Edward A. Morse of Creighton and Vasant Raval of Creighton Business have written Private Ordering in Light of the Law: Acheiving Consumer Protection through Payment Card Security Measures, 10 DePaul Business & Commercial Law Journal 213 (2012). Here's the abstract:
A private ordering regime has developed within the payment card industry to define appropriate security practices and to monitor compliance by network participants. Market demands for trustworthy systems upon which consumers and merchants could rely provide incentives for security, which the card brands supplement by privately designed fines and sanctions imposed through contract. Although private ordering has functioned sufficiently well to make payment cards a trusted payment method, the system is not completely secure, as data security breaches continue to occur. This is not surprising, as complete security is not a feasible goal. Nevertheless, some have questioned whether additional government regulation is necessary to protect consumers. This article explores the effects of legal intervention, including disclosure laws, on this private ordering system. It questions whether additional government intervention would enhance consumer welfare, particularly when consumers will likely bear the ultimate costs of such regulation. It recommends modifications in breach disclosure laws to eliminate individual notice requirements in favor of public notices, which may reduce costs and enhance consumer welfare. It challenges “bounty” enforcement regimes, such as FACTA, which offer little marginal benefit to consumers while substantially raising costs. It identifies practical and political problems presented by the different capacities of large and small firms to bear security costs, which are not easily solved under either private ordering or legislative approaches. Finally, it offers a set of policy issues as a possible agenda for consideration by policy makers and researchers in this domain.