Slashdot

I've been thinking about the economics of website security recently. This started after seeing another report (one of many) of a poorly implement website which had a database full of credit card numbers stolen.

I began to reflect upon why this seems to happen way too frequently, and I think I have hit upon an answer. There is no economic incentive for companies to secure there credit card database except for that associated with bad PR. This is the fault of the fraud model used by credit card companies.

Credit card companies charge merchants a fee per transaction which is partly based upon number of charge backs against the merchants account. Thus, if you as a merchant accept a stolen credit card, you not only loose the cost of sale but also have higher overhead on all future credit card transactions. Thus this is a very strong economic incentive not to accept stolen credit cards.

There is no similar economic incentive to prevent your customers credit card from being stolen. If these stolen cards are used at another merchant, that merchant become the victim (and pays the real economic cost) of your poor security.

In general, I think displaced costs such as this and the reason that spam has become so prevalent is one of the biggest problems that free markets currently face. My next journal entry will probably be on the problems we as a society face due to displaced costs.