The complex systems that retailers use to process and protect customer data have vulnerabilities in a number of areas that a cyberattacker might exploit.
The recent attack that exposed millions of Target customers' credit and debit card information involved malicious software on point-of-sale terminals where customers pay, according to a person familiar with the investigation.
Other big security breaches have been inside jobs. It's also possible for attackers to access computers that aggregate transaction information and transmit it to outside credit card companies.
"Criminals could intercept the card information in computer memory, even if it's there for less than a millisecond," said Avivah Litan, a financial services security analyst at Connecticut-based research firm Gartner.
In recent years, a wide range of companies have fallen victim to cyberattacks. With information on 40 million accounts stolen, the recent Target break-in ranks among the top 20 or so known data breaches recorded by the Open Security Foundation.
In a cyberattack on software company Adobe Systems Inc. a few months ago, hackers compromised an estimated 152 million records of all types, including the source code for some popular products.
The retail industry has been a regular victim of major attacks. In 2007, a hack of TJ Maxx parent TJX Cos. Inc. exposed the records of an estimated 94 million credit cards and transaction details, according to the Open Security Foundation's website www.datalossdb.org.
Target spokeswoman Katie Boylan said that the Minneapolis-based retailer was also affected by an intrusion in 2007, but that it was much smaller and involved a number of retailers.