Image: Creditcard Computer © Photographers Choice RF-Getty Images

Related topics: identity theft, fraud, credit cards, financial privacy, Liz Weston

Credit cards have long been the safest way to pay online, with stronger consumer protections than any other form of payment.

But you may not know that:

Debit card issuers have bolstered protections and streamlined dispute processes in recent years as debit card use has grown, shrinking both the likelihood of fraud and its severity.

Using a retailer-specific card, rather than a general-purpose credit card, may put you at greater risk of fraud.

Alternative payment systems, such as PayPal, can provide an additional layer of security, but they also have quirks you need to know about.

These are the conclusions of Javelin Strategy & Research, a company that performs the massive annual identity theft survey for the Federal Trade Commission and has compiled reams of data about online payments and fraud.

Nearly all financial institutions have zero-liability policies for debit cards that limit users' risk, said Javelin CEO James Van Dyke. The banks also have improved their fraud-detection capabilities, he said.

Liz Weston

Liz Weston

Now, zero liability doesn't mean zero costs to victims. In fact, the bigger the fraud, the more likely victims are to incur out-of-pocket expenses, Van Dyke said.

Some of these expenses are incurred trying to clean up the mess, and some people "run out of energy" trying to fight continuing fraud and simply pay the bill.

But the improvements in fraud detection and resolution with debit card fraud are reflected in the average out-of-pocket expenses reported by victims.

Average cost of fraud to victims200720082009
Debit cards$739$545$243
Credit cards$696$521$314

And you're still more likely to be the victim of credit card fraud than debit card fraud, Van Dyke said. Credit cards are used in about half of all transactions but make up two-thirds of reported frauds.

The credit card figures contain another surprise. The toll from major credit card fraud -- fraud using Visa, MasterCard, American Express or Discover -- averaged $396 in 2008, Van Dyke said. By contrast, the average cost to victims of fraud using retail cards -- the kind of revolving accounts you can use only at a single retail chain, rather than everywhere -- was a whopping $960.

Single-retailer cards tend to use smaller processing networks that aren't as adept at detecting fraud as the major credit card networks, Van Dyke said.

Here's what you need to know about various forms of payment.

Credit cards

The federal Truth in Lending Act outlines the substantial consumer protections that accompany credit card use:

  • Your maximum liability for unauthorized use is $50 when your card is used offline (and most issuers waive that in their zero-liability policies). When used online, your liability is zero by law.
  • There's no specific time limit for you to report unauthorized use, FTC senior attorney Carole Reynolds said, although "it is best to do so as soon as possible." With other methods of payment, failing to report fraud quickly can cost you a bundle.
  • You don't have to pay a disputed charge until it's been investigated. With other forms of payment, the money typically disappears from your account, and you have to wait to get it back.

You'll still want to be a savvy consumer to reduce the chances of becoming a victim, of course. That means making sure the address bar of the retailer's website shows "https" rather than just "http," to denote SSL encryption, and not using any site if you get a pop-up window or warning that there's something wrong with the site's encryption. You'll also want to review each month's bills for fraudulent charges and, if there are any, to dispute them immediately. Many issuers allow you to start those disputes online, but you should follow up in writing to preserve your federal rights.

You'd also be smart to set up e-mail alerts to signal you when large purchases have been made (or when any purchase is made on a card you don't use often).

If you want an extra layer of protection, consider signing up for Verified by Visa or MasterCard SecureCode. These programs allow you to use a password to complete purchases at participating merchants.

Debit cards

Debit card protections are detailed in the federal Electronic Funds Transfer Act. Under the law, your liability is limited to $50 if you report a bogus transaction within two business days of discovering it. Otherwise, your liability is capped at $500 if you report the fraud within two months of the statement mailing date.

As noted earlier, debit card issuers have stepped up with zero-liability policies that provide much more protection than federal law. But Visa and MasterCard are a bit, shall we say, vague about when this protection might expire. A Visa spokeswoman says it's up to the issuer to determine how long victims have to report fraudulent transactions. MasterCard did not return calls for comment.

(Also, you should know that your protection is different for debit card transactions using a personal identification number. Online debit card transactions are typically processed as "signature transactions" and qualify for zero-liability protection. When you use a PIN, Visa's zero-liability protection applies only if the transaction is processed on its own network. MasterCard does not extend zero-liability protection to PIN transactions.)

Limit your risk by following the precautions listed above: Use only properly encrypted retail sites, scan your statements for fraudulent charges, and set up account alerts.

You should strongly consider closing a bank account that's been compromised, advises the Identity Theft Resource Center in San Diego, because the thief may well strike again. You should definitely close the account if the thief has access not just to your debit card number, which can and should be changed, but to your bank account number, which can't be.

Electronic payments and bill pay

Payments that come directly from your bank accounts, such as automatic debits and payments made through a bank's bill-pay system, are covered by the Electronic Funds Transfer Act.

Your bank may offer you zero liability on these transactions, or you may be bound by the less generous federal reporting requirements, which cap your liability at $50 only if you report fraud within two days of discovering it and at $500 if you report the fraud within two months of the statement date, and which make you liable for the whole fraud if it's reported after that.

Banks and other financial institutions generally do a better job than merchants of protecting your account numbers and other data, so consider using recurring bill payments or charging bills to a credit card rather than signing up for automatic debits that initiate from a merchant or utility.

And as with any other payment method, carefully go over each month's statement and immediately report any potential fraud.

Alternative online payments

Services such as PayPal, Bill Me Later and Google Checkout put a layer of security between you and a merchant. Your account numbers and other sensitive information aren't shared with the seller. Instead, you entrust them to the alternative payment site, which processes the transaction. Here's how it works:

  • With Google Checkout, you enter a credit card or debit card number, and transactions are charged to that account.
  • PayPal uses either a credit card or your checking account number to process transactions.
  • Bill Me Later runs a credit check on you and, if you're approved, opens a line of credit you can use for purchases. After an initial grace period, your purchases accrue interest.

These alternative payments have another distinction: They're "push" payment methods.

Most transactions are "pull" transactions: A merchant can charge your account, pulling the money out, as long as it has your debit, credit or bank account number. That can lead to mistakes such as charging twice for the same purchase, or the merchant can simply commit fraud by charging you for something you didn't order.

With alternative payment methods, Van Dyke explained, you have to "push" out the payment, which reduces mistakes and fraud. Your account can, however, be hacked -- anyone who knows or guesses your password can push out a payment. That's why it's important to have a strong password, change it often and monitor your account closely if you use these payment options.

Your protection under federal law depends on the underlying payment method you use (credit card, debit card or bank account), and, once again, using a credit card offers the most security. The online services promise additional fraud protection on top of federal law but typically require you to mail in forms and wait for their investigation, which could mean getting your money back takes longer than if you'd just used a credit card in the first place.

The bottom line? You have varied protections with each online payment method, but you need to be vigilant about security, reviewing your bills and reporting fraud promptly if you find it.

Liz Weston is the Web's most-read personal-finance writer. She is the author of several books, most recently "The 10 Commandments of Money: Survive and Thrive in the New Economy" (find it on Bing). Weston's award-winning columns appear every Monday and Thursday, exclusively on MSN Money. Join the conversation and send in your financial questions on Liz Weston's Facebook fan page.