The year 2014 was when consumers came to fear the data breach for real. According to the Identity Theft Research Center, there were 761 breaches in 2014 affecting more than 83 million accounts. Big names like Sony, JP Morgan Chase, the US Postal Service, Target, Home Depot and, most recently, Chick-fil-A are some of the notables that proved that even companies with deep IT pockets are at risk.
If you fear for your money, you’re not alone. According to the ISACA IT Risk/Reward Barometer, 94% of consumers have read about or heard of data breaches and 61% say they have a take-charge attitude rather than waiting for something to happen. (See 7 Ways To Protect Against Credit Card Hacks and Credit Card Breach: How To Stay Safe.)
But what does “taking charge” mean? Each additional company that has your payment information puts you more at risk. If you enjoy the convenience of a PayPal account – using it makes it quicker to handle online purchases and other payments, such as charitable donations – are you increasing the chance that your information could be stolen?
How safe is PayPal? Should you have a PayPal account or should you pay for all online purchases with a credit card and not add one more company to your list?
The PayPal Pros
According to PayPal, your data is safe. (But who wouldn’t say that?) PayPal states that your information is encrypted at the highest level commercially available. Its servers check your browser to make sure it employs the latest encryption technology, and your data is stored on servers that aren’t directly connected to the Internet.
Slava Gomzin, author of "Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions," supports their contention. “If you have a choice on the Web, always select PayPal,” Gomzin says.
PayPal even pays hackers if they find vulnerabilities in its systems. According to Dean Turner, director of security intelligence at PayPal, "If you care about the product [and] you care about your customers, you care about your customers' security – this is what you have to do."
What About Credit Cards?
Credit cards aren’t as straightforward. Cybersecurity advocates routinely blast the U.S. credit card industry for failing to phase in chip cards. Already used in European countries and many others, these cards offer an added layer of security not present in the United States. The lack of these technologies is a major reason the United States is such a big target for cyber thieves, according to Gomzin. (For more, read What You Need To Know About EMV Credit Cards.)
Nearly all credit cards are issued by banks – an industry more guarded and resistant to some of the cybersecurity practices that PayPal employs. According to the Financial Services Roundtable, the banking industry does not pay hackers to alert them to security flaws, for example. This year’s successful attack on JP Morgan Chase is proof that the banking industry is vulnerable despite its large teams of security experts.
PayPal, however, is the Holy Grail for hackers. Just because the company hasn’t been hacked doesn’t mean that it won’t be. Hackers are constantly trying to break into PayPal’s servers.
The best and brightest team of cybersecurity experts can only do so much. The rest is in the hands of the consumer. One study found that only 45% of consumers changed their password this year, and the most popular passwords are still “password” and “123456.” If your password is easy to remember, it’s probably easy to hack. It’s time to change it.
Check your bank and credit card statements as often as possible, don’t use the same password for everything, and don’t click on any link in an email, even if it looks legit. Instead, go to the company’s website yourself or call.
The Bottom Line
Should you use PayPal or your credit card? Because many of the data breaches came from physically swiping the card, and because PayPal gets high marks for its security practices, experts advise using PayPal when possible. However, don’t link it to your checking account. Instead, link to a credit card so you get your credit card’s fraud protections in addition to PayPal’s.