Can A Merchant Store My Credit Card Details Without Permission?

FG Trade/iStock/Getty Images

If you shop frequently at particular merchants with your top credit cards, you might find that allowing them to store your card information can streamline your transactions at checkout. And if you have recurring charges — like those for streaming or subscriptions — allowing for the storing of your card details helps merchants to automatically bill you each month without asking for your card information each time.

That’s well and good — especially when you’ve consented to storing your data. But can a retailer store your credit card details without permission?

Can companies keep your credit card details on file without permission?

The short answer is no. While there is no rule that governs how or when issuers can store your card information, many states have laws on the books to deal with credit card fraud, which fall under the umbrella of financial transaction card fraud. Laws like one passed in Georgia explicitly bar merchants from using your card without your permission or authorization.

This means companies can only keep your credit card details on file and use it for transactions with your consent.

Security standards for merchants

The type of credit card information that merchants are allowed to store after consent is given is dictated by the Payment Care Industry Security Standards Council (PCI SSC), an organization founded the by credit card issuers and networks American Express, Discover, JCB International, Mastercard and Visa.

The PCI SSC sets security standards for merchants that transmit, process or store payment card account information and provides best practices that merchants are required to comply with. Its purpose, as noted on page 8 of its Quick Reference Guide, is to “encourage and enhance payment account data security and facilitate the broad adoption of consistent data security measures globally.” Some of its best practices for storing and transmitting card data include:

• Pin transaction security
• Software security
• Point-to-point encryption
• Mobile security standards

Compliance with the PCI Data Security Standard (PCI DSS) requires merchants to limit storing and retaining customer names, card account numbers and expiration dates only for the time required for business or legal purposes. And it explicitly frowns on merchants storing, for example, a card verification value (CVV) or personal identification number (PIN).

By following these standards after you’ve given consent to store or use your credit card information, merchants protect your privacy and can help combat identity theft and fraud.

You can opt out of automatic online card storing

As you shop online, you’ve likely received a prompt from the site asking if you would like to save your card information to make it easier to shop in the future. It’s one way for merchants to lure you back for future purchases.

However, you shouldn’t need to allow the retailer to store your card information to continue your purchase. Rather, most retailers allow you to check out as a guest, completing the transaction without allowing the site to retain your card details.

If that isn’t an option, a workaround is to provide your card information to complete the transaction and then edit your payment options after it’s complete to remove that information.

Learn more: Is it safe to give an app my credit card information?

Federal Trade Commission weighs in

The Federal Trade Commission (FTC) agrees that merchants shouldn’t collect information they don’t need, further advising that, if a merchant does collect card information, it’s in their interest to hold on to it only as long as there is a real business need to do so. This means that, while a retailer needs your card information to process a transaction, it shouldn’t store it if the merchant doesn’t anticipate future transactions.

And once a business decides that it must store your card details, the FTC requires it to safeguard this sensitive information adequately, including from employees that don’t have any business with your information.

The bottom line

Merchants will typically ask you for permission before storing your card information to avoid running afoul of laws, and it’s common for online sites to ask to store your information to facilitate future transactions or to enable recurring charges.

But if there’s no legitimate business need, stringent industry data storage laws advise there’s no incentive for a merchant to store your card information.