Can Retailers Save My Credit Card Information?

Cole Mayer

If you’ve ever used Amazon, chances are that you saved your credit card to the site so that checking out in the future would be easier. Obviously, retailers can save your credit card information to make purchases easier, but what are the rules surrounding storing your information?

What is the Law?

This is a bit of a trick question. The legal requirements for storing credit card information matter less than the industry’s own standard. That security standard, known as the Payment Card Industry Data Security Standard (PCI DSS), was put in place by major credit card companies such as Visa and MasterCard. Retailers are expected to comply with it, and noncompliance can result in fines.

For brick-and-mortar retailers, the PCI DSS states they should only keep authentication data as long as needed to authenticate the purchase. Most stored data is encrypted and access is restricted.

Generally, retailers that store information for recurring transactions, such as online retailers, are advised to use third-party vendor credit card vaults (more on this later) and tokenization, similar to what virtual wallets use.

What Can Retailers Save?

Per the PCI DSS, retailers cannot retain the security code (known as the CVV or CVV2), nor can they store PINs from debit cards. They can, however, keep the cardholder’s name, account number, expiration date, and service code. The Primary Account Number, or PAN (the number on the front of the card), must be obscured if shown, usually only showing the first six or last four numbers, and there must be a plan to destroy the numbers once the information is no longer needed.

3rd Party Vendors

Outsourcing security to professionals is fairly common as a way of keeping the information under virtual lock and key. Basically, the third-party vendor stores the information, and gives the retailer a “token” that, in turn, can be used for recurring payments. The token does not contain any actual credit card information, meaning that hackers stealing token information won’t be able to sell it on the internet.
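To make the storage rules and the token idea above concrete, here is a short sketch added for illustration; it is not code from any retailer or vault vendor. The `CardVault` class, its method names, and the sample card are all hypothetical, and a real vault would encrypt what it stores.

```python
import secrets

# Fields the article says a retailer must never keep.
FORBIDDEN_FIELDS = {"cvv", "pin"}


def mask_pan(pan, show_first_six=False):
    """Obscure a PAN for display: only the last four digits
    (optionally also the first six) stay readable."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to mask safely")
    head = digits[:6] if show_first_six else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


class CardVault:
    """Hypothetical third-party vault: the only place the real PAN lives."""

    def __init__(self):
        self._cards = {}  # token -> card data (in memory, illustration only)

    def tokenize(self, card):
        """Store the card and return the record the retailer may keep."""
        kept = {k: v for k, v in card.items() if k not in FORBIDDEN_FIELDS}
        token = secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._cards[token] = kept
        return {"token": token, "name": kept["name"], "expiry": kept["expiry"],
                "display_pan": mask_pan(kept["pan"])}

    def charge(self, token, amount_cents):
        """Only a token this vault issued can be turned back into a card."""
        card = self._cards.get(token)
        if card is None or amount_cents <= 0:
            return False
        # A real vault would submit card["pan"] to the payment network here.
        return True

    def delete(self, token):
        """Destroy the stored card once it is no longer needed."""
        self._cards.pop(token, None)


# Constructed sample input: a widely used test number, not a real account.
SAMPLE_CARD = {"name": "A. Shopper", "pan": "4111 1111 1111 1111",
               "expiry": "12/30", "cvv": "123"}
```

The retailer’s database ends up holding only the dictionary returned by `tokenize`, so a copy of that database contains no card number and no security code.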

Cookies and Autofill

Secure cookies can be used by websites to store information, including your login credentials and credit card information. These are encrypted to ensure security. Amazon, for example, uses cookies for 1-Click Purchasing.

If you would rather not have your information retained, you can delete the cookies from your browser and log in as a guest, not saving your information at all. You can also save your information locally, to your browser rather than the website, and use autofill to enter the information for you. This limits your risk, as a hacker would need to hack your computer rather than the retailer to get the information. The credit card information is only kept long enough to verify the information with your lender and charge you.

Yes, retailers can store some information about your credit card. They have to keep it under virtual lock and key or destroy the information. It’s governed by a set of standards laid out by the giants of the credit card industry, and lack of compliance not only draws the ire of credit card lenders, but can result in fines. If you want to feel more secure, especially with online purchases, use the guest option to not have the retailer store the information longer than needed to complete the transaction.

A former newspaper journalist, Cole spends his free time reading, writing, playing video games, watching movies, and learning about every subject under the sun. He lives with his wife and daughter in Idaho. Follow Cole on Twitter: @ColeMayer42