The United States retail payments industry is in the middle of a transition with regard to information security. A substantial number of data breaches have occurred over the last five years, despite widespread compliance with the industry standard, the Payment Card Industry Data Security Standard (PCI DSS). The industry will need to move to a higher level of security, and the major challenge is institutional: how can the industry organize itself to move collectively toward this goal? Without recommending any particular technical solution, this paper proposes one way to meet this institutional challenge. Drawing on the experience of Europe and the United Kingdom in moving to a chip and PIN environment, I recommend a public-private partnership in which industry, government and civil society jointly work through the technical, economic and public policy issues that must be solved if we are to have improved information security in the industry.
This paper is organized as follows. In Part II, I look at the information externalities in the retail payment system. This part provides some industry and legal background, discusses information security as a third-party indirect liability regime, and assesses the system externalities and liability rules that create misaligned incentives for investment in information security. In Part III, I review the Payment Card Industry Data Security Standard, including examples of its data security rules. I discuss levels of compliance and validation, and review some of the data security breaches that have occurred despite the success in moving the industry toward compliance. In Part IV, I discuss some public policy issues, including mandated cost recovery schemes, data breach notification laws, specific security laws, action by the Federal Trade Commission to treat security lapses as unfair acts, and general security laws that require reasonable levels of security. In Part V, I discuss end-to-end encryption and chip and PIN as possible upgrades to the current system, and conclude with a recommendation for a public-private partnership to explore ways to move the system forward to higher levels of information security. In Part VI, I conclude with a recommendation for a way forward in which government acts as an active convener of public-private coordinating groups that seek to guide industry upgrades in information security.