at a payments fraud symposium held on September 26, 2011 and co-hosted by the Chicago Fed and the Secure Remote Payment Council mostly agreed that more payments security standards would be helpful to combat remote payments fraud.  The authors suggest that the following issues might be addressed through payments security standards:

  • The level, nature, and number of authentication techniques employed;
  • Best practices for encryption;
  • Support from underlying device makers (e.g., hardware manufacturers) to improve the bases on which the secure networks can be built;
  • Privacy issues, so that data used to combat fraud are not in turn used for marketing purposes;
  • Appropriate time frames for addressing fraud when it occurs, and support of real-time fraud detection;
  • Information-sharing on suspected fraud schemes;
  • Exploration of the use of biometric security measures; and
  • Best practices for increasing the interoperability of currently closed-loop, proprietary payment channels.