Debit Card Scam

According to this story, thousands of shoppers at a mall in British Columbia may have had their debit card and PIN data stolen. In a way, this underscores a fundamental problem with the security of non-chip-based cards. Making merchants liable may be one way to address this issue.

According to the story:

Thieves swapped debit machine PIN pads with units able to record customers’ debit card information. They would then use the data to create fake debit cards, essentially giving them free access to bank accounts.

Source: CTV News

I am not sure exactly how liable a customer is for fraudulent transactions involving a debit card, but credit cards typically have zero-liability features that protect the consumer, making them a potentially safer alternative from the consumer’s perspective. That being said, my understanding of the migration of credit cards to the EMV standard includes credit card associations possibly passing some measure of liability to the merchant for fraudulent card use. Considering the fees merchants pay, I find this passing of liability an erosion of the value credit cards provide a merchant (when, in my opinion, credit card associations should be enhancing the value they provide the merchant, thus justifying the interchange fees).

However, in the case of debit cards where data is stolen at the POS, it seems to make sense that the merchant bear some liability. As the story reports:

At least one unaffected business at the mall took the step of changing every single debit card terminal, in case any others were altered.

I think merchants need to be responsible for maintaining and ensuring the physical security of their POS systems and their customers’ data. That would include some degree of liability for this kind of debit card fraud.
