So, maybe you are among the 40,000,000 Target shoppers whose credit and debit card accounts have been compromised by a security breach that took place over the three weeks after Thanksgiving. In response, consumers are being warned to do everything from close their accounts to pay for credit card “monitoring” services. Some of this advice seems a bit extreme to me.
This is a good time to get reacquainted with the legal protections that exist for consumer (i.e., non-business) credit and debit accounts. Thanks to the National Consumer Law Center (NCLC), U.S Public Interest Research Group (PIRG), and Consumer Action for publishing a summary of the rules.
Credit cards: Under our friend the Truth-in-Lending Act (TILA), previously discussed in this space, your responsibility for unauthorized credit card charges is
limited to $50 or amounts charged before you notify the card issuer of the unauthorized use, whichever is less. And VISA and MasterCard have voluntary “zero liability” policies, at least as to one security breach within a year.
Debit cards: Debit cards are covered by a wholly different law, the Electronic Funds Transfer Act (EFTA). Your responsibility for debit card fraud charges is a bit more:
• up to $50 if you notify the bank within 2 days of the loss or theft of a card, and up to $500 afterwards. But if the physical debit card itself has not been lost or stolen, you are not liable for any unauthorized charges if you report them within 60 days after your bank sends out its statement showing an unauthorized transaction.
(Another problem with debit card fraud is that when your account is debited without authorization, you can’t use that money until the issue is resolved and the debit is reversed.)
The most important thing to do if your account has been compromised by a seller’s security breach is to check your statements carefully for several months. Chances are, no unauthorized charges will appear, but if they do, you will know to challenge them promptly and to close the account if the card issuer doesn’t do so spontaneously.
Be especially vigilant for “micro-charges” — unfamiliar charges so small that you might not normally trouble yourself to complain about them. Crime rings trying to show that cards are still active, in order to boost their value on the black market, sometimes do this by initiating a charge of a dollar or two because normally the card user would overlook it. Larger unauthorized charges then follow.
If the card you used at Target was a debit card, changing your PIN is also a good precaution and not an intolerable convenience — though personally, blessed with an ancient four-digit telephone number, I would hate, hate to have to change that PIN!
What about credit report monitoring? Simply put, it is not likely to be useful in this circumstance. It won’t tell you anything about misuse of a debit card. As for a credit card, consider that the worst consequence of ID theft, which a credit report would reveal — the opening and use of new credit accounts based on your personal information — is unlikely to result from a point-of-sale security breach because your Social Security number is not part of the information that was passed to the seller’s network. So do not pay money for credit card monitoring. The Attorney General’s Office is trying to get Target to agree to provide this service free for affected customers. It’s always a good idea to obtain your free report annually (www.annualcreditreport.com) and review it just to make sure there are no errors on it. But paying for this service as a result of the Target mess-up strikes me as allowing yourself to be victimized twice.