Hacked Credit Card: The Biggest Consumer Risk

by John DiGiacomo

Partner

Data Breach

A hacked credit card is one of the biggest problems consumers face. Someone who is not authorized to use a card can gain access to the credit card number, the name on the card, and the PIN. They can then use this information to make unauthorized purchases. Alternatively, hacked credit card information is sold to thieves through online black markets. Buyers of hacked credit card information often use the ill-gotten credit card information to commit fraud.

But how do thieves get access to this information in the first place? How do they hack credit cards, and is it a common occurrence? Below is an overview of the most common ways that cyber thieves gain access to credit card information.

How Credit Card Information Gets Hacked

Hacked data systems are one of the leading sources of leaked credit card information. The hack could occur at:

  • the point-of-sale device located at a merchant’s store.
  • the processor of the transaction, i.e., the network of the company that processes the credit card transaction.
  • a point-of-sale service company or vendor, i.e., the company whose technology facilitates the credit card transaction.
  • an online merchant’s e-store.

The likelihood of a consumer learning about a hacked credit card at any one of the above-identified levels is low. Hacks are difficult to detect, and liability for the security breach is often difficult to pin down. Furthermore, banks and credit card companies often do not tell their customers the source of the data security breach without some sort of legal interference that requires them to do so. Banks issue new credit or debit cards to affected customers with no explanation other than that a security breach occurred and that the customer may have been affected.

How Common is Credit Card Fraud?

CreditCards.com reported that 82% of credit card fraud was committed due to credit card hacks. This was prior to the requirements that all credit cards include a computer chip in them. The chip technology, known as EMV (Europay, Mastercard, and Visa), is designed to make credit card hacking significantly more difficult by generating a unique transaction code for each purchase that cannot be reused.

Legal Protections for Victims of Credit Card Fraud

Consumers who discover that their credit card information has been hacked have important legal protections. Understanding those protections — and the limits of those protections — matters for anyone affected by payment card fraud.

The Fair Credit Billing Act

The Fair Credit Billing Act (FCBA), 15 U.S.C. § 1666, limits consumer liability for unauthorized credit card charges to $50 per card. In practice, most major card issuers have zero-liability policies that waive even this $50 limit for unauthorized purchases. The FCBA applies to credit cards; it does not cover debit cards in the same way.

To invoke FCBA protections, a consumer must notify the card issuer of the unauthorized charge in writing within 60 days of the date the issuer sent the statement showing the charge. The card issuer must then investigate the dispute and either reverse the charge or explain in writing why the charge is valid. During the investigation, the consumer is not required to pay the disputed amount, and the issuer may not report that amount to credit bureaus as delinquent.

The Electronic Fund Transfer Act

Debit cards and other electronic fund transfers are governed by the Electronic Fund Transfer Act (EFTA), 15 U.S.C. §§ 1693 et seq. Debit card consumers have weaker fraud protections than credit card holders. Consumer liability under the EFTA depends on how quickly the consumer reports the loss or theft:

  • If the consumer reports the loss or theft before any unauthorized transfers are made, liability is $0.
  • If the consumer reports within 2 business days of learning about the loss, liability is capped at $50.
  • If the consumer reports between 2 and 60 business days after receiving the statement, liability can be up to $500.
  • If the consumer fails to report within 60 days of receiving the statement, liability is unlimited.

These timelines make prompt reporting critical for debit card holders. A consumer who waits to review a bank statement can lose all legal protection for transfers made more than 60 days before they report the problem.

Credit Freeze Rights Under the FCRA

When credit card fraud is part of a broader identity theft incident — where the thief obtains enough personal information to open new accounts in the victim’s name — the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681c-1, gives consumers the right to place a free security freeze on their credit file with each of the three major credit reporting agencies: Equifax, Experian, and TransUnion. A security freeze prevents the bureaus from releasing the consumer’s credit report to potential new creditors, effectively blocking the opening of new fraudulent accounts.

Consumers can also place a free fraud alert on their credit file, which requires creditors to take extra steps to verify the identity of anyone applying for new credit in the consumer’s name. An initial fraud alert lasts one year. An extended fraud alert, available to victims of identity theft who have filed a police report, lasts seven years.

Civil Claims Against Negligent Merchants

When a merchant’s failure to maintain adequate payment security results in the exposure of customer credit card data, affected customers may have civil claims against the merchant beyond the dispute rights available through the card issuer. Courts have recognized negligence claims, breach of implied contract claims, and claims under state consumer protection statutes in data breach cases. The viability of these claims depends heavily on the specific facts, including the merchant’s knowledge of security vulnerabilities before the breach, its compliance or non-compliance with PCI-DSS standards, and the actual harm suffered by affected consumers.

Class actions are the most common litigation vehicle in payment card breach cases. When thousands of consumers are affected by a single breach event, class certification is often appropriate because the common issues — the merchant’s security practices, the breach event itself, the categories of data exposed — predominate over individual issues. Several major retail data breaches, including the Target breach in 2013, resulted in class action settlements worth hundreds of millions of dollars.

Steps Consumers Should Take After a Credit Card Hack

  • Report the fraud immediately. Contact the card issuer as soon as unauthorized charges are discovered. For debit cards, the timing of your report directly affects your legal liability.
  • Review all recent statements. Credit card hackers often test stolen cards with small charges before making larger purchases. Review statements carefully for any unfamiliar transactions, however small.
  • Place a credit freeze or fraud alert. If your personal information may have been exposed along with your payment card number, place a security freeze or fraud alert on your credit reports with all three bureaus.
  • File a police report. A police report creates a legal record of the identity theft and is required to obtain an extended fraud alert. It may also be useful in disputing fraudulent accounts or charges.
  • Consult an attorney. If you have suffered significant financial losses due to a credit card hack connected to a merchant data breach, an attorney can advise whether you have viable claims against the merchant, the breach notification obligations that may apply, and how to preserve your rights.

Contact Revision Legal

Revision Legal represents both consumers and businesses in data breach matters. If you have been affected by a credit card hack and need guidance on your legal options, or if your business has experienced a payment system breach and needs help navigating notification obligations and litigation exposure, contact the data breach attorneys at Revision Legal today.
