Protecting consumers’ personally identifiable information is essential during a payment transaction. Lawmakers are threatening to dismember these privacy protections by authorizing the Federal Reserve to implement new regulations on credit card transactions while hiding under the façade of “promoting competition.”
Legislation, such as the previously introduced Credit Card Competition Act (CCCA), would require that all networks expose their tokenization technology to competitors. Token domain restrictions are safeguards put in place to protect consumers from fraudulent activity. The provisions in this bill would put consumer privacy at risk.
A consent order issued by the Federal Trade Commission (FTC) proves the enactment of the CCCA would force payment card networks to give up their proprietary technology to competitors. The order requires Mastercard to share consumers’ primary account numbers “so that merchants may route tokenized transactions using Mastercard-branded debit cards to the available network of their choosing.” The justification for this order is based on section 1075 of the Dodd-Frank Act, which authorized the Federal Reserve to produce regulations that would force networks to reveal their proprietary technology for debit card transactions. The FTC’s order is a gross intrusion into a company’s ability to safeguard consumer data, but if section 1075 had never been enacted, the grounds for the consent order would have never materialized.
The CCCA does not strengthen the security of the U.S. payments system. The bill includes a provision that would require payment card networks to expose their proprietary cybersecurity and tokenization technology for credit card transactions to their competitors. This will disincentivize investment in future technologies and fail to protect consumers’ card numbers from bad actors.
Instead of promoting a free market, the CCCA erodes it.
Some special interest groups claim that the CCCA preserves consumer security because it prevents China UnionPay or other state-owned payment card networks from operating in the U.S. This is simply not true. The bill directs the Federal Reserve to issue regulations to “establish a public list” of payment card networks that “pose a risk to the national security of the United States” or is “owned, operated, or sponsored by a foreign state entity.” Creating a list of payment networks is a far cry from a bill that explicitly bans payment card networks under the influence of totalitarian regimes.
Legislation to prohibit state-owned networks from operating in the U.S. would be welcome news. However, coupling this prohibition with the provisions in the CCCA that deteriorate fraud protections would cut off one’s nose to spite one’s face.
The CCCA could also limit the supply of available credit cards equipped with Europay, Mastercard, and Visa (EMV) chips. The EMVtechnology “makes transactions less susceptible to fraud.” According to an article in The Washington Post, the shortage of semiconductors used in EMV chips has made it especially hard for “credit unions and regional banks” to distribute new cards to customers.
Consumers rely on EMV cards. In fact, “From July 2021 to June 2022, chip-enabled cards were swiped in 85 percent of transactions made in the United States.” A paper written by the Federal Reserve Bank of Atlanta reiterated that “EMV chip cards appear to have mitigated counterfeit card fraud.” However, because it took longer for the U.S. to adopt EMV chip cards than other countries, card fraud rates were “higher than in those markets that had migrated to EMV earlier.”
Additional impediments to enhanced cybersecurity, such as the CCCA, could put the U.S. at a competitive disadvantage to foreign countries.
The CCCA’s goal is not to offer multiple networks in case one of them malfunctions, it is to require at least two unaffiliated networks on every credit card so large merchants can pick the cheapest option. The cost of reissuing these cards to comply with these requirements could be as much as $5 billion. This would make credit cards “more expensive, not less” and combined with the chip shortage would “make such a task complicated.”
The bill is self-serving for special interest groups and not intended to benefit consumers.
Congress should crack down on state-owned networks and explore ways to deregulate payment transactions to incentivize investment in fraud protection that could improve upon current tokenization technology. Unfortunately, the CCCA fails on both accounts and ends up weakening cybersecurity protections for consumers.
Bryan Bashur is a federal affairs manager at Americans for Tax Reform and executive director of the Shareholder Advocacy Forum.
Join the conversation as a VIP Member