There are a few ways to pay with a credit card. They’re all vulnerable to attack from industrious criminals, but some are more vulnerable than others…
Point-of-Sale (POS) Terminal
You hand your card to an employee, who swipes it at the POS terminal. After encryption, your credit card information goes over the phones to a payment processor.
Untrustworthy employees, to be blunt. Dodgy employees have been surreptitiously stealing credit card numbers for ages. A fairly common technique is to swipe the card through a small scanner before putting it through the store’s POS terminal.
But while cashiers can very easily steal credit card numbers, they don’t need many to make it worthwhile and they can very easily be caught, so they’re not usually stealing high volumes of card numbers.
You type your card number into a form on a website. A web server takes your credit card number and other associated data, encrypts it, and sends it over the Internet to an online payment processor.
A hacked website or hacked computer. A publicly accessible website that has been hacked may be capturing credit card numbers and sending them off to criminals. Your computer or the computer in use by a phone agent may have been compromised.
Hacking websites requires a great deal more skill and effort but results in very many more stolen cards—numbering in the millions in the most high-profile cases. Website hacking is common because hackers can harvest a lot of data at once. If your PC has been compromised, hackers may be logging and sending off every keystroke.
Over Phone With Agent
You speak your card number over the phone to a phone sales rep. The sales rep acts much like a cashier here. They enter your card data into a POS terminal or a virtual POS terminal that encrypts your card number and sends it to a payment processor either over phone lines or over the internet.
As with POS terminal sales, less-than-savory sales reps can steal card numbers over the phone just like they can in person; again, at their own great risk. Unlike POS terminal sales, there’s also a risk of someone tapping your phone and listening in on your conversations. However, criminals out to steal credit card numbers aim for volume, so targeting a single person is too much of a pain.
Over Phone With IVR
You type your card number on the telephone keypad and an IVR server captures and transfers the number to a web server that encrypts the data and sends it over the Internet to an online payment processor.
Someone could tap your phone line and listen to your conversation. Although, again, that only nets…one credit card number if the hacker happens to be listening at the right time.
Fortunately, it’s impossible to hack an IVR by talking to it over the phone. Also, the web servers that process these transactions are hidden from the Internet, and hackers generally can’t hack what they can’t see.
So, Which is Safest?
Well, it depends on the situation and, frankly, your luck. Having said that, however, IVR does offer a less inviting prospect for fraudsters. It’s hard to steal card numbers during an IVR interaction, and it doesn’t yield a large volume of card numbers, anyway.