Card number leaked, any consequences?

Question

Someone I know made their credit card number available for a large audience. As described in this question, one can bill without CCV code.

So, given the card number and no other info (no CCV, no expiry date, no card holder name - she's not the card owner), can someone do any harm / purchase stuff using the card? Basically, what could be the consequences if someone is ill-minded and has resources?

I suppose expiry date is not a big deal since there are not many options (usually cards expire in 24 months, right?).

@RobertMennell hm, not sure, I found the Amazon-related post and though this SE is a good fit — Alexander Mikhalchenko, Jul 15 '16 at 21:37
Probably someone here can(and already has) answer it, but financial is where those types of people frequent. I'd still say cancel the card just in case.(I just realized I made it sound like credit card thieves frequent financial stack...) — Robert Mennell, Jul 15 '16 at 21:40

score 9 · Accepted Answer · answered Jul 15 '16 at 21:37

A merchant can authorize and validate monetary transactions with only the credit card number. The only reason they collect the CVV, name, address, etc. is to protect themselves from fraud.

That being said, any transaction that a merchant submits can be disputed (by you) within 60 days. The bank must respond within 30 days. Meanwhile you are not liable for the amount. The bank can perform what is called a "chargeback" to get the money back from the merchant-- if the merchant does not have adequate proof, it is pretty simple for the bank to get the money back. If a merchant gets too many chargebacks, their merchant status is revoked and they can no longer use the Visa system. Meanwhile your liability is zero.

If a malicious person has gotten your CC number, but nothing else, and that malicious person is not a Visa merchant, chances are he will not be able to do much with it, because, as stated earlier, merchants require the additional information to protect themselves.

Thank you John! BTW would the recent opening of Visa API somehow affect this? — Alexander Mikhalchenko, Jul 15 '16 at 21:40
According to the [VISA API documentation](https://developer.visa.com/products/cybersource/thingstoknow), "Before moving to production and running real transactions, you must have a merchant account from an acquiring (merchant) bank that can process the credit card payments." So, no, it wouldn't. — John Wu, Jul 16 '16 at 02:13

score 3 · Answer 2 · answered Jul 15 '16 at 23:44

The main consequence is not in the technical parts but in the liability you may face if “something happens”

I would notify the bank about the leak. And keep a record of telling them. The bank may decide it's worth to issue a new card. Or that there's no significant risk, and do nothing unless there are fraud signs.

Now, the risk is probably tiny. But if there is fraudulent activity with your card and your bank learns about this disclosure (as you should assume they will), they may (partially) disclaim the responsibility on that, for not following some secure practises (see your contract with the bank for what you agreed to do or not to).

However, as soon as you notify them, you are no longer liable for fraudulent transactions that happen from this point on (even if the crooks had all the information).

Your case is a bit blurry, but that may still have bad consequences to you if this ended up at court. Reporting what happened to the bank let's you avoid the risk in either case.

Card number leaked, any consequences?

2 Answers2

Linked