A Chip Off the Old Block or a New Direction for Payment Cards Security? The Chip & PIN Debate, Apple Pay, and the Law & Economics of Preventing Payment Card Fraud

ABSTRACT:

The issue of consumer payments and data security has reached a high level of public and regulatory interest as a result of a number of recent high-profile data breaches that compromised consumer payment card numbers, such as at Target, Home Depot, and Michael’s. In addition, the ecosystem of consumer payments security has changed dramatically in recent years as a result of the introduction and rapid spread of contactless payment technologies, such as ApplePay. In response to growing concerns about payments fraud, payment card networks in the United States have moved toward the rapid replacement of traditional magnetic stripe payment card technology to new EMV computer chip-based technology, which creates a unique encrypted identifier for each transaction, thereby making it more difficult for thieves to steal card numbers and create counterfeit cards. Notably, however, American card issuers and networks have chosen not to adopt the PIN method of verification that has been standard in the United Kingdom and much of Europe for the past decade or so, but instead have adopted signature as the preferred method of customer verification. Many large retail chains and retail trade associations have nevertheless lobbied for regulatory or statutory action to impose a PIN-verification requirement in addition to the addition of EMV chips. This article conducts an economic analysis of the regulation of consumer payment cards and payment cards fraud. We examine the marginal benefits from heightened levels of payment cards security (such as requiring PIN verification for purchases) and marginal costs as well, such as the impact on speed, convenience, and functionality for consumers and merchants, especially uptake of electronic payments by smaller merchants. We examine the dynamic evolution of payment cards anti-fraud technology over time and suggest that there is little evidence of market failure in the provision of payments security by card networks and issuers and little reason to believe that mandating one exclusive, decades old, static verification technology (namely Chip & PIN) would be likely to improve overall consumer welfare and economic efficiency today. We conclude that rather than blindly adopting the particular verification technology Europe put into place many years ago, U.S. regulators should be alert to the evolving and contemporary nature of consumer payments and fluid nature of threats to data privacy and not freeze or hamper the adaptability of the payments system.