In the wake of Target’s disclosure that upwards of 40 million cards were compromised, a tsunami of public outrage and public opinions have been raised in discussions about how this happened and what Target should have done to stop it. According to the Wall Street Journal Target has already reported that sales are down as shoppers stay away out of fear. Consumers are still cautious about Target, and they are afraid of making purchases there. But should they be?
Are consumers liable?
On Christmas Eve, Visa took out a full page ad in the Wall Street Journal advertising their Zero Liability policy. A quick check on Visa’s policy advertises three steps. 1. Shop worry-free. 2. Report Suspicious Charges. 3. Get quick resolution and provisional credit. A similar check on Mastercard’s website spells out a similar policy. They in fact also call it the zero-liability policy.
Visa and Mastercard absolutely dominate the credit and debit card market in the U.S. with a combined total of roughly 85% market share. What this means for affected Target shoppers is that for any cards that have been stolen and fraudulently used they will have effectively zero financial liability for bad purchases.
So if the card holder isn’t liable, then who is? The answer often depends on where the criminals use the cards.
Online versus physical stores matter in fraud
For companies with a physical retail location, as long as they followed standard card issuer procedure by asking for ID and collecting a signature during checkout, then most of the time the card issuer will absorb the costs. For online companies though any orders purchased with stolen data will be charged against the online store.
For online companies, this means that for the time being they have to operate under the premise that there are an additional 40 million bad cards circulating in the US market, and that any one of them could be used against them and cost their business if they don’t stop the transaction.
Now for some perspective, according to a recent joint study by the U.S. Census Bureau and Experian among others, there are roughly 1.5 billion active credit cards in circulation in the U.S. This equals out to about 5 cards for every U.S. citizen. This is a double edged sword for online merchants. The good news is that there are a significant amount of legitimate cards ready to make purchases, and credit cards are still the easiest way for online merchants to accept payment. The bad news is that with so many cards in circulation, online merchants have a plethora of potentially bad transactions coming their way. The real card holder may not even be aware their card is being used fraudulently if it is not their primary credit or debit card.
So who is most liable?
So who’s really at risk because of Target’s data breach? It’s not the hackers who stole the data. These stealthy online criminals almost never use their stolen information, instead using online marketplaces to sell off the card numbers to less technical criminals who then use them to make purchases or drain accounts. It also generally is not merchants with physical locations, because criminals realize that their stolen data has a time limit before the real card holder cancels the account and shopping in person takes time and risk. Target and web based merchants are the real victims. In fee’s alone it is estimated that Target will have to pay the card issuers $3.6 billion for exposing consumer data. But it is the online merchants who are primarily at risk, and they are liable for every stolen Target card that they process.
For months or even years now, these web based business will have to take a little extra care to validate each order from their purchases to ensure that they don’t process a transaction from a stolen card until all the stolen Target cards are cancelled or out of circulation. That is until the next breach.