Storing credit card information online: Standards, security, and risks

Online shops are allowed to store their customer’s credit card information, but they are required to protect it with encryption and comply with other Payment Card Industry Data Security Standard (PCI DSS) requirements. The type of information and the manner of storing it also depends on the policies and practices of each shop.

Many online stores offer to save your credit card details for future purchases, making the checkout process faster and more convenient. And if the store offers subscription services, storing your credit card details allows it to automatically charge you for recurring payments and subscription renewals. You typically receive the offer to have your information stored by the merchant at the checkout, but you can decline and enter your information manually for each transaction.

Generally, this is the information that online shops are allowed to store:

• Card holder’s name.
• Primary account number (PAN, located on the front of the card).
• Card’s expiration date.
• Service code (located on the card’s magnetic stripe).

And here is the information online merchants are not allowed to store, even if they encrypt it:

• Sensitive authentication data (SAD, full magnetic stripe data).
• Card’s PIN code.
• PIN block (data encapsulating the PIN during processing).
• CVV (or CVC) code (located on the back of the card).

Paying by credit card is one of the safest ways to pay online, thanks to the Payment Card Industry Data Security Standard (PCI DSS), which is a set of security requirements, created to strengthen the security of payment card transactions and payment card information. Major credit card companies, including Visa, MasterCard, American Express, Discover, and JBC, developed the standard to help businesses process card payments, protect sensitive cardholder data (cardholder name, account number, security codes, ect.), and prevent data breaches and fraud.

Any business that accepts, stores, or transmits credit card information must comply with the PCI DSS and other applicable standards, most of which are recognized and mandatory worldwide. Compliance with the PCI DSS includes ensuring a level of network security, customer data encryption, regular system testing, and security policies. PCI DSS helps to reduce the risk of data breaches and increases customer confidence in the business.

Even though reputable online stores uphold security standards regarding their customers’ credit card information, you are still risking your credit card safety by choosing to store your credit card information online because no online store is completely safe from cyberattacks and data breaches. In 2018, British Airways suffered a major breach that affected around 420,000 customers because their card payment details, names, and home addresses were stolen.

What’s worse, some merchants don’t store your credit card information properly because they lack the awareness of security risks or simply do not want to invest their time and money into upgrading their security solutions and technologies. This is especially true for smaller and less experienced online businesses.

There is also the risk of stumbling upon a fake website created by cybercriminals and compromising your credit card details by merely entering them on the website, let alone allowing to have them stored. Hackers take advantage of unsuspecting buyers, making use of special occasions like Black Friday, Cyber Monday, and the pre-Christmas period. Globally, people spend billions of dollars during these periods to grab the best deals online and save some money. In 2020, during Cyber Monday, customers in the US spent a whopping $10.8 billion dollars. Together with the growth in spending, there was a rise in fake websites offering special deals.

Criminals who create fake websites trick users into revealing their credit card details, such as their credit card CVV codes, and wipe out their bank accounts. Malicious emails and ads are also a popular way of scamming customers because fraudsters impersonate well-known brands, online shops, and banks. If you accidentally click on a link in a phishing email, you might get your device infected with malware, allowing hackers to monitor your online activities and intercept your data.

When it comes to storing credit card details, people around the world have very different habits. NordVPN’s research has shown that almost half of Americans (43.9%) store their banking information on their personal devices, followed by Spaniards (39.3%), Canadians (38.6%), and Australians (38%). While the Polish (25%) and Dutch (25.6%) care about their credit card safety the most among the surveyed countries, the percentage of people risking their security is still too high.

Many customers are still unaware of how cunning hackers can be. Various surveys have revealed that at least half of users don’t lock their phones. This means that even a random stranger could access your social media accounts, emails, notes, and payment platforms if they get hold of your device. But being careful on your phone is not enough, you should also look out for credit card skimmers.

Research the retailer online. Never rush to make a purchase without doing proper research on the retailer. Check the reviews on various platforms and only then commit to a purchase. Make sure there’s a lock symbol next to the URL, indicating that the website is secure. Use only trusted service providers.

Use strong passwords. Protect your accounts with complex passwords that contain upper-case and lower-case letters along with numbers and special characters. You can find more tips in our blog post on how to create a strong password.

Don’t click on suspicious links. Closely inspect every email you receive and never click on any links from unknown sources. Hackers can impersonate online shops and redirect you to malicious websites.

Don’t store your payment details on websites or browsers. To be extra careful, type your credit card information manually instead of choosing the option to store it for later. And never store your credit card CVV numbers.

Use a VPN. A virtual private network encrypts your traffic and hides your IP address, improving your online security and privacy. If you make purchases on public Wi-Fi, using a VPN is a must. Hackers can create a fake hotspot, infect your device with malware, and inspect your traffic. With one NordVPN account, you can protect up to six devices: laptops, tablets, smartphones, and more. NordVPN even offers an additional Threat Protection feature, which blocks websites known for storing malware and annoying ads.