No one wants to have their credit card stolen or see fraudulent charges on their debit card. But it happens. Over 40% of adult Americans have experienced a fraudulent charge on their credit cards, and in 2020 around 460,000 cases of credit card fraud or credit card identity theft were reported to the Federal Trade Commission.

What can you do if you suspect credit or debit card fraud on your balance statements?

You might have seen warnings from your credit or debit card company telling you that if your card is stolen or you believe there is credit card or debit card fraud, you need to let them know as soon as possible. Many of those timelines are actually driven by legal protections you may have as a cardholder, and you can lose those protections if you don’t act quickly enough. For these reasons, it’s important to become familiar with basic legal card liability rules to keep your online payments secure.

Trying to understand financial regulations and card network rules can be confusing. While this blog doesn’t count as legal advice, we’ve summarized some of the key laws, regulations, and card liability rules you should be aware of. We cover the following:

  • Legal Protections for: Consumer Debit Card Fraud, Business Debit Card Fraud, and Credit Card Fraud
  • Card Network Zero Liability Policies
  • Exercising Your Card Fraud Rights
  • Using Privacy Cards To Keep Online Payments Secure

As you’ll read below, these protections can be useful, but they don’t save you from dealing with the fallout of fraud or theft. However, there are tools you can use to reduce your chances of getting caught up in credit and debit card fraud in the first place.

Do Credit and Debit Cards Have Fraud Protection?

The type of legal protections you may have on a card depends on the card type. In particular, protections vary based on whether a card is designed for consumers or businesses, and whether it’s a debit card or credit card.

Generally, consumer debit cards are regulated by the Electronic Fund Transfer Act (EFTA). The law was passed in 1978 to give consumers rights and outline their liabilities whenever they use debit cards or other electronic transaction methods like ACH.

The EFTA sets high-level rules, so regulators need to fill in the gaps, which they do by creating more detailed laws. The EFTA, for example, was implemented by Regulation E, so you might hear the two referred to interchangeably.

Because of these laws and regulations, consumer debit cardholders have limited liability if there are unauthorized transactions on their cards. “Unauthorized transactions” typically include the use of a card by someone who’s not the cardholder and who doesn’t have permission from the cardholder to use the card. Practically, this definition includes fraudulent transactions and/or transactions by someone who steals or takes your card.

Under the EFTA and Regulation E, consumer debit cardholders have the following limits on their liability for unauthorized transactions:

  • Cardholders are only liable up to $50 if they notify their card company within two business days after they find out about the fraud or loss or theft of their card.
  • Cardholders are only liable up to $500 if they notify their card company between three business days and 60 business days after discovering the fraud or loss or theft of their card.
  • After 60 days, cardholders can be liable for all of the unauthorized transactions that happen until the point they notify their card company about it.

As you can see, while there are some legal card liability protections for consumer debit cardholders, you may still be legally liable to pay out of pocket if you don’t act quickly after you discover the fraud. However, you still have another line of defense as a consumer. You might be fully protected by card network rules, which we'll discuss below. There are also other options, like virtual cards, that help reduce the chance of fraud occurring in the first place, allowing you to avoid the hassle of working with your bank and replacing your card.

Unlike consumer debit cards, commercial debit cards aren’t covered by the EFTA and Regulation E. Business debit cards normally don’t receive the same legal protections as consumer debit cards, and their holders may have to absorb losses associated with card theft or fraudulent charges. Some banks provide business debit card fraud protection via voluntary zero liability policies, but even then, the resolution process can be lengthy. If you want to protect your business from debit card fraud, consider using a virtual card to reduce the chances of your online payments being compromised in the first place.

Credit cards are generally regulated under different laws than debit cards. Specifically, credit cards are regulated by the Truth in Lending Act (TILA), which was implemented by Regulation Z. TILA was passed in 1968 to require credit disclosures so consumers knew the actual cost of credit products (i.e., interest rates and fees), and to help increase competition among credit card companies.

TILA protects credit cardholders by limiting their liability for unauthorized transactions to $50, and this liability limit applies regardless of when you identify and report the unauthorized use. Importantly, TILA’s liability protections apply to both consumer and business credit cards.

You can see TILA generally gives credit card users better coverage than the legal protections offered to debit cardholders, since debit cards have time limits for reporting fraud and the debit cardholder can potentially be fully liable if they don’t report it. However, as we will discuss below, you might be fully protected by card network rules and not be responsible for any credit card fraud transaction amount.

Even if your liability is legally limited, you still have to deal with the hassle of contacting your card issuer, waiting for a replacement card, and updating your billing information everywhere that the card had been previously stored. Privacy’s Virtual Cards, discussed below, can help prevent fraud from happening at all so you don’t have to deal with that hassle.

Card Network Zero Liability Policies

While laws and regulations like the EFTA and TILA offer fraud liability protections for certain types of cards, the card networks (e.g., Visa and Mastercard) have their own “zero liability” policies. Card networks encourage people to use and trust their network by giving certain cards full protection against fraudulent charges. So even if a debit cardholder is liable for, say, $50 under the EFTA, that might not matter if that cardholder is fully protected by Visa or Mastercard’s zero liability policies.

For example, Visa and Mastercard have zero liability policies that generally say cardholders are not liable for any amount of any transaction that results from card theft, loss, or fraud. To be eligible for the zero liability protection, cardholders need to take reasonable care of their card. This means, for instance, not sharing a picture of your card on social media. Cardholders also need to notify their issuing bank or card company as soon as they find out about the theft, loss, or fraud.

However, these zero liability policies normally do not apply to commercial debit or credit cards. They also typically do not apply to certain anonymous prepaid cards that don’t require the cardholder to register their identity (e.g., many types of gift cards). You should refer to your card’s specific terms for whether or not your card is covered by your card network’s zero liability policy.

Exercising Your Card Fraud Rights

The rights you have under laws or card network rules don’t kick in automatically; you have to exercise them. In practice, this means contacting the company that issued your card through their customer support phone number or email.

While card companies are normally responsive to fraud claims, you still have to spend the time identifying the fraud, contacting your card company, and potentially submitting supporting documentation about why a charge was fraudulent.

Using Privacy Virtual Cards To Keep Online Payments Secure

While there are legal and card network protections that may apply to card theft, loss, or fraud events that happen to your card, it’s much easier and less stressful to avoid those incidents altogether. Business cardholders in particular need to consider alternative ways to protect themselves because these types of cards often don’t have the same legal or card network protections when it comes to fraud liability.

There are many ways to help protect your debit card and credit card from fraud. We recommend using a Privacy Virtual Card for yourself or for your business to mask your true card number or bank information, essentially providing a layer of protection between your sensitive financial data and the merchants you shop at. With Privacy, you also have the option to create a Merchant-Locked Card that “locks” to the first merchant it's used at. If the merchant is breached or your card number is stolen, any attempt to run it at another merchant will automatically be declined.

Looking for more ways to keep your online payments secure? Start generating Virtual Cards with Privacy today.
