The payment card industry’s security standards advise merchants not to store card data unless it is necessary for business, though there is no specific law against this practice.
Reader Scott, for one, wonders if it’s legally acceptable for a retail business to make copies of a customer’s credit card to store at an on-site file cabinet. This includes front and back copies of the card, with its card verification value (CVV) code. Would this practice run afoul of any federal law?
It seems that merchants nowadays are more inclined to avoid such a practice because they could be held liable for being negligent and not storing customer information securely. However, some might want to store this information to facilitate their recurring billing, such as for ongoing monthly services.
The Payment Card Industry (PCI) Security Standards Council outlines strict data security compliance practices for merchants relating to data storage.
Attorney Dana Karni, principal at Karni Law Firm in Houston, said in emailed comments, “I am not aware of any particular statute that would make it illegal to copy the front and back of a credit card. I am, however, aware that the PCI standards are rigorously enforced by many merchant suppliers. In order to be PCI compliant, merchants are required to show data security.”
Payment card industry standards
The PCI Security Standards Council says, in its online reference guide to data security standards for the payment industry, that it’s a merchant’s responsibility to protect cardholder data and prevent it from being used without permission.
The council notes, “In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip should never be stored. If your organization stores PAN (primary account number), it is crucial to render it unreadable.”
The standards also don’t permit merchants to store sensitive authentication data, such as a cardholder’s CID (card identification number), CVV, PIN (personal identification number) or a card’s magnetic stripe data.
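As an illustration of what "render it unreadable" and "never store sensitive authentication data" mean in practice, here is a small added example (not code from the PCI Security Standards Council or from the article). It assumes a merchant record arriving as a Python dict with a constructed test card number, drops CVV/CID/PIN/magnetic-stripe fields before anything is persisted, masks the PAN to its first six and last four digits, and replaces the full PAN with a keyed HMAC token; the key and field names are assumptions for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed demo key. In a real deployment the key lives in an HSM or KMS,
# never in source code, so a stolen database cannot be reversed to PANs.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Sensitive authentication data (SAD): must not be stored, even encrypted.
SENSITIVE_AUTH_FIELDS = {"cvv", "cid", "pin", "track1", "track2", "magstripe"}


def _digits(pan):
    """Strip spaces/dashes and keep only the card number's digits."""
    return re.sub(r"\D", "", pan)


def mask_pan(pan):
    """Show at most the first six and last four digits; hide the rest."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan):
    """Keyed one-way token: usable for matching a returning card for recurring
    billing, but not reversible to the PAN without the key."""
    return hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record):
    """Return a copy of the record that is safe to persist on disk."""
    stored = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    pan = stored.pop("pan")  # the full PAN itself is never written
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = tokenize_pan(pan)
    return stored


def contains_full_pan(stored, pan):
    """Defensive check before writing: does any stored value still leak the PAN?"""
    full = _digits(pan)
    return any(full in _digits(str(v)) for v in stored.values())


# Constructed sample transaction using a well-known test card number.
SAMPLE = {
    "customer": "example customer",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "track2": "4111111111111111=29121010000000000000",
}

if __name__ == "__main__":
    safe = prepare_for_storage(SAMPLE)
    print(safe)
    print("leaks PAN:", contains_full_pan(safe, SAMPLE["pan"]))
```

The masked value supports day-to-day needs such as showing a customer which card was charged, while the token lets a recurring-billing system recognise the same card again without the merchant holding a readable card number; the CVV and magnetic-stripe data never reach storage at all.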
The PCI Security Standards Council also notes that legislation related to consumer privacy, data protection, identity theft or data security may apply, requiring merchants that collect such card data in the conduct of their business to specifically protect it, or to make adequate disclosures about it.
And the organization explains how to deter old-fashioned break-in attempts to reach data in a file cabinet, as well as hacking attempts to reach data stored online. For instance, maintaining a visitor log provides a record of who could have accessed this data.
See related: How small businesses can safely store card details
FTC weighs in
The Federal Trade Commission also weighs in, advising businesses that although it may be necessary to collect customers’ personal data to facilitate a transaction, it may not be advisable to hold on to that data once the deal is done.
And you too can do your bit to prevent credit card fraud. Precautions the FTC advises consumers to take include:
- Keep a secure record of each card’s account number and expiration date, as well as the issuer’s phone number for reporting fraud.
- Don’t lend your card to anyone.
- Don’t be careless with your card statements, cards or receipts. And shred them once you are done with them.
- Don’t forget to get your card back after a transaction.
- Contact the card issuer about any charges you don’t recognize.
- Don’t sign an empty receipt.
- Inform your card issuer of any change of address or extended travel plans.
See related: Suspect card fraud? How to file a claim
Be wary and use your discretion
Scott, the bottom line is to be wary of allowing a merchant to take copies of your card without a legitimate business reason. Attorney Lu Ann Trevino, principal at the Trevino Law Firm in Houston, said in an email, “I can think of no legal reason for a merchant to require a copy of a credit card. I would refuse the request.”
And if you do find that a merchant has compromised your data, you could take legal action against it.
“Before jumping into litigation, the customer may want to get a full understanding of the depth of their damages,” Karni said. “That would include examining their credit reports under a microscope and confirming over time that no new inquiries or requests for credit are made in the consumer’s name without their knowledge.”
She surmises that card issuers’ response to these sorts of potential negligence-related data breaches will be to move faster toward chip-only cards.