Just gonna give my 2 cents as someone in the infosec industry. First of all, never heard of IntelCrawler, so take their findings with a grain of salt. If they’re working with these companies, they suck at complying with NDAs. If they got this info from the carder underground, well, they’re not what we would call a credible source. Card brands have a very strict investigation / forensics protocol and allowing a third party to “disclose” such compromises is not part of that protocol. So let’s just assume it’s true: if you didn’t authorize a transaction (via PIN or signature), you’re not liable. Simple as that. If a retailer was compromised, they must disclose the compromise at least to the issuing banks, acquirers and card brands. Depending on the state they’re doing business in, they must publicly disclose the fact. tl;dr: if that’s not your signature on the receipt, you might have a little bit of a hassle, but you’re not liable.
