Wednesday, January 21, 2009

Yet Another Card Data Breach


Watch your credit card and bank debit statements carefully over the next few months. The New York Times reports that a major processor of card transactions (Heartland Payment Systems) has disclosed that unencrypted data was "sniffed" by thieves over the past several months at the point in transactions where the processor asks for authorization from the issuer network (VISA, MasterCard, Discover, AmEx). Tens of millions of credit and debit cardholders are potentially exposed to card data theft and subsequent fraud.

Heartland has set up a website explaining what happened and noting that "Cardholders are not responsible for unauthorized fraudulent charges made by third parties." Recall that the Truth in Lending Act (TILA) § 133 (codified at 15 U.S.C. § 1643) shields credit card holders from liability for unauthorized charges beyond the first $50, and I suspect Heartland's release reflects the credit card issuer networks' near-universal policy these days to waive even the first $50 of liability. As for debit card fraud, at least for consumer accounts, the Electronic Fund Transfers Act (EFTA) § 909 (codified at 15 U.S.C. § 1693g) provides more or less parallel protection, though with some complicated expansions of liability for consumers who are not vigilant about reporting fraudulent activity. Though the Heartland release mentions only "charges" (not debits), I understand that the major debit processing networks have a similar "zero liability" policy for fraudulent debits, waiving the first $50 and perhaps the expanded liability, as well.

All of this does the victimized consumer little good, though, if s/he doesn't notice and report the fraud (either to avoid paying a fraudulent charge or to request a refund of a fraudulent debit). So watch your statements carefully, and be thankful we're not in Europe, whose laws generally do not protect consumer card users as generously as TILA and EFTA.
