UnThreaded | Threaded | Whole Thread (6) | Ignore Thread Prev Thread | Next Thread
Author: Claw626 New Fool Contributor Add to my Favorite Fools Ignore this person (you won't see their posts anymore) Number: of 308453  
Subject: Credit Card Security Date: 6/1/2014 10:19 PM
Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Recommendations: 0
Wondering if anyone knows the laws in regard to credit card numbers. Specifically, if I swipe my card at a retailer or type it in online, how long does the provider get to keep the number?...

Is there anyway to use the card such that its impossible for the retailers to keep? Seems like sometime ago I heard something about disposable numbers?
Print the post Back To Top
Author: aj485 Big gold star, 5000 posts Feste Award Nominee! Old School Fool Add to my Favorite Fools Ignore this person (you won't see their posts anymore) Number: 308269 of 308453
Subject: Re: Credit Card Security Date: 6/2/2014 12:32 AM
Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Recommendations: 2
Wondering if anyone knows the laws in regard to credit card numbers. Specifically, if I swipe my card at a retailer or type it in online, how long does the provider get to keep the number?...

By provider, you mean the retailer/business? I am not aware of any laws/rules that says that there is a maximum time limit as to how long they can store your card number. At a minimum, they would probably need to keep your number at least as long as the consumer is allowed to dispute the charge - 60 days after the statement showing the charge is sent to a consumer in most cases; potentially longer if there is a specified delivery date associated with the purchase. Because of the dispute provisions, I would say that most businesses would probably keep numbers on file a minimum of 105 days......Assuming that the consumer's most recent statement was sent out the of the purchase, so the next statement is likely to go out 30 or 31 days later, plus the 60 day dispute timeframe, plus an extra 2 weeks just to provide some time for the credit card company to process the dispute and notify the business.

Is there anyway to use the card such that its impossible for the retailers to keep? Seems like sometime ago I heard something about disposable numbers?

Several credit cards have a feature of providing you limited use numbers that are different from your credit card number. The 'limitation' can be that the number is only good for a specific amount, for a specific business, for a specific timeframe, or some combination thereof. You need to check your particular credit card's features to see if they have that type of service. If you can't find it in the terms and conditions and/or on their website, you can call customer service and ask if the card provides this option.

AJ

Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Print the post Back To Top
Author: Jeanwa Big gold star, 5000 posts Old School Fool Add to my Favorite Fools Ignore this person (you won't see their posts anymore) Number: 308270 of 308453
Subject: Re: Credit Card Security Date: 6/2/2014 12:40 AM
Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Recommendations: 0
At a minimum, they would probably need to keep your number at least as long as the consumer is allowed to dispute the charge - 60 days after the statement showing the charge is sent to a consumer in most cases; potentially longer if there is a specified delivery date associated with the purchase. Because of the dispute provisions, I would say that most businesses would probably keep numbers on file a minimum of 105 days......Assuming that the consumer's most recent statement was sent out the of the purchase, so the next statement is likely to go out 30 or 31 days later, plus the 60 day dispute timeframe, plus an extra 2 weeks just to provide some time for the credit card company to process the dispute and notify the business.
=====================================

FWIW, if the card is swiped we don't have any record of the number at all. The last 4 digits print up on the receipt but that is all.

There are all kinds of rules about the storage of the numbers on purchases that are phoned in. I can find them if you want.

I don't know about internet purchases.

Jean

Print the post Back To Top
Author: vkg Big gold star, 5000 posts Old School Fool Add to my Favorite Fools Ignore this person (you won't see their posts anymore) Number: 308271 of 308453
Subject: Re: Credit Card Security Date: 6/2/2014 2:00 PM
Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Recommendations: 2
Seems like sometime ago I heard something about disposable numbers?

Disposal numbers can be used online. It would be difficult for in store purchases because there is no physical card.

Disposal number are useful for online retailers. Especially, those that are a one time transaction where you don't have any confidence in them. A disposable number can be setup with a low limit and short expiration date.

I use a disposal number for PayPal. They still whine that they want access to my checking account, but the few transactions that I do through ebay hasn't reached the limit where they require "authenication". If it ever does, I will close that account and open a new one with a different email address.

Print the post Back To Top
Author: joelcorley Big gold star, 5000 posts Old School Fool Add to my Favorite Fools Ignore this person (you won't see their posts anymore) Number: 308272 of 308453
Subject: Re: Credit Card Security Date: 6/2/2014 8:22 PM
Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Recommendations: 2
aj485,

You wrote, By provider, you mean the retailer/business? I am not aware of any laws/rules that says that there is a maximum time limit as to how long they can store your card number. At a minimum, they would probably need to keep your number at least as long as the consumer is allowed to dispute the charge - 60 days after the statement showing the charge is sent to a consumer in most cases; potentially longer if there is a specified delivery date associated with the purchase. Because of the dispute provisions, I would say that most businesses would probably keep numbers on file a minimum of 105 days......Assuming that the consumer's most recent statement was sent out the of the purchase, so the next statement is likely to go out 30 or 31 days later, plus the 60 day dispute timeframe, plus an extra 2 weeks just to provide some time for the credit card company to process the dispute and notify the business.

A business should be able to reverse a charge or handle a dispute based on a credit authorization code. Such codes can be generated where they have no apparently link back to the original card, except as found in transaction processor's database. It should not be necessary to retain the card number once the authorization is acquired.

I do not recall there being any laws about whether they CAN retain a card number, so I think whether or not they do so is supposed to be based on their merchant agreement's rules. In theory they should be able to keep the card number without compromising the card - though I'd avoid designing a system that did so. The card is supposed to remain secure as long as they do not keep the expiration date and CID. However in practice, the expiration date and CID don't have that much entropy, so storing the card number is a bad security practice.

In fact, the original processing systems required the merchant to take a carbon imprint of the card to prove they had possession of it. The carbon copies remained in their possession for some time.

BTW, most people assume that to track you by your credit card number, a store needs to keep a record of that credit card number. I suspect some more novice software engineers probably think so too. But its not true.

A properly designed system would use a cryptographic hash code that's non-reversible. (Such as SHA-256 or SHA-3.) Hash the card number and other identifying info on the magnetic strip and out comes a seemingly random sequence that's the same every time you swipe your card. That hash code then becomes the unique look-up key every time you make a purchase. Done correctly you wouldn't be able to work backwards to an original card number, but the merchant could still keep tabs on you and what you buy.

- Joel

Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Print the post Back To Top
Author: aj485 Big gold star, 5000 posts Feste Award Nominee! Old School Fool Add to my Favorite Fools Ignore this person (you won't see their posts anymore) Number: 308273 of 308453
Subject: Re: Credit Card Security Date: 6/2/2014 8:30 PM
Post New | Post Reply | Reply Later | Create Poll . Report this Post | Recommend it!
Recommendations: 2
Done correctly you wouldn't be able to work backwards to an original card number, but the merchant could still keep tabs on you and what you buy.

Yeah, that 'Done correctly' part is the part that many don't seem to have the answer to.

AJ

Print the post Back To Top
UnThreaded | Threaded | Whole Thread (6) | Ignore Thread Prev Thread | Next Thread
Advertisement