According to business payment service provider, DalPay Internet Billing, The 'T.J. Maxx hack', where the credit card data for over 45.7 million clients was compromised by hackers, may be bad for card holders, but it has been most costly for online merchants. Bjorn Snorrason, Director of DalPay Internet Billing, stated: "As people experienced in selling online know, the credit card associations and most payment providers including major banks give no protection to merchants selling online."

    He added: "A transaction marked as accepted by a payment gateway, with proof of goods shipped by a merchant in good faith, does not in fact mean that the merchant is protected if the credit card is later found out to have been stolen. In fact the merchant will be liable for chargeback fines as well as return of the money from the credit card sale, and for the cost of the merchandise stolen from them."

    Massive thefts of credit card information such as the T.J. Maxx hack hurt online merchants most, because unlike card holders or brick and mortar stores, online merchants are entirely liable for card not present transactions even if they are not at fault. In the case of the 'T.J. Maxx hack' hackers got access to information from 826 TJ Maxx, 751 Marshalls and 271 HomeGoods stores in the US and Puerto Rico, 36 Bob's Stores in the US, and 184 Winners and 68 HomeSense shops in Canada, in some cases dating back to 2003. 455,000 customers who returned merchandise without receipts appear to have had personal data stolen - including driver's licence numbers. TJX's 210 shops in the UK and Ireland are also tought to have been effected.

    Recently, Bank associations in the US states of Massachusetts, Connecticut and Maine sued TJX Cos., the parent company, about the data breach, seeking class-action status. However, the banks' concern is to be reimbursed for replacement cards and card present transaction costs for which they are liable. This is of little comfort to the thousands of card not present online merchants who have been effected, and who will not get a cent.

    DalPay.com and some payment gateways offer fraud screening methods to their merchants to help them to screen transactions themselves, and ensure that merchants are completely informed about any known risk factors in accepting an order online. Snorrason added: "These stolen card numbers have clearly been circulating in the hacker underground for a long period, and have been used to perpetrate millions of dollars worth of fraud against merchants. Without help to protect themselves, merchants are completely vulnerable, and liable. While that may be satisfactory to issuing banks, the card associations, and many payment gateways, it is not acceptable that they fail to make this risk acceptance by merchants crystal clear to the merchants themselves. And that is a crime against fairness as serious as the fraud itself"