This site is an independent educational resource. We are not a bank, card issuer, payment processor, financial advisor, or affiliate of any merchant or issuer mentioned. Information about Regulation E (12 CFR 1005), Regulation Z (12 CFR 1026), Regulation II (12 CFR 235), the Electronic Fund Transfer Act, and the Truth in Lending Act is sourced from the Consumer Financial Protection Bureau, the Federal Reserve, and the Federal Trade Commission as of April 2026. Rules change; verify with your card issuer or a licensed advisor before acting. Nothing on this site is personalised legal, tax, or financial advice.

creditcardvsdebitcard.com
🛒Use Credit

Updated May 2026

Credit vs Debit for Online Shopping: the Reg Z Billing-Error Window in Practice

Online checkout is the highest-fraud channel in the US payments system per Federal Reserve Payments Study data. Credit cards carry a statutory billing-error claim under Reg Z (12 CFR 1026.13) that explicitly covers goods or services not delivered as agreed. Debit cards rely on Reg E (12 CFR 1005.11), which only covers EFT errors. The gap matters most when the package never arrives.

The card-not-present fraud landscape

Card-not-present (CNP) fraud is fraud committed without the physical card at the point of sale: online checkout, phone orders, mail-order subscriptions, in-app purchases. EMV chip-and-PIN dramatically reduced card-present fraud in the US after the 2015 liability shift, which moved fraud loss from issuers to whichever party in the transaction had not upgraded to chip technology. The displaced fraud did not disappear. It moved to CNP channels.

Per the Federal Reserve Payments Study 2024 release, CNP fraud accounts for the majority of card fraud losses by value in the US. The same study notes that the average card-fraud loss per transaction is materially higher in CNP than in card-present, because thieves test stolen card numbers in low-value transactions before running high-value charges. By the time a cardholder notices the activity on a statement, multiple test charges have already cleared.

Both credit and debit cards are exposed to the same upstream fraud vectors: data breaches at retailers, formjacking and skimming scripts on checkout pages, phishing of card numbers from cardholders directly, and database leaks of saved payment instruments at merchants. The vector does not differ. What differs is what happens to the cardholder's money during the dispute, and whether the dispute window covers what actually went wrong.

Recovery mechanics: credit vs debit

Charge appears on statementCredit: limit reducedDebit: cash removed
Cardholder files disputeCharge withheld during investigationCash gone until provisional credit
Provisional credit timelineN/A (no cash out)10 business days (12 CFR 1005.11(c))
Investigation deadline90 days (12 CFR 1026.13(c)(2))45-90 days (12 CFR 1005.11(c))

The Reg Z billing-error claim, in practice

Reg Z (12 CFR 1026.13(a)) defines a billing error broadly. It includes computational errors, transactions the consumer did not make or authorise, transactions reflecting goods or services not accepted by the consumer, transactions reflecting goods or services not delivered to the consumer as agreed, and reflections of an incorrect amount. This is wider than the narrow fraud-only protection most consumers assume credit cards provide.

In an online-shopping context, the billing-error claim is the consumer's recourse when: a package never arrives, a package arrives damaged and the merchant refuses replacement, a merchant ships the wrong item and refuses return, a subscription continues to charge after a documented cancellation, a free-trial converts to paid after the consumer claims to have cancelled within the trial window, or a digital service was advertised with features the delivered product lacks. None of these is straightforward fraud. None of them would be covered by Reg E on a debit card, because the EFT itself was technically correct: the bank moved the money the consumer authorised at checkout.

The consumer must notify the issuer in writing within 60 days of the date the statement containing the disputed item was sent (12 CFR 1026.13(b)(1)). The notice has to identify the consumer, the account, the dollar amount, and the reason for the dispute. Most issuers accept disputes via secure message in the mobile app or online banking, which preserves the written-notice requirement. A phone call alone does not preserve the legal claim, although most issuers will open an investigation by phone as a courtesy.

Once the issuer receives the dispute, Reg Z (12 CFR 1026.13(c)) requires acknowledgement within 30 days and resolution within 90 days (the issuer must complete its investigation in two billing cycles, not to exceed 90 days). During the investigation, the consumer is not required to pay the disputed amount, no late fees can be assessed on the disputed amount, and the issuer cannot report the disputed amount as delinquent to the credit bureaus.

The Reg E narrowness

Reg E (12 CFR 1005.11) covers a much narrower category: errors in electronic fund transfers. An error is defined in 1005.11(a)(1) as an unauthorised EFT, an incorrect EFT, an EFT to or from the wrong consumer account, a computational or bookkeeping error by the financial institution, the consumer's receipt of an incorrect amount of money from an ATM, an EFT not reflected on a periodic statement, or a request for additional information about an EFT.

Notice what is not on that list: goods or services not delivered. The EFT was authorised at checkout. The bank moved the money correctly. The merchant simply failed to deliver. Under Reg E, this is not an EFT error. The consumer's legal recourse is to sue the merchant directly. The bank's only obligation is to point the consumer at the dispute department of the network (Visa or Mastercard) and to extend any voluntary chargeback right the network has set as a courtesy. Many large debit issuers do extend voluntary chargeback rights, but the rights are discretionary, the investigation is not on a statutory clock, and the consumer's checking account is debited until and unless the provisional credit posts.

Retailer chargeback prevalence by category

Not all online retailers are equal. Some merchant categories generate disputes at multiples of the network average. Chargeback prevalence affects the consumer in two ways: a high-chargeback merchant is more likely to file a counter-claim against a consumer's dispute, and a high-chargeback merchant is more likely to ship slowly, ship incorrectly, or fail to deliver in the first place. The Visa Dispute Monitoring Program and Mastercard Excessive Chargeback Program publish thresholds at which a merchant is forced into a remediation plan or loses card-network acceptance.

  • Digital goods / subscription services: Highest dispute rate by network volume. Cancellation friction (cancel-by-phone-only, dark-pattern unsubscribe flows) generates billing-error claims under Reg Z 1026.13(a)(3).
  • Dropshipping / overseas marketplaces: Long shipping windows, opaque tracking, and frequent non-delivery push these categories to high-dispute status. A 30-day shipping promise that turns into 60 days frequently triggers Reg Z claims.
  • Crypto and gambling-adjacent: Many issuers treat these as Merchant Category Code (MCC) cash-equivalent and block them outright. When accepted, they generate disputes at high rates because the consumer expects refund rights the merchant declines.
  • Major US retailers (Amazon, Walmart, Target, Best Buy): Lowest dispute rates. Self-service return portals and proactive refund issuance keep most issues resolved before they reach the network as a chargeback. For these merchants, both credit and debit work safely, although credit remains the better default for the no-cash-impact reason.

For consumers shopping at small or unfamiliar online retailers, the practical advice is to default to a credit card with strong Reg Z protections (and to keep a small balance below the credit limit so a disputed charge does not push the account over). For Amazon and the other big-four retailers, the difference between credit and debit is smaller in practice, but credit still wins on the cash-flow dimension during the rare dispute.

Virtual card numbers and merchant tokens

A virtual card number is a single-use or merchant-locked replacement for the underlying card number. The actual card number stays in the wallet. The virtual number gets sent to the merchant. If the merchant database is breached, the leaked number is useless: it has either already been used (single-use) or is locked to one merchant (merchant-locked). The underlying account is never exposed.

Capital One Eno, Citi Virtual Account Numbers, and American Express disposable virtual numbers are the major issuer-side implementations. Privacy.com is a third-party service that funds virtual numbers from a linked bank account or debit card. Apple Pay and Google Pay use a tokenisation framework that performs a similar function in card-present and in-app contexts: the merchant receives a device-specific token, not the underlying card number.

Virtual numbers are available on both credit and debit cards from many issuers. The protection profile differs: a virtual debit number still draws on a checking account if used fraudulently, and the cardholder still depends on Reg E's narrow EFT-error claim for recovery. A virtual credit number combines the merchant-isolation benefit with the underlying Reg Z dispute right and the no-cash-impact recovery. For the highest-risk online merchants (unfamiliar retailers, free trials, foreign sites), a virtual credit number is the strongest combination of protections available.

Common questions

Is it safer to shop online with a credit card or debit card?â–¼
Safer with credit. Online (card-not-present) is the highest-fraud channel per the Federal Reserve Payments Study. Credit cards carry a statutory $50 maximum fraud liability under TILA 15 USC 1643 plus a billing-error claim under Reg Z 12 CFR 1026.13 when goods are not delivered. Debit cards use Reg E 12 CFR 1005.6(b), where liability is tiered: $50 if reported within 2 business days, $500 if reported within 60 days, unlimited after 60 days.
Can I dispute an online order that never arrived if I paid with debit?â–¼
Possibly, but the path is narrower. Regulation E only covers EFT errors (whether the transfer was processed correctly), not whether the merchant delivered. Some debit issuers extend voluntary Visa or Mastercard chargeback rights to debit transactions as a courtesy, but this is discretionary. With a credit card, a billing-error claim under Reg Z 12 CFR 1026.13(a)(3) covers goods or services not accepted or not delivered as agreed.
How long do I have to dispute an online purchase?â–¼
Under Regulation Z 12 CFR 1026.13(b)(1), the credit-card billing-error window is 60 days from the date the statement containing the disputed charge was sent. Under Regulation E 12 CFR 1005.6(b), the debit window is 60 days from the date the statement showing the unauthorised EFT was sent. Both windows are 60 days from statement, but the credit-card window covers a broader set of disputes (goods not delivered, services not as described) than the debit window.
What is card-not-present fraud and which card is worse hit?â–¼
Card-not-present (CNP) fraud is any fraud where the physical card is not at the point of sale: online checkout, phone orders, mail-order. Per the Federal Reserve Payments Study, CNP is the highest-fraud channel in the US payments system, accounting for the majority of card fraud losses by value. Credit cards and debit cards are both vulnerable to CNP fraud, but the recovery mechanics differ: credit cards never freeze cash, debit cards do.
Should I use a virtual card number for online shopping?â–¼
Virtual card numbers (Capital One Eno, Citi virtual numbers, American Express disposable numbers, Privacy.com) generate single-use or merchant-locked numbers that are useless to a thief who steals them from a breached retailer. Many issuers offer virtual cards on both credit and debit, however debit-based virtual cards still draw on a checking account if used. The protection is strongest on virtual credit cards: the merchant-locked number plus the underlying Reg Z dispute right plus no cash exposure.

Related on this site

Recurring SubscriptionsSubscriptions: existing scenarioFraud Liability ComparedReg E vs Reg Z deep diveGlossary: TokenisationGlossary: Chargeback

Sources verified May 2026

Informational summary, not financial or legal advice. CFR sections cited are current as of May 2026. Issuer dispute timelines may differ from the statutory floor (often faster).