'If merchants are storing [cardholder] information ... they should encrypt it. If they don't need that information, they need to change their business practices and get rid of that cardholder data.'

Cardholder information, stored on a server, for example, could be an easy gold mine for criminals, he said.

'You don't need to have a direct internet connection for a criminal to get into the system. If you have got an external email system or a corporate internet system that could be the hole that lets a criminal in.'

John Albertson, chief executive of the New Zealand Retailers Association, said the primary responsibility for the security of credit cards lies with customers, but that retailers have a responsibility to ensure that credit card information is not made available to anyone.

'In terms of card security overall, the key security point is with the customers themselves, for example, making sure that PIN numbers are kept absolutely confidential,' he said.