Card issuers passing on fraud costs to retailer

Although plastic payment devices - notably credit cards and debit cards - offer convenience and allow for a detailed analysis at the end of every month as to why you no longer have any money left, they also present risk.

Fortunately for consumers, most of the risk falls on card issuers. That's because the Truth in Lending Act - for credit cards - and the Electronic Funds Transfer Act - for debit cards - greatly limit cardholder liability for unauthorized use. As long as an unauthorized debit card transaction is promptly reported, a cardholder's liability is limited to $50. For credit cards, the limit is $50 regardless of when the unauthorized transaction is reported.

Card issuers, however, tired of losing millions of dollars every year to plastic payment fraud, are fighting back. They are doing so in part through contracts with merchants that accept plastic cards in payment for goods or services and with banks that process payments for these merchants. If these parties don't follow strict rules concerning security, they can find themselves paying contractual fines and having to reimburse card issuers for the costs they incur when a cardholder reports a fraudulent transaction generated through the use of stolen data.

In addition to passing the risk of plastic payment fraud on to others through contracts, some card issuers are pursuing a legislative strategy. Over the past couple of years, bills have been introduced in several state legislatures, and in Congress, that would impose liability on merchants and processors who fail to adhere to prescribed security procedures. So far, one such bill has made it through the legislative gantlet and become law. This law, called the Plastic Card Security Act, was enacted last year by the Minnesota Legislature.

Lobbied into existence principally by Minnesota's credit unions, the Plastic Card Security Act, among other things, makes a merchant liable for costs incurred by card issuers when the merchant allows information of the type contained in the magnetic strip on a plastic card to be retained and then stolen. These costs include having to cancel and reissue cards, close accounts, make refunds to cardholders, and notify cardholders that data from their card may have been compromised.

The Minnesota law was passed at the same time that TJX Companies, owner of TJ Maxx and Marshalls stores, was reeling from a multiyear theft of something like 47.5 million credit card numbers. This security breach, in addition to generating a federal investigation, has resulted in steep contractual fines and more than a dozen lawsuits, including class actions aimed at holding TJX liable for losses experienced by financial institutions involved in card issuing and/or card payment processing.

Critics of the Plastic Card Security Act say this law wasn't necessary because the plastic card industry already has in place a data security protocol (officially known as the Plastic Card Industry Data Security Standard, or PCI DSS), and contractual arrangements to enforce it, that are adequate to deal with the issue. Nonetheless, the new Minnesota law gives merchants another reason to take seriously the protection of data contained on and associated with plastic card payment devices.

Jim Flynn is a local attorney. Contact him c/o The Gazette, P.O. Box 1779, Colorado Springs 80901; fax 578-8836 or e-mail jtflynn@hotmail.com. Not all questions can be answered.