By Gerri Detweiler
Card numbers for as many as 1.5 million MasterCard and Visa cards were compromised in a recent data breach of payment processor Global Payments Inc. As a result, issuers are cancelling cards and reissuing new ones for customers, while MasterCard and Visa are doing their best to reassure cardholders that they won’t be held responsible for fraudulent charges.
While it's true that cardholders aren’t responsible for fraudulent charges, that doesn’t mean there is nothing to worry about when these kinds of breaches happen. Here are three serious problems you may not have heard about:
1. A Credit Card Breach Can Be A Real Hassle
Last week I logged onto my credit card issuer’s online card centre only to discover that my credit card account had completely disappeared from the website. There was no explanation, and no message to contact the card issuer. It was just gone.
I called the issuer immediately and, after several attempts at navigating through the automated phone system (there is no option to “press 9 if your account has disappeared”), I finally got through to a customer service representative.
There is nothing to be concerned about, he reassured me. I should just pay my bill with the statement I receive in the mail. “But I haven’t received paper statements for five years,” I shot back.
At that point, I was getting terse. I heard him clicking more keyboard buttons as he attempted to help me. After what seemed like an eternity, he told me that there was a “restriction” on my account and he would transfer me to someone who could help me resolve it.
After being transferred, cut off, and then calling back, I was finally able to speak with someone who told me there was some kind of breach involving a number of accounts. She informed me that my account had been temporarily suspended, and that a new card would be mailed out promptly. She also told me that my online account would be restored once my new card was issued. (I later wondered what would have happened if my bill was due that day. Would that have waived the fee for a payment by phone? I didn’t think to ask.)
Fortunately I don’t use that card often so there’s not a lot for me to worry about. But other cardholders may have more work to do, such as changing account numbers for automatic bill payments or for websites where they have stored the card numbers.
2. Vigilance May Be In Order
Initial reports of the Global Payments Inc. breach indicated that two types of account information may have been compromised: Track 1 (which contains personal information) and Track 2 (card numbers only). The company has since announced that only card information – and not personal information – was improperly downloaded. Still, the fact remains that cardholders simply don’t know who got hold of their information, or what they intend to do with it. If the intention was (or still is) identity theft, then you can’t be too careful. Barrett Burns, president of VantageScore and a Credit.com contributor, says:
“In the event of a security breach such as this, to protect their credit profile, consumers should immediately contact both the lenders and the credit reporting companies (CRCs) to be sure that there have not been any fraudulent transactions reported. Consumers should take detailed notes regarding when they contacted the lender and CRCs, what was discussed and with whom. It is important to be sure there aren’t any fraudulent credit inquiries and credit applications reported as well. In the event that either of these actions did occur, both lenders and the CRCs have processes in place that will remove any negative information that has been reported as a result of the fraud. Credit card fraud victims should also take steps to be sure another account will be issued so that their credit history is preserved.”
3. We’re Not Just Being Nice
Card issuers are going out of their way to emphasise that consumers won’t be responsible for any fraudulent charges as a result of a breach. That’s true. MasterCard and Visa both have pretty robust “zero liability” policies. But although they make a point of emphasising that their policies go beyond the requirements of federal law, in this case, the laws themselves offer comprehensive protection.
Under the Fair Credit Billing Act, which protects consumers in the case of credit card fraud, federal law limits liability for fraudulent charges to $50 in most cases. But if the card is not presented in the actual transaction (i.e., the card number is stolen and used online), then cardholders aren’t responsible for any fraudulent charges.
Debit cards are covered by a different law, the Electronic Fund Transfer Act. Under the EFTA, consumers have no liability for unauthorised access when the card (or “access device”) was not lost or stolen.
I am not implying that card issuers would try to hold consumers liable for fraudulent transactions as the result of a data breach. But cardholders who do run into any problems as the result of one should realise that federal law is on their side.