Can We Store Customers’ Credit Card Information?
Question: We are confused about the law regarding keeping credit card numbers on file for servicing our customers. We are under the impression that we cannot legally keep them on file because of the new privacy act. Is this true, or are there extenuating circumstances? I have had occasion to order something over the phone and the vendor will ask ‘do you want this put on your card number XXXX’? I would appreciate a clarification of this law.
Answer: This question is often posed to me by ACCA members. I believe there is some confusion out there as to what specifically the Federal Trade Commission (FTC) addressed in the Fair and Accurate Credit Transaction Act (FACTA) two years ago in another sweeping move at consumer protection, as opposed to the Privacy Act of 1974, which protects certain federal government records pertaining to individuals.
While there are no federal laws regarding destruction of credit card information by a vendor, many states have legislated their own rules for retention and disposal of consumers’ personal information, and you should be cognizant of those rules. (For example, Texas has passed strict rules in this area: Penalties against businesses who violate Texas’ identity theft provisions are substantial. New provisions of Chapter 35 of the Business and Commerce Code require businesses to develop retention and disposal procedures for their clients’ personal information. The law provides for fines of up to $500 for each record that could potentially land in the wrong hands. And the new Identity Theft Enforcement Act could mean fines of up to $50,000 for each similar violation – even for a single record. Additionally, businesses that give consumers specific reassurances about how their privacy will be protected could face penalties of up to $20,000 per violation if they fail to live up to those promises.)
As a standard part of conducting business, there is a good deal of protection that should be afforded to your customers, particularly in this age of identity theft. Here is a link to an article from an attorney with the FTC’s Bureau of Consumer Protection who specializes in business compliance: http://www.ftc.gov/bcp/edu/pubs/articles/art03.shtm.
Her recommendation is that “unless you have a legitimate business justification, don’t hold onto customers’ credit card information…. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.” However, the FTC does not legally bar a business from retaining and using credit card information for legitimate business reasons.
The confusion herein must lie with FACTA, in which the FTC has required businesses, since the law’s passage and implementation on December 1, 2006, to truncate all credit card information on printed debit and credit card receipts. Your business may include no more than the last five digits of the card number on printed receipts, and you must delete the card’s expiration date. An “FTC Business Alert” discussing the law is found here: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.pdf.
This response is intended for general informational purposes only and should not be construed as legal advice or a legal opinion, nor is this column a substitute for formal legal assistance.