Your card’s zero liability policy might not be something you care much about – until your account gets compromised and fraudulent transactions from five states away start popping up. At that point, zero liability protection – and the fine print surrounding it – will determine whether you get those transactions reversed.
MasterCard has announced a major change in its debit card zero liability protections, extending them to ATM transactions and PIN-based transactions at the point of sale. Those transactions will fall under the zero liability shield in October 2014.
This announcement might be surprising to cardholders who didn’t know that they might not be protected if a thief gained access to their debit card PIN. In fact, zero liability protection can be confusing. Although it’s often touted on banks’ websites as one of a card’s many benefits, it’s not airtight. Here’s what to know about this protection, in light of MasterCard’s announcement.
What is zero liability?
If a thief hacks a retailer’s systems, skims your credit or debit card at a gas station or plucks your card out of your pocket, you shouldn’t be responsible for the purchases they make, right? The card networks (Visa and MasterCard) agree under most conditions, and that’s why they give you zero liability protection (which is actually provided via the bank that issues your card) – a promise to reimburse you for fraudulent credit and signature-based debit card transactions, assuming you notify your bank in a timely manner.
The amount you’re legally on the hook for is different for credit and debit cards, due to the different federal regulations that govern each. The Fair Credit Billing Act governs credit cards and ensures you’re responsible only for $50 in charges made before you report a card lost or stolen or notice unauthorized purchases (although your bank may decide not to hold you responsible for anything). Visa and MasterCard have long extended zero liability protection to credit card transactions, thus eliminating the $50 potential cost to consumers, in order to create a sense of security and encourage more card usage.
The Electronic Funds Transfer Act, meanwhile, regulates debit card liability. If you report the card lost or stolen before any fraudulent charges turn up, you’re responsible for nothing. If you report a card lost or stolen within two days of learning of the loss or theft, you’re only on the hook for $50. Between two days of learning about the fraud and 60 days after you receive your statement, you’re responsible for up to $500. After 60 days (from the day your statement is sent to you), you could end up losing all the money a thief spent (although your bank might be more lenient). Visa and MasterCard have never extended this additional coverage to PIN-based debit card transactions, however.
What makes the MasterCard announcement significant is that it closes a loophole in zero liability when it comes to debit cards. As mentioned, neither Visa nor MasterCard (until now) has extended zero liability to debit card point of sale or ATM transactions completed with a PIN; only transactions completed with a signature are covered. The idea behind this distinction is that, in theory, only the true cardholder should have the PIN. The networks don’t want cardholders giving their PINs to friends and family members and then crying fraud when that friend or family member goes shopping. A debit transaction completed with a signature is more likely to fit the profile of a fraudster who stole (or cloned) a card, but didn’t get the PIN.
Signature transactions are also processed differently than PIN transactions. When you select “credit” on the point-of-service machine and opt to sign for a debit card purchase, it’s processed over the card’s network. If you use a PIN, however, the transaction is processed over electronic funds transfer (EFT) networks that are not operated by Visa or MasterCard. It’s worth noting that debit transactions processed on Visa- and MasterCard-run networks generally result in more money (via interchange fees from the merchant) for MasterCard and Visa.
Here’s MasterCard’s policy until the new one takes over in October:
And here’s Visa’s. Notice how it excludes all transactions “not processed by Visa” (ie, transactions processed over the EFT networks):
The upshot: If a thief obtains a card’s PIN, and uses it instead of signing for purchases, the real cardholder won’t be covered by Visa or MasterCard’s more generous zero liability umbrella.
However, the bank that issued your debit card has a say in the matter, too, and it might have more generous protections. At the very least, the consumer still is covered by the federal $50 liability limit if the fraud is reported within two days of fraudulent charges.
For example, Chase’s zero liability policy includes ATMs:
Spokespersons for both Wells Fargo and Bank of America also confirmed that those banks already include PIN and ATM transactions in their zero liability protections.
What MasterCard’s new protections mean
The new protections create a noteworthy safety net for debit card holders whose PINs were stolen by PIN-pad overlays installed on ATMs or by someone looking over their shoulder in the checkout line. MasterCard is also rolling out automatic free ID theft resolution assistance on all credit, debit, prepaid and small business cards in July, which will assist cardholders in the process of cancelling lost cards and alerting credit agencies. The service will also monitor cardholders’ personal data and alert them if it turns up online. Several other third-party services do this, but they charge monthly fees.
That said, the card network giant isn’t taking a huge risk for consumers’ sakes: It’s hard for thieves to get both a card and a PIN – even in the Target breach, the PINs stolen were encrypted. Plus, it’s the issuing banks that will provide refunds for the newly eligible fraudulent PIN and ATM transactions anyway (and, as noted above, some major issuers were already providing protections above and beyond what MasterCard required). So, while consumers are getting some new protections, MasterCard has the most to gain – likely customers switching over from Visa, until Visa is goaded into making similar changes.