Can a merchant store my credit card details without permission?

Most ask permission before keeping payment information, but regulations vary by state.

By Poonkulali Thangavelu, Bankrate.com

October 23, 2021 at 1:00PM
A merchant will typically ask you for permission before storing your card information to avoid running afoul of laws. (Dreamstime/TNS)

If you are a patron of a particular merchant, you might find that allowing it to store your card information makes the process smoother and future transactions faster. That's well and good, but can a retailer store your credit card details without permission?

When you shop online, you will likely receive a prompt from the site asking if you would like to save your card information to make it easier to shop in the future. That's one way for the merchant to lure you back for future purchases. You might even find that the website is set up so that it becomes easier for you to complete your transaction when you save your card information.

Merchants would also like to save your card information when you have a recurring charge. That way they can automatically bill you every month without having to get your card information each time.

There are laws related to consumer privacy, data security and identity theft that could require a merchant to get your permission to store your card information for such purposes.

In addition, there are various state laws dealing with credit card fraud, falling under the umbrella of financial transaction card fraud. That's why merchants will typically ask your permission to store your card information. In Georgia, for instance, a merchant cannot use your card without your permission or authorization.

Given such laws, it seems there is no incentive for a merchant to store your card information without permission. Moreover, there are deterrents to such activity, such as the security standards set out by the Payment Card Industry Security Standards Council.

According to this body, "Organizations accepting payment cards are expected to protect cardholder data and to prevent their unauthorized use, whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider."

This association also states that, "In general, no cardholder data should ever be stored unless it's necessary to meet the needs of the business."

In addition, the council says a merchant should limit storing and retaining customer data to only the time required for business or legal purposes. The standards allow merchants to store your account number, your name and the card's expiration date according to the above guidelines. However, the body frowns on a merchant's storing a card verification value (CVV) or personal identification number (PIN).

The Federal Trade Commission has also said merchants shouldn't collect information they don't need.

Thangavelu is a writer for Bankrate.com, a provider of interest rates and other financial information.
