Is it legal to store credit card information in database?
Remember, if you collect and retain data, you must protect it. Don't keep customer credit card information unless you have a business need for it. For example, don't retain the account number and expiration date unless you have an essential business need to do so.
The Federal Trade Commission agrees that merchants shouldn't collect information they don't need, further advising that, if a merchant does collect card information, it's in their interest to hold on to it only as long as there is a bona fide business need to do so.
You Are Allowed To Store (When Protected):
- Cardholder name.
- Expiration date.
- Primary account number (PAN): the card number printed on the card, usually 14 to 16 digits (up to 19). It must be rendered unreadable wherever it is stored.
- Service code: a three-digit value encoded in the magnetic stripe and not printed on the card.
Can A Merchant Store Credit Card Information? The short answer here is yes. The long answer is that there are certain things you can store and certain things you can't, in order to be compliant and to ensure you're treating your customers' credit card details safely.
No federal or state law prohibits businesses from storing consumers' credit card information. Any business that does so is, however, legally obligated to have safeguards in place to protect that sensitive information and to limit its liability exposure.
The CVV2 essentially provides a check that whoever is supplying the card number also has the physical card: the code is printed on the card but is not encoded in the magnetic stripe. It is not retained after authorization because that is prohibited by the card brands' operating regulations and by PCI DSS, not by statute. The Visa USA Inc. Operating Regulations, for example, explicitly prohibit merchants and their agents from storing CVV2 data.
Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions). Never store the personal identification number (PIN) or PIN Block.
Financial institutions are required to take steps to protect the privacy of consumers' finances under a federal law called the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act.
Sensitive authentication data from the magnetic stripe or chip (full track data, card verification codes, PINs and PIN blocks) must never be stored after authorization. Only the PAN, expiration date, service code, and cardholder name may be stored, and merchants must use technical precautions for safe storage.
Keep paper documents with credit card numbers locked in a secure place (such as a safe) when not in use. Electronic storage of card numbers is also common, for example when you process recurring or repeat transactions. If you do this, the stored PAN must be rendered unreadable, by strong encryption, truncation, or tokenization, as PCI DSS Requirement 3 requires; files holding full card numbers in the clear are not acceptable.
How long should card data be stored?
PCI DSS does not define minimum or maximum times for which cardholder data may be stored. PCI DSS Requirement 3.1 (Requirement 3.2.1 in PCI DSS v4.0) specifies that a data retention and disposal policy must be implemented to limit data storage to what is necessary for legal, regulatory, and/or business purposes, backed by a process, run at least quarterly, that identifies and securely deletes stored cardholder data exceeding the defined retention period.
A credit card vault service stores customers' credit details in a secure manner. Typically, the data remains in the vault until it needs to be used to process a payment.
Under California law, financial service companies must get your permission first, before they can share your personal financial information with outside companies. This does not apply to sharing with outside companies that offer financial products or services.
Never expose your card details in public. Your CVV is never needed for an in-person card payment, so do not give it out at the counter; over the phone, supply it only to a merchant you called yourself and trust.
The Credit Card Accountability, Responsibility, and Disclosure Act of 2009 (CARD Act) is a federal law designed to protect credit card users from abusive lending practices by card issuers, including limitations on how and when issuers can charge interest and fees.
Under the CARD Act, issuers must generally wait until an account is at least one year old before raising its interest rate and must give the cardholder 45 days' notice before such an increase, during which the cardholder is free to cancel the account.
Companies must obtain the cardholder's explicit consent before keeping a card on file for later charges. This is a requirement of the card brands' stored-credential rules, not of federal regulation: the Payment Card Industry Data Security Standard (PCI DSS) is an industry standard maintained by the PCI Security Standards Council, not a federal law, and it governs how stored card data is protected rather than whether consent was obtained.
Handing over your CVV for purchases completed offline is risky, because it gives someone the opportunity to steal that information. With your CVV code, they would have everything they need to make fraudulent online transactions in your name. When making in-person purchases, do not give out your CVV code.
It's absolutely legal for retailers or service providers to ask for your card's CVV code when you're making a purchase. A merchant can't complete the card verification process without one. So if you're making card-not-present purchases, you can expect to be asked to provide your card's CVV code each time.
What does it mean to mask a PAN?
PAN masking hides a portion of the long card number, or PAN, on a credit or debit card, protecting the card account numbers when displayed or printed.
Ultimately, the PAN must always be protected, and masked whenever it is displayed: PCI DSS permits at most the first six and last four digits to be visible (the BIN and last four in PCI DSS v4.0), and more only to staff with a legitimate business need. Rendering stored PAN unreadable makes the data virtually useless to fraudsters. Additional cardholder data, including cardholder name, service code and expiration date, must be protected if stored together with the PAN.
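The storage rules and the PAN-masking rule above come together at the point where a transaction record is about to be written to a database. The following Python is an added example written for this page, not code from any of the sources it summarises: it rejects any record that still carries sensitive authentication data (CVV, PIN, track data), Luhn-checks the PAN, and persists only a masked form for display plus a keyed one-way token for lookups, so the full PAN is never written. The field names, the `SECRET_KEY` constant and the sample records are my own assumptions for illustration; in production the key would come from a key-management service or HSM, and many merchants sidestep the problem entirely by letting a PCI-validated vault or tokenization provider hold the PAN.

```python
import hashlib
import hmac
import re

# PCI DSS "sensitive authentication data": must never be stored after
# authorization, encrypted or not. Field names are assumed; compared case-insensitively.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block",
                    "track1", "track2", "chip_data"}

# Cardholder data that may be stored; the PAN only once rendered unreadable.
ALLOWED_FIELDS = {"pan", "cardholder_name", "expiry", "service_code"}

# Assumed, illustrative key. In a real deployment this comes from a KMS or HSM
# and is never hard-coded; whoever holds it can correlate tokens to PANs.
SECRET_KEY = b"example-key-do-not-use-in-production"


class SensitiveDataError(ValueError):
    """Raised when a record still carries data that must never be persisted."""


def _digits(pan) -> str:
    """Strip spaces/dashes so '4111 1111 1111 1111' and '4111111111111111' match."""
    return re.sub(r"\D", "", str(pan))


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: distinguishes a real PAN from a mistyped or random digit string."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS allows: at most the first six and last four digits visible."""
    pan = _digits(pan)
    if len(pan) < 13:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way token (HMAC-SHA256) usable for lookups without storing the PAN."""
    return hmac.new(SECRET_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of a transaction record that may be written to the database."""
    keys = {k.lower() for k in record}
    present = FORBIDDEN_FIELDS & keys
    if present:
        # Fail loudly: a CVV reaching the persistence layer is a bug to fix
        # upstream, not something to silently drop.
        raise SensitiveDataError(
            f"sensitive authentication data must not be stored: {sorted(present)}")
    pan = _digits(next((v for k, v in record.items() if k.lower() == "pan"), ""))
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    stored = {k: v for k, v in record.items()
              if k.lower() in ALLOWED_FIELDS and k.lower() != "pan"}
    stored["pan_masked"] = mask_pan(pan)   # for receipts and support screens
    stored["pan_token"] = pan_token(pan)   # for matching repeat transactions
    return stored


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is the well-known Visa test PAN.
    from_checkout = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Tester",
                     "expiry": "12/29", "cvv": "123"}
    try:
        sanitize_for_storage(from_checkout)
    except SensitiveDataError as exc:
        print("rejected:", exc)
    del from_checkout["cvv"]   # what a correct flow passes on after authorization
    print("stored:", sanitize_for_storage(from_checkout))
```

One caveat worth keeping in mind: PCI DSS notes that a truncated PAN and an unkeyed hash of the same PAN, stored side by side, let an attacker brute-force the few missing digits. The token here is an HMAC under a secret key for that reason, which in turn makes the key, not the database, the thing to protect.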
PCI DSS Requirement 4 covers cardholder data in transit, not at rest: use strong cryptography (for example, current TLS with a properly managed key) whenever PAN is sent over open, public networks, and never send unprotected PAN by email, chat or other end-user messaging. Protection of stored data is Requirement 3, and no amount of encryption makes it acceptable to store CVV codes: sensitive authentication data must not be retained after authorization, encrypted or not.
The Fair Credit Reporting Act limits who can access your credit report and for what purpose. Potential employers must get your written permission before accessing your credit reports.
Under India's Information Technology Act and its Rules, the data subject may withdraw consent, after which the body corporate is prohibited from processing the personal information in question. The IT Act and Rules contain no provisions on data portability.