Who Pays For Credit Card Fraud?

More than 65% of all credit card holders have fallen victim to fraud at one point in their lives. Credit card fraud in the US resulted in roughly $5.72 billion in losses last year alone. 

The rate at which credit card fraud has grown in recent years is alarming. But with billions in losses, this begs the question—who foots the bill?

In short, consumers are rarely liable for credit card fraud. The merchant that processed the transaction or the bank that issued the card is usually liable for the charge. 

If your business has fallen victim to processing fraudulent transactions, you need to read this guide. You’ll learn more about when it’s your responsibility to pay for credit card fraud and when the liability shifts to another person or entity. 

We’ll also break down the different types of credit card fraud and explain the differences between credit card fraud and debit card fraud. Let’s dive in.

Types of Credit Card Fraud

Credit card fraud is a broad statement that can apply to a wide range of scenarios. These are the most common forms of credit card fraud:

• Card-Not-Present (CNP) Fraud — CNP fraud occurs when fraudsters have someone’s credit card information but don’t have the physical card. The fraud occurs when they use this information to make unauthorized purchases, typically online or over the phone. 
• Lost or Stolen Cards — If a physical card is lost, stolen, or falls into the wrong hands, the criminal can fraudulently use the card to make transactions both online or in-person. 
• Phishing — Phishing scams trick consumers into providing passwords or account numbers to scammers via compromised sites. This usually occurs via email or text message and then allows cybercriminals to gain access to sensitive credit card information. 
• Account Takeover — An account takeover refers to a scenario when a cybercriminal assumes ownership of a third-party account using stolen login credentials. Once they’re into an account, they may attempt to change the password or get a new card issued.
• Identity Theft — Identity theft happens when a cybercriminal uses someone’s personal information (usually a social security number) to commit fraud or other crimes. With a stolen social security number, criminals can open new credit accounts, buy a car, obtain a loan, and more.
• Skimming — Skimming occurs when criminals illegally collect credit card information using scanning devices. These devices are commonly placed on gas pumps, ATM machines, and POS terminals. Once the information is collected, the scammers can print fake credit or debit cards using those numbers. 

All of these scenarios can lead to a fraudulent transaction being processed by a merchant, unbeknown to the consumer or the business. 

Who is Liable For Credit Card Fraud?

In most situations, the business or the card issuing bank is held liable for credit card fraud. But beyond the merchant and bank, there are other situations when the cardholder, fraudster, or insurance company might pay for credit card fraud.

We’ll break down the situations when each of these entities would have to pay for the fraudulent charges. 

When Cardholders Pay For Credit Card Fraud

Consumers are rarely liable if a credit card number has been compromised or used to make unauthorized purchases. That’s because most credit card networks have zero-liability policies that strongly favor the cardholder. 

With a quick call or a few simple clicks from the web or mobile app, the cardholder can report an unauthorized charge, get refunded, and have a new card issued almost instantly. 

Even if a cardholder is forced to pay for a fraudulent charge, the Fair Credit Billing Act under US federal law limits this liability to just $50. They’re not responsible for anything over that amount, and credit card networks often waive the $50 liability for the consumer. 

Consumers may indirectly pay for credit card fraud as merchants across every industry raise prices so that a certain percentage of fraud is baked into their bottom line. This is one way that businesses attempt to pass the cost of credit card fraud to customers without actually holding them responsible for specific transactions. 

Cardholders may also be held liable for credit card fraud if it’s determined that the charge is “friendly fraud.”

Friendly fraud occurs when a consumer reports a transaction as unauthorized, but the charge was actually legitimate. This commonly occurs if the merchant’s name on the consumer’s credit card statement differs from the business name—causing the consumer to not recognize the charge. Sometimes friendly fraud can occur if a customer attempts to file a chargeback rather than returning an item directly to the merchant. 

When Merchants Pay For Credit Card Fraud

Merchants are often held responsible for credit card fraud if they are using outdated equipment or technology. The transaction environment and type of card used can also impact the merchant’s liability. 

For card-present fraud, the merchant is typically liable if an EMV chip-enabled card is swiped or manually keyed instead of being dipped or tapped. That’s because using the chip is a more secure way to process the transaction. So if a merchant opts for a less secure way to process the card, the liability tends to fall on the business. 

The credit card networks all have different liability rules for credit card transactions, and businesses agree to these terms when they sign a merchant agreement. 

Merchants are also more likely to pay for credit card fraud if the transaction occurred online. Again, this is due to the fact that online transactions are less secure than card-present transactions. 

Even if the merchant is doing everything right, including using the most updated technology, remaining PCI compliant, and doing everything they can to collect additional data to prevent fraudulent charges, merchants are still often held liable for the charge. Not only do they have to pay for the amount, but the business also loses out on the cost of goods sold. 

When Banks Pay For Credit Card Fraud

If a merchant isn’t held liable, then the bank will likely absorb the cost of credit card fraud. 

Due to the way credit card processing works, the card issuing bank is the first entity that actually loses money on the charge. That’s because they front the cash to make the purchase before they’re reimbursed by collecting funds from the cardholder. But once it’s determined that the transaction is fraudulent, the cardholder doesn’t have to pay, and the money has already been sent to the merchant. 

While this isn’t a 100% firm rule, this liability shift diagram typically explains when the merchant pays compared to when the bank pays. 

The “no liability” parts of the chart refer to the merchant’s liability. Simply put, whenever the merchant is not liable for the fraud, the bank assumes liability. 

There are exceptions to this rule, but it’s a good rule of thumb to follow. 

When Insurance Companies Pay For Credit Card Fraud

It’s rare, but there are some situations when insurance companies will pay for credit card fraud. 

Some merchants have insurance policies that cover cybersecurity and cyber attacks. So in the event of a breach where credit card information is stolen, the merchant may not be held liable for the repayments, and the insurance policy might kick in. 

These policies can potentially cover lawsuits and even legal fees for a data breach. 

But it wouldn’t apply to a standard one-off fraudulent charge where a stolen credit card number was used to buy a pair of sneakers online.  

When Thieves Pay For Credit Card Fraud

While credit card fraud is on the rise, arrests and convictions are dropping by as much as 24%. It’s unlikely that a fraudster will get caught or convicted. But if they do, the judge could hold them responsible for paying back the business or consumer who was ripped off.

Since cardholders are rarely held liable, they don’t tend to file police reports or pursue prosecution for whoever stole their card information. 

Most businesses don’t have the time or resources to do this either. Even when police reports are filed, it’s tough to find the fraudsters—especially if the transactions were conducted online. 

Credit Card Fraud vs. Debit Card Fraud

Debit card fraud has different liability rules compared to credit card fraud. That’s because debit cards or ATM cards are tied directly to the cardholder’s checking account. So the money is coming from the cardholder’s account as opposed to the issuing bank’s account.

According to the Electronic Fund Transfer Act, if a cardholder reports a debit card or ATM card missing before it’s used, they are not responsible for any authorization transactions.

If there’s an unauthorized charge on a debit or ATM card before it’s reported lost or stolen, the cardholder’s liability can range from anywhere from $50 to $500. In some cases, the cardholder is fully responsible, depending on how long they wait to report the charge. 

What Happens If Someone Uses a Stolen Credit Card at Your Business?

If someone uses a stolen credit card to buy something from your business and the transaction is successful, there’s a good chance the merchant will be responsible for the charges.

Once the cardholder recognizes the fraudulent charge, they’ll contact their bank to issue a chargeback. Beyond the transaction amount, the merchant may also incur additional fees or charges associated with the chargeback.

However, if someone uses a stolen credit card at your business but the card has previously been reported as lost or stolen by the cardholder, then the bank will decline the transaction. If it’s an in-person attempt, the card terminal may even prompt you to confiscate the card.

Final Thoughts

Merchants and card-issuing banks are the two most likely entities to be held responsible for credit card fraud. The liability almost always comes down to which party used less secure technology to process the transaction. 

Cardholders are rarely responsible for paying. Even if they are held responsible, US law protects their liability to just $50 per fraudulent transaction. 

Since it’s so tough to catch and prosecute thieves using stolen credit card information, businesses shouldn’t rely on getting justice. In many cases, they just need to take the loss and move on. 

To help reduce your liability of paying for fraudulent charges, make sure staying PCI compliant and that all of your hardware and technology is up-to-date with the latest standards. Avoid manually keying cards or swiping cards that have an EMV chip. If those transactions are fraudulent, you’ll almost always be held responsible for the charges.