Money has partnered with CardRatings.com and ConsumersAdvocate.org, among other companies, for our coverage of credit card products. Money, CardRatings.com, and ConsumersAdvocate.org may receive a commission from card issuers. For example, Money receives a commission from Citi when you apply and are approved for a Citi product through the links on this site.
Opinions expressed here are the author's alone, not those of any bank, credit card issuer, airline or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.
Retailers are gearing up for the holiday shopping season, but one thing has some consumers spooked: According to a new survey by CreditCards.com, 45% of respondents say they are less likely to shop at stores that have suffered a data breach, such as Target, Home Depot, or Michaels. Almost 30% say they will “probably” avoid stores that have been hacked, and 16% claim they “definitely” will.
While it’s hard to believe that half of all shoppers will actually skip the sales at major retailers come holiday season, Target did suffer a 5.5% decline in transactions last year after its data breach.
But shoppers, you’re being silly. You don’t need to avoid stores that have been hacked. Here’s why.
1) If someone steals your credit or debit card number, you have very limited liability.
You’ve got at least one reason to thank Congress: The Fair Credit Billing Act and the Electronic Fund Transfer Act cap how much money you’ll lose if someone steals your credit or debit card. If someone steals your card number but not your actual card — which could happen during a data breach — you are not liable for any fraudulent transactions. Read: You won’t lose any money. Just be sure to report any fraudulent debit card charges within 60 days of receiving your statement.
The rules are a little different if someone steals your physical card. With credit cards, you still won’t need to pay anything if you report the loss before a thief uses the card. Otherwise, your liability is capped at $50. With debit cards, you’ll only pay up to $50 if you report the theft within two days, or up to $500 if you report the theft within 60 days of receiving your statement.
There’s another reason to prefer credit over debit. When someone makes fraudulent charges on your credit card, you can challenge the bill when you receive it. But when someone else uses your debit card, that money comes straight out of your account, so it could take a little bit longer to recover your funds.
And if you’re really afraid, just stash the plastic. CreditCards.com reports that 48% of shoppers say data breaches have made them more likely to spend cash.
2) Avoiding these stores won’t protect you from the scariest kinds of identity theft.
When someone steals your credit card number and spends your money, that’s considered “existing account fraud.” Banks and credit card companies have gotten pretty good at identifying abnormal spending patterns, so you’re likely to catch existing account fraud early, and your liability is limited.
But if someone steals your Social Security number, opens a new credit card in your name, provides a new billing address, and runs up big charges, it might take you a while to notice. That’s called “new account fraud,” and it’s a real headache.
To catch new account fraud, check your credit report three times a year. It’s not hard to do, and it’s free. Your report will show all your accounts and debts, as well as your payment history. Check to make sure all of the information is accurate and all of the accounts actually belong to you. (Go. Do it now. Did you catch a problem? Here’s what to do.) If you’re afraid that your social security number has already been stolen, you can put a free fraud alert on your credit file to let lenders know or freeze your credit so that no one else can open new accounts in your name.
But you don’t give out your Social Security number every time you swipe your credit card, don’t worry about going shopping.
3) Safer cards are on the way.
Are you sick of all these data breaches? So are businesses — after all, they’re the ones on the hook for fraud, not you. That’s why Visa and Mastercard are sending out new “chip-and-pin” cards. These cards have embedded microchips, which are more secure than magnetic stripes. If you’ve ever traveled abroad, you might remember what chip-and-pin technology looks like; Europeans have been using this system since the 1990s. While not foolproof, these cards are a great improvement. President Obama signed an executive order last week requiring that all government credit cards use chip-and-pin technology.
Practically speaking, chip-and-pin cards won’t do much more to help consumers at point-of-sale — remember, you have limited liability. But starting Oct. 1, 2015, the liability will shift to whichever business has the oldest technology. If credit card companies don’t update their cards, they will be liable for any fraud; if retailers don’t offer chip-and-pin terminals, they’ll be on the hook. So everyone has an incentive to make payment systems more secure, which is ultimately in consumers’ best interest.
4) Retailers that got hacked are working harder to win back your trust.
Guess which retailer is installing chip-and-pin technology in all of its stores and on all of its branded cards — Target!
Guess which retailer offered free credit monitoring to all its customers — Target!
Guess which retailer just started offering free shipping — Target!
Given that there have been 606 data breaches already this year, according to the Identity Theft Resource Center, you can probably expect more to come. But the retailers that have already been hacked are beefing up security and offering free identity theft protection services to consumers, so you’re probably safer there than everywhere else.
If that doesn’t put your mind at ease, here are some more steps you can take:
- The one foolproof thing you can do to protect yourself from identity theft
- Is my data safe?
- What should I do if I have been the victim of a data breach?
- How can I protect myself from identity theft?
- What should I do if my identity is stolen?