“Credit or debit?” It’s all very confusing for American shoppers. But the news about a massive point-of-sale data theft at Target makes one thing very, very clear: Always choose “credit” when possible!
Note: This article is about the American financial system. Other systems in other countries are very, very different.
Credit and Debit
The American financial services industry has changed radically since Bank of America sent unsolicited Visa cards to 60,000 residents of Fresno in 1958. But the most radical change was the introduction of debit “check cards” in the 1980s. Since then, merchants have been pushing customers to choose debit at the register, avoiding credit card transaction fees and pocketing the difference.
Let me explain the difference between credit and debit cards first:
- Credit transactions pass from the point of sale terminal (“cash register”) through a transaction network to the issuing bank. There, the transaction is added to a customer’s bill, which they (hopefully) pay at the end of the month. There are a few important elements I should mention here:
  - These transactions are credit – that is, the bank pays the merchant and bills the customer later
  - The credit card association (Visa, American Express, etc.) and issuing bank (Chase, Bank of America, etc.) withhold a fee of up to 5% on each transaction
  - Lots of people don’t pay their bills on time, dispute charges, and otherwise leave the banks holding the bag, and everyone gets ripped off by the companies in return, typically paying over 20% interest
  - In case of fraud, US law limits customer liability to just $50, and many cards offer 100% fraud coverage
- Debit transactions go directly from the point of sale terminal (“cash register”) through a transaction network to the customer’s bank account. The money is immediately removed from the account at the time of sale.
  - These transactions are debits – the customer pays the merchant
  - Fees for debit card transactions are much lower, dramatically increasing profit margin for merchants
  - Although debit fraud is widespread, consumers are responsible for monitoring and reporting fraud; otherwise banks and networks are off the hook. The length of time and amount of protection varies
Debit Cards That Look Like Credit Cards
The situation got much more complicated in the last decade as debit cards began appearing with Visa, MasterCard, and American Express logos. These are still debit cards, but they function slightly differently than before. Transactions can now pass through the traditional PIN debit system (EFTPOS) or the credit card network.
With these “check cards”, consumers can choose whether to use the debit or credit network for their transactions. And the choice they make has a massive impact on their liability and financial issues in case of fraud.
- Select “Debit” and the terminal will ask you to enter your PIN. It will also give you the opportunity to receive cash back, which is not possible through the credit network. This is a traditional EFTPOS debit as outlined above, and is very risky (as we’ll discuss in a moment).
- Select “Credit” and the transaction will become an “offline debit” in industry parlance. This means it will take a few days to “post” to your account and will pass through the credit card network. The terminal may ask for a signature, but this is becoming less common for small transactions these days.
Do Not Select Debit!
Can you spot the differences? There are two huge issues with selecting “debit”:
- You have given up your ATM PIN to an unknown (and often poorly-protected) point-of-sale computer
- Money is immediately transferred from your bank account and you are on the hook to detect any fraud
Thieves recently stole 4 million transactions from Target stores, apparently swiping data over the network directly from cash registers. This allows them to clone all of the cards, regardless of whether they were credit cards, traditional debit cards, or credit-logo debit cards. They definitely swiped PINs used for debit transactions, and they may have swiped lots more information, including card verification codes and personal information. There have been many similar cases of “point of sale systems” (which are typically poorly-maintained computers running outdated Windows versions) being infected with thieving malware.
If customers selected “debit” at these stores, thieves can pull money directly out of their accounts from any ATM or store on the planet. Although Target will likely take the initiative to notify customers and banks, it is legally the customer’s responsibility to identify and report fraud. Even if banks detect and reverse charges, there can be long delays in putting money back into customer accounts, causing a huge hassle as checks bounce. And customers are on the hook for overdraft fees in this case, though banks may be willing to waive them on request.
Using the same card at the same store, if customers had selected “credit”, the story would be very different. Credit card companies will be on the lookout for fraud regardless, and these accounts will get special scrutiny. Since it is unlikely that these cards have been used yet (the theft having been detected and reported quickly), they will likely block suspicious transactions before any money is withdrawn. Even if the thieves used the cards in the last few weeks, customers are only liable for $50 at most, and money is generally returned more quickly by credit card networks.
Credit card networks are much better at detecting and blocking fraudulent transactions in any case. Pressing “credit” protects your PIN and bank account and means that the same systems that detect traditional credit card fraud will be on the lookout for these card numbers if they are stolen. Even though all affected cards will likely be replaced preemptively by banks, many people reuse the same PIN and these are now “in the wild” for thieves to try.
Why Do Merchants Prefer PIN Debit Transactions?
Considering the nightmare scenario outlined here, why are merchants so willing to push PIN debit transactions over credit? After all, credit is quicker (no waiting for customers to enter a PIN) and more secure for consumers. Yet stores like Wal-Mart “assume” debit on all transactions, non-intuitively requiring customers to press “cancel” if they want transactions to go through the credit network.
Simply put, merchants make much more money on PIN debit transactions than credit cards or credit/debit cards. The difference in profit is often 2% to 3% of the total transaction, which equals or exceeds the “traditional” margin for some stores! Plus, they get the money immediately rather than waiting a few days (for credit/debit) or a week (for traditional credit cards). Who can blame Wal-Mart for preferring “profitable but insecure and slow”?
And it’s getting harder for consumers to choose credit. As mentioned, many terminals now “hide” credit transaction options, requiring special processing. And the Dodd-Frank law now allows merchants to set minimum purchase requirements for credit card transactions, something the credit card companies long resisted. Plus, many customers like getting cash back at the store rather than going to the ATM.
Never select “debit” rather than “credit”. It’s that simple.
Image credit: perfectdepth