The fastest-growing segment of credit card transactions today are so-called "card-not-present" transactions where the customer is not physically present at the merchant's location and simply gives a credit card number over the telephone. Card-not-present transactions are almost totally unprotected...the merchant has no idea whether or not you're actually the legitimate cardholder, and you have no idea whether the minimum-wage telephone clerk on the other end of the line is keeping private copies of card numbers.
The other class of transactions where you actually present your card to the merchant are a bit better protected, but when the merchant swipes your card through his Verifone terminal and gets an electronic authorization, the entire contents of the mag stripe (card number, expiration date, and DES-encrypted checksum) are sent over the phone at 1200 baud in clear ASCII. So anybody with a $15 tape recorder and a set of clipleads can easily capture every card swiped at a place of business.
In view of this, sending credit cards over the Internet represents no meaningful incremental increase in exposure. There are 60 trillion bytes of information blasting through the information pipeline every second. In this way you have true security through obscurity.
The form we use is more secure than if you had used your credit
card in a restaurant or given it to the reservations desk at the airport
or over the phone to a hotel. Think of how many hands your credit card goes through in a restaurant-- The waiter, the cashier, the manager, the accountant and whoever sweeps up at night.
How It works...
The Internet connects any computer to any other. Obviously there isn't a single connection from each computer to each of the others, any more than your telephone has a direct connection to every other telephone in the world. The telephone system uses exchanges; the Internet uses special-purpose computers called "routers", whose sole function is to receive packets of data and send them on towards the correct destination. When a message goes from one computer to another, it is split into fragments which are then passed from router to router until they reach their destination (on a journey across the United States, it is not unusual for 10 routers to be involved). The routers are owned by the telecommunications companies and Internet service providers, and are physically pretty secure.
It is extemely unlikely that anyone could intercept communications at this level, and impossible for them to do it without being detected. Remember, each packet of data spends only a small fraction of a second in transit.
1. The unauthorized person who has your number, but not your card, also needs to have an appropriate ship-to address. They can't buy anything unless they can wait for a package at your address while you are gone. If they can get a seller to ship a purchase to another address, that address becomes a matter of record and can help apprehend them.2. The credit card company limits your liability, as regulated by law.