You, the consumer, typically aren’t liable for credit card fraud, but someone pays the tab.
So who foots the bill when a thief uses your credit card or its number to illegally buy stuff? The short answer is it’s typically the merchant where you bought something or the bank that issued the credit card. It depends on the circumstances.
Credit card fraud is no small problem. As the most common type of identity theft each year, reported dollar losses in 2019 were about $135 million, according to the U.S. Federal Trade Commission. If you haven’t yet been a victim of credit card fraud, count yourself lucky. If you have, it’s probably not your fault. Card numbers get stolen in a variety of ways, including credit card security breaches at major retailers.
Were you a victim of credit card fraud? Here are resources:
Here’s who pays when a thief illegally uses your credit card or its number to buy goods or services.
When cardholders pay
The short story is: rarely. If a credit card has been compromised, the card issuer typically cancels the old number and issues a new card with little fuss.
Why? It's because banks and credit card networks, such as Visa and Mastercard, have policies that promise consumers won’t be responsible for unauthorized charges, often termed "zero-liability policies."
“A card issuer typically cancels the old number and issues a new card with little fuss.”
Even better than their promise is U.S. federal law, specifically the Fair Credit Billing Act. It limits your liability for unauthorized use of your credit card to $50.
Again, as a practical matter, credit card networks waive even that $50 liability.
More broadly, however, U.S. credit card fraud over time raises retail prices for consumers, as businesses pass along the cost of fraud.
When merchants or banks pay
This can get tricky and could come down to whether the fraudulent transaction involved an actual card — called "card-present" fraud — or just the credit card number, called "card-not-present" fraud. Examples are a card dipped into a payment-card reader in a retail store versus paying for an online transaction by typing in a credit card number.
Generally, the bank is more likely to be liable for the fraud for card-present transactions, while the merchant might get stuck with the cost for transactions without a physical card. (Merchants using the older swipe payment terminals and not the newer chip readers also incur more liability.)
“The bank is more likely to be liable for the fraud for card-present transactions, while the merchant might get stuck with the cost for transactions without a physical card.”
The rules on liability are dictated by the credit card network the transaction used, such as Visa, Mastercard, American Express or Discover.
And there are additional internal system costs for disputing the fraudulent charge — called a chargeback. That could mean that regardless of liability, the bank, for example, could make a business decision not to pursue reimbursement for fraud from the merchant and simply absorb the cost.
In addition, major credit card issuers — typically banks — have many fraud-related business costs other than reimbursing the customer for a fraudulent purchase. They pay to operate fraud departments, employ customer service representatives to answer fraud calls from consumers and incur the cost to replace compromised cards with new ones, for example.
When networks pay
Networks, such as Visa and Mastercard, act as a clearinghouse for the transaction and typically aren't liable for unauthorized charges.
What about the thieves?
Arrest and conviction rates for credit card fraud are hard to come by, but it’s safe to say those rates are low. That means thieves don’t often pay.
What’s different with debit card fraud?
If you report an ATM or debit card missing before someone uses it, you aren't responsible for unauthorized transactions, according to the Electronic Fund Transfer Act.
If someone uses your card before you report it lost or stolen, your liability depends on how quickly you report it. It ranges from $50 to $500 or even unlimited liability.
Again, liability between the merchant and card issuer is dictated by the rules of the card network that processed the transaction. And the debit card’s network or card issuer might have additional protections beyond federal law.