The Motley Fool Discussion Boards


Personal Finances / Credit Cards and Consumer Debt


Subject: Re: Credit Card Security
Date: 6/2/2014 8:22 PM
Author: joelcorley
Number: 308272 of 312187


You wrote, "By provider, you mean the retailer/business? I am not aware of any laws/rules that say that there is a maximum time limit as to how long they can store your card number. At a minimum, they would probably need to keep your number at least as long as the consumer is allowed to dispute the charge - 60 days after the statement showing the charge is sent to a consumer in most cases; potentially longer if there is a specified delivery date associated with the purchase. Because of the dispute provisions, I would say that most businesses would probably keep numbers on file a minimum of 105 days......Assuming that the consumer's most recent statement was sent out the of the purchase, so the next statement is likely to go out 30 or 31 days later, plus the 60 day dispute timeframe, plus an extra 2 weeks just to provide some time for the credit card company to process the dispute and notify the business."

A business should be able to reverse a charge or handle a dispute based on a credit authorization code. Such codes can be generated where they have no apparent link back to the original card, except as found in the transaction processor's database. It should not be necessary to retain the card number once the authorization is acquired.

I do not recall there being any laws about whether they CAN retain a card number, so I think whether or not they do so is supposed to be based on their merchant agreement's rules. In theory they should be able to keep the card number without compromising the card - though I'd avoid designing a system that did so. The card is supposed to remain secure as long as they do not keep the expiration date and CID. However, in practice, the expiration date and CID don't have that much entropy, so storing the card number is a bad security practice.

In fact, the original processing systems required the merchant to take a carbon imprint of the card to prove they had possession of it. The carbon copies remained in their possession for some time.

BTW, most people assume that to track you by your credit card number, a store needs to keep a record of that credit card number. I suspect some more novice software engineers probably think so too. But it's not true.

A properly designed system would use a cryptographic hash code that's non-reversible. (Such as SHA-256 or SHA-3.) Hash the card number and other identifying info on the magnetic strip and out comes a seemingly random sequence that's the same every time you swipe your card. That hash code then becomes the unique look-up key every time you make a purchase. Done correctly you wouldn't be able to work backwards to an original card number, but the merchant could still keep tabs on you and what you buy.

- Joel
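The lookup-key design Joel describes, as an added example that is not part of the post or of any merchant's software. It builds the non-reversible key from the card number plus expiry and uses it to keep a purchase history that never contains the card number. One assumption is worth stating: the hash is keyed with a merchant-held secret (HMAC-SHA256) rather than being a bare SHA-256, because a 16-digit card number with a known issuer prefix has little entropy, the same concern the post raises for the expiry date and CID, and a keyed hash cannot be enumerated by anyone who does not hold the key. The function and class names (luhn_valid, card_token, PurchaseLedger) are hypothetical, and the card number used is the well-known Visa test number, not a real account.

```python
import hashlib
import hmac
import secrets

# Added example: keyed, non-reversible card lookup tokens.
# Hypothetical code, not from the post or from any real merchant system.


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    Used only as input validation so that garbage never gets tokenized."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_token(pan: str, expiry: str, key: bytes) -> str:
    """Derive a stable, non-reversible lookup token for a card.

    The token is an HMAC-SHA256 over the card number and expiry, keyed with
    a secret the merchant keeps outside the transaction database. The same
    card swiped again yields the same token; without the key the token
    cannot be recomputed or enumerated from candidate card numbers.
    (Assumption: a reissued card with a new expiry is treated as a new card.)
    """
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    msg = (pan + "|" + expiry).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PurchaseLedger:
    """Tracks purchases per card while storing only the keyed token."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records: dict[str, list[float]] = {}

    def record(self, pan: str, expiry: str, amount: float) -> str:
        token = card_token(pan, expiry, self._key)
        self._records.setdefault(token, []).append(amount)
        return token  # the only card-derived value that is persisted

    def history(self, pan: str, expiry: str) -> list[float]:
        return list(self._records.get(card_token(pan, expiry, self._key), []))

    def stores_plaintext_pan(self, pan: str) -> bool:
        """Self-check: the card number must not appear in any stored key."""
        return any(pan in token for token in self._records)


if __name__ == "__main__":
    # Constructed demo. In a deployment the key lives in an HSM or a
    # secrets manager, never next to the ledger data.
    key = secrets.token_bytes(32)
    ledger = PurchaseLedger(key)
    test_pan, test_exp = "4111111111111111", "1225"  # public Visa test number
    ledger.record(test_pan, test_exp, 19.99)
    ledger.record(test_pan, test_exp, 5.00)
    print("history:", ledger.history(test_pan, test_exp))
    print("plaintext PAN stored:", ledger.stores_plaintext_pan(test_pan))
```

The ledger can answer "what has this card bought here before?" only while the merchant holds the HMAC key, which is the property that makes the scheme both useful for the merchant and unhelpful to whoever later reads the database.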