This site is an independent educational resource. We are not a bank, card issuer, payment processor, financial advisor, or affiliate of any merchant or issuer mentioned. Information about Regulation E (12 CFR 1005), Regulation Z (12 CFR 1026), Regulation II (12 CFR 235), the Electronic Fund Transfer Act, and the Truth in Lending Act is sourced from the Consumer Financial Protection Bureau, the Federal Reserve, and the Federal Trade Commission as of April 2026. Rules change; verify with your card issuer or a licensed advisor before acting. Nothing on this site is personalised legal, tax, or financial advice.

creditcardvsdebitcard.com
🛡️Use Credit

Updated May 2026

Credit Card vs Debit Card Fraud Liability: $50 vs tiered, explained

Two federal statutes set the floor: TILA 15 USC 1643 for credit cards and EFTA 15 USC 1693g for debit cards. Two voluntary network policies sit on top: Visa Zero Liability and Mastercard ID Theft Resolution. The statutes and the network policies do not agree on what unauthorised means, when the clock starts, or who pays during the investigation. Here is the actual mechanic.

The statutory floor: TILA vs EFTA

Credit Card -- TILA 15 USC 1643

$50 max

Statutory maximum cardholder liability for unauthorised use under the Truth in Lending Act. Reg Z 12 CFR 1026.12(b) implements the cap. Applies if the issuer has provided a means to identify the cardholder (signature, PIN, photo) and has notified the cardholder of the maximum liability and the procedure for reporting loss or theft.

Debit Card -- EFTA 15 USC 1693g

$50 / $500 / unlimited

Tiered under the Electronic Fund Transfer Act. Reg E 12 CFR 1005.6(b) implements the tiering. Three tiers, with the cap rising sharply at the 2-business-day and 60-day boundaries from the date of statement or loss.

The Reg E debit tiering, in detail

  • Tier 1: report within 2 business days of learning of loss or theft -- $50 max. The cap matches the credit card cap. The 2 business days are calendar working days excluding weekends and federal holidays. The clock starts when the consumer learns of the loss, not when the bank learns.
  • Tier 2: report after 2 business days but within 60 days of statement -- $500 max. Most consumers who review statements monthly are already in Tier 2 for any unauthorised transaction that occurred more than 2 days before the statement was sent. The 10x increase in exposure happens by default.
  • Tier 3: report after 60 days of statement -- unlimited. The consumer is liable for the full amount of any unauthorised transaction that occurred after the 60-day window closed, plus any earlier transaction the consumer failed to report. There is no statutory cap in Tier 3.

The Reg E tiering is the single biggest structural protection difference between credit and debit. The reasonable-care obligation embedded in the tiering (the duty to review statements promptly) shifts financial risk to the consumer in a way that Reg Z does not.

Network zero-liability: a voluntary floor below the statute

Visa and Mastercard both publish zero-liability policies that apply to most US-issued cards in their networks. The policies promise the cardholder zero liability for reported unauthorised use, subject to conditions. The conditions matter, because they are the basis on which an issuer can deny a zero-liability claim and fall back to the statutory floor.

Visa US Zero Liability requires: (1) the cardholder exercise reasonable care in safeguarding the card, (2) report unauthorised use promptly, and (3) not have made the disputed transaction. The policy specifically does not apply to transactions not processed by Visa, certain commercial cards, or anonymous Visa prepaid cards. The policy explicitly applies to both Visa credit and Visa debit transactions, although the recovery mechanics under Reg E vs Reg Z still differ during the investigation period.

Mastercard Zero Liability operates similarly with three conditions: the cardholder's account is in good standing, the cardholder exercised reasonable care in safeguarding the card from loss or theft, and the cardholder has not reported two or more unauthorised events in the past 12 months. The "two-or-more" condition is rare and rarely affects ordinary cardholders. Mastercard's ID Theft Resolution service adds an extended-help element (credit-monitoring referral, document-replacement assistance) that the Visa policy does not have.

American Express and Discover both operate their own closed-loop zero-liability programs. Amex's Fraud Protection Guarantee is contractually broader than the network programs because Amex is both the network and the issuer; there is no separate issuer to push back on Amex's zero-liability extension. Discover's $0 Fraud Liability Guarantee operates the same way. For consumers with Amex or Discover cards, the practical fraud-liability exposure is structurally lower than for Visa or Mastercard cardholders, although the difference rarely matters in practice because Visa and Mastercard zero-liability claims are almost always paid as filed.

What counts as unauthorised: case law and edge cases

The statutory definitions of unauthorised use are narrow. TILA 15 USC 1602(p) defines it as use by a person other than the cardholder who does not have actual, implied, or apparent authority. Reg E 12 CFR 1005.2(m) defines unauthorised EFT as a transfer initiated by a person other than the consumer, without the consumer's authority, from which the consumer receives no benefit. Notice the three-prong test in both cases: someone else used the card, that person did not have authority, the consumer did not benefit.

The "no benefit" prong is where many disputes fall apart. If the consumer gave their card to a partner who then over-charged a shared purchase, the partner's use was authorised at the moment the card was handed over, and any benefit (even partial) the consumer received takes the dispute out of the unauthorised category. A consumer who paid for dinner on a date and later disputed the charge as a relationship soured does not have a valid unauthorised-use claim under either statute.

"Apparent authority" is another common failure mode. If the consumer's spouse has had access to the card for years and routinely makes household purchases, a sudden series of large purchases by the spouse during a contested divorce will likely be deemed authorised based on apparent authority. The Federal Reserve's Reg E Commentary (the official agency interpretation) takes a strict reading of this prong: prior knowing access to the card creates apparent authority for subsequent use.

Scam categories that have produced significant case law: romance scams where the consumer voluntarily sent funds, business-email-compromise scams where the consumer authorised a wire to a fraudulent account, and grandparent / impersonation scams where the consumer voluntarily provided card credentials. None of these are unauthorised use under either statute, because the consumer initiated the transaction even if they were deceived about the recipient. The CFPB has used its UDAP authority to pressure banks (notably the Zelle network in 2023-2024) to reimburse some authorised-but-induced scam victims, but the underlying statutory definitions have not changed.

CFPB Consumer Complaint Database: what the numbers say

The CFPB Consumer Complaint Database (consumerfinance.gov/data-research/consumer-complaints) is the single largest public record of consumer-bank fraud disputes in the US. The data is available as a public download. Querying the database for product = credit card or product = checking or savings account, with sub-issue = unauthorised use or fraud-related, reveals a consistent pattern across the past four years.

Credit-card unauthorised-use complaints resolve in the consumer's favour at a higher rate than checking-account unauthorised-EFT complaints, even though the underlying statute is more favourable to debit-card consumers in Tier 1 (the 2-business-day window). The gap reflects two structural factors: credit-card disputes are processed under Reg Z's 90-day clock with the charge withheld, while debit-card disputes are processed under Reg E's investigation window with the consumer's cash already removed, and consumers under cash-flow pressure are more likely to settle a partially favourable resolution rather than wait for full investigation.

The other pattern: monetary-relief outcomes are slightly higher on credit-card disputes (the median resolution includes a monetary refund) than on debit-card disputes (the median resolution is non-monetary, often a policy change or apology). The amount at stake per dispute is also higher on credit (typical disputed amount in the hundreds to low thousands) than on debit (typical disputed amount in the low hundreds), which reflects the underlying transaction-size mix between the two products.

None of this proves credit cards are better in every fraud scenario. It does establish that the structural advantages of Reg Z (charge withheld during dispute, no cash impact, broader definition of dispute) translate into measurable consumer outcomes in the regulator's own dataset. The consumer who relies on the statute, not the network policy, gets the strongest protection on a credit card.

Common questions

What is the maximum I can owe if my credit card is stolen?
$50 under the Truth in Lending Act 15 USC 1643 and Regulation Z 12 CFR 1026.12(b). Visa, Mastercard, American Express, and Discover all operate zero-liability network policies that reduce the practical exposure to zero for reported unauthorised use. The statutory floor is $50; the network policy floor is typically zero.
What is the maximum I can owe if my debit card is stolen?
Tiered by reporting speed under Regulation E 12 CFR 1005.6(b). Report within 2 business days of learning of the loss: $50 max. Report after 2 business days but within 60 days of statement: $500 max. Report after 60 days of statement: unlimited. The 60-day clock starts from the date the statement showing the first unauthorised transaction was sent.
What is the difference between statutory liability and network zero-liability?
Statutory liability is the floor set by federal law: $50 for credit (TILA) or tiered for debit (EFTA). Network zero-liability is a voluntary policy by Visa, Mastercard, American Express, and Discover that reduces practical exposure to zero, conditional on prompt reporting and absence of cardholder negligence. The statutory floor cannot be raised by network rules; the network floor can be lowered.
What counts as unauthorised use?
Reg E 12 CFR 1005.2(m) defines unauthorised EFT as a transfer initiated by a person other than the consumer, without the consumer's authority, from which the consumer receives no benefit. Reg Z does not formally define unauthorised use the same way, but TILA 15 USC 1602(p) defines unauthorised use as use by a person other than the cardholder who does not have actual, implied, or apparent authority. Disputes about gifts that turned sour, or credit cards lent to a partner who then over-charged, often fall outside the definition.
Does friendly fraud or first-party fraud count?
Friendly fraud is the term issuers and merchants use for disputes filed by cardholders who actually authorised the original transaction (the consumer made the purchase, received the goods, then disputed the charge as unauthorised). Neither Reg Z nor Reg E protects friendly fraud. Both statutes apply to genuinely unauthorised use only. The CFPB Consumer Complaint Database includes a steady volume of complaints where the consumer's claim was rejected on a friendly-fraud finding.

Related on this site

Full Protection ComparisonReg E vs Reg ZLiability CalculatorChargeback Timeline CalculatorOnline ShoppingCFPB Zelle case study

Sources verified May 2026

Informational summary, not financial or legal advice. Statutory and network references current as of May 2026.