If you are a patron of a particular merchant, you might find that allowing it to store your card information makes the process smoother and enables faster future transactions. That’s well and good, but can a retailer store your credit card details without permission?
When you shop online, you will likely receive a prompt from the site asking if you would like to save your card information to make it easier to shop in future. That’s one way for the merchant to lure you back for future purchases. You might even find that the website is set up so that it becomes easier for you to complete your transaction when you save your card information.
Merchants would also like to save your card information when you have a recurring charge. That way they can automatically bill you every month without having to get your card information each time.
There are laws related to consumer privacy, data security and identity theft that could require a merchant to get your permission to store your card information for such purposes.
In addition, there are various state laws dealing with credit card fraud, falling under the umbrella of financial transaction card fraud. That’s why merchants will typically ask your permission to store your card information. In Georgia, for instance, a merchant cannot use your card without your permission or authorization.
Security standards for merchants
Given such laws, it seems there is no incentive for a merchant to store your card information without permission. Moreover, there are deterrents to such activity, such as the security standards set out by the Payment Card Industry Security Standards Council.
According to this body, “Organizations accepting payment cards are expected to protect cardholder data and to prevent their unauthorized use—whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.”
This association also states, “In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business.”
In addition, the PCI SSC says a merchant should limit storing and retaining customer data to only the time required for business or legal purposes. The standards allow merchants to store your account number, your name and the card’s expiration date according to the above guidelines. However, the body frowns on a merchant’s storing a card verification value (CVV) or personal identification number (PIN).
Federal Trade Commission weighs in
The Federal Trade Commission has also said merchants shouldn’t collect information they don’t need. And the regulator advises that when they do collect card information, it is in their interest to hold on to it only as long as there is a bona fide business need to do so. That means while a merchant needs your card information to process a transaction, it doesn’t need to hold on to it unless it anticipates future transactions.
And once a business decides that it does need to store your card information, it should safeguard it adequately, even from employees who don’t have any business with the information.
The bottom line
A merchant will typically ask you for permission before storing your card information to avoid running afoul of laws. Online sites will likely want to store your information to facilitate future transactions. Merchants would also like to have this information to enable recurring charges.
Industry data storage laws are stringent, and when there is no legitimate business need, there is no incentive for a merchant to store your card information.