Storing Customer Credit Card Details - Do you have to remove when asked

teddy b123

About a year ago I purchased something online, Now, as I am unlikely to purchase from them again I would like my credit card details removed.
They will not do this.

This is the email I got

Dear Customer:

Thank you for contacting ******. Credit Cards already used for payment cannot be removed. You can select as default a new credit card by accessing your ****** Account and selection Credit Card Management section.

If you have any further questions or comments regarding this matter, please feel free to contact us.

Are they allowed do this?

slimjimmc

Would have thought so.
I think businesses in the EU are legally obliged to keep records of all financial transactions for a minimum period (6 years?), so removing your credit card details would probably breach that requirement. EU data protection law does not impose an obligation to breach other law. Of course if the business is based outside the EU what they can do it depends on their local laws.

Procrastastudy

While I find it hard to believe they wouldnt be under an obligation to remove the details if requested I have no basis for that belief beyond my own, possibly faulty, common sense. I've had my card removed (though the automatic system on websites) many times. Doesn;t mean they don't store it somewhere else I guess.

If you're that worried OP simply cancel the card and request a new one. The number will be different.

JimsAlterEgo

is this the case where they store the details for future us to stop you having to fill it again or a normal transaction? I first I would think it falls under data protection rules

sf80

Can you view/edit the credit card details in your account? Update the card to a test card number if you can, to overwrite your real details, you'll find such card numbers with a search; worth a try.

sandin

Every time you use your card whether online or offline the details including full card number and expiry date have to be kept for a minimum of 12 months under the credit card merchant agreement, but depending on how you interpret the new rules on retailers set by revenue, this period can be up to six years.

However for your own peace of mind, retailers have a lot of obligations to keep info safe and card not present transactions such as online sales have even more rules and regs. So I wouldn't be worried one iota about this.

teddy b123

I see, I was always under the impression that retailers storing card numbers was only done for possible repeat transactions. not something they had to store?

GerardKeating

sandin wrote: »

Every time you use your card whether online or offline the details including full card number and expiry date have to be kept for a minimum of 12 months under the credit card merchant agreement, but depending on how you interpret the new rules on retailers set by revenue, this period can be up to six years.

However for your own peace of mind, retailers have a lot of obligations to keep info safe and card not present transactions such as online sales have even more rules and regs. So I wouldn't be worried one iota about this.

Actually a lot of merchants only gets masked card details on the merchant copy of the receipt, so they never get to see, let alone store/keep the full card number.

BuffyBot

teddy b123 wrote: »

I see, I was always under the impression that retailers storing card numbers was only done for possible repeat transactions. not something they had to store?

They are often stored for fraud protection, dealing with chargebacks etc. It could be the retailer, or third party that processes the payment etc for them but they don't just *vanish* overnight.

sandin

GerardKeating wrote: »

Actually a lot of merchants only gets masked card details on the merchant copy of the receipt, so they never get to see, let alone store/keep the full card number.

Never heard of this and I'm in retail 30 years. Full card number is always on the merchant copy. Masked number is on customer copy.

If the numbers were masked it would be nigh on impossible to do charge backs.

Some poorly trained retail staff will give out the wrong copy, but other than that the merchant has number and expiry date. - but does not have pin.

GerardKeating

sandin wrote: »

Never heard of this and I'm in retail 30 years. Full card number is always on the merchant copy. Masked number is on customer copy.

If the numbers were masked it would be nigh on impossible to do charge backs.

Some poorly trained retail staff will give out the wrong copy, but other than that the merchant has number and expiry date. - but does not have pin.

The Card Schemes are starting to impose fairly strict PCI requirements in relation to the storage of the slips, slips with masked PAN are not in scope for this, so some retailers opt for it.

dahamsta

OP, credit card details are a tricky one because of the aforementioned. If you want an authoritative answer, ask the data protection commissioner, dataprivacy.ie. Whatever about their enforcement, they're generally good to answer questions from consumers.

slimjimmc

dahamsta wrote: »

OP, credit card details are a tricky one because of the aforementioned. If you want an authoritative answer, ask the data protection commissioner, dataprivacy.ie. Whatever about their enforcement, they're generally good to answer questions from consumers.

The OP hasn't told us under which jurisdiction the online store is based and where the data is stored. I doubt the Data Protection Commissioner would be much use if the store/data is outside the EU.

dahamsta

I guess we'll just have to wait for the OP to tell us before either of us jump to conclusions or offer any advice whatsoever then, won't we?

OP, if the vendor is based outside the eu, it's still worth citing the data protection act, but make sure you mention that it's transposed from a European directive. I've had some success with this, particularly with mid/large US-based vendors who can be terrified of coming to the attention of the EU, in light of the antitrust stuff.

teddy b123

Not too sure where they are based.
The company is Comodo.

faceman

OP you will likely need to cancel your account to have your credit card number removed from their database. Some online retailers unfortunately are awkward like that. They must remove your details if you do. They are not allowed store or keep your cvv2 number however.

A retailer be it online or otherwise storing your credit card number on a database and a retailer keeping a transactional record of payment are two desperate things

dahamsta

teddy b123 wrote: »

Not too sure where they are based. The company is Comodo.

You can't Google?

Comodo is based in the US. They have an office in the UK but I'm not sure if it's customer facing. They're a big operation but they're at the budget end of the market so your mileage may vary. However if it was me, I'd be requesting cancellation of my account and deletion of all data on their systems not required by law, citing the Irish and UK data protection acts as transposed from the European directive. You can find the correct act names and directive numbers on dataprivacy.ie. If that fails I /would/ follow up with a complaint to the commissioner, as they'd have fairly substantial dealings into Ireland.