
How to keep your credit card details from being stolen online

Having a credit card compromised is a major pain in the wallet. Fortunately, there are protections in U.S. law that limit your losses, and there are steps you can take to minimize the risk.
Written by Ed Bott, Senior Contributing Editor

There's nothing quite like the sinking feeling in your stomach when you discover that someone has stolen your credit card information and begun using it online. Eventually, that feeling of astonishment is replaced by a seemingly endless series of steps as you try to recover from the damage. At a minimum, you have to get the compromised card replaced and then change all your online payments.

Is there a way to minimize the risk that this will happen again?

For starters, realize that you probably have protections under existing laws. For cardholders in the United States, provisions in the Fair Credit Billing Act mean your actual losses are limited to $50, provided you notify the card issuer as soon as you become aware of any theft or unauthorized use. Most card issuers have fraud detection capabilities that will alert you immediately in the event of a suspicious transaction and protect you from any loss. 

One important caveat here: These fraud protections do not apply to debit cards, even if the card has the logo of a major credit card issuer. The Electronic Fund Transfer Act offers similar protections if you report an unauthorized transaction within 48 hours, but after that you're on the hook for $500 in losses, and the limit vanishes completely if a fraud goes unreported for 60 days. (For details, see this FTC page: "Lost or Stolen Credit, ATM, and Debit Cards.")

Even with those protections, there's always a risk with any online transaction. Here's how to minimize your risk. 

  1. Be vigilant about sites where you use your card. Make sure the page is secure and that the merchant is trustworthy. If you don't recognize the merchant or the site seems suspicious, think twice before entering your card details. 
  2. Avoid storing your card details unnecessarily. You can probably waive this precaution for top-tier merchants like Amazon and Apple, but it's really not that inconvenient to re-enter a card number for smaller merchants that you do business with occasionally. (Obviously, you can't avoid this for recurring payments.) 
  3. Use Apple Pay, Google Pay, Samsung Pay, or other digital wallets whenever possible. Those systems use virtual account numbers tied to your device, which means in the event of compromise, your actual card number is not revealed. (For details on virtual card numbers, see these support documents from Google and Apple.) 
  4. Create your own masked card. The free Privacy.com service, for example, lets you create virtual credit cards for specific merchants. Each virtual card looks like a standard credit card, but it's tied to your bank account or a credit card. You can assign per-transaction limits or set an overall maximum charge for one of these cards, making it impossible for an unscrupulous merchant to turn a small charge into a larger one without your consent. We've used this service and can recommend it enthusiastically. 

In addition to all that, be sure to install the mobile app for your credit card and turn on notifications. That way, in the unlikely event your card is compromised, you'll know immediately and can use the app to temporarily disable the card while you contact the issuer for help.

