PIN fraud: what do you need to know?

julia kukiewicz
By Julia Kukiewicz

credit card pin shield©

For consumers there's no greater card fraud risk, in terms of personal liability, than PIN fraud.

That's because it's one of the few forms of fraud where consumers are often not entitled to compensation from their bank, even when they didn't actually commit the fraud themselves.

PIN fraud: the risk

If the cardholder is deemed to have acted with gross negligence with their PIN, it will result in their being liable for the full amount of any unauthorised transaction.

If, on the other hand, the card has been lost or stolen and fraud is committed before the customer informs their provider or someone else who knows the PIN uses the card, the customer will be liable for up to £50 of the fraud.

86% of those questioned in a Which? survey said that they would always expect to get their money fully refunded if they were a victim of card fraud: that's not true.

What counts as gross negligence?

Banks and card providers are not obliged to refund money to card holders if they can prove that the holder had not kept their PIN secure.

The PIN is not secure if:

Santander also specify that customers must use a separate PIN number for each of their bank cards.

"Too many consumers are putting their finances in jeopardy by not taking simple precautions," Martyn Saville of Which? has said.

"Writing down your PIN is like leaving your door open when you leave the house."

Even so, however, it is up to the bank to prove that their customer did leave the door open. See 'asking for proof' below.

How card providers should protect you

The way that cardholders should protect themselves is pretty simple, then.

But card providers also need to take some responsibility for PIN security.

The Lending Code sets out three precautions that subscribers should take with customer's PIN numbers. They should:

  1. Issue the customer's PIN separately from the card
  2. Allow customers to change their PIN easily
  3. Offer guidance on keeping the card and PIN safe

Asking for proof

In addition to being entitled to these precautions, consumers should be aware that the burden of proof in such cases falls on the card provider.

That is, card providers must prove gross negligence in order to hold the cardholder liable and ask for up to £50 of the amount fraudulently obtained.

Card providers often ask consumers to help with their investigation into PIN fraud and typically question the customer about his or her movements around the time of the disputed withdrawal or purchase, as well as their typical spending behaviour.

But it is not up to the cardholder to prove that they didn't commit fraud.

Currently, according to Financial Conduct Authority (FCA) research released in March 2014, 10% of consumers are wrongly held liable when they lose money as a result of fraud and should have been refunded by their bank instead.

In cases where, after an investigation of at least eight weeks, the provider alleges fraud which the cardholder disputes, the consumer has the right to take the decision to the Financial Ombudsman Service (FOS).

Useful Links
Fraud victims' rights here
Fraud statistics here
Stop ID theft here
Phone banking fraud here
Lost and stolen cards what to do

The FOS is an independent adjudicator which can consider the case again using all of the evidence from both parties and taking into consideration the card terms and conditions and any relevant sections of the Consumer Credit Act 1974 (where the withdrawal was made from a credit or overdraft facility).

Each case is considered on its merits but the FOS has said in the past that it takes a hard line with providers in such cases.

"We view gross negligence as being more than carelessness - and bordering on recklessness," the FOS guidance says.

More problematic than liability, for some, is the timescale over which disputes are resolved.

Neither the Lending Code nor the Consumer Credit Act is specific about the period of time during which complaints must be resolved in full.

How many people risk PIN fraud?

According to the survey carried out by Which? in 2010, one in ten cardholders are putting themselves at risk of fraud by sharing their PIN number.

According to the same survey, a third of those who had written down their PIN kept the reminder in their wallet or handbag, an open invitation to card fraud.

Another 2010 survey by also found a fairly high proportion of card users writing down their PIN number and then leaving it alongside their cards.

A further 36% said they kept their PIN written down at home and 9% admitted that they'd jotted it down at the office.

Additionally, the survey found that one in five card users use their birthday as their PIN number.

The same survey suggested that 21% of those surveyed admitted that they'd given their PIN to a friend and 3% have told a work colleague what it is.

64% of those in relationships said that their partner knows their PIN number.

More on PIN fraud

PIN fraud abroad

Credit card fraud losses fell by 11% in 2013, according to fraud monitoring service CIFAS.

Globally, the fall in fraud over the past few years can be attributed, in large part, to the roll out of chip and PIN, which makes it much harder for criminals to commit counterfeit card fraud.

However, cardholders are still advised to try and keep their cards in sight at all times when making payments abroad.

In addition, consumers shouldn't assume that countries that haven't rolled out PIN, such as the US, are also free of fraud.

In fact, FICO told us, where signatures are used to verify transactions it can be much easier for criminals that find a card to use it without the cardholder's knowledge.

False fraud: forgotten the PIN?

A forgotten PIN number is a particularly aggravating experience for any credit card user, although many credit card providers now allow users to request a new number online or through a 24-hour hotline.

Many credit card users are unaware that it's possible to reset their PIN number at an ATM by selecting 'PIN services'.

However, as noted above, setting PIN numbers on all cards to one code is ill-advised.


19 October 2015

I had 14,000 stolen from my business and personal accounts. I let my son use the card to access the hole in the wall and on a few occasions he has been accompanied by another member of staff. When I discovered the money stolen the said employee admitted to the theft of over 79 transactions. Is it a worthless battle to get my money back? The man has since been arrested and awaiting sentence.