Credit card hackers exploit weaknesses in security rules

Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.

And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could be.

Gambling with data

The government leaves it to card companies to design security rules that protect the nation’s 50 billion annual transactions. Yet an examination of those requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to an analysis of data breaches dating to 2005.

Every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you’ll spend weeks straightening your mangled credit. Even if your transaction isn’t hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.

More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn’t detect it. Even the companies that had the payment industry’s top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.

Companies that are not compliant with the PCI standards — including one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don’t have to endure security audits, but can evaluate themselves.

Credit card providers don’t appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system.

That is of little consolation to consumers who bet on the industry’s payment security and lost. It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hackers in a breach traced to a Hannaford Bros. grocery store.

LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees — which were eventually refunded — while the banks investigated.

“Maybe somebody who doesn’t live paycheck to paycheck, it wouldn’t matter to them too much, but for me it screwed me up in a major way,” she said.

PCI standards

In 2006, the big card brands — Visa, MasterCard, American Express, Discover and JCB International — formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.

Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the compliance by 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones.

That leaves plenty of merchants out, but the main threat against them is a fine: $25,000 for big retailers for each month they are not compliant, $5,000 for medium-sized ones.

Computer security experts say the PCI guidelines are superficial. Tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.

“It’s like going to a doctor and getting your blood pressure read, and if your blood pressure’s good you get a clean bill of health,” said Tom Kellermann, vice president of security awareness for Core Security Technologies, which audited Google’s Internet payment processing system.

Merchants that decide to hire an outside auditor to check for compliance with the PCI rules need not spend much. Though some firms generally charge about $60,000 and take months to complete their inspections, others are far cheaper and faster.

PCI’s general manager, Bob Russo, said inspector certification is “rigorous.” Yet he also acknowledged that inconsistent audits are a problem — and that merchants and payment processors who suffered data breaches possibly shouldn’t have been PCI-certified.

The council is trying to crack down on shoddy work by requiring annual audits for the dozen companies that do the bulk of the PCI inspections. Smaller firms will be examined once every three years.