Shocking: A cybersecurity firm found that 90% of credit card readers still use the same default password they have had since 1990.

This is a facepalm moment for credit card issuers and retailers. Nearly all credit card readers in the United States are still using the default password, which makes them easy for cyber criminals to hack into.

The passcode, set by default on credit card machines since 1990, has been exposed for so long there’s no sense in trying to hide it. It’s either 166816 or Z66816, depending on the machine.

Using either of the two passwords, an attacker can gain complete control of a store’s credit card readers, potentially allowing them to hack into the machines and steal customers’ payment data. No wonder big retailers like Target and Home Depot keep on losing our credit card data to hackers.

Researchers at Trustwave, a cybersecurity firm, were quite flummoxed to find that retailers still use decades-old passwords for credit card readers. Trustwave executive Charles Henderson explained that, armed with these passwords, hackers can gain administrative access to the card readers and infect them with malware that steals credit card data. Henderson presented his findings at last week’s RSA cybersecurity conference in San Francisco in a presentation called “That Point of Sale is a PoS.”

Device makers sell machines to special distributors. These vendors sell them to retailers. But no one thinks it’s their job to update the master code, Henderson told CNNMoney.

“No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Henderson said. “We’re making it pretty easy for criminals.”

To arrive at this conclusion, Trustwave researchers studied the credit card terminals at more than 120 retailers nationwide. Henderson stated that these included major clothing and electronics stores, as well as local retail chains; however, he did not name specific retailers.

According to Trustwave, the majority of the machines in operation in the US are manufactured by Verifone, but the researchers found the same issue to be present across all major terminal makers.

A spokesman for Verifone said that a password alone isn’t enough to infect machines with malware. The company said that, until now, it “has not witnessed any attacks on the security of its terminals based on default passwords.” As an afterthought, the spokesperson added that retailers are “strongly advised to change the default password.”

The fault, however, lies with the retailers, as they should be securing their own machines. Consider one case Henderson investigated recently. Nasty keystroke-logging spyware ended up on the computer a store uses to process credit card transactions. It turns out employees had rigged it to play a pirated version of Guitar Hero and accidentally downloaded the malware.

“It shows you the level of access that a lot of people have to the point-of-sale environment,” he said. “Frankly, it’s not as locked down as it should be.”