5 Steps to Keep Your Credit Card Safe When Shopping Online

Some security risks are beyond your control, but there are ways to protect your information and reinforce existing safeguards.

Melissa LambarenaJuly 8, 2020

Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own.

Online shopping with a credit card these days is generally pretty safe, but that's not to say there are no risks at all.

While you can't control things like a data breach at your favorite retailer, you can shop smart and make it harder for thieves to access your information and commit credit card fraud.

With some vigilance, maintenance and added layers of security, you can protect your credit card information and your online shopping experience.

Nerd tip: If you're using a credit card instead of a debit card for online purchases, you’re already making a smart choice. That's because credit cards offer greater fraud protections than do debit cards. Federal law caps your liability at $50 for unauthorized transactions you report within 60 days, and most major credit card issuers offer zero-liability protection on top of that.

1. Use a private device and a secure connection

Shop in private, away from curious eyes and potentially prying public devices.

With a communal computer — say, in a library or lobby — websites can save login information and leave accounts vulnerable to the next user. Even if you log out of a public computer, you run the risk that spyware might be installed that can record keystrokes and gain access to usernames, passwords, credit card numbers and personal information.

Using your own personal laptop or tablet is safer, but it’s not entirely foolproof. Information can still be stolen over a public Wi-Fi connection. Shop online only with a personal device and a private Wi-Fi connection. You might also consider subscribing to a virtual private network, or VPN, which can encrypt your data. It adds a layer of security to both private and public networks.

2. Investigate the merchant and the URL

If you receive an email with a link to a website, avoid shopping directly through that link — even if it is a big, well-known company. Instead, navigate to the site through your web browser. You can go directly to the site if you know the address or bring it up on the search engine by looking up the merchant’s name. This could protect your device from a possible phishing attack, in which fraudsters use official-looking email addresses and logos to try to trick you into handing over your information.

If the merchant isn’t well known, some research may be necessary to prevent a potential security breach. Start by looking up the merchant’s name on the Better Business Bureau’s website. You can also explore consumer reviews on social media, the merchant’s direct website, blogs and search engines to find out whether customers had any complaints about the retailer, its security features or its products.

Lastly, before adding your credit card information at checkout, give the page’s web address another look in case you accidentally skipped a letter and landed on an unsafe website that looks deceptively like the merchant’s official page.

3. Pay with an added layer of security

Third-party digital wallets, such as Apple Pay and Google Pay, can offer added protection because they don’t provide your credit card information to the merchant. Instead, they serve up a one-time virtual account number for each purchase, a process called "tokenization." Apple even goes as far as not storing your account number on your device or on Apple servers, according to its website.

Not all websites accept mobile wallet payments, but your credit card might offer "virtual account numbers" that work the same way. Capital One and Citi, for example, offer this option on some of their credit cards.

Nerd tip: You never need to give out your Social Security number to make a simple purchase. If a website seems to be asking for more information than is normal or necessary, consider it a red flag.

4. Use your credit card app’s security features

Credit card mobile apps often have a broad range of security features that you can set up to prevent fraud on your account, including:

  • Two-factor authentication: If someone does get their hands on your credit card account's login details, setting up two-factor authentication can block them from accessing more information. In addition to your login and password information, it adds a second step like requiring a passcode via text or email to ensure that you’re the one accessing the account. As a general safety practice, avoid using the same login and password on different apps and websites. Especially avoid repeating your credit card account's login details on other merchants' apps or websites.

  • Account alerts: You may have the option to set up alerts via text or email for “card not present” transactions (meaning online purchases). You can also do this for instances in which the balance and/or transaction exceeds a designated amount. Or you can simply set up alerts for transactions of any kind. This can help you spot unauthorized transactions and dispute them quickly.

5. Schedule routine maintenance

Keeping your credit card details safe requires effort and maintenance, including:

  • Updating apps, browsers, firewalls and anti-virus software automatically or manually on devices.

  • Keeping contact information up to date on issuers' apps and websites so that you may be reached about possible fraudulent activities.

  • Using strong passwords and changing them regularly on credit card issuers’ and merchants’ platforms.

  • Setting aside time to review credit card statements for unauthorized transactions and disputing fraudulent charges.

We want to hear from you and encourage a lively discussion among our users. Please help us keep our site clean and safe by following our posting guidelines, and avoid disclosing personal or sensitive information such as bank account or phone numbers. Any comments posted under NerdWallet’s official account are not reviewed or endorsed by representatives of financial institutions affiliated with the reviewed products, unless explicitly stated otherwise.