Should a business notify me about a compromised credit card?
The Bankrate promise
At Bankrate we strive to help you make smarter financial decisions. While we adhere to strict , this post may contain references to products from our partners. Here's an explanation for . The content on this page is accurate as of the posting date; however, some of the offers mentioned may have expired. Terms apply to the offers listed on this page. Any opinions, analyses, reviews or recommendations expressed in this article are those of the author’s alone, and have not been reviewed, approved or otherwise endorsed by any card issuer.
A hotel can get pre-authorization from you to place a hold on your card for your stay upfront and then actually bill you when your stay ends. How long after you depart can it continue to bill you, though? If a charge shows up at some distant point in the future, it is likely the card has been compromised.
For instance, reader Dan writes that 18 months after his hotel stay, the business charged his credit card: “Didn’t inform me, call, anything. Just charged me $300, 18 months later.” Dan has disputed the charge with his bank, had the card canceled and has received a replacement card but not a chargeback of the disputed amount. He is wondering if the hotel’s practice is legal.
Business reporting on compromised information
It appears likely that Dan’s card has been compromised. Maybe a rogue employee used the card information to make an unauthorized charge, for instance. Businesses have certain legal responsibilities to customers when they find out that a card has been compromised.
The Federal Trade Commission offers advice for businesses on what to do if information has been compromised: “If you quickly notify people that their personal information has been compromised, they can take steps to reduce the chance that their information will be misused.”
Businesses should take into account various factors in deciding whom to notify and how to notify them. These include:
- State laws
- What sort of compromise it is
- What sort of information has been leaked
- How likely it is that the information will be misused
- The extent of damage in case the information is misused
Businesses should also provide details about the compromise. Based on state law, this could include:
- How the compromise came about
- What sort of information was leaked
- How the offenders have used the information (in case the business is aware of this)
- Any actions the business took to remedy the situation
- Input on what the business is doing to protect individuals (such as offering credit monitoring services)
- Contact information for appropriate people in the organization
The FTC also says businesses should inform customers about how they intend to contact them for follow up (for instance, by mail) including whether they will not be contacted at all. That way, customers can avoid being taken in by phishing scams from fraudsters that have their information.
Credit card procedures
Card issuers have their own protocol regarding how to deal with a compromised card situation. While different issuer guidance may vary, it’s important to notify your issuer if your account is compromised and cancel the card. This will reduce the potential for fraud as the compromised credentials will no longer be valid.
Considering networks such as Visa and MasterCard have zero liability protection policies, you will not be held responsible for unauthorized charges. However, you should report them immediately, so keep an eye on your account online to make sure you don’t miss any. You may have to file an affidavit of fraud with your financial institution. You could also be asked to file a police report to facilitate an investigation.
Issuers could give you a provisional chargeback of the disputed amount once they review a case and have all the documentation necessary to process a dispute.
Since your Social Security number is not compromised when someone has your card information, it seems identity theft is unlikely.
The bottom line
Dan, it seems the hotel compromised your card information in some way, leading to an unauthorized charge. If the hotel was aware of the situation, it should have followed the laws and informed you. You might consider discussing the situation with an attorney to see if you have a case against the hotel.
If it makes you feel better, you could also resort to credit monitoring services, offered for free by some financial institutions. And don’t forget to provide merchants who will bill you on a recurring basis, say for a digital streaming service, your new card information.
Contact me at email@example.com with your credit card-related questions.