No. of Recommendations: 2

You wrote, By provider, you mean the retailer/business? I am not aware of any laws/rules that say that there is a maximum time limit as to how long they can store your card number. At a minimum, they would probably need to keep your number at least as long as the consumer is allowed to dispute the charge - 60 days after the statement showing the charge is sent to a consumer in most cases; potentially longer if there is a specified delivery date associated with the purchase. Because of the dispute provisions, I would say that most businesses would probably keep numbers on file a minimum of 105 days... assuming that the consumer's most recent statement was sent out the day of the purchase, so the next statement is likely to go out 30 or 31 days later, plus the 60 day dispute timeframe, plus an extra 2 weeks just to provide some time for the credit card company to process the dispute and notify the business.

A business should be able to reverse a charge or handle a dispute based on a credit authorization code. Such codes can be generated where they have no apparent link back to the original card, except as found in the transaction processor's database. It should not be necessary to retain the card number once the authorization is acquired.

I do not recall there being any laws about whether they CAN retain a card number, so I think whether or not they do so is supposed to be based on their merchant agreement's rules. In theory they should be able to keep the card number without compromising the card - though I'd avoid designing a system that did so. The card is supposed to remain secure as long as they do not keep the expiration date and CID. However in practice, the expiration date and CID don't have that much entropy, so storing the card number is a bad security practice.

In fact, the original processing systems required the merchant to take a carbon imprint of the card to prove they had possession of it. The carbon copies remained in their possession for some time.

BTW, most people assume that to track you by your credit card number, a store needs to keep a record of that credit card number. I suspect some more novice software engineers probably think so too. But it's not true.

A properly designed system would use a cryptographic hash code that's non-reversible. (Such as SHA-256 or SHA-3.) Hash the card number and other identifying info on the magnetic strip and out comes a seemingly random sequence that's the same every time you swipe your card. That hash code then becomes the unique look-up key every time you make a purchase. Done correctly you wouldn't be able to work backwards to an original card number, but the merchant could still keep tabs on you and what you buy.

- Joel
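
Added example, not part of Joel's post: the hashed look-up key described above, built with HMAC-SHA-256 under a secret key instead of a bare hash, because a card number has too little entropy for an unkeyed hash to hide it. The names (`card_token`, `PurchaseLog`, `TOKEN_KEY`, `unknown_space`), the key value and the card numbers used are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed secret for the example; in practice it lives in an HSM or
# secrets manager, never beside the token table.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def luhn_valid(pan: str) -> bool:
    """Check the Luhn digit so mistyped or misread numbers are rejected."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_token(raw_pan: str, key: bytes = TOKEN_KEY) -> str:
    """Return a stable lookup key for a card without storing its number."""
    pan = "".join(c for c in raw_pan if c.isdigit())
    if not 12 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a valid card number")
    # Keyed hash: without the key, candidate numbers cannot be tested
    # against stored tokens, unlike a bare SHA-256 of the digits.
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unknown_space(pan_len: int, known_prefix: int, known_suffix: int) -> int:
    """Candidates left when the issuer prefix and trailing digits are known."""
    hidden = pan_len - known_prefix - known_suffix
    return 10 ** max(hidden - 1, 0)  # the Luhn digit fixes one hidden digit


class PurchaseLog:
    """Purchase history indexed by token only; no card number is kept."""
    def __init__(self) -> None:
        self._by_token = defaultdict(list)

    def record(self, raw_pan: str, item: str) -> str:
        token = card_token(raw_pan)
        self._by_token[token].append(item)
        return token

    def history(self, raw_pan: str) -> list:
        return list(self._by_token.get(card_token(raw_pan), []))
```

`unknown_space(16, 6, 4)` returns 100000, which is why the key matters: that few candidates can be hashed almost instantly if the hash is unkeyed.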