Who actually pays for credit card fraud? (part II)

[continued from part I, which provides background]

The answer to the burning question of who gets to pay for fraudulent credit-card transactions is influenced by many factors. On the one hand there are the particulars of the situation, which vary between incidents: whether it was a stolen card, where the charges took place and how quickly the card-holder contacted their financial institution. At the other extreme, there are large-scale policy issues decided for the entire ecosystem by regulatory regimes for consumer protection. For example in Europe, part of the reason EMV adoption happened in a hurry is that banks seized the opportunity to shift the presumption of guilt to consumers. This so-called “liability shift” was predicated on the assumption that because EMV cards are very unlikely to be cloned or used without knowledge of the PIN (an incorrect assumption on many levels, it turns out, due to vulnerabilities in the design that are being exploited in the wild) the burden of proof is on the card-holder to prove that they did not, in fact.

In the US, there is a belief that consumers are not liable for credit-card fraud. It is a simple message to communicate, which makes it a common refrain for advertising/PR campaigns encouraging consumers to swipe those cards liberally without fear. It sounds reassuring. It is also not entirely accurate.

On the one hand, it is true that the US model starts out with a presumption of innocence. When the card-holder contests a charge, the bank temporarily suspends it while an investigation is under way. But more importantly, the burden of proof on the consumer’s side is much lower. Unless the retailer can prove that the customer in fact made the purchase, or at least show they have done due diligence by producing a signed receipt, they are on the hook. (That also means for card-not-present purchases, such as those happening on the Internet, the merchant is very likely going to be the one eating the loss.) If there is evidence of card-holder participation, it is now between issuer and consumer to decide. The signature on the receipt could have been forged, indicating a cloned card, or perhaps the merchant authorized a different amount than originally agreed. In all cases, unless the parties in question can prove conclusively that the card-holder knowingly authorized that exact charge, the losses are absorbed by the issuing bank or the merchant.

In theory this is a very consumer-friendly regime. It is all the more surprising that it has gained traction in the US, while Europe, with its tradition of consumer protection, favors the opposite. It places the incentives for combating fraud on the parties most capable of taking action. Issuers can refine their statistical models to better distinguish legitimate from fraudulent activity, while merchants can implement policies based on their own risk/benefit calculations. For example, online merchants may refuse to ship to addresses other than the billing address on the card, retailers may ask to check ID for large purchases, and Starbucks can define its own threshold above which signatures are required even if it means slowing down the line. That still leaves one question open: what happens to the losses that issuers and merchants still incur after all of these mitigations have been implemented?

Indiscriminate insurance

Imagine a car insurance company that charges all drivers the same rate, regardless of their demographics (no over-charging young people living alone to subsidize older married couples), past driving record or the current value of their vehicle. This is in effect how credit-card losses are distributed throughout the payment system.

Not being directly liable for fraudulent charges is not the same as being completely off the hook. US regulatory frameworks may have conspired with the card networks’ own business model to off-load losses away from card-holders and towards merchants and issuers. But there is no rule that says those parties may not pass those costs on to consumers in the form of higher prices. In fact this concern comes up for merchants even in the absence of fraud. Recall that a credit-card purchase can involve a fee upwards of 3% compared to a cash purchase. (If that sounds negligible, consider that some retailers such as grocery stores have razor-thin profit margins of less than 5%. In effect they are giving up half of their profit, which goes a long way towards explaining why Wal-Mart, Target etc. were highly motivated to spearhead a merchant consortium to create alternative payment rails.) The economically rational behavior would be to introduce a surcharge for credit-card purchases. The reason that did not happen in practice is that it ran afoul of Visa/MasterCard rules until recently. In 2013 a court settlement finally allowed merchants to start passing on those costs to consumers, but only in certain states.

A similar situation applies to dispersing the effect of fraud. If merchants are setting prices based on the expectation that they will lose a certain percent of revenues to fraud, all customers are sharing in that cost. The bizarre part is that customers are not even subsidizing each other any longer, but complete strangers with no business relationship to the retailer. Imagine consumer Bob has his credit-card information stolen and used at some electronics retailer for a fraudulent purchase, even though Bob himself never shops there. When consumer Alice later frequents the same store, she is in effect paying a slightly higher price to make up for the charge-back caused by crooks using Bob’s card.

Moral hazard?

The same calculus applies on the issuer side, except there is arguably a greater element of individual responsibility. This time it is not about a specific “price” charged to consumers per se, but subtle adjustments to the terms of credit to accommodate expected losses. For example, the annual fee for the privilege of carrying the card might be a little higher, its APR on balances set a few basis points higher, or the rewards program a little less generous. If Alice and Bob are both customers of the same bank and Bob experiences fraudulent charges because he typed his credit-card information into a phishing page, Alice is indirectly paying for that moment of carelessness.

Whatever one might say about the virtues of this system, fairness is not one of its defining features. The system provides Bob with peace of mind in the same way that insurance will pay for repairing a car after the owner repeatedly drives it into a ditch. Unlike car insurance, though, costs are not reflected back on specific individuals through increased premiums. Instead fraud losses are socialized across the entire customer base. Now in fairness to Bob, he may not have been responsible for the breach. Even the most cautious and responsible card-holder has little control over whether Target or Home Depot point-of-sale terminals have been compromised by malware that captures card details in the course of a routine purchase. What could be more routine than using a credit card at a reputable nation-wide retailer in an actual bricks-and-mortar store? Neither can Bob compensate for fundamental design weaknesses in payment protocols, such as the ease of cloning magnetic stripes, by unilaterally upgrading himself to a chip & PIN card.

[continued]

CP

Who actually pays for credit card fraud? (part I)

In the aftermath of a credit-card breach, an intricate dance of finger-pointing begins. The merchant is already presumed guilty because the breach typically happened due to some vulnerability in their systems. Shifting the blame is difficult, but one can take a cue from innovative strategies such as the one Target employed in suggesting that fraud could have been mitigated if only US credit-card companies had switched to chip & PIN cards, which are far more resilient to cloning by malicious point-of-sale terminals. (In reality the story is not that simple, because the less secure magnetic stripe is still present even on chip cards for backwards compatibility.) But credit-card companies will not take that sitting down: it is all the merchants’ fault, they will respond, in other words the fault of the Targets of the world. What is the point of issuing chip cards when stores have archaic cash registers that can only process old-fashioned “swipe” transactions in which the chip is not involved?

They have a point. October 1st 2015 was the deadline set by Visa/MasterCard, partly in response to large-scale breaches such as Target and Home Depot, for all US retailers and banks to switch to chip cards. Payment networks may have thrown down the gauntlet, but by all appearances their bluff was called: less than half the cards in circulation have chips and barely a quarter of merchants can make use of them, according to a Bloomberg report. That state of affairs sows a great deal of confusion around why so little has been done to improve the security of the payment system. After all, EMV adoption happened in Europe a decade earlier and at a much faster clip. This feeds conspiracy theories to the effect that banks/merchants/name-your-villain do not care because they are not on the hook for losses. This post is an attempt to look into the question of how economic incentives for security are allocated in the system.

Payment networks

[Figure: roles in a typical payment network]

Quick recap of the roles in a typical credit card transaction:

  • Card-holder is the person attempting to make a payment with their card
  • Merchant is the store where they are making a purchase. This could be a bricks-and-mortar store in meatspace with a cash register or an online ecommerce shop accepting payments from a web page.
  • Issuing bank: This is the financial institution that provided the consumer with their card. Typically the issuer
  • Acquiring bank: The counterpart to the issuer, this is the institution that holds funds in custody for the merchant when payments are made
  • Payment network, in other words Visa or MasterCard. This is the glue holding all of the issuers and acquirers together, orchestrating the flow of funds from acquirers to issuers. One note about American Express and Discover: in these networks, the network itself also operates as issuer and acquirer. While they partner with specific banks to issue co-branded cards (such as a “Fidelity AmEx” card) with revenue-sharing on issuer fees, the transaction processing is still handled by the network itself.

In reality there can be many more middlemen in the transaction vying for a cut of the fees, such as payment processors who provide merchants with one-stop solutions that include all the hardware and banking relationships.

Following the money

Before delving into what happens with fraudulent transactions, let’s consider the sunny-day path. The merchant pays some percentage of the purchase, typically 2-3% for credit transactions depending on the type of card and much lower for debit cards routed through a different PIN-debit network, for the privilege of accepting cards, in return for the promise of higher sales and reduced overhead from managing unwieldy bundles of cash. The lion’s share of that goes to the issuer; after all, they are the ones on the hook for the actual credit risk, the possibility that having made a purchase and walked out of the store with their shiny object on borrowed money, the consumer later defaults on the loan and does not pay their credit-card bill. (That also explains why debit cards can be processed with much lower overhead and why retailers are increasingly pushing for debit: in that case the transaction only clears if the card-holder already has sufficient funds deposited in their bank account. There is no concern about trying to recoup the payment down the road with interest.) The remainder of that fee is divvied up between the acquirer, the payment network and the payment processors facilitating the transaction along the way.

When things go wrong

What about fraudulent transactions? First note that the issuing bank itself is in the loop for every transaction. So the bank has an opportunity to decline any purchase if the issuer decides that the charge is suspicious and unlikely to have been authorized by the legitimate card-holder. (That alone should be a cue that issuers in fact have a stake in preventing fraud: otherwise they could cynically take the position that every purchase is a revenue opportunity, the higher the sum the greater the commission, green-light everything and let someone else worry about fraud.) But those systems are statistical in nature, predicated on identifying large deviations from spending patterns while also trying to avoid false positives. If a customer based in Chicago suddenly starts spending large sums in New York, is that a stolen card or are they on vacation? Some amount of fraud inevitably gets past the heuristics. When the consumer calls up their bank at the end of the month and contests a particular charge appearing on their bill, the fundamental question stands: who will be left holding the bag?
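As an added illustration (not code from the post or from any real issuer), here is a toy issuer-side heuristic that scores a new charge against a card’s spending history using constructed data for the Chicago card-holder above. It shows the trade-off the paragraph describes: the legitimate New York vacation charge gets declined while a modest fraudulent charge near home sails through.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    amount: float  # purchase amount in dollars
    city: str      # merchant location


# Constructed spending history for a card-holder based in Chicago (not real data).
HISTORY = [
    Txn(12.50, "Chicago"), Txn(48.00, "Chicago"), Txn(33.20, "Chicago"),
    Txn(91.00, "Chicago"), Txn(27.75, "Chicago"), Txn(60.10, "Chicago"),
    Txn(15.00, "Evanston"), Txn(42.30, "Chicago"),
]


def risk_score(history, txn):
    """Score how far a new charge deviates from the card's past spending.

    Two signals, both illustrative: how many standard deviations the amount
    sits above the historical mean (only unusually large amounts count),
    and a flat penalty for a city the card has never been used in.
    Higher is more suspicious; the scale is arbitrary.
    """
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0
    amount_z = max(0.0, (txn.amount - mu) / sigma)
    seen_cities = {t.city for t in history}
    geo_penalty = 0.0 if txn.city in seen_cities else 2.0
    return amount_z + geo_penalty


def decide(history, txn, threshold=3.0):
    """Authorize or decline. The threshold trades missed fraud for false positives."""
    return "decline" if risk_score(history, txn) >= threshold else "approve"


if __name__ == "__main__":
    # Vacation in New York: legitimate, but a large amount in an unseen city.
    print(decide(HISTORY, Txn(850.00, "New York")))  # decline (false positive)
    # Fraudulent charge that mimics normal spending: slips past the heuristic.
    print(decide(HISTORY, Txn(55.00, "Chicago")))    # approve (missed fraud)
```

Lowering the threshold catches more of the second kind of charge at the price of declining more of the first; that is exactly why some fraud always gets through and the question of who absorbs it matters.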

[continued in part II]

CP