The bad guys that have this debit card data are not going to attack online merchants for goods that they will have to convert to cash. They have been walking straight to the ATMs for the green dollar.
The impact on merchants in the CNP world will be minimal; certainly no more than a few credit card numbers, and probably fewer. I do not think the CP merchants will feel it much either. Consumers, on the other hand, are going to take a huge hit. As you probably know, a credit card holder's liability is limited to $50 under FTC regulations, but I do not think there is any such limit for debit cards. The card holder is responsible for keeping the PIN private, and shame on him if it gets out and he does not report the card stolen.
And yes, the banks will almost certainly do what they can to keep their card-holding customers happy, particularly if the cleaned-out account can be traced to a PIN compromised by whoever, as it shakes out, is accountable. Will that responsibility always be traceable? I do not know. But even if the banks in the end cover those losses, the cardholder has to deal with his account being cleaned out and all that goes with it.
Fraud Protection in the Long Term
The big concern for the merchant, online and off, is that consumer confidence disappears. We already have confirmation that confidence in online transactions has been falling a bit. This first debit/PIN compromise by itself is survivable, but if it turns out that it was not a one-time thing and we have all of a sudden discovered that PIN transactions are not as safe as we thought, well, then online merchants are in trouble, and brick & mortar could be in trouble as well.
And I wonder how long the banks will be able to keep their debit card holders calm. When will they begin to pass the losses to the cardholders the way they already pass them on to the online merchants? It could become a matter of continued existence.