Payments Security: As Strong as the Weakest Link
Third Quarter 2011
Reports of data breaches and identity theft have become an all-too-common fixture in today's headlines. Indeed, the first half of 2011 alone featured several high-profile data breaches in the United States, including PIN pad tampering at several Michaels Stores and stolen user information from Sony's PlayStation Network.
In "Payments Security: As Strong as the Weakest Link," Payments Risk Analyst Jennifer Windh looks at the issue of data breaches from an economist's perspective. Featured in the third-quarter issue of EconSouth, the article explains why payments systems are vulnerable to fraud and what the industry can do to better protect personal data.
One economist's view comes from Will Roberds, a research economist and senior policy adviser at the Atlanta Fed, who noted that personal data collection creates externalities, or unintended side effects, in the normal course of enabling payments. In the payments arena, the negative consequences occur when banks and other payments providers collect personal data to verify payer identities. "As more and more of that data is assembled and it becomes more and more extensive, it becomes a [broad] target for theft," said Roberds.
At the same time that banks may be over-collecting personal data, they may not be doing enough to protect it. Security is what economists refer to as a weakest-link public good, meaning that the payment system is only as secure as its weakest point. In other words, "the level of protection that consumers get is determined by whoever makes the least effort to maintain their portion of the system," Windh writes.
Governments in many countries play a central role in managing payments because they view the system as essential shared infrastructure. In contrast, the United States takes more of a free-market approach, in which mechanisms like pricing, insurance, and self-regulation help manage risks, Windh explains. This approach has many benefits, but it also leaves the payments system more vulnerable to data breaches. "Well-designed regulation can support industry efforts to coordinate risk management and enforce standards," she writes. For instance, governments can offer incentives for private companies to improve their data security while also creating disincentives for negative externalities.