Chase relaxes limits on debit cards used at Target

December 24, 2013: 10:52 AM ET
target chase restrictions
Chase upped its ATM withdrawal limits to $250 and debit purchases to $1,000 after imposing stricter limits in the wake of the Target breach.
NEW YORK (CNNMoney)

JPMorgan Chase has loosened the security restrictions it put on debit cards used at Target during the retailer's massive breach.

The bank said customers can withdraw up to $250 per day in cash from ATMs, and they can spend up to $1,000 using their Chase debit cards.

On Saturday, Chase had imposed much stricter limits of $100 in cash and $300 in purchases. Chase customers can withdraw more money if they show up in person at a bank branch.

In a customer service notice, Chase said the restrictions were made to "defend against fraud" and "to help keep Chase accounts safe."

"Our focus right now is protecting the accounts," said JPMorgan Chase (JPM) spokeswoman Patricia Wexler. "We continue to monitor this fluid situation closely."

Related story: Lawsuits piling up on Target over hack

Multiple security experts, as well as Target officials, say that PIN numbers on debit cards were not part of the breach. That means it is very unlikely that thieves would be able to withdraw money from ATMs, even if they made a counterfeit debit card using a customer's stolen account information.

Chase is the lone major bank to impose limitations on debit cards.

Who hacked Target?

The restrictions will limit Chase's exposure, according to Avivah Litan, financial fraud analyst at Gartner.

That's because when cash is withdrawn from an ATM or debit card purchases are made with a PIN entry, that money is gone -- no bank, merchant or credit card company can reverse the transaction.

And if the money was withdrawn fraudulently, banks with "zero liability" fraud agreements, including Chase, are ultimately responsible for refunding the customer.

On the other hand, when fraudulent charges are made on credit cards, the merchant is almost always left with the bill.

Here's how it works with credit card fraud: Visa (V) and MasterCard (MA) make the customer and the bank whole. They then recover the money that was fraudulently charged by fining the merchant or raising the merchant's swipe fees.

Chase is in the process of replacing debit cards that were affected by the Target breach, so the restrictions are only temporary.

Ultimately, Target (TGT) will be on the hook for fraudulent charges made as a result of the breach -- and then some.

The actual fraudulent charges are likely to total less than $25 million, Litan estimates. But Target will likely be charged more than twice that in bank fees and fines to cover customer service charges and the cost of replacing cards, she said.

Chase, for instance, opened thousands of branches on Sunday to accommodate customers who needed to take out more cash than the imposed ATM limits would allow them to.

If history is any indication, Target's costs will ultimately be much more than $50 million.

In its 2007 breach of 94 million customer accounts, Marshalls and TJ Maxx parent company TJX (TJX) took a $256 million charge for legal fees, repair its point of sale systems and to make customers whole. It also settled with Visa and MasterCard for an additional $41 million.

Join the Conversation

Search for Jobs