It can happen in an instant.

Employees at your local department store, repair shop or supermarket just have to turn their backs to you for a fraction of a second to swipe your credit card with skimmers connected to their belts. Once they do, they have your credit card information. They can then do with it what they want.

"These issues happen almost daily," says Yair Levy, professor of information systems and cybersecurity at Nova Southeastern University's Graduate School of Computer and Information Services in Fort Lauderdale, Florida. "I don't think consumers understand just how at risk their credit card information is when they shop."

Credit card breaches have certainly made the news. Major retailers Target, Neiman Marcus and Michaels Stores all reported headline-making credit card breaches in recent months, in which hackers stole the financial information of millions of consumers.

It's questionable, though, whether even the headlines are causing consumers to take extra steps to protect their credit card information when they shop.

"I don't know how much these breaches are changing the way consumers shop," says Markiyan Malko, director of product management for Merchant Warehouse, a Boston-based payment technology provider. "I know that I don't not shop at Target because of the breach it suffered last year."

That's a dangerous combination: high-tech thieves and consumers who take few precautions.

Point-of-sale problems

Part of the problem lies with the point-of-sale (POS) systems that businesses increasingly use to process customer transactions. These computerized networks allow retailers to collect sales information that can help them better understand customers and their spending habits. But they are also prime targets for hackers, who want to break into the systems to steal credit card data.

Jason Richelson, co-chief executive officer and founder of New York-based ShopKeep, which sells POS systems, says that too many retailers are focused on other issues to make boosting the security of their POS systems a priority.

"Small retailers have a lot of other problems to worry about," Richelson says. "They have to worry about employees stealing from them, about whether someone didn't show up for work. They're not focused on viruses or someone hacking into their PCs. That is on the bottom of the list of things to worry about."

The United States Computer Emergency Readiness Team, or US-CERT, has released several reports on credit card breaches and POS systems. According to the government agency, hackers often install memory-parsing malware on Windows-based cash-register systems at individual check-out lanes or on main servers. Hackers can then extract the data stored in the magnetic strips on the back of credit cards.


Retailers, though, can take steps to protect their consumers from breaches. US-CERT recommends that they use strong, difficult-to-guess passwords for their POS systems. A surprisingly high number of retailers simply use a default password that comes with their systems. US-CERT says that these default passwords are far too easy to guess.

US-CERT recommends, too, that retailers update their POS software with the latest patches and versions when they become available, install firewalls to keep hackers away from their systems and use anti-virus programs to catch malware before it attaches itself to the systems.

What about consumers? What steps can they take to protect their personal information when making credit card purchases? Not as much, unfortunately.

Levy says that consumers need to be vigilant when they hand their credit cards to waiters, cashiers and gas-station attendants. This means that consumers should never let their credit cards out of their sight.

"Keep an eye on your card at all times," Levy says. "In a restaurant, if this means walking with your server to a terminal in the back, do it."

Levy also recommends that consumers check their credit card accounts online every day. This way they can quickly identify questionable purchases. It helps, too, to use the right credit cards. The bigger card issuers will study consumer spending patterns. If they notice something unusual -- say your card shows a purchase in Los Angeles when you actually live in Chicago -- they might disable your credit card and send you a fraud alert. You can then contact the card issuer if that Los Angeles purchase was indeed fraudulent.

Malko says that the only way for consumers to completely protect themselves is to always pay with cash when shopping. Not all consumers can do this, though. Safety then becomes a matter of making good common-sense choices, Malko says.

When shopping online, consumers should only provide credit card information to websites that have the "https" marking at the beginning of the URL. These websites use encryption techniques to keep hackers from stealing their shoppers' personal data. Malko also says that consumers should never give websites -- even ones they visit often -- the option to remember their credit card data. Hackers can nab that data too easily, he says.

When shopping in the bricks-and-mortar world, consumers should know that larger retailers are usually -- thought not always -- safer than smaller ones, Malko says.

"For the little convenience stores on the corner, if you have cash, pay in cash," Malko says. "You don't know what systems they have. You don't know if they maintain it. You can feel safer at a larger retailer. Of course, there is no 100-percent guarantee. But if you use your credit card at a smaller merchant or on a website that looks kind of hokey, you are taking a risk."

Featured Partner Cards