Most people’s real card details are stored in far more places than they realise. A streaming subscription here, a delivery app there, an online store used once three years ago — each of those merchants has your card number in a database somewhere, typically for longer than you’d expect.
You can’t undo past exposure. But you can change how you pay from today forward. Here’s how to shop online without putting your real card details at risk.
Why your real card details are more exposed than you think
Every time you save your card at checkout, that information is retained by the merchant or their payment processor. Most reputable sites use tokenisation and encryption to protect stored card data, but “most” is not “all” — and even reputable companies get breached.
The exposure compounds over time. A card you’ve used for ten years of online shopping might be stored across dozens of merchant databases — some active, some long-defunct, all potentially holding data that could be exploited if their systems are ever compromised.
Method 1: Use a virtual card for every online purchase
The most direct solution is to stop giving merchants your real card number. A virtual card generates a unique number for each use — you can create a new one for each merchant, or use a single-use card for one-off purchases.
The practical benefits:
- A breached merchant database exposes only a virtual card number — not your real one
- You can delete a virtual card instantly if a charge looks suspicious
- Merchant-locked cards cannot be used at any other site, even if the number is stolen
For tools that offer this kind of control, this guide to alternatives to privacy.com compares the main options available. Halocard is one worth considering, particularly for straightforward one-card-per-merchant management.
Method 2: Use PayPal or a digital wallet as a protective layer
If you’re not ready to switch to virtual cards entirely, PayPal and digital wallets (Apple Pay, Google Pay) offer a similar protective mechanism: the merchant doesn’t see your real card number at checkout. A token or PayPal’s own payment identifier is passed instead.
PayPal: Widely accepted, good buyer protection, but you’re dependent on PayPal’s own dispute resolution process, and not every merchant accepts it. PayPal also retains your real card on file behind the scenes.
Apple Pay / Google Pay: Excellent security through device-level tokenisation and biometric authentication, but only works on supporting merchant sites and compatible devices.
These are solid options for many situations, but they offer less granular control than a dedicated virtual card — you can’t set per-merchant spending limits or generate disposable one-use numbers.
Method 3: Use a dedicated low-limit card for online shopping
If you want a simple approach that doesn’t require signing up for a new service, consider setting up a separate credit card exclusively for online purchases — one with a deliberately low credit limit.
The benefit: if this card is ever compromised, the damage is bounded by the limit. You cancel and replace just this card, updating your online subscriptions, while your primary card is completely unaffected.
The trade-off: managing two physical cards, and the low limit may be a practical constraint for larger purchases. This is a reasonable transitional approach while you explore virtual card options.
A quick-reference checklist for safer checkouts
- Check for HTTPS and the padlock icon before entering any payment details
- Avoid entering payment details on public WiFi without a VPN
- Don’t save your card on a merchant’s site on your first purchase
- Set up real-time transaction alerts on your account
- Use a strong, unique password for every account that holds payment data
- Enable two-factor authentication on email and financial accounts
A note on merchant data retention
Even when you pay safely, merchants typically retain other data — your name, address, email address, and purchase history. This is separate from payment data and is governed by each merchant’s privacy policy.
You can limit this over time by creating accounts only on sites you use regularly, and by reviewing account deletion options for services you no longer use. The UK National Cyber Security Centre’s guidance on shopping online securely is an excellent practical reference, and the FTC’s safe online shopping resource covers the US consumer protection angle in detail.
