Target recently confirmed that over 40 million in-store shoppers’ debit and credit card data was stolen – everything from the cardholder’s name to the card number to the expiration date to the three-digit number on the back of the card. The data breach began on the Wednesday before Thanksgiving and continued until December 15th – a time period which includes the biggest online shopping day of the year, Black Friday. We’ll break down what you need to know about the data breach, how to protect yourself, and whether this could have been prevented.
What you need to do
Target says that the breach only affected in-store customers – online shoppers are unaffected. If you’ve shopped at Target this holiday season, check your credit and debit card statements right away to see if you have any unauthorized purchases.
If you see one, call your bank immediately to report that the card is compromised. Then, take a deep breath. You might not be on the hook for the whole amount. If you used a debit card, you aren’t liable for any fraudulent purchases provided that you still have the card in your possession (that is, it wasn’t lost or stolen) and you report it within 60 days of receiving your statement. If you used a credit card, you’re not liable for fraudulent transactions when you still have the card, no matter when it’s reported, unless the bank thinks you’ve been grossly negligent. On top of that, most credit cards have zero-liability policies that protect you from losing any money to fraud. Since you caught the problem early, you’ll be all right.
Lawmakers and banks recognize that if a thief manages to steal credit or debit card information during a point-of-sale transaction (when you swipe your card in a terminal), there’s not much your average consumer can do about it. As a result, you aren’t liable for as much as if you’d simply lost your card.
Could the data breach have been prevented with better technology?
You might have heard of EMV chip-and-PIN or chip-and-signature credit cards, which use a different verification method than the typical American magnetic stripe. EMV credit cards are widely adopted in Europe, and fraudulent point-of-sale transactions dropped drastically. For example, face-to-face fraud rates in England dropped by a full 63% between 2004 and 2010. It’s likely that if the US had adopted EMV technology already, we’d see lower fraud rates.
It’s reasonable to ask why few American cards use EMV chips. The answer has to do with interchange fees – the fee that a merchant pays to a card network, payment processor and bank every time you use plastic. These fees are usually around 2% of the total transaction amount, and tend to be higher for credit cards and lower for debit. This is compared to 0.5% in Australia, and in the European Union, 0.2% for debit and 0.3% for credit. Nominally, interchange fees are meant to offset fraud losses. When a network like Visa or MasterCard wants to justify its rate, it points to the high incidence of fraud. However, interchange revenue greatly exceeds fraud loss. In 2012, American merchants paid over $41.2 billion in interchange fees, but total US fraud losses were just $5.33 billion. This removes the incentive for banks to innovate on fraud protection. So while more banks and networks are warming up to the idea of American EMV cards, it’s still a long way away.