How Federal Laws and Industry Practices Limit Losses From Cyberattacks


September 12, 2016


When criminals make unauthorized purchases using stolen payment card numbers or other information, federal consumer laws and financial industry practices protect victims from losses under certain circumstances. Here are key details to remember.

If your credit card number is accessed by cyber-thieves

"Under federal law, a consumer's liability is normally capped at $50 for all unauthorized transactions on each card. However, if your credit card number is stolen, but not the card, you are not liable for any unauthorized use," said Richard Schwartz, a counsel in the FDIC's Consumer Compliance Section. "In addition, credit card losses are typically absorbed by the card issuer because of zero-liability policies, which preclude consumers from having to pay any amount of an unauthorized charge.  These policies are set by the card industry."

If your debit card or the card number is used to withdraw money from a checking or savings account

To minimize your losses, you should contact your bank as soon as possible if you discover that your debit card has been lost or stolen. Your maximum liability under federal law is $50 if you notify your bank within two business days after learning of the loss or theft of your card. But if you notify your bank after those first two days, under the law you could lose more.

What if your debit card number (not the card itself) is stolen in an online hacking incident? Remember to check your account activity regularly. Timing is critical because under federal law you will not be liable for the transaction if you report it within 60 days after your account statement showing the transaction is sent to you. But if the charge goes unreported for more than 60 days, all your money in the account could be lost. However, remember to check with your bank about the payment card networks' zero-liability policy, which may protect you.

If you have a debit card for a business account that is used fraudulently

Debit cards issued for business use have different loss protections than debit cards for consumers. The Uniform Commercial Code (UCC), which sets many rules for businesses, requires a standard of "ordinary care" by the card holder in order to avoid liability for losses from online fraud. "This can be a technical area, so check with an attorney to make sure you are managing your business account consistent with the UCC rules," Schwartz advised.

If a prepaid card account is used fraudulently

Prepaid cards have money deposited onto them, and they usually aren't linked to a checking or savings account. In terms of legal protections against losses as a result of fraud, the rules vary depending on the type of prepaid card:

  • Prepaid cards used by employers to pay their employees are covered under the same laws described earlier for consumer debit cards. 
  • General-purpose "reloadable" prepaid cards, which display a network brand such as American Express, Discover, MasterCard or Visa, currently have no protections limiting liability under federal law but do, in most cases, include in their contracts with customers the same protections as those for consumer debit cards. However, regarding liability for losses, the Consumer Financial Protection Bureau (CFPB) in November 2014 proposed a rule that would include reloadable prepaid cards under the federal law for consumer debit cards. Visit the CFPB website for updates.
  • Prepaid gift cards for purchases at stores are typically not registered and, therefore, are not subject to federal consumer liability rights and protections. Issuers of prepaid gift cards also generally do not provide their own fraud liability coverage to card holders. "If you lose your gift card, you will probably lose the entire value of that card," Schwartz said.

This article was written by the FDIC and was licensed with permission.

The views of the author of this article do not necessarily represent the views of First Republic Bank.