People assume the big security shifts in payments came from regulators. Mostly they did not. They came from a subtler and more powerful lever: changing who eats the loss. Move the liability, and the market upgrades itself — no mandate, no enforcement, just self-interest doing the work a law would have struggled to do.
The cleanest example is the American chip-card rollout. For years the US ran on magnetic stripes while Europe used chips, and no amount of scolding changed it — the upgrade was expensive and nobody wanted to pay first. Then, in 2015, the card networks changed one rule: after a certain date, if counterfeit fraud happened at a merchant who could have used a chip and didn't, that merchant — not the issuing bank — would eat the loss. No law. No deadline enforced by any government. Just a relocated liability. Within a couple of years the countertops of America sprouted chip readers, because suddenly the cost of not upgrading landed squarely on the person who could fix it.
Once you notice the pattern, you see it everywhere. 3-D Secure — the bank step-up at online checkout — spread because a successfully authenticated transaction shifts chargeback liability from the merchant to the issuer. Tokenization spread because it moves the cost of a breach off the merchant. The rule underneath all of it: liability follows the weakest link, and whoever holds the loss buys the lock.
Where the pattern breaks
For years I would have told you, flatly, that every security mandate in the card world was a liability shift and not a regulation. In the card world, that holds. But it is worth being precise, because the most interesting recent development is the exception. Instant bank rails — UPI, Pix, Faster Payments — are push-and-final. They have no chargeback to relocate. When authorized-push-payment scams exploded on them, there was no liability to shift, so the market did nothing. It took an actual regulator: in October 2024 the UK made banks reimburse most APP-scam victims by law. A year in, the independent review found scam losses down roughly £73 million and reimbursement rates up — because, exactly as with the chip, once the banks owned the loss they funded the controls. Same logic, different lever: this time the liability had to be assigned by rule, because the rail offered no natural place for it to land.
That is the whole trick, and its limit. If you want a payment system to get safer, the fastest path is rarely a technical mandate. It is to find the party who could prevent the loss and make sure the loss lands on them. Cards do it with network rules. Where the rails leave no room for that — the new, final, irreversible ones — the state has to step in and do by law what liability used to do by design. Watch the loss, and you can predict the lock.