Lazy trips to Target aren’t an option in 2020 — this year, holiday shopping is all about finding the perfect gift on the World Wide Web. And while digital payment systems like Apple Pay and Shop Pay have made the checkout process nearly seamless, there's still a huge risk of fraud.
According to Adam Levin, chairman and founder of identity protection firm CyberScout, it’s a “cat-and-mouse” situation between the bad guys and the retail industry.
“When you’re dealing with hackers, you’re dealing with sophisticated, creative and extremely persistent people,” Levin adds. “Protections that most retailers and financial institutions have are advanced, robust and constantly evolving to meet the highest standards — but there’s a lot of money on the side of evil.”
In brick-and-mortar stores, the primary financial threat occurs at the point of sale. Think: Physical devices that skim your debit card and steal the info when you slide it into an ATM.
But Levin says that with online shopping, there are two major considerations. First, how does a system secure your data as it travels from you to the company, and second, how does a system store your data once it’s reached the company?
Luckily, it’s not the wild west; there are some hard rules. Card issuers like American Express and Visa got together in 2006 to form the Payment Card Industry Security Standards Council, which sets policies to ensure companies that deal in credit card info do so safely. The details of this so-called PCI compliance are super complicated and not worth getting into here, but the broad strokes are that systems are supposed to utilize hardware and software to reduce fraud.
“The purpose is so, as a business, you can do what you do and know that your customers’ data is secure against compromise from the inside and outside,” Levin adds.
These details are also very complex, but most use encryption, tokenization and data masking. They make it so your actual credit card info isn’t floating around after a purchase — only a disguised version of it.
Apple Pay, for example, “doesn’t store or have access to the original credit, debit, or prepaid card numbers” customers use, according to its website. The info is initially encrypted when someone enters it. Then Apple “decrypts the data, determines your card’s payment network, and re-encrypts the data with a key that only your payment network (or any providers authorized by your card issuer for provisioning and token services) can unlock.” Google Pay and Shop Pay have a similar setup.
This kind of encryption generally makes the systems safe to use, says the National Retail Federation’s Leon Buck.
So how can you play Santa safely?
Levin advises people to never shop on a shared computer or public wifi because they’re easy for strangers to exploit. You could even set up a VPN to make things uber-secure.
He also says to avoid ordering items by clicking on links — if there’s something you want from a store, it’s safer for you to (carefully) type in the URL myself so you know exactly where you're going.
“Some people go, ‘Well that's a pain in the butt,’” Levin adds. “That has no pain in it compared to the level of pain you'll face if you have to go through the agony of identity theft or credit card compromise.”
When you're ready to check out, it’s better to use a credit — not debit — card, because most credit card firms offer $0 fraud liability. Many debit card companies limit liability too, but credit card lenders tend to display more urgency in locating stolen money.
Bottom line? Tokenized systems like Google Pay, Shop Pay and Apple Pay are pretty secure, but there are a couple of steps you can take to give yourself an extra layer of security.
After all, you've got to look out for No. 1.
“The ultimate guardian of the consumer is, has been and will always be the consumer,” Levin says. “No one has more interest in our financial security than we do.”
More from Money:
Rates are subject to change. All information provided here is accurate as of the publish date.