[t0mbstone]

Because credit card companies are run by imbeciles who don't understand security. Instead of actually solving their security issues, they just crunch the numbers and mitigate their risks with accountants. They are still raking in buttloads of money (like 3% of every transaction), so even with all the theft, they are insanely profitable.

[mikeash]

I don't know that they are stupid. Security is a tradeoff, and if their optimal profit level is one where fraud happens at a decent level, is that really wrong?

This reminds me of the Potato Paradox article posted on the front page. Imagine if the card company comes up with some way to cut fraud by 50%, while the added hassle has a minor impact on legitimate transactions, reducing them by 1%. That's likely to be a significant net loss for them, because of the relative proportion of legitimate to fraudulent transactions in the first place.

[t0mbstone]

Percentages are percentages. If you gain 1% in profits from lower fraud, but lose 1% of transactions due to the security measures on the credit cards being harder to use, you are still basically breaking even.

They would also be saving tons of money from being able to reduce their fraud analysis and recovery staff, and they would build goodwill with not only their merchants but also their customers. I know plenty of people who still dislike using credit cards because of the potential for fraud and having their number stolen.

When you think about it, it's pretty insane how many people you probably hand your credit card to every week. Any one of those people could have a smart phone or something with the camera on, capturing the numbers on the front and back of the card. Credit card numbers are so insecure right now, it's ridiculous. If you are going to use a credit card as a consumer, you pretty much need to keep a non-stop eye on your statements. And when you actually DO get your number stolen, you have to deal with the hassle of disputing the charge and going back and forth.

Who knows? Maybe they would actually have a big upswing in credit card usage (and the resulting transaction percentage profits) if they released a "new, more secure card"?

[mikeash]

Recasting fraud reduction as "1% in profits" is extremely misleading, because fraud is a tiny proportion of overall activity. Reducing fraud by 1% of profits would require a huge improvement in your ability to fight fraud, whereas reducing legitimate transactions by 1% of profits is much easier.

And it's not like card companies do absolutely nothing. The US is finally moving to chips, which will cut down a lot. Notably it's just chips, not chip-and-PIN, because they want to keep that friction low. But when they are able to fight fraud while still keeping friction low, they do it.

I think the market is competitive enough that if people wanted more security, someone would offer it and it would gain in popularity. We do see this to an extent, with security features like sending transactions to your phone as they happen. In fact, a very few banks will issue you a chip-and-PIN card right now if you want it. Or you can get a debit-only card, with no credit features, so that a PIN is always required. Mostly people don't seem to care, though.