Adam Shostack posts on The Recent History of the Future of Cash. He points out that the choice between cash and electronic payment systems is influenced by questions of trust. In some countries with high inflation, people don't trust cash. But people also don't trust complex and unreliable electronic systems.
Lack of trust increases transaction costs. If I am constantly on guard because of unexpected charges on my account - whether this is due to error or fraud, or simply because the service provider is pocketing a fee for something - then I may have to maintain transaction archives, or copy every transaction into a separate spreadsheet or database. Adam links to a post by Gary Leff, who prints out everything he can think of because he is expecting to be cheated out of some complicated deal on frequent flier miles. This kind of thing is symptomatic of the shallow and short-sighted version of the Support Economy.
Meanwhile, when I buy a book from my local bookshop, the shop accepts cash or debit cards. But if I use a card, the bank will take a cut of the transaction (from the shop). So I prefer to pay cash if I can: cash doesn't really cost me any more than card, but I prefer the shop to get all the money.
Some people feel safer just carrying a card, because cash can be lost or stolen. But which is the greater risk - being mugged by a drug addict in the street, or being ripped off by a major corporation? Different people balance those risks differently.
Saturday, July 12, 2008
Friday, April 29, 2005
Dividing Risk
Responsibility for security of credit card transactions is divided between credit card companies and merchants. The credit card companies don't entirely trust the merchants, and want to ensure they take every possible precaution against fraud.
Credit card companies are larger and fewer, so they call the shots. Some elements of risk are unilaterally exported onto the merchant. In case of doubt, the merchant bears the financial burden. This is surely an example of asymmetric trust.
So who is responsible for specifying the security requirements, and designing the security mechanisms? Steven Hofmeyr argues that the credit card companies should leave this as a problem for the merchants to solve. "My suggestion to the credit card companies would be to impose heavy penalties on merchants that get compromised, but not to specify what exactly those merchants should do to make themselves secure." He favours incentives for companies to secure their systems, "without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way", on the grounds that this will encourage innovation in defence, and notes how legislation or regulation often generates such incentives. Hofmeyr's suggestion is endorsed by Adam Shostack.
Given the asymmetry of power, any requirements imposed on merchants by credit card companies are effectively equivalent to regulations. Leaving merchants free to interpret these regulations (and suffer the consequences if their interpretations aren't good enough) may affect the security of the whole ecosystem in some interesting ways.
Firstly, each merchant is faced with fear, uncertainty and doubt. The big companies probably know much more about the possible security mechanisms, and their advantages and disadvantages, but the small companies have to decide for themselves - and woe betide them if they get it wrong. This anxiety effect tends to erode confidence and trust in the network, thus reducing economic efficiency and ethical balance.
Secondly, we may expect considerable diversity of security mechanisms. This diversity may be one of the factors leading to the innovation that Hofmeyr argues for. But at the same time, diversity may impede the communication and adoption of innovation, so the effective innovation benefits are not clear-cut. Very occasionally, a centrally coordinated development effort may be both more cost-effective and more innovative than a large number of independent parallel developments. So it remains an open question whether the credit card companies should provide more specific guidance, and whether they should "own" the security requirements.
Thirdly, the greater the diversity of security mechanisms, the smaller the proportion of merchants likely to be affected by any given attack. This appears to be beneficial for the population of merchants as a whole, since it reduces the risk for any individual merchant, and makes some form of mutual insurance viable. Above all, it is beneficial to the credit card companies, whose business would only be seriously threatened by the loss of a significant number of merchants in one incident. However, given the incessant search for new modes of attack, this benefit depends on the collective ability to develop new forms of defence.
In a complex collaboration, a careful division of risk requires detailed analysis, robust negotiation, and attentive governance. Redistribution of risk-responsibility can have a huge effect on the total shared risk within the system, generating both economic and ethical benefits.
Technorati Tags: asymmetry innovation regulation requirements risk security trust