Where is My Credit Card Data Stored?
Three out of four Americans have shopped online, according to a 2018 study by SmallBusiness.com. That study also revealed that over half of online consumers do not have a lot of confidence in retailers to keep their personal data secure.
When you complete an online transaction with a retailer, you may be asked whether you would like to store your credit card with the company. As you decide whether to opt in, it is important to know where this credit card data is stored.
Most companies use an online, or cloud, storage system with encryption to store your credit card data. Long gone are the days when a retailer or service provider would copy your card and keep the information in a folder. In fact, regulations dictate what information a company can store and how they must protect that information.
Companies are required to store a customer’s credit card data using a method that meets the Payment Card Industry Data Security Standard (PCI DSS). The standard has a number of requirements, including:
- Only storing cardholder data if it is necessary for business purposes. If you are opting in to have your credit card stored, the “business purpose” is speedier transactions.
- Truncating cardholder information, which means shortening the full credentials. For example, when you request a credit report, only the last four digits of the card number are typically displayed.
- Not storing cardholder information on unprotected devices, such as PCs, laptops or mobile phones.
- Using cryptography and other layered security technologies to minimize the risk that the data could be read by an unauthorized party. For example, if credit card data is properly encrypted, an unauthorized party who obtains the stored data cannot read it without the encryption key.
- Only allowing third parties to access the data if they have clear security and password protection policies.
In addition to these rules, there is certain information companies cannot store. While it is acceptable for a business to store the cardholder name, expiration date and primary account number, it cannot store the full magnetic stripe data, the CVV (the three-digit code on the back of the card) or the PIN.
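The truncation and prohibited-data rules above can be enforced in code at the point where a checkout submission becomes a stored record. The following is an added example, not code from the original article or from PCI DSS itself; the field names, the 13 to 19 digit card-number pattern and the sample submission are assumptions made for illustration, and encrypting a full card number for reuse is not shown.

```python
import re

# Constructed field names; the allow/deny split follows the rules above.
PROHIBITED = {"cvv", "pin", "track_data"}  # may never be stored
PERMITTED = {"cardholder_name", "expiration", "pan"}
# Assumption: a card number is a run of 13 to 19 digits.
FULL_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def _digits(value):
    """Strip the spaces and hyphens people type inside card numbers."""
    return re.sub(r"[ -]", "", str(value))


def truncate_pan(pan, keep=4):
    """Mask all but the last `keep` digits of a card number."""
    digits = _digits(pan)
    if not FULL_PAN.fullmatch(digits):
        raise ValueError("value is not a 13-19 digit card number")
    return "*" * (len(digits) - keep) + digits[-keep:]


def record_for_storage(submitted):
    """Build the record to persist; CVV, PIN and track data are dropped."""
    unknown = set(submitted) - PERMITTED - PROHIBITED
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    return {
        "cardholder_name": submitted["cardholder_name"],
        "expiration": submitted["expiration"],
        "pan_truncated": truncate_pan(submitted["pan"]),
    }


def audit_stored(record):
    """List rule violations in a record that is about to be, or was, stored."""
    findings = []
    for key, value in sorted(record.items()):
        if key in PROHIBITED:
            findings.append(f"prohibited field: {key}")
        elif FULL_PAN.search(_digits(value)):
            findings.append(f"cleartext card number in: {key}")
    return findings


# Constructed checkout submission using a widely published test card number.
SUBMITTED = {"cardholder_name": "Jane Example", "expiration": "12/30",
             "pan": "4111 1111 1111 1111", "cvv": "123", "pin": "0000"}

if __name__ == "__main__":
    print(record_for_storage(SUBMITTED))
    print(audit_stored(SUBMITTED))
```

A record holding only the truncated number is enough for receipts and account pages; a merchant that charges the stored card again needs the full number protected by encryption as described in the list above.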
What happens if a company has improperly stored your credit card information and their system is hacked? Unfortunately, the federal government has not passed legislation with specific laws and consequences for companies that fail to adequately protect consumer information. A number of states have passed laws in the wake of high-profile security breaches, but the decision of whether to punish a company after a breach is left up to the state’s judicial system. To win a case, cardholders must show they were monetarily affected by the breach and the company was grossly negligent.
Monitor your credit card and bank statements each month to make sure you recognize each transaction. If you have a questionable transaction, notify the company right away so you can dispute the unauthorized charge. Generally, if you do so in a timely manner, the charge will be reversed. Additionally, you can request a new credit card number from your issuer if you believe your information has been compromised.