Douglas Schweitzer

The Security Sector

East Coast grocery chain security breach

Another breach has occurred and this one puts over four million credit and debit card accounts in jeopardy. The northeast's Hannaford Bros. grocery chain reported that during routine card authorization procedures, approximately 4.2 million card numbers were exposed. That makes it one of the largest breaches we've seen.

Luckily, personal data such as names, addresses and phone numbers were not revealed. No matter, though: over 1,800 cases of fraud have already taken place using the exposed account numbers alone. The U.S. Secret Service did verify that it is investigating, but said little else. Hannaford Bros. CEO Ronald C. Hodge assured customers that Hannaford "doesn't collect, know or keep any personally identifiable customer information from transactions" and also said the company has upped its network security.

In the meantime, all of Hannaford's customers are urged to monitor their credit and debit cards for bogus transactions. I say, everyone who uses credit and debit cards should already have such monitoring as part of their routine repertoire. There are just too many instances of thefts and breaches when it comes to using anything other than cash.

What People Are Saying

What no report has confirmed

What no report has confirmed is whether PINs were exposed too. Banks don't have to reimburse PIN-based fraud because "it's the consumer who lost the information". What a joke. When will these banks admit that the entire credit system needs a big-bang style overhaul? No more SSNs, no more blaming the consumer, no more PINs, no more signature transactions, and no more unencrypted data storage or transmission.

Rob's message

Rob,

I work in a financial institution and the law is very clear. You cannot be held liable for unauthorized debit card transactions, even if they are PIN based. The law goes on to say that even the people who write their PIN numbers on their debit card sleeves cannot be held liable if someone uses the card and PIN.

Whoever is giving you this information is incorrect. You are absolutely not liable for PIN based fraud.

from

From http://www.ftc.gov/bcp/conline/pubs/credit/atmcard.shtm:
Seems like "cannot be held liable" has some out clauses that can cost you "$50", "$500", or "unlimited loss".

"ATM or Debit Card Loss or Fraudulent Transfers (EFTA). Your liability under federal law for unauthorized use of your ATM or debit card depends on how quickly you report the loss. If you report an ATM or debit card missing before it's used without your permission, the EFTA says the card issuer cannot hold you responsible for any unauthorized transfers. If unauthorized use occurs before you report it, your liability under federal law depends on how quickly you report the loss.

For example, if you report the loss within two business days after you realize your card is missing, you will not be responsible for more than $50 for unauthorized use. However, if you don't report the loss within two business days after you discover the loss, you could lose up to $500 because of an unauthorized transfer. You also risk unlimited loss if you fail to report an unauthorized transfer within 60 days after your bank statement containing unauthorized use is mailed to you. That means you could lose all the money in your bank account and the unused portion of your line of credit established for overdrafts. However, for unauthorized transfers involving only your debit card number (not the loss of the card), you are liable only for transfers that occur after 60 days following the mailing of your bank statement containing the unauthorized use and before you report the loss."

response

The article you posted is taken directly from Regulation E which is a consumer protection law. If you read the part that says you may be liable for up to $500.00, it says "if you don't report it within two business days after you discover the loss". This is impossible to prove. Think about it, if you knew there was fraud on your debit card and didn't report it for three days, would you tell the bank you knew for three days or just found out? All you have to say is "I just found out" and you're covered. As for the $50.00 minimum amount you can be held liable for, I don't know of any financial institutions that enforce that. For the benefit of our customers, we refund from the first dollar.

The 60 days to report fraud is actually 60 days from when you discover it (when you receive a statement that the fraudulent transactions are on). What this means is that if you had fraud on your account on March 2nd and didn't get that statement containing the fraudulent transactions until April 7th, you have 60 days after April 7th to report the claim and be reimbursed.

Consumers are definitely well-protected when it comes to these security breaches and any type of fraudulent transactions on debit cards.

I will also tell you that the big losers as a result of these compromises are financial institutions. We are not a large bank but a Credit Union. What they don't tell you in the news is that any fraud that occurs on our customers' cards as a result of these breaches is directly paid back by us. Yes, that's correct. The financial institutions are the ones who are losing all of the money when fraud occurs on debit cards. If a class action lawsuit is filed and won, we receive a very small amount of the claim. We reissued 3000 cards for the TJX breach, had thousands and thousands of dollars in fraud and received $1,200.00 as part of the lawsuit but the compromise cost us well over $40,000.00 (not very fair, is it?). We repay our customers for any fraudulent transactions that have occurred and we also pay to reissue thousands and thousands of cards. This has a direct effect on our product pricing and servicing to our members when we are hit with loss after loss due to card compromises.

The customers are not the losers here, the retailers who expose the data do not lose that much either - the financial institutions these cards are drawn on are the big losers in the end.

The customers are not the

The customers are not the losers?
So, when a credit union gives a consumer a debit card using a system full of security issues, and the consumer has his account emptied due to some downstream breach (retailer, data service, Visa, PIN pad switch) and the consumer has the mortgage check bounce and maybe gets a late payment credit rpt ding or a collection or a foreclosure which the consumer then has the responsibility to fix which can take months or years, you're saying "poor bank"????

The customers are not the

That's only the beginning. To add further insult to injury, once the mortgage check bounces, the banks report this to each other and lower your credit rating and once this happens the interest on your credit card accounts will skyrocket to unthinkable rates driving the "stake" even deeper, possibly to the point of no return. Yeah Right...Poor Bank.

I never meant to imply this

I never meant to imply this was not inconvenient for consumers. I've had fraud occur on a credit card and it certainly is a big hassle to correct it.

I will say, however, that I'm not sure what institutions you belong to but all of the situations you mention above are fixed by us. We write letters if you bounce checks, we fix your credit report and we reverse any fees from other institutions you were charged also. A foreclosure notice won't be sent until your mortgage is 90 days late. The law says that we have 7 days to give you provisional credit when you report fraud (we give it the next day). You would have the mortgage money back in your account to make the payment by then.

I am really not trying to sound like "poor bank" here, really. I just happen to spend an exorbitant amount of time when we get these breaches pulling all of my employees together to cancel cards, reissue cards, mail letters and go through the entire reissue process. I can't even explain the amount of time it takes to effectively manage one of these breaches, leaving everything else by the wayside when it happens.

I have every sympathy for anyone who has to go through fraud occurring on their account and filling out the paperwork, waiting for a new card, trying to explain to creditors why a check bounced, etc. Really, I do. I was only trying to make you aware that the newspapers make it sound like VISA and the retailer where the fraud occurred accept the responsibility. Truthfully, they don't. The amount of fraud that occurs as a result of these breaches is paid for by the banks, not VISA and not the retailers who had the faulty systems.

Sorry if I sounded unsympathetic to consumers. No one should have to go through that. I was only trying to explain that financially, the burden does not fall where it should which is completely on the retailer where the breach occurred.