Who Pays When Merchants Are Victims of Credit Card Fraud?

Lindsay KonskoJune 3, 2014

Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own.

You aren’t liable for credit card fraud, but someone pays the tab.

There has been tons of publicity recently regarding credit card fraud and security, including a highly publicized breach of Target credit cards in late 2013. As a result of any credit card security breach, there are always going to be costs associated with the whole affair. It isn’t just fraudulent purchases, but each cost is borne by different entities, depending on the situation.

Banks take aim at large Target

Let’s start with something broad, like the Target story. In that case, the first string of losses occurs at Target, for any merchandise that was purchased and/or shipped. That could amount to millions of dollars in lost inventory.

Next comes the actual charges. Cardholders cannot be held liable by federal law, so they are not on the hook for those purchases. The banks that are partnered with the Target cards are the initial losers. Those charges were made by thieves who will obviously not pay the charges. The banks instead turn to Target and expect to be made whole, so that has resulted in a bunch of lawsuits.

So now the burden returns to Target, which is likely to be found responsible for the breach because of poor security. Target may lose up to a billion dollars.

But we’re not done. All those credit cards have to be replaced. Now we’re back to the banks, who have to issue all that new plastic. Yet, they will again look to Target to be made whole.

Big risks for small-business owners

The situation is worse for the small-business owners. Target won’t be happy about the massive losses, but small-business people can get destroyed. If fraudsters charge up a storm on stolen card data with a given merchant, and that merchant delivers his product, he’s out the product — and that’s just the start.

The banks may then look to him for reimbursement for permitting the fraudulent transactions. In addition, the payment processor will learn of the fraud and terminate his processing account. Once that happens, no other processing firm is likely to take his business. He’ll be put on a blacklist. So in this case, the merchant can just get destroyed.

Usually, however, it is the banks that get hurt the most. This includes small regional banks. Visa and MasterCard’s contracts generally put the burden of fraud reimbursement onto the bank. A small bank may get hit with a big fraud reimbursement if a breach is serious enough. Worse, if the merchant itself is somehow involved, it may make it impossible to recoup from the merchant.

What about debit card fraud?

Over in the debit card world, fraud is declining, down to about 0.04% of all activity. Fraud losses are usually shared between card issuers and merchants. The issuer has historically been stuck with about 60% of the loss, with almost all the rest going to the merchant. It’s rare the cardholder gets dinged — maybe less than 2% of all charges. Interestingly, the issuers picked up most of the losses when the card was present but was fraudulent, while merchants picked up the bulk of losses when cards were not present.

We want to hear from you and encourage a lively discussion among our users. Please help us keep our site clean and safe by following our posting guidelines, and avoid disclosing personal or sensitive information such as bank account or phone numbers. Any comments posted under NerdWallet’s official account are not reviewed or endorsed by representatives of financial institutions affiliated with the reviewed products, unless explicitly stated otherwise.