Cybersecurity in the payment card industry

University of Chicago Law Review

Volumn 75, Issue 1, 2008, Pages 203-223

  Epstein, Richard A ^a,b   Brown, Thomas P ^c  

^a UNIVERSITY OF CHICAGO   (United States)

^b STANFORD UNIVERSITY   (United States)

^c O'Melveny and Myers ^*

Author keywords

[No Author keywords available]

Indexed keywords

EID: 41449116360     PISSN: 00419494     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Conference Paper

References (74)

1. For our view on the antitrust issue, see generally Richard A. Epstein and Thomas P. Brown, The War on Plastic, 29 Reg 12 (2006) (arguing that markets provide sufficient rate regulation and that antitrust threatens to stifle the competition that it seeks to foster);
2. Richard A. Epstein, Behavioral Economics: Human Errors and Market Corrections, 73 U Chi L Rev 111 (2006) (analyzing consumer-credit behavior and concluding that even devotees of a soft form of paternalism should propose no protection beyond that which a truth-in-lending law affords against misleading representations);
3. Richard A. Epstein, The Regulation of Interchange Fees: Australian Fine-tuning Gone Awry, 2005 Colum Bus L Rev 551 (analyzing the Reserve Bank of Australia's attempt, and ultimate failure, to impose credit rate restrictions and arguing that voluntary arrangements supply superior alternatives to antitrust regulation).
4. We thus largely exclude from this discussion other important dangers that include denial of service attacks, viruses, and loss of state secrets.
5. For a discussion of currently accepted models for addressing data leaks, see Paul M. Schwartz and Edward J. Janger, Notification of Data Security Breaches, 105 Mich L Rev 913, 932-45 (2007) (arguing that current models are insufficient and advocating for the creation of a coordinated response architecture as well as a critical organization monitoring credit security performance).
6. For the relevant materials, see Gaius, The Institutes of Gaius, bk III, §§ 195-97 at 219 (Clarendon 1946) (Francis de Zulueta, ed). For a general discussion,
7. see Barry Nicholas, An Introduction to Roman Law 211-15 (Clarendon 1962) (lamenting the complexities of the Roman law of theft, detailing the offense's particular history, and explaining the distinctions between different theft offenses).
8. Gaius, The Institutes of Gaius bk III, § 189 at 215-16 (cited in note 4) (stating that the penalty for theft was capital and required enslavement to the person from whom the thief had stolen or, if the thief was a slave, death).
9. Id bk III, §§ 186-87 at 214 (distinguishing between furtum conceptum, where a stolen thing has been sought and found on a man's premises in the presence of a witness, and furtum oblatum, where a stolen thing has been passed off by someone and has been found on a man's premises rather than his own).
10. For an exposition of the evolution of larceny away from its roots in trespass, see generally George P. Fletcher, The Metamorphosis of Larceny, 89 Harv L Rev 469 (1976) (arguing that the transformation from the common law has expanded the range of circumstances that can provoke intrusive prosecutorial scrutiny).
11. For the variations, see Model Penal Code § 223.1(1) (ALI 1962) (calling for the consolidation of theft offenses).
12. Id § 223.0(6) (defining property as anything of value).
13. See Economic Espionage Act of 1996, Pub L No 104-294, 110 Stat 3488, codified as amended at 18 USC §§ 1831-39 (2000 & Supp 2002) (broadly covering the conversion of trade secrets "related to or included in a product that is produced for or placed in interstate or foreign commerce," which covers just about every commercial secret). For an explanation of fines and imprisonment,
14. see id § 1832(a).
15. For criminal forfeiture, see id § 1834.
16. Id § 1832(a)(3).
17. For the Roman rules, see Gaius, The Institutes of Gaius bk III, §§ 203-08 at 221-22 (cited in note 4) (explaining that a theft action is available to those who have an interest in the safety of the thing stolen, including collateral interests).
18. The text describes a typical Visa or MasterCard card transaction. See David S. Evans and Richard Schmalensee, Playing with Plastic: The Digital Revolution in Buying and Borrowing 9-10 (MIT 2d ed 2005). American Express and Discover transactions omit a couple of steps in the approval process by dealing directly with merchants and cardholders.
19. Over the last thirty years, a highly specialized payment business in the United States has developed, which relies on third-party data processors to help banks on both the cardholder and merchant sides. The increase in the number of parties to a transaction to seven decreases the total processing time.
20. See id at 247-51 (discussing the evolution of payment processing and identifying the different entities involved in a payment card transaction).
21. For a discussion of the role of Russian mafia, see text accompanying notes 41-42.
22. For a similar view about cybersecurity issues more generally, see Robert W. Hahn and Anne Layne-Farrar, The Law and Economics of Software Security, 30 Harv J L & Pub Policy 283, 286 (2006) (noting that the cure is often worse than the disease).
23. For a somewhat different take, see Schwartz and Janger, 105 Mich L Rev at 960-70 (cited in note 3) (suggesting the need for a "coordinated response agent" to deal with information security concerns).
24. For the latest version, see generally Mary T. Monahan, 2007 Identity Fraud Survey Report: Identity Fraud Is Dropping, Continued Vigilance Necessary ("2007 Javelin Survey") (Javelin Strategy & Research, Feb 2007).
25. Id at 1.
26. Id.
27. Total Number of Fraud Complaints & Amount Paid: Calendar Years 2004 through 2006, ConsumerSentinel (Feb 7, 2007), online at http://www.consumer.gov/sentinel/Sentinel_CY_2006/ total_fraudcomplaints_amountpaid.pdf (visited Jan 12, 2008).
28. For discussion, see also Joseph Pereira, Bill Would Punish Retailers for Leaks of Personal Data, Wall St J B1 (Feb 22, 2007) (reporting on a proposed Massachusetts statute that would require retailers to pay for losses when hackers and thieves breach their security systems).
29. See, for example, Visa USA, Inc, Quarterly Performance Data Fourth Quarter 2006, online at http://www.usa.visa.com/download/about_visa/ press_resources/statistics/Q42006.pdf (visited Oct 2, 2007).
30. See id (providing data on total volume for 2006 and the percentage of net fraud).
31. In 2005, for example, Visa estimated that it was planning to increase spending to combat fraud by $200 million over the following four years. Visa USA, Inc, Visa USA Annual Report 2005 1-2, online at http://usa.visa.com/download/about_visa/annual_report.pdf (visited Oct 2, 2007) (discussing challenges from and responses to fraud for Visa).
32. Visa dispensed with the signature authorization requirement to expand acceptance of its cards at quick service restaurants such as McDonald's and Taco Bell. Typically, quick service restaurants needed to capture signatures at the point of sale in order to avoid liability for fraudulent transactions; a major disadvantage for payment cards relative to cash. Two years ago, however, Visa persuaded issuers to eliminate the requirement and to accept liability for fraudulent transactions, and acceptance in the category has increased dramatically.
33. For a vivid description of this market, see Stephen J. Dubner and Steven Levitt, Identity Crisis, NY Times Mag 24-25 (Mar 11, 2007) (detailing the ease with which personal identity can be obtained, often in internet chat rooms).
34. 2007 Javelin Survey at 30 (cited in note 17).
35. See generally Richard J. Sullivan, Risk Management and Nonbank Participation in the US Retail Payments System, 92(2) Economic Review 5 (2007).
36. Id at 15 table 2 (providing percentages of publicly reported data breaches across sectors of the economy).
37. Id (reporting 19.9 percent and 22.6 percent of all breaches for retail and education respectively and 61,288322 and 40,691,306 records compromised for retail and processors of financial data respectively compared with, for example, 6,352,711 records compromised for education).
38. 2007 Javelin Survey at 5 (cited in note 17) (explaining that the average victim of an existing account fraud paid $587 out of pocket in consumer costs, but if the thief opened a new account in the victim's name, the average consumer had to pay $792).
39. See Visa Reaches Major Technology Milestones-Paves the Way for Global Growth and Innovation, Bus Wire (Sept 27, 2006) (reprinting the VISA press release).
40. See PCI Security Standards Council, About the PCI Data Security Standard (PCI DSS), online at https://www.pcisecuritystandards.org/tech/ index.htm (visited Jan 12, 2008).
41. See PCISSC, PCI Security Standards Council Appoints Robert M. Russo, Sr. as General Manager (Mar 27, 2007), online at https://www. pcisecuritystandards.org/pdfs/03-27-07.pdf (visited Jan 12, 2008).
42. See About the PCI Data Security Standard (PCI DSS) (cited in note 32).
43. See, for example, Visa USA, Inc, What to Do if Comprised: Visa USA Fraud Investigations and Incident Management Procedures 1, online at http://usa.visa.com/download/merchants/cisp_what_ to_do_if_compromised.pdf (visited Jan 12, 2008).
44. Visa USA, Inc, Cardholder Information Security Program, online at http://usa.visa.com/ merchants/risk_management/cisp_if_compromised.html?it=12|/ merchants/risk_management/cis_ overview.html|If%20Compromised (visited Jan 12, 2008).
45. Visa USA, Inc, Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data (Dec 12, 2006), online at http://corporate.visa.com/ md/nr/press667.jsp (visited Jan 12, 2008). MasterCard's website only offers this cryptic warning: "If a merchant does not meet the applicable compliance requirements of the SDP Program, then MasterCard may levy a noncompliance assessment on the responsible MasterCard member." MasterCard Worldwide, Compliance Considerations, online at http://www.mastercard.com/us/sdp/ merchants/compliance_ considerations.html (visited Jan 12, 2008).
46. Visa USA, Inc, Visa USA Pledges $20 Million (cited in note 37).
47. The TJX Companies, Inc, Form 10-K for the Year Ending January 27, 2007 at 2, 7 (providing a brief discussion of the company's market position and information about the computer intrusion).
48. Joseph Pereira, Breaking the Code: How Credit-Card Data Went Out Wireless Door-In Biggest Known Theft, Retailer's Weak Security Lost Millions of Numbers, Wall St J Al (May 4, 2007).
49. Id (describing the methods and technology by which the information was intercepted).
50. Id (quoting a source identified as a "person familiar with TJX's internal probe").
51. See TJX Companies, Inc, Form 10-K at 9 (cited in note 39) (indicating that the "security data included in the magnetic stripe on payment cards required for card present transactions ('track 2' data)" was no longer stored on the system after September 2, 2003).
52. See Larry Greenemeier, TJX Stored Customer Data, Violated Visa Payment Rules, Info Week (Jan 29, 2007), online at http://www.informationweek.com/ story/showArticle.jhtml? articleID=197001447 (visited Jan 12, 2008) (criticizing the length for which TJX stored its customer data and detailing how information is intercepted).
53. TJX Companies, Form 10-K at 9 (cited in note 39).
54. Id at 8.
55. Id.
56. See Jaclyn Giovis, 6 Held in Credit ID Theft Case; Authorities Link S. Florida Suspects to TJX Cos. Breach, Ft Lauderdale Sun-Sentinel ID (Mar 24, 2007).
57. A stored value card looks like a typical general purpose payment card, but instead of accessing a credit limit or a checking account, it accesses an electronic purse.
58. Evan Schuman, Stolen TJX Data Used in $8M Scheme before Breach Discovery, eWeek.com (Mar 21, 2007), online at http://www.eweek.com/ article2/0,1895,2106149,00.asp (visited Jan 12,2008).
59. Matt Hines, Data from TJX Security Breach Fuels Fraud Scheme, CSO (Mar 21, 2007), online at http://www2.csoonline.com/blog_view.html?CID=32617 (visited Jan 12, 2008).
60. Id.
61. 15 USC § 1643(a)(1)(B) (2000).
62. See Visa USA, Inc, Visa Security Program, online at http://usa.visa.com/personal/ security/visa_security_program/zero_liability.html (visited Jan 12, 2008).
63. Class Action Complaint, In re Retail Security Breach Litigation, No 07-101621 3 (D Mass filed Apr 25, 2007).
64. Id ¶¶ 72-74.
65. Id ¶ 81.
66. See, for example, Pennsylvania State Employees Credit Union v Fifth Third Bank, 398 F Supp 2d 317, 322-23 (MD Pa 2005).
67. Id at 338.
68. Id at 332-37.
69. See Pennsylvania State Employees Credit Union v Fifth Third Bank, 2006 WL 1724574, *1 (MD Pa) (memorandum opinion).
70. See also Cumis Insurance Society, Inc v BJ's Wholesale Club, Inc, Civil Action No 05-1158, *2 (Mass Super Ct filed Dec 1,2005) (memorandum opinion) (rejecting a similar claim in Massachusetts).
71. See Act of May 21, 2007, 2007 Minn Laws 108, to be codified at Minn Stat Ann § 325E.64 (West 2007) (mandating a forty-eight hour limit on the retention of personal information following a transaction).
72. Pub L No 107-204, 116 Stat 745 (Supp 2002).
73. Michael Bloomberg and Charles Serhumer, Sustaining New York's and the US' Global Financial Services Leadership 19-20, online at http://www.senate.gov/~schumer/SchumerWebsite/ pressroom/special_reports/2007/ NY_REPORT%20_FINAL.pdf (visited Jan 12, 2008).
74. See generally Roberta Romano, The Sarbanes-Oxley Act and the Making of Quack Corporate Governance, 114 Yale L J 1521 (2005) (noting that Sarbanes-Oxley represents a change in regulation regimes, moving from disclosure requirements to substantive corporate governance mandates and arguing that the change resulted from hasty decisionmaking, not careful legislative deliberation).