>>DISCLAIMER: the following is based on my reading/research and is not offered in any professional capacity. Readers should always do their own research and talk to their credit card companies. <<
The new cards (issued in the last year) with the visible “chip” on them are “Chip and Pin” or “Chip and Signature” cards. That visible chip is not an RFID chip; it is actually a form of computer that improves the security of your card. This is not readable from a distance. There were cards issued a few years ago that did have RFID chips that allowed you to wave a card at a scanner and conduct a purchase. Those cards that still offer that feature have (generally) had encryption added to the cards to make it harder to use any information picked up remotely.
By October of this year all retail merchants are supposed to upgrade their scanners to only accept the “Chip and Signature/Pin” technology. In Europe, you insert your card into a slot (vs swipe) and have to enter a secret 4-digit code (like you use with your ATM). However, the American credit card companies did some “market research” and concluded that we Americans would be upset if we had to do TWO new things to make credit card purchases. Examples of these terminals are in place at Walmart, Lowe’s, Target and Home Depot. Note that Target and Home Depot were where many MILLIONS of us had our credit card information stolen because those firms were hacked. Walmart, love them or hate them, has actually turned their readers on so you have to insert a Chip card vs swipe it.
That last point is vital: until most retailers turn on their Chip readers, any card can be read by a pocket skimmer and duplicated. I have a Marriott Signature card; it is very fancy, carbon fiber, and has a Chip. Well, one of the local restaurants has a bad apple and the card got skimmed, duplicated and used at a convenience store and then at a gas station. Visa figured it out, texted me and we killed the card. Last year the card was compromised at Lowe’s.
Now, using a card ONLINE is another can of worms. There are several vulnerabilities between you and the actual credit card payment processing company. First, always make sure you see https:// in the address bar of your browser (and the little green lock) before using a credit card online (this site has that feature so go look right now on your address bar). The rest of the vulnerabilities are, as far as I can tell, out of your hands. The larger the vendor, the better the odds that they have taken additional steps in compliance with a mandatory standard called PCI DSS 3.1; however, not all of those protections will be in place for another year or so.
So what else can you do? Personally, I’ve opted for several credit cards designated for different purposes. We use one card for online purchases, one for auto pay (some utilities are happy to bill my credit card), one for retail and one for travel. Some may say having four cards in play makes me four times as vulnerable, but oddly enough the card that has been replaced the most often is the card I use for retail purposes!
Now if someone out there is more involved in the PCI world, they are welcome to (politely) correct any misstatements or provide additional fact-based evidence.