Failure: scale, security and ignorance

RELease 1.0, March 31, 1995

The price of success. The hardest part of creating new payment systems is handling failure well. Payment systems that don't will themselves fail, even if the service is free. Every new system must be at least as robust as the system it replaces.

Failures happen both accidentally and fraudulently; some kinds are expected, some are not. One common failure is simple non-payment of debt. Handling expected failures should be simple, but unexpected failures are always expensive.

The upper bound on aggregate transaction fees is in practice a small percentage of the transaction amount.(1) The cost of a failed transaction, however, can be enormous. First at risk is the entire amount of the transaction. Next is arguing over fault and blame, which involves staff and often lawyers; for small transactions, this cost is always larger than the transaction amount. Cascading transaction failure may lead to credit cost, loss of business, bankruptcy or even court-ordered damages worth more than the enterprise itself.

People are skittish about unreliable money systems. Too many breakdowns, which is likely not very many, reduce customer confidence in the system to unsustainably low levels. An unsellable system is a lost investment.

Scale variance. In a working and deployed payment system, accidental failure is more common that purposive failure. In a badly designed payment system, however, purposive failure quickly leads to massive fraud, system failure and acrimonious lawsuits.

The dilemma of every new payment mechanism is that a small trial deployment cannot accurately demonstrate the security of a full-scale system, and that a large deployment is not a trial but a product. A potential defrauder has negative incentive to point out flaws during a trial. Should a bank deploy a flawed system, the defrauder's income stream from fraud would be much larger and longer lasting. Thus payment systems are not testable in advance but only after implementation. The importance of understanding the systems thoroughly up front is difficult to overstate.

Any payment system, no matter how unwieldy or expensive, is better than no payment system for certain people and certain types of transactions. The initial success of a payment system says nothing about its long-term viability or its growth potential. Rapid initial growth is no proof of a concept's excellence but rather evidence of pent-up demand.

Optimist for a day. Any idiot can design a payment system that works when nothing goes wrong. Here's one: I'll write down how much money I have and you write down how much money you have. When we do a transaction, I subtract the amount of money I'm paying you from my balance and you add it to yours. When nothing goes wrong, this system works just fine.

I immediately hear complaints: What if I just change my balance? Well, something went wrong.

That pin-striped look. Bankers are notoriously conservative. Rather than taking this comment as an opportunity for stereotyping, we might rather view it as a starting place for understanding. Banks are intermediaries. They get in the middle of interactions. These intermediaries do not arise for specific transactions but persist through time. One does not instantiate a bank to perform a set of transactions as one might a corporation to make a movie or to build an office high-rise. Banks are a shared resource.

The result of shared mediation is that banks become centers. As long as everything works normally, there is no particular concern with centrality. Nevertheless, things go wrong. A failure in the center is much larger than a failure in the periphery. The notion of adequate responsibility has much greater consequences for banking than for other endeavors.

In the same way, banks as a group form a trustworthy network. Not only is individual reliability important, but also the robustness of the banking system as another center. Hence stem periodic concerns over various kinds of systemic risk.

Credit-card security. Credit-card use at the point of sale has changed little since inception. The customer presents a card; the clerk hands back a bill; the customer signs it. Electronic capture of the transaction information has changed the efficiency of the point of sale but not the basic interaction of the card with the customer. Possession of the card is still the basic security mechanism at the point of sale. At the outset, this was a perfectly reasonable process, but it has not scaled gracefully.

Credit cards have seen a steady increase in generality and use. As a result, the utility of fraud has increased as it became easier to use pilfered card information to defraud for goods. A veritable technological arms race is afoot: Cheap reproductions of fake cards have led to the use of holograms (now themselves pirated in southern China) and cardholder photographs. The card companies currently have the upper hand. Credit-card fraud, which peaked in 1992, has decreased for the last two years. Two recent changes led to the bulk of the decrease. The first was requiring the customer to activate the card after it has arrived. The second is pattern-recognition to detect unusual spending.