I think the answer is both, but there is another possibility: the physical card is skimmed locally by a vendor’s employee or with an installed skimmer.
Unfortunately, my experience and observations with some companies are that security breaches are now the ‘cost of doing business.’ I stop reading and start rolling my eyes when I see the words “We take security seriously.” They may pay for credit card monitoring for a couple of years–in my opinion, worthless–and there may be a lawsuit in which the lawyers get most of the money. But, it is largely forgotten after the next incident, which happens too frequently.
I do not mean to confuse security with privacy, but I have a point. Some companies’ privacy policies are not worth the bits used to store them. I have found customer service representatives who have not read them and do not know what they are. They also cannot answer questions about the terms.
Companies’ employees need to understand and be educated on both security and privacy to have any chance.
As for users’ systems, I sometimes work on my laptop near a public system, and I am absolutely astonished at how clueless about security and privacy some people are. I try not to pay attention, but I have seen people use it to access their e-mail, apply for credit, and do tax forms! Just browsing the system when it was not being used, I have found SSNs and dates of birth. One guy even left his Google accounts connected. My evil twin could have had a good time that day.
Those are the people who laugh at me about my dumb flip phone.
Security is hard enough on one’s personal system, and it is easy to overlook something, whether it is a Librem/PureOS system or not.
When I do discuss security and privacy with folks who are not ‘computer’ people, I tend to get shrugged shoulders and the fallacious “I have nothing to hide” argument. But, they will not give me their passwords or the keys to their homes.
I think it is only when people have to pay a significant amount of money or someone is held accountable that things will start changing. GDPR may be a good start and maybe we will see something like that in the US eventually. (I am not holding my breath. We have a decentralized model, and politicians would rather spend their time campaigning and lambasting each other, which never ends.) GDPR has its flaws, however. Asking a user to accept cookies without him or her knowing how the cookies are going to be used is a problem to me. So what?
Sorry for being long-winded, but you hit a hot button.