In late 2013, a security breach at a major retailer exposed information on 40 million payment cards. The number of data breaches has increased in recent years, and the targeted use of exposed data suggests a decentralized "virtual fraud factory" driving payment fraud. The direct costs of third-party fraud are high for consumers, banks, and merchants, but the indirect costs could be even higher if these incidences undermine the public's confidence in non-cash payments. Sullivan examines trends in payment fraud, prevention, and data protection to evaluate recent security performance. He then highlights several options to improve security and prevent fraud, including coordinated changes to the control structure over payment risk. Policymakers will need a broad perspective to judge weaknesses in this structure and its ability to adapt as new fraud methods arrive.