Banking Blog

Finance Blogs » Banking Blog » 1.5M cards at risk in data breach

1.5M cards at risk in data breach

By Claes Bell ·
Monday, April 2, 2012
Posted: 3 pm ET

The good news? Only 1.5 million cardholders are at heightened risk of fraud.

As my colleague Janna Herron wrote last week, Global Payments, a major credit card and debit card processing firm, admitted last week that it had suffered a serious security breach earlier this year.

When the news broke Friday, security blogger Brian Krebs wrote that he was hearing from financial industry sources that the breach could involve as many as 10 million Visa and MasterCard customers. Visa quickly yanked its seal of approval from Global Payments pending an audit of the company's security procedures.

On Sunday, the company issued a press release putting the number of cards involved at "less than 1.5 million," and isolating the breach to North American cardholders. Also, the company is saying that only Track 2 data were stolen, meaning that while the thieves could use the information to print counterfeit cards, they would not have access to the cards' "security code" printed on the back, nor would they have access to users' personal data such as Social Security numbers or addresses.

While 1.5 million is a lot better than 10 million, I wouldn't break out the Champagne quite yet. Oftentimes, companies experiencing a breach later revise the number of affected customers upward as the full extent of the breach becomes known.

So what does this mean for U.S. debit card holders? The best thing you can do to avoid losing money to thieves is keeping a close eye on your account and reporting any transactions you don't recognize as quickly as possible.

Debit card fraud protection laws in the U.S. are heavily time sensitive; the faster you report fraudulent activity to your bank, the less you'll be on the hook for. If you report unauthorized purchases within 2 days, the maximum you'll pay out of pocket is $50. After that, it's $500, and after 60 days, your liability is unlimited. Your bank may have more consumer-friendly rules, but that's the protection mandated by law.

You'll want to do the initial reporting by phone, obviously, but follow up as soon as possible with a written communication such as an email or letter. Proving when and how you contacted your bank about the fraud could be key if the bank balks at restoring your funds.

Keep in mind, too, that your checking account will be missing those funds until the bank finishes whatever process it goes through before restoring ripped-off customers' money. That could cause checks to bounce or bills to rack up late charges, none of which are covered by the law.

Scenarios like the situation with Global Payments are always a reminder of how different consumer protection laws are for credit and debit cards. If your credit card information is stolen and used by thieves to make unauthorized purchases, your liability is limited to $50 regardless of how long it takes you to report it. And if the fraud comes as a result of stolen information, as it would in this case, your liability is zero.

Personally, I don't see why fraud protection for debit card holders should be any different than for credit card holders. I'd like to see Congress take action to give debit card holders the same rights.

What do you think? How often do you monitor your checking account? Should debit cards and credit cards have different fraud protection laws?

Follow me on Twitter: @ClaesBell.

Bankrate wants to hear from you and encourages comments. We ask that you stay on topic, respect other people's opinions, and avoid profanity, offensive statements, and illegal content. Please keep in mind that we reserve the right to (but are not obligated to) edit or delete your comments. Please avoid posting private or confidential information, and also keep in mind that anything you post may be disclosed, published, transmitted or reused.

By submitting a post, you agree to be bound by Bankrate's terms of use. Please refer to Bankrate's privacy policy for more information regarding Bankrate's privacy practices.