This is a great point. The issue here is this: the actual card, the physical plastic and the data encoded in it belongs to the issuing bank. There's no question about this. If you challenge a transaction, the issuing bank must prove that the cardholder authorized said transaction. If your signature is not there, you didn't authorize the transaction (let's just remember that there's a finite number of credit card numbers, and they follow a pattern, so it's not that hard to come up with a "valid" number) and that's it. If you authorized a transaction though a PIN, things are a little bit more complicated. Let's say you went to Target, bought a bunch of stuff and authorized your credit/debit card transaction via PIN. Supposedly, your PIN is unique and bears as much value as your signature, but a POS malware can capture it. That's when these anti-fraud procedures come into effect: if you start looking at a bunch of fraudulent transactions that were authorized with a PIN and have a common merchant, say, Target, you're covered. I buy something at compromised Target, you buy something at compromised Target and 45 million people do the same. All of the sudden, our credit cards are being used fraudulently. The common denominator is Target. You can infer that Target was compromised and it was not your fault that your card was used fraudulently. Card brands have been trying to shift the liability to the cardholders for at least 15 years, but this is very complicated to do in the US due to the lack of EFT (aka chip and pin). The bottom line is: it costs less to the issuing banks to cover the costs of fraud than to adopt EFT. Until they do so, you're not liable. Again, you might have to fight it, but if you didn't authorize the transaction, you won't pay for it.