The Internet presents many opportunities for the user to purchase merchandise using a credit card or bank card. However, until planned security measures for the Internet are proven to be effective, a question is raised: Who will pay for the loss if a criminal diverts the bank card data used by a consumer over the Internet? Two federal statutes generally prevent banks and credit card associations from charging consumers for losses incurred by fraudulent use of bank cards. The 1970 amendment to the Federal Consumer Protection Act (FCPA) and the Electronic Funds Transfer Act of 1978 (EFTA) contain provisions that invariably preclude banks and credit card companies from charging consumers for fraudulent credit and debt card charges. Under the credit card fraud section of the FCPA, a user may be held liable for an unauthorized use if: the card holder has accepted the card; the liability does not exceed fifty dollars; the card issuer gives the card holder notice of the potential liability; the issuer provides the card holder with a description of the means by which the card holder can notify the issuer of loss or theft of the card; the unauthorized use occurs before the card holder has notified the issuer of the loss or theft; and the issuer has provided a method by which the card holder can be identified as the person authorized to use the card. However, if a credit card holder asserts that a charge was unauthorized, the burden of proof is on the card issuer to show each of the above elements. The EFTA establishes a similar comprehensive framework of consumer rights and liabilities for debit card transaction. However, unlike the FCPA which capped liability at fifty dollars, the EFTA has two exceptions regarding the amount of liability. The first exception states that a consumer may be liable for up to five hundred dollars for an unauthorized use if the consumer did not notify his or her financial institution within two business days after he or she discovers the loss or theft of the EFT card or Personal Identification Number. The second exception is that no ceiling on liability exists for unauthorized transfers if the consumer fails to notify the financial institution within sixty-days after the transmittal of a periodic statement to the consumer which shows the unauthorized transfer. The FCPA and the EFTA also apply to the Internet and the Internet consumer's liability. When a cyber-theft has occurred, the bank issuing the card bears the loss if 1) the stolen credit card data is used successfully by the cyber-thief or by an individual who purchased a stolen card from a cyber-thief; and 2) no authentication procedures are violated upon card use. This result is dictated by the traditional contractual arrangements adhered to among bank card organizations, banks, and merchants. Credit card companies are now in the process of adopting new rules governing Internet transactions. Absent such rules, the companies continue to use the outdated rules regarding default. As a result, consumers should not be concerned about potential theft of their bank card data because the federal statutes prevent the consumer from incurring liability for any significant misuse of the card data.
Randy Gainer, Allocating the Risk of Loss for Bank Card Fraud on the Internet, 15 J. Marshall J. Computer & Info. L. 39 (1996)