In perhaps past six months, I have had to do the two-factor authentication for some EMT's that I create - I do not recall ever doing that for a credit card purchase. So far as I know, the "hack" occurs behind all of that - either by an employee of an otherwise legitimate payment processor, or by someone who has "hacked" their way into the payment system. As previously mentioned on CGN - I do not think most retail people even get to see your credit card information for an on-line purchase - unless you phone them and read out your numbers to the person on the phone - is all handled by a payment centre in Ireland or India or somewhere ...