Companies are allowed to store your credit card details — that’s what makes shopping online so easy. However, that also puts your credit card information at risk.
Luckily, merchants aren’t free to do whatever they want with your private financial information. There are limits on what information they can store and specific industry guidelines they have to follow if they choose to accept credit cards as a form of payment.
Is It Illegal for Retailers to Keep Credit Card Details on File?
It isn’t illegal for companies to store your credit card information. However, the legal requirements for storing credit card information don’t matter as much as the standard set by the major players in the credit card industry. With the help of the Payment Card Industry Security Standards Council (PCI SSC), credit card companies enforce the Payment Card Industry Data Security Standard (PCI DSS) to ensure retailers process, store, and share cardholder information securely.
There may be social, legal, and financial consequences for anyone who fails to comply with the PCI DSS. A company’s reputation could be compromised, leading to a loss of customers. Credit card companies may impose fines, which can add up quickly. In the case of serious violations, a retailer may face an audit from the Federal Trade Commission.
It doesn’t matter whether a company is non-compliant intentionally or by accident. For customers, the outcome is the same either way: their card information is now at risk.
What Cardholder Data Can Be Stored?
If a merchant needs to keep your cardholder information, they are not permitted to store all of it. Per the PCI DSS data storage best practices, retailers cannot retain:
- The full contents of a card’s magnetic stripe (or the equivalent track data read from an EMV chip);
- The security code (known as the CVV or CVV2);
- The personal identification number (PIN).
Retailers should only keep this sensitive authentication data as long as needed to authorize a purchase. It must be properly deleted once the transaction is complete.
They can, however, keep:
- The primary account number (PAN);
- The cardholder’s name;
- The service code;
- The card’s expiration date.
Merchants are required to protect the information they do store — especially the PAN, the number on the front of your card. It must be rendered unreadable wherever it is stored, and it must be masked whenever it is displayed, usually showing only the first six or last four digits. Other pieces of cardholder data must have similar protections if they are stored together with the PAN.
Businesses should not store your information any longer than necessary. There must be a plan to destroy the information once it is no longer needed.
The PCI DSS recommends that merchants avoid storing cardholder data whenever possible, because not storing it is inherently safer. After all, data can’t be compromised if it doesn’t exist.
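As an added illustration of the storage rules above (this is example code written for this article, not anything published by the PCI SSC or a particular merchant), the following Python turns an authorization-time record into one a merchant is allowed to keep: it drops the sensitive authentication data, masks the PAN to the first six and last four digits for display, keeps only a keyed one-way hash of the PAN for lookups, attaches a purge date, and audits any stored record for forbidden fields or a cleartext card number. The field names, the sample record and the 90-day retention window are assumptions made up for the demonstration; the card number is a standard test number.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample of what a merchant sees at authorization time. Field names are
# assumptions for this illustration; the PAN is a well-known test number, not a real account.
SAMPLE_AUTH_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A. Example",
    "expiry": "12/29",
    "service_code": "201",
    "cvv2": "123",
    "pin": "4321",
    "track2": "4111111111111111=29121011234567890000",
}

# Sensitive authentication data: none of it may be kept after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2", "chip_data"}
# Cardholder data a merchant may retain, provided the PAN is protected.
PERMITTED_FIELDS = {"pan", "cardholder_name", "expiry", "service_code"}
# Fields that hold a keyed hash rather than a PAN, so the cleartext-PAN audit skips them.
HASHED_FIELDS = {"pan_fingerprint"}


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell a real-looking PAN apart from other runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN (HMAC-SHA256) for duplicate detection without storing it."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def to_storable_record(auth: dict, key: bytes, today: date, retention_days: int) -> dict:
    """Reduce an authorization record to what a merchant is allowed to keep."""
    stored = {k: v for k, v in auth.items() if k in PERMITTED_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(auth["pan"])
    stored["pan_fingerprint"] = pan_fingerprint(auth["pan"], key)
    # Retention limit: the record must be purged once it is no longer needed.
    stored["purge_after"] = (today + timedelta(days=retention_days)).isoformat()
    return stored


def storage_violations(record: dict) -> list:
    """Audit a stored record: forbidden SAD fields, or a cleartext PAN inside any value."""
    problems = [f"forbidden field stored: {k}" for k in record if k in SENSITIVE_AUTH_FIELDS]
    for k, v in record.items():
        if k in HASHED_FIELDS:
            continue
        for run in re.findall(r"\d{13,19}", str(v)):
            if luhn_valid(run):
                problems.append(f"cleartext PAN in field {k}")
    return problems


if __name__ == "__main__":
    safe = to_storable_record(SAMPLE_AUTH_RECORD, b"demo-key", date.today(), 90)
    print("stored record:", safe)
    print("violations in raw record:", storage_violations(SAMPLE_AUTH_RECORD))
    print("violations in stored record:", storage_violations(safe))
```

The audit function is the part worth reusing: run it over whatever a system actually persists (database rows, log lines, support tickets) rather than over what the code intends to persist, since the page's point is that accidental storage counts the same as deliberate storage.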
Storing Credit Card Details on Paper
Businesses can also store credit card information on paper. The same rules apply to both physical and digital storage: sensitive authentication data can never be stored, but other pieces of cardholder data can.
Storing information on paper does eliminate the possibility of information getting stolen online, but it does not eliminate the risk of theft entirely. Someone could easily find the information on a piece of paper and steal it for future use.
For this reason, merchants need to physically secure cardholder data stored on paper, such as in a locked drawer or safe. They also need to limit who has access to that information and only reference it when necessary.
Storing Information for Recurring Transactions
PCI DSS guidelines aren’t any different for recurring transactions, such as automatic bill pay or monthly subscriptions. Merchants cannot hold your sensitive authentication data to process recurring transactions, even if you give them written or verbal permission to do so.
The PCI SSC encourages merchants to work with their bank or payment brand directly for assistance with recurring payments. In practice, this means merchants often use a third-party card vault to “tokenize” the data.
The third-party vendor stores the card information and gives the retailer a “token.” The token contains no actual credit card information, so to merchants and would-be thieves it is just a meaningless string. The merchant sends the token to the payment processor, which can map it back to the original card data in order to process the transaction.
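The following Python is an added sketch of the tokenization flow just described; it is not code from any real card vault or processor. It assumes a toy in-memory vault, tokens drawn from a random generator so nothing about the PAN can be recovered from the token itself, and a simple “processor” role as the only party allowed to turn a token back into a card number. The merchant-side record keeps only the token and the last four digits.

```python
import secrets


class TokenVault:
    """Illustrative card vault: keeps the PAN, hands the merchant an unrelated random token."""

    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a fresh random one the first time it is seen."""
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(16)   # random; not derived from the PAN
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment processor role may recover the PAN behind a token (assumed policy)."""
        if caller_role != "processor":
            raise PermissionError("only the payment processor may detokenize")
        return self._token_to_pan[token]


def enroll_subscription(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps on file for a recurring charge: a token and the last four digits."""
    return {"payment_token": vault.tokenize(pan), "card_last4": pan[-4:]}


def charge_recurring(vault: TokenVault, merchant_record: dict, amount_cents: int) -> dict:
    """Processor side: recover the PAN from the token and record a (simulated) charge."""
    pan = vault.detokenize(merchant_record["payment_token"], caller_role="processor")
    return {"charged_pan_last4": pan[-4:], "amount_cents": amount_cents}


def merchant_can_detokenize(vault: TokenVault, token: str) -> bool:
    """True only if a caller in the merchant role could recover the PAN; it should not be able to."""
    try:
        vault.detokenize(token, caller_role="merchant")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    on_file = enroll_subscription(vault, "4111111111111111")   # test number, not a real card
    print("merchant stores:", on_file)
    print("processor charges:", charge_recurring(vault, on_file, 999))
    print("merchant can detokenize:", merchant_can_detokenize(vault, on_file["payment_token"]))
```

A stolen copy of the merchant's records yields only tokens; without access to the vault they cannot be turned back into card numbers, which is the property the page is describing.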
Can Cookies Store Credit Card Information?
Cookies are pieces of data stored locally on your computer that contain information about you, your preferences, and your browsing habits for the websites you visit. They can be used by websites to store information, including your login credentials and credit card information.
Storing credit card information in cookies is certainly convenient when you’re using a retailer’s website, but it isn’t the safest way to go about online shopping. Hackers can steal your cookies if they aren’t properly secured. If your card details are stored there, the hacker now has everything they need to go commit credit card fraud or identity theft.
In any case, it’s a good idea to delete your cookies periodically to keep your card details safe. Technology has changed the nature of personal finance, but it has also opened up new security risks. Deleting your cookies is a simple way to reduce that risk and protect your finances.
Storing Information in Autofill
Autofill may be a better option if you want to make online shopping more convenient without sacrificing your security. If you would rather not have your information retained, you can delete the cookies from your browser, and log in as a guest. You can then save your information locally to your browser. When you make a purchase, the information will be filled in automatically.
This is far better than storing your credit card details on a retailer’s website, since a hacker would need to compromise your own computer rather than the retailer to get the information. The retailer keeps the card information only long enough to verify it with your lender and charge you. However, it is always safer to enter your credit card details manually each time you make a purchase and avoid storing them in the first place.
Is It Safe to Buy Something Online With a Credit Card?
Generally, it’s safe to use your credit card when shopping online.
That being said, you have to trust merchants completely when you purchase something with your credit card, because, once you share that information with someone else, it’s out of your hands. You can’t control what others do with that data.
That’s part of why the PCI DSS exists. Consumers need to know that retailers take their privacy seriously and that they will have financial support if their information is compromised.
Data breaches are commonplace, so there’s still a chance your information could be compromised even when companies are completely PCI compliant. This is simply a risk you take on when you use your credit card for a purchase.
However, as long as you’re conscious and careful with your private information, the financial benefits of building credit will likely outweigh the risks of doing so.