Good question. The great credit card debacle that was that Target breakin was the force that finally pushed the US to have chips put in their cards, but the truth has always been that credit card companies would much rather spread the cost of fraud over interest rates and bank fees than actually mitigate it, after all a transaction is a transaction and if they can keep most of their fees its a win right?
I was in one of those fancy investment seminars and was seated next to a guy who either was or worked with the Chief Security Officer (CSO) of a big credit card issuer. I had asked how a credit card could justify charging 15 - 30% interest when the fed rate was below 2%. He explained that all of the fraud is covered by the fees and interest. They tune their systems to return the most money per dollar transacted and it is simpler to raise the interest rate across their base by 3% to cover any fraud obligations because they still make the money on the base transaction fee. While more complex security would cut their fraud losses it would also cut their earnings because it would reduce the overall transaction rate and the total number of dollars they process through a transaction.
Think about it this way, someone buys a $500 TV with a stolen or fraudulent CC. The CC company gets $10 from the company selling the TV (2% transaction charge) and covers the $500 "loss" out of interest payments above the cost of borrowing by other customers. End of the day they get their $10 and lose no money. What's not to like? Nobody will regulate them so that they cannot cover their "loss" of $500 by raising interest rates, and they still get their 2%.
It is a pretty classic case that their interests aren't really aligned with those of consumers.
What you describe matches my understanding perfectly.
Even if you leave finance charges out of it and are discussing debit cards - the interchange revenue is way more than enough to cover fraud liabilities. Throw in account fees, and you've got yourself a profitable product.
I was working at a small bank during ye old Target/Heartland breach years, and the only time I heard dissatisfaction expressed at the security status quo was when the breaches forced large-scale card reissuances. General fraud scaled proportionally with transaction volume, and was easy to deal with. Mass-reissuance didn't.
I was in one of those fancy investment seminars and was seated next to a guy who either was or worked with the Chief Security Officer (CSO) of a big credit card issuer. I had asked how a credit card could justify charging 15 - 30% interest when the fed rate was below 2%. He explained that all of the fraud is covered by the fees and interest. They tune their systems to return the most money per dollar transacted and it is simpler to raise the interest rate across their base by 3% to cover any fraud obligations because they still make the money on the base transaction fee. While more complex security would cut their fraud losses it would also cut their earnings because it would reduce the overall transaction rate and the total number of dollars they process through a transaction.
Think about it this way, someone buys a $500 TV with a stolen or fraudulent CC. The CC company gets $10 from the company selling the TV (2% transaction charge) and covers the $500 "loss" out of interest payments above the cost of borrowing by other customers. End of the day they get their $10 and lose no money. What's not to like? Nobody will regulate them so that they cannot cover their "loss" of $500 by raising interest rates, and they still get their 2%.
It is a pretty classic case that their interests aren't really aligned with those of consumers.