Security issues in credit card business

inSight

23 Feb 2006

Improving authentication arrangements and tightening data security are two ways to make credit card business safer.

There have recently been a couple of large-scale leaks of credit card data. The leaks were only discovered when the cards were used fraudulently in hundreds of transactions involving hundreds of thousands of dollars. The relevant parties took prompt action to contain the damage as soon as the problem was identified, by suspending or cancelling the many cards that might have been affected. But the recurrence of such cases is a matter for concern even though the affected card holders have - rightly - not been held accountable for the fraudulent transactions. The inconvenience caused to the card holders and the effect of these events on the integrity of the credit card system could undermine user confidence.

I am sure the relevant parties will sort out the problems expeditiously. As long as consumers are not held responsible for fraudulent transactions, and they can still use other convenient means of payment and obtaining credit, there seems to be no good reason for the official sector to intervene. In any case, in the credit card business, most, if not all, of the key parties are not subject to any existing system of regulation. There is a limit to the amount of losses arising from fraudulent card use that credit card issuers and related parties can absorb by raising finance charges or merchant fees. Both are already far too high for the comfort of some. Perhaps beyond a certain threshold, credit card holders' - and merchants' - behaviour might change abruptly to the extent that using credit cards for payment and obtaining credit becomes less popular. It may therefore be beneficial for the parties concerned to quickly focus their minds on how to make the authorisation and authentication arrangements more robust.

Currently, the authentication process is very loosely organised. In many cases, the desire for convenience in completing transactions, with the aid of advanced telecommunications technology, is achieved through compromising the need for authentication. What little authentication requirement there is - for example, a simple code at the back of the credit card for telephone orders, which admittedly may not be entirely effective - is sometimes dropped. This I fear has become an incentive for criminals to try to obtain systematic, unauthorised access to credit card data, which are then used fraudulently. This incentive obviously needs to be removed, and I think this can be achieved by improving the authentication arrangements.

Another way to remove the incentive is to tighten data security at places where such data are transmitted, processed or stored. A number of parties are involved in the credit card payment system. Apart from the credit card holder, the merchant and the credit card issuer, there are the less-known network operator, service provider and merchant acquirer. They all have access to credit card data. Some of these parties, for example, the service provider, have much more concentrated access to the data than the others. This makes them more vulnerable to systematic, unauthorised access, and they should therefore be a lot more careful about ensuring tight security. But obviously, whether or not as a result of the recent events, all concerned should exercise great care in protecting credit card information.

The credit card business is a big business. It is also a global business and therefore it is difficult to use regulation to resolve problems, because laws are usually only of domestic, rather than international, application. This may be one of the reasons why this business is so prone to fraud. It may also be the reason for some other apparent anomalies. I am sure readers will have noticed the significant discount one can get when using certain credit cards at certain places. One way of looking at these discounts is that those who are using cash or other means of payment, and who are therefore not offered the discounts, are subsidising the credit card users. There are also the fees charged by the credit card issuers, merchant acquirers, and the network operators, which arguably make goods and services more expensive than they should be, at least for those not requiring credit. Are people with good credit - so good that they do not require it - subsidising those who are less credit-worthy and have to borrow to consume? These are difficult issues, and they are worth studying. But I am not suggesting regulatory interference. The business is big enough for the stakeholders to sort out their problems while ensuring that credit card holders continue to be protected. The market should be able to take care of this one.

Joseph Yam

23 February 2006


Last revision date : 23 February 2006