Consumers are being warned about an uptick in the number of fraudulent purchases being made at Walmart, which in some cases has resulted in their financial institution moving to deny debit card transactions unless a PIN is used.
The alerts started to circulate earlier this summer, but the number of incidents has remained steady in some parts of the U.S.
In all, there have been alerts issued for 16 states and Walmart has been named as the location where the compromised cards were being used.
In some cases, Walmart was also a common point of purchase (prior to the card being used by crooks), but given that it's Walmart – such an indicator shouldn't immediately lead one to assume that Walmart's card processing network has been compromised.
The most recent alert was sent on October 10. Philadelphia Federal Credit Union told customers that the non-profit has been made aware of fraudulent activity at Walmart locations throughout the country.
"The fraud pattern includes charges $50.00 and under which are being processed as "Pinless Debit" transactions. During these transactions, your card is swiped, but you are not asked to enter your PIN (Personal Identification Number) or sign for the transaction," the notice says.
As a result, all debit transactions at Walmart that are conducted without a PIN will be rejected. But Pennsylvania isn't the only state with consumer warnings and debit card fraud.
In Maryland, Provident State Bank (PSB) issued a warning about debit card fraud in September, informing customers that unless the transaction is completed using a PIN, it will be denied. A follow-up alert from PSB noted, "Effective immediately, you must provide your PIN number for all debit card transactions at any Walmart or Super Walmart."
Front Royal Federal Credit Union, in Virginia, also has an active notice about compromised cards, linking their warning to the "large volume of fraud at Walmart."
The FRFCU alert says that customers will be limited to purchases of $200.00 or less. Purchases over that minimum will require prior authorization in order to protect the account.
In Florida, several credit unions reported an upswing in debit card fraud, and in each case the common link was Walmart.
"In our initial statement about our recent debit card fraud, we stated that the compromise was suspected to be at a local merchant. Since then, we have learned some other Central Florida credit unions are reporting similar debit card fraud. This validates our suspicion that the compromise was at a local merchant or group of merchants," an alert from Launch Federal Credit Union stated.
The Launch FCU alert was issued in August; followed a short time later by a similar one from AVB Bank in Oklahoma. Due to fraud, AVB customers attempting to use their debit cards at Walmart locations in Arizona or Maryland would see the transaction denied completely – PIN or no PIN.
In July, Heritage South Community Credit Union in Tennessee added to the list of states where debit card fraud was tracked to Walmart, identifying their own state, as well as California, Georgia, Illinois, Nevada, New Jersey, North Carolina, Ohio, Washington, and Wisconsin, as places where transactions without a PIN would be denied.
Reports of fraud in 16 states is an alarming trend that's worth paying attention to, but again - this doesn't mean Walmart's card processing network has been compromised.
Right now, the larger picture is that since July, criminals have been using compromised cards at Walmart locations across the U.S., and because they've kept the purchases small – they've been flying below the radar.
This is why it is important that you keep an eye on your balances and monthly statements. Check to make sure each purchase and transaction is legitimate. If you can, use the financial institution's notification settings whenever possible.
Why does this happen?
What the criminals are doing when this type of fraud happens is cashing out on the value of their stolen cards. They make small purchases, such as the ones mentioned in each of the warnings, and use the card until it is drained of its balance or flagged and disabled.
However, most crooks will use the card two or three times before tossing it away or reselling the data. This lowers the chances of them being caught. After they've cashed out the card, the items purchased are either resold (it's all profit at this point to the criminal) or they're kept for personal use.
Activity such as this is usually seen in the aftermath of a retail data breach. Similar jumps in card fraud were noted shortly after the Target and Home Depot data breaches. The criminal market was flooded with freshly stolen cards, and the criminals had to move quick to cash out before they were disabled and replaced.
As a consumer, you should rarely – if ever – use your card as a debit card. You should always go for the credit option, as you'll benefit from the fraud protections offered by your bank and the card brand. If debit is the only option available, remember to use a PIN, and monitor your account balances and statements.
Some banks have larger liabilities when it comes to debit purchases, and there is a timeline at play as well. If you don't catch the fraud within 60-days and notify the bank or credit union, your liability for fraud could jump from $0-50.00 to $500.00. After that, you may be liable for the entire amount.
EMV, a new layer of security on most cards (that's the chip you see embedded in some newly issued cards), is supposed to help fight card fraud, but it will take time before consumers and retailers are using the system fully.
Retailers were supposed to be up and running with EMV on October 1, but there are plenty of places where the terminal isn't configured to handle EMV processing. The video below explains the basics of how EMV works.
If you haven't gotten a new card from your financial institution that contains an EMV chip, you should consider asking them to send you one. While you're at it, ask them about how they're going to protect you and your money from card fraud and theft online.
Sometimes the best security is to remain informed.