Unauthorized credit and debit transactions: know your rights and responsibilities
How you’re protected from unauthorized transactions
Visa, Mastercard, American Express and Interac have committed to protect you against financial loss if someone uses your credit or debit card without your permission.
You’re responsible for taking reasonable care to keep your account information and personal identification number (PIN) safe. If you did, they’ll usually reimburse you in full.
Learn more about these commitments and policies:
- Visa Zero Liability Policy
- Mastercard Zero Liability Protection
- American Express Fraud Protection Guarantee
- Interac Zero Liability Policy
Credit card transactions you didn’t authorize
There’s a maximum amount you’ll be responsible for if someone uses your credit card without your permission.
If a bank issued your credit card, the maximum amount is $50, unless you demonstrated gross negligence (in Quebec, gross fault) in safeguarding your:
- credit card and its account information
- personal authentication information (including personal identification number (PIN), passwords or other information they use to verify your identity)
If a federally regulated financial institution other than a bank issued your credit card, the maximum amount is the lesser of:
- $50
- the maximum amount set by your credit card agreement
Debit card transactions you didn’t authorize
You’re not responsible for losses due to situations beyond your control. For example, technical problems or someone used your card when you had already reported it as lost or stolen.
The maximum amount you’re responsible for usually can’t be more than the withdrawal limits of your debit card. However, you may be responsible for more than the balance of your account, for example if:
- your account links to a line of credit or overdraft protection
- your account links to 1 or more other accounts
Your responsibilities when using a credit or debit card
To receive a full reimbursement, you must:
- notify your card issuer without delay:
- of any unauthorized transaction
- if you lost your card, or
- if someone stole it
- keep your PIN confidential and never share it with anyone, not even a family member
- avoid choosing a PIN that is easy to guess like a birth date or a telephone number
Generally, these conditions are similar across all card issuers. Contact the one that issued your card or check your credit or debit card agreement to verify the terms and conditions attached to it.
Your right to an investigation
Federally regulated financial institutions can’t hold you responsible for a transaction you didn’t authorize just because someone used an authentication technology to do it. This means a personal identification number or any other password or information that you create to be used to verify your identity. For example, if a person used your PIN to complete the transaction.
They must always fully investigate a transaction that you dispute. It doesn’t matter how someone processed it, including:
- with your PIN
- by magnetic swipe, or
- through other technology
They should consider all factors that contributed to the unauthorized use of your credit or debit card. This includes circumstances beyond your control such as:
- someone forced you
- someone stole your card
- there was a system malfunction
- someone obtained your PIN through shoulder surfing
Shoulder surfing is when someone gets your PIN by looking over your shoulder. They do this while you enter it at an automated teller machine (ATM) or anywhere else you use your card.
Resolving unauthorized credit and debit transactions
Contact your card issuer right away if:
- you notice an unauthorized transaction on your credit or debit account
- you lose your card
- someone stole your card
Find out how to resolve an unauthorized transaction.
When these rights apply to you
These rights apply when you’re dealing with a federally regulated financial entity like a bank, federal credit union or payment card network operator.
Find out if your financial institution is federally regulated.
Report a problem or mistake on this page
- Date modified: