The Economics of Credit Card Security

The WSJ has an interesting article today on the Target credit card security breach. As the article notes, the US card system is less secure than elsewhere in the world, most notably Europe, which uses a “chip and PIN” system: a computer chip is embedded in the card, and the purchaser must also enter a PIN to make a transaction. The Target security breach has led many, implicitly including the WSJ, to wonder why the US has lagged in adopting this more secure technology.

Well it turns out that the economics of credit card security is more complicated than it appears at first glance. But first, an important thing to keep in mind: historically the United States has been a high-trust, low-fraud country when it comes to payment card usage. For example, the conventional practice of handing over your credit card (or debit card) to a waiter in a restaurant and having him disappear into a back room with it is something that must strike people in other countries as somewhat bizarre. Nevertheless, we do it all the time and rarely does anything go wrong in this process. So, this makes a difference–in a high-trust, low-fraud country it generally is not necessary to invest in as elaborate security protections as elsewhere. As an analogy, consider that in the U.S. very few restaurants, stores, or hotels routinely post visible armed guards at their front door, whereas this precaution is not uncommon in other countries.

With that background in mind, the WSJ article contains some interesting numbers relative to the optimal level of credit card security.

First, consider the potential dollar amounts at stake:

But if the chip cards were used in the U.S., fraud losses could be halved, Aite Group estimates. U.S. merchants and banks had 2012 losses of $11.3 billion due to credit-card fraud, or 5 cents on every $100 spent, according to the Nilson Report, a payment-industry newsletter based in Carpinteria, Calif.

So, if that is correct, this obviously means that card issuers would save about $5.65 billion per year from adopting more secure technologies. So there is a strong incentive there to do so. According to the Washington Post, however, the amount saved from adopting more secure payments technologies is only $1.1 billion.

But this leaves out a whole bunch of costs, especially the costs to consumers in the time, aggravation, and any out-of-pocket expense of dealing with security breaches and potential follow-on effects such as identity theft.

But there are costs on the other side as well:

A typical large issuer will spend about $1.30 to buy a chip card, compared with 10 cents for a traditional magnetic-stripe card, according to Aite Group.

And according to the article there are “5.6 billion credit and debit cards in circulation in the U.S., only an estimated 15 million to 20 million are chip cards–issued mainly to people who travel overseas frequently.” So, holding all else constant, this would mean that the card issuers would have to replace some 5.4 billion cards at an increased cost of $1.20 per card, for a one-time cost of $6.48 billion. So, in the short run, this is a one-time $6.48 billion expenditure to save some $5.65 billion per year, and it seems like it would be recovered in a year and a half. The Post story estimates the cost at $8 billion to switch over.

But according to this article by Bankrate, the cost to produce and distribute a traditional magnetic card to a customer is “under $2.” By contrast, the “cost to make and distribute a chip card to a customer is between $15 and $20,” according to Andi Coleman, a member of the Accredited Standards Committee X9, “which determines the standards for the financial industry in the U.S.”

So, the numbers vary–a lot. But they are big numbers.

But that’s incomplete as well. First, that’s just the cost of issuing the cards. There is a whole other group of costs of upgrading all the technology to accept the cards. As Bankrate also notes:

And don’t expect retailers to be too eager to pay for a switch either, he says.

“You’re telling the merchant that they have to buy a new machine,” says Abagnale. “They’ve already purchased this one machine for $450. If you’re a Kroger store or a Safeway or someone, and you have thousands of these machines, they’re telling you now to go get a new machine.”

Because U.S. laws put most of the onus for paying for fraud on card issuers rather than retailers, says Abagnale, retailers have little incentive to make the steep investment required to implement the change.


So we are talking about huge network costs on all sides of the equation to transition from traditional magnetic stripe cards to chip and PIN. This isn’t to say that the cost and network effects are insurmountable. But it isn’t easy either.

But there is still another factor to consider–traditionally card issuers have essentially issued their cards for free to customers, in the sense that they do not charge you for actually producing, distributing, and activating the card for you. That makes sense if the cost of the card is relatively trivial (a dime or $2 or however we measure it). But what if the cost is higher, as with chip and PIN? Then it is going to be harder to absorb those costs.

Moreover, people often use cards for a while and then switch, or they lose their cards and the cards need to be physically replaced. According to Federal Reserve data that I summarize in this article, in 2009 16.5% of credit card users discarded their cards and 29% of prepaid card users did so. Customer churn is especially high for prepaid card users, who often use their cards for only a short period or for a specified purpose. Churn is lowest for debit cards, because they are linked to bank accounts. But if the cost of issuing cards increases, issuers will need to recoup these higher costs in some way or another. In fact, one reason why general-purpose prepaid cards cost more to use than other payment systems is the need to recoup these fixed costs across a shorter time period and lower transaction volume. If chip and PIN becomes standard, it would be foreseeable that card issuers will begin charging a fee for card issuance or certainly for replacement cards.

Finally, this whole issue of new technology adoption becomes much more complicated when you move from credit cards to debit and prepaid cards. In particular, although the Durbin Amendment to Dodd-Frank supposedly permits a price allowance for “fraud,” it is unclear whether it would permit recovery for the costs of a recall and reissue of new cards with the technology. As Judge Leon emphasized in his opinion invalidating the Federal Reserve’s cost-recovery rule, the Durbin Amendment ties allowable recovery costs very closely to the cost of particular transactions, and it is not clear to what extent it would permit recovery of increased costs from issuing new cards. Moreover, even if investments in card security are recoverable, they are capped under the Durbin Amendment at one cent per transaction under 12 CFR 235.4(a). Indeed, I argued some time ago that one unintended consequence of the Durbin Amendment, once it became effective, would likely be to discourage investments in card security and other features (such as processing speed) by making it more difficult for issuers to recoup those costs.

So in the wake of the Target debacle, there appears to be an emerging belief that merchants and issuers have dragged their feet on increasing card security. In fact, the issue is much more complicated than that and has to do not only with whether the benefits of the transition (in the U.S.) exceed the costs, but also who bears the transitional and going-concern costs. Not to mention a healthy dose of special-interest politics involving the Durbin Amendment.