Can A Merchant Store My Credit Card Details Without Permission? | Bankrate (2024)


Key takeaways

  • Storing your credit card information makes it easier for merchants to facilitate future and recurring transactions.
  • For data security or consumer privacy purposes, however, you may not want merchants to retain your credit card details.
  • State laws, card industry security standards, FTC guidance and other regulations all influence how and when merchants are allowed to store your card details.

If you shop frequently at particular merchants, you might find that allowing them to store your card information can streamline your transactions at checkout. And if you have recurring charges — like those for streaming or subscriptions — allowing for the storing of your card details helps merchants to automatically bill you each month without asking for your card information each time.

That’s well and good — especially when you’ve consented to storing your data. But can a retailer store your credit card details without permission?

The short answer is no. While there is no rule that governs how or when issuers can store your card information, many states have laws on the books to deal with credit card fraud, which fall under the umbrella of financial transaction card fraud. Laws like one passed in Georgia explicitly bar merchants from using your card without your permission or authorization.

Security standards for merchants

In many cases, laws related to consumer privacy, data security and identity theft require merchants to get your permission before storing your card information. The Payment Card Industry Security Standards Council — or the PCI SSC, as it’s called in the industry — is an organization founded by American Express, Discover, JCB International, Mastercard and Visa.

The PCI SSC sets security standards for merchants that transmit, process or store payment card account information and provides best practices that merchants are required to comply with, including a requirement to “protect cardholder data and to prevent their unauthorized use — whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.”

Compliance with the PCI Data Security Standard (PCI DSS) requires merchants to limit the storage and retention of customer names, card account numbers and expiration dates to the time required for business or legal purposes. And it explicitly frowns on merchants storing, for example, a card verification value (CVV) or personal identification number (PIN).

You can opt out of automatic online card storing

As you shop online, you’ve likely received a prompt from the site asking if you would like to save your card information to make it easier to shop in the future. It’s one way for merchants to lure you back for future purchases.

However, you shouldn’t need to allow the retailer to store your card information to continue your purchase. Rather, most retailers allow you to check out as a guest, completing the transaction without allowing the site to retain your card details.

If that isn’t an option, a workaround is to provide your card information to complete the transaction and then edit your payment options after it’s complete to remove that information.

Federal Trade Commission weighs in

The Federal Trade Commission agrees that merchants shouldn’t collect information they don’t need, further advising that, if a merchant does collect card information, it’s in their interest to hold on to it only as long as there is a bona fide business need to do so. This means that, while a retailer needs your card information to process a transaction, it shouldn’t store it if the merchant doesn’t anticipate future transactions.

And once a business decides that it must store your card details, the FTC requires it to safeguard this sensitive information adequately, including from employees who don’t have any business with your information.

The bottom line

Merchants will typically ask you for permission before storing your card information to avoid running afoul of laws, and it’s common for online sites to ask to store your information to facilitate future transactions or to enable recurring charges.

If there’s no legitimate business need, stringent industry data storage laws advise there’s no incentive for a merchant to store your card information.

FAQs

Can companies store credit card information without permission?

But can a retailer store your credit card details without permission? The short answer is no. While there is no rule that governs how or when issuers can store your card information, many states have laws on the books to deal with credit card fraud, which fall under the umbrella of financial transaction card fraud.

Can a merchant store credit card information?

Can A Merchant Store Credit Card Information? The short answer here is yes. The long answer is that there are certain things you can store and certain things you can't, in order to be compliant and to ensure you're treating your customers' credit card details safely.

Are companies allowed to store card details?

Yes, if they follow all security requirements and are PCI compliant. Businesses are allowed to store the following information, but it must be encrypted. While this information can be stored, there are also some elements of cardholder information that cannot be stored by merchants: PIN.

Do companies keep your credit card information?

Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees. This information often is necessary to fill orders, meet payroll, or perform other necessary business functions.

What does it mean when card info is stored by merchant?

Stored card information means a merchant, such as an online retailer, has saved your card information to make future purchases easier. These transactions require your authorization each time you make a purchase with that merchant. A recurring charge is one that a merchant charges you on an ongoing basis.

What credit card information cannot be stored?

You Are NOT Allowed To Store (Even When Encrypted):

  • Card validation value (CVV) - The 3- or 4-digit security code printed on the card.
  • PIN.
  • PIN block - The encrypted version of the PIN.
  • Full magnetic stripe data.

What laws protect credit card information?

The Consumer Credit Protection Act Of 1968 (CCPA) protects consumers from harm by creditors, banks, and credit card companies. The federal act mandates disclosure requirements that must be followed by consumer lenders and auto-leasing firms.

Can merchants store CVV?

Essentially, it provides a check of the information embossed on the card. This information is not permanently stored because that action is prohibited by law. The Visa USA Inc. Operating Regulations explicitly prohibit merchants and/or their agents from storing the CVV-2 data.

Can a bar legally hold your credit card?

Although each bar's policy on open tabs varies based on management preferences, most bars require customers to provide a credit card before opening a tab. In many cases, a bartender holds on to the customer's card until the tab is closed. This helps to ensure the tab is paid for at the end of the night.

How long can a company hold credit card details?

Alarmingly, according to the Association of Payment Clearing Services, companies can keep customer card details indefinitely, provided that they are stored safely and not misused.

What is a credit card vault?

A credit card vault service stores customers' credit details in a secure manner. Typically, the data remains in the vault until it needs to be used to process a payment.

Where to report PCI non-compliance?

If you believe your payment card data could have been or may become compromised, contact your issuing bank (the bank name and phone number on the card) right away to alert them and request a new card.

How does a merchant know my new card number?

How Updater Services Work. Each month, merchants send a list of names and card numbers to their acquirer, or payment processor, who checks their data against Visa, MasterCard, American Express and Discover, Lindeen explained. The acquirer lists the cards with updated information, and returns the list to the merchant.

Can a company take payment without consent?

Both state and federal laws prohibit unauthorized withdrawals from being taken from your bank account or charges made to your credit card without your express consent having first been obtained for that to occur. Some laws require this consent to have first been obtained expressly in writing.

Are credit card records confidential?

Under California law, financial service companies must get your permission first, before they can share your personal financial information with outside companies. This does not apply to sharing with outside companies that offer financial products or services.


Author: Rev. Porsche Oberbrunner
