Economists use the term “ externality” to describe a situation where economic agents’ decisions are distorted by the fact they do not have to pay for some of the costs of their actions. This is usually addressed by regulation. The textbook example is pollution, but I find security to be at least as interesting.

In the US, the level of security associated with credit cards and credit reporting is abysmal. Most of Europe has switched to smart cards for their credit cards over a decade ago, leading to a much more secure system for offline purchases (which must be authenticated by the smart card and a PIN), rather than easy to tamper magnetic strips (which are kept, to allow visiting US tourists to make purchases). As the PIN code must be entered by the cardholder, a waiter in a restaurant verifies the card at the dining table and does not have the opportunity to engage in skimming.

There is usually no national credit bureau equivalent to Experian, Equifax or Trans Union in most European countries, because these would fall afoul of privacy laws. For this reason, credit card fraud is much rarer in Europe than in the US, and identity theft is almost unheard of.

In both cases, the externality is lax security, leading to lost time for consumers, whether simply an annoyance (credit card fraud) or a serious nightmare (identity theft). Credit reporting services do not bear most of the cost of identity theft, the hapless victims do. For online purchases, merchants are liable for fraud they have limited means to detect, and to add injury to insult, they also have to pay fees for the chargeback. Credit card companies figure the cost of processing claims and absorbing what little fraud they are liable for is less than the cost of upgrading the whole card reader infrastructure to use smart cards. They also think keeping perfunctory verification procedures will reduce barriers to impulse spending and thus increase profits.

They can do this, of course, because industry lobbying groups have been very effective at defeating consumer-friendly legislation in Congress or state legislatures. The time for action has come, however, because credit card fraud is now a primary source of funds for terrorists, whether abroad or in the US. To quote an interesting article in The Economist, it seems Al-Qaeda sometimes acts as a kind of venture capitalist for terror:

Units of his organisation are believed to raise money through financial and other sorts of crime. For example, Ahmed Ressam, an Algerian who plotted to bomb Los Angeles airport but later co-operated with American authorities, says he was given $12,000 of seed-money to set up his operation. When he asked for more cash, he was advised to finance himself by credit-card fraud.

For the sake of all, the credit industry cannot be allowed to continue in its complacent ways any more.

Updated 2003-06-02 following comments from “Saffiyya” regarding merchant liability