At Monday's Senate Banking Committee hearing on what to do about the Target and other recent data breaches, Senators led by subcommittee chairman Mark Warner (VA) endorsed our longtime U.S. PIRG platform that all plastic -- debit or credit -- should have the same consumer protections. Right now, debit card users have "zero liability" promises from their banks, but credit card users have strong protections by law. As Bloomberg quoted Senator Warner:
“I would support legislation that would equalize consumer protection for all forms of plastic,” Warner said in an interview. “The notion that you have one set of protections for credit cards and a different one for debit -- I didn’t know that three weeks ago and that ought be addressed.”
The 1968 Truth In Lending Act protects credit card users in a variety of ways. Its fraud loss limit is $50 maximum by law. It also provides for strong billing dispute error rights and gives consumers the ability to order their credit card company to investigate whenever purchased goods and services either don't arrive or don't work as promised (See more on the Fair Credit Billing Act).
Conversely, the 1977 Electronic Funds Transfer Act, which regulates debit cards (as well as direct deposits and other electronic transfers), has a 3-tiered shared liability system and provides neither of the other two protections. As we explained a few weeks ago in our Target breach tips:
Credit Cards: Under federal law, your responsibility for unauthorized credit card charges is limited to $50, and in some cases would be $0.
Debit Cards: Your responsibility for debit card fraud charges is a bit more:
- $50 if you notify the bank within 2 days.
- Up to $500 afterwards.
- Unlimited if you fail to report the fraud charges within 60 days after you receive your bank statement.
- However, if the physical debit card itself is not lost or stolen, you are not liable for any fraud charges if you report them within 60 days of your bank statement.
As I testified to the committee, I believe that the historical basis for the shared liability may be that when the EFTA was passed, ATM cards could only be used in ATM machines with a PIN number, meaning that Congress wanted consumers to protect their PIN number so it gave them some liability. Later, local PIN-debit networks such as the Star network were rolled out by a number of vendors. Remember when you could use your debit card at the grocery store, but only with a PIN?
But over the years, the big banks (which at one time wholly-owned the Mastercard and Visa networks and still own a large share of the now-publicly traded firms), sought to earn greater swipe fee, or interchange, revenue from merchants from their own massive, nationwide credit card payment platform, which relies on signatures, not PINs. So, they rolled out signature debit around 1997. When the little machine asks "credit or debit?" it is really asking: "signature credit platform or (safer) PIN debit platform?"
At that time, only after U.S. PIRG and Consumers Union raised a hue and cry (NY Times page 1, "Handy? Surely, But Debit Card Has Risks, Too" July 1997) about exposing bank accounts to an inherently unsafe platform did the networks add their "zero liability" promise. But it is still a promise, not the law. As the authoritative National Consumer Law Center points out, there are a variety of "conditions" and exceptions involved in the zero liability policies. And, of course, there is another problem. When a consumer is a victim of debit card fraud, she has money missing from her bank account while she waits for the bank to reimburse her (if it does). As I told the committee, by increasing bank liability we won't solve that problem, but we will "focus the minds" of the banks on protecting our information better, so fraud will happen less often.
The hearing also focused on a number of other important issues:
-- We argued against any federal breach law standard that preempts stronger state breach protections, or, particularly, that also includes a Trojan Horse provision preempting any additional state data security rules.
-- We urged Congress to investigate the activities of the bank/card network body that sets the so-called PCI security standards. We urged Congress to ensure that, going forward, performance standards are developed that encourage innovation and new methods of protecting information.
-- Along with the merchants, we pointed out that the PCI body is rolling out a weak "Chip and signature" card to replace the obsolete 50-year-old magnetic stripe cards that the current system relies on. We pointed out that Europe and Canada already use a higher standard, known as "Chip and PIN," so why are U.S. merchants and consumers going to be conned by a weaker standard?
You can watch the hearing on C-Span or read the testimony here. The committee has another hearing Thursday, when the financial regulators will come in to explain their responses to the data security debacle. At yesterday's hearing, the Secret Service and the FTC testified, along with me, the banks, the PCI body and the merchants.
Oh, and while we believe the banks and their obsolete cards are a large part of the problem, we don't let Target off with any sort of free pass. Target should be held accountable. And, as I told Target's hometown paper, the Star-Tribune (MN):
“Target’s drips-and-dregs method of slow-walking consumer notification of the extent of its breach has not served it well in the court of public opinion,” said Ed Mierzwinski of the Federation of State Public Interest Research Groups. “Did it comply with existing state breach notification laws? We’ll wait to see what state attorneys general say. Further, Target should be offering more to its customers to restore their good faith than a paltry credit monitoring service.”