Can a merchant store my credit card details without permission?
Key takeaways
- Storing your credit card information makes it easier for merchants to facilitate future and recurring transactions.
- For data security or consumer privacy purposes, however, you may not want merchants to retain your credit card details.
- State laws, card industry security standards, FTC guidance and other regulations all influence how and when merchants are allowed to store your card details.
If you shop frequently at particular merchants, you might find that allowing them to store your card information can streamline your transactions at checkout. And if you have recurring charges — like those for streaming or subscriptions — allowing for the storing of your card details helps merchants to automatically bill you each month without asking for your card information each time.
That’s well and good — especially when you’ve consented to storing your data. But can a retailer store your credit card details without permission?
The short answer is no. While there is no rule that governs how or when issuers can store your card information, many states have laws on the books to deal with credit card fraud, which fall under the umbrella of financial transaction card fraud. Laws like one passed in Georgia explicitly bar merchants from using your card without your permission or authorization.
Security standards for merchants
In many cases, laws related to consumer privacy, data security and identity theft require merchants to get your permission before storing your card information. The Payment Card Industry Security Standards Council — or the PCI SSC, as it’s called in the industry — is an organization founded by American Express, Discover, JCB International, Mastercard and Visa.
The PCI SSC sets security standards for merchants that transmit, process or store payment card account information and provides best practices that merchants are required to comply with, including a requirement to “protect cardholder data and to prevent their unauthorized use — whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.”
Compliance with the council’s Data Security Standard (PCI DSS) requires merchants to store and retain customer names, card account numbers and expiration dates only for as long as required for business or legal purposes. And it explicitly frowns on merchants storing, for example, a card verification value (CVV) or personal identification number (PIN).
You can opt out of automatic online card storing
As you shop online, you’ve likely received a prompt from the site asking if you would like to save your card information to make it easier to shop in the future. It’s one way for merchants to lure you back for future purchases.
However, you shouldn’t need to allow the retailer to store your card information to continue your purchase. Rather, most retailers allow you to check out as a guest, completing the transaction without allowing the site to retain your card details.
If that isn’t an option, a workaround is to provide your card information to complete the transaction and then edit your payment options after it’s complete to remove that information.
Federal Trade Commission weighs in
The Federal Trade Commission agrees that merchants shouldn’t collect information they don’t need, further advising that, if a merchant does collect card information, it’s in their interest to hold on to it only as long as there is a bona fide business need to do so. This means that, while a retailer needs your card information to process a transaction, it shouldn’t store it if the merchant doesn’t anticipate future transactions.
And once a business decides that it must store your card details, the FTC requires it to safeguard this sensitive information adequately, including from employees that don’t have any business with your information.
The bottom line
Merchants will typically ask you for permission before storing your card information to avoid running afoul of laws, and it’s common for online sites to ask to store your information to facilitate future transactions or to enable recurring charges.
If there’s no legitimate business need, stringent industry data storage laws advise there’s no incentive for a merchant to store your card information.