We have debit card disputes from multiple customers where it appears that the debit card numbers have been stolen and new cards created. The source of the theft is not identified as of yet, but we have a business suspect that all these customers have transactions with. Is there a solution for us as a bank for dealing with these disputes that the regulation will allow (other than refunding all these transactions)? We have a feeling this is not the last we will hear of this.

Unless you can reasonably come to the conclusion that your cardholders are complicit in fraud, you have to complete investigations and, I'll assume, find that the transactions were unauthorized. Skimmed or stolen card numbers, when put on counterfeit cards, are not accepted access devices, and you will not be able to make your cardholders responsible for any part of an unauthorized transaction under such a circumstance. I imagine you have already done what you CAN do -- cancel and hot-card those numbers and, if of a mind to do so, reissued new cards.

Reg E and VISA/MasterCard Zero Liability are clear that the customer has no liability for these transactions. Generally, in the case of a counterfeit card, your chargeback rights are limited because all the acquiring merchant must do is provide a signed sales receipt to refute any chargeback request.

It is important that you report all fraudulent transactions to the Fraud Reporting Service (VISA issuers) or the System to Avoid Fraud Effectively (MasterCard Issuers). The card brands use this information to locate a common point of purchase and identify all of your at risk cards. Also, if the merchant is found to be negligent is safeguarding cardholder data, VISA/MasterCard have the right to hold the offending merchant liable for at least a portion of the fraudulent activity and require issuer reimbursement from the acquirer.

While it is frustrating to take these fraud losses, I will be hosting a webinar on Thursday Sept 20 on Fraud Loss Prevention as this is a concern that all debit card issuers face.

We report to Visa or MC as a CPP and also report to Law Enforcement. Caught a couple bad guys that way.


Also, if we detect a CPP, we block that merchant from future purchases until we determine the threat has passed & we close any other customers who also shopped there & reissue cards. (usually will "warm" the card until customer gets new card to prevent customer service issues)

I also recommend reviewing all of your cards(both debit and credit)for those that were used at that merchant during the compromise window. Automatically block and reissue that haven't had fraud yet; you could have a ticking timebomb.