Fraud Protection on the Short term
The bad guys that have this debit card data are not going to attack online merchants for goods that they will have to convert to cash. They have been walking straight to the ATMs for the green dollar.
The impact on merchants in the CNP world will be minimal; certainly no more than a few numbers of credit cards but probably less. I do not think the CP merchants will feel it much either. Consumers, on the other hand, are going to take a huge hit. As you probably know, credit card holder’s liability is limited to $50 under FTC regulations but I do not think there is any such limit for debit cards. The card holder is responsible for keeping the PIN private and shame on him if it gets out and he does not report the card stolen.
And yes the banks will almost certainly do what they can to keep their card holding customers happy, particularly if the cleaned out account can be traced to a compromised PIN by whoever it shakes out is accountable. Will that responsibility always be traceable? I do not know. But even if the banks in the end cover those losses, the cardholder has to deal with his account being cleaned out and all...