Key takeaways
- Retail websites often ask you for your credit card information to complete a transaction, and they’d like to be able to hold on to that information for the future.
- If you aren’t comfortable storing your card information on a website, you should be able to check out as a guest or remove your payment information from the website after checking out.
- Websites can sometimes be designed to manipulate consumer choices — if there’s no way of opting out of having your information stored, you could take the issue up with the FTC or other authorities.
When you’re shopping online, you’ve probably seen retailers ask if you’d like to save your card information. While the rationale is that doing so is a convenience for you, it also creates a situation that’s beneficial for the merchant since it encourages you to come back for future shopping.
You should have the choice to decide whether you want to save your card information with a merchant, but what if you don’t have the chance to opt out?
As an example, reader Juanita recently shared that, “A local sports facility offers summer classes for kids. Weekly sessions can be purchased individually, and the person must register each time they sign up for a session. They only accept credit card payments, and although their payment form powered by EZ Facility offers the option to uncheck the statement ‘I authorize Longplex LLC to store my credit card information for future payments,’ the ability to uncheck it isn’t available.”
Understandably, Juanita wanted to know if this behavior was lawful. Here’s what she needs to know.
When are credit cards saved with an online merchant?
Credit cards are typically saved when you’re completing an online transaction and creating a user profile for the merchant website at the same time. Many merchants will ask you to set up an account and provide your personal information before you make a purchase, including your credit card details. This way, when you make a future purchase, all you have to do is log into your account and use the payment method that’s already saved.
Other instances of your card information being saved might come from outside of the merchant site, such as when web browsers prompt you to save your credit card information for auto-filling purposes.
How to remove card information from an online site
Some websites, however, will also allow you to check out as a guest so that you don’t have to store your personal information on the site.
In case you have concerns about your card information being compromised and don’t have the option of checking out as a guest, you can complete your purchase and then remove your card information from the website. You should be able to do this with the following general steps:
- Sign into your online account with the merchant. Most merchant websites allow you to sign up with their page, which is how they store your information in the first place.
- Find your payment plan information. This is usually listed somewhere under your account details.
- Delete your credit card information. There should be an option to edit or delete your payment plan information.
Keep in mind: If you don’t see this information or don’t see a way to remove it, you may have to reach out to customer service.
Can a merchant store your credit card information without permission?
The short answer is no. While there’s no rule that governs how or when issuers can store your card information, many states have laws on the books to deal with credit card fraud, which fall under the umbrella of financial transaction card fraud. Laws like one passed in Georgia explicitly bar merchants from using your card without your permission or authorization — and if there’s no way to opt out of giving your permission, that could be considered illegal.
Security standards for merchants
The Payment Care Industry Security Standards Council — or the PCI SSC — is an organization founded by American Express, Discover, JCB International, Mastercard and Visa.
The PCI SSC sets security standards for merchants that transmit, process or store payment card account information and provides best practices.
Compliance with the PCI DSS requires merchants to limit storing and retaining customer names, card account numbers and expiration dates only for the time required for business or legal purposes. And it explicitly frowns on merchants storing, for example, a card verification value (CVV) or personal identification number (PIN).
Dealing with “dark patterns” that undermine consumer choice
While the process to remove your card information from a site or keep it off the site entirely seems simple enough, some merchants make it deliberately difficult for you to exercise this option, going against PCI SSC recommendations.
One way they do this is by designing their sites to utilize dark patterns that subvert your choices. For example, according to the Federal Trade Commission, dark patterns incorporate design elements that:
- Don’t allow consumers to “definitely reject” collection or use of data
- Repeatedly lead consumers to select settings they don’t favor and want to avoid
- Use confusing settings that lead consumers to make privacy choices they did not intend to choose
- Highlight choices that make for more information collection, while “graying out” options that allow consumers to avoid this
- Purposefully obscure privacy choices and make them difficult to find
- Use default settings that are geared to maximize data collection and storage
What if you can’t opt out of having a website store your information?
In Juanita’s case, the website she was using doesn’t allow for opting out of storing your credit card information since she can’t uncheck the option. That seems like a design element with dark patterns.
If Juanita wants to opt out of having a website store her card information, but finds that she can’t exercise that option, she should try the following steps:
Talk to the merchant
First, she should try to resolve the matter with the merchant. The merchant could be having an issue with their website, for example. Even if they’re not and the situation is a dark pattern by design, Juanita should be able to request that they remove her payment information by speaking with customer service.
Keep in mind: If you’re calling them to have your information removed, make sure you request an email summary of their promise so that you can be sure they follow through.
File a report
If the merchant doesn’t respond or refuses to remove her information, Juanita could also file a report with the FTC.
The Consumer Financial Protection Bureau has also been concerned about businesses using dark patterns to manipulate consumers, so she could also file a complaint with that agency. In addition, she could turn to her state attorney general for guidance.
Use a virtual credit card or digital wallet
There are also actions Juanita can take before completing her purchase if she wants to keep her credit card information safe. For example, she could opt to use a virtual card provided by her issuer or a third-party app like PayPal. Virtual credit cards have the buying power of your regular credit card, but use a different set of numbers that changes with your transactions, so your real card number is never saved.
Many credit card issuers have begun offering virtual cards — Capital One, for example, provides virtual cards through its built-in assistant Eno, while Bank of America lets you get a virtual card number through its mobile app.
Another option is to use cards stored within your digital wallet for your payment. With digital wallets, your real credit card number is encrypted, so the merchant will never be able to save your actual card information.
Keep in mind: Virtual credit cards are typically only accepted for online purchases, while digital wallets can be used both online and in participating physical locations.
In the news: Federal Trade Commission weighs in
The Federal Trade Commission agrees that merchants shouldn’t collect information they don’t need, further advising that, if a merchant does collect card information, it’s in their interest to hold on to it only as long as there is a bona fide business need to do so, meaning it shouldn’t store it if the merchant doesn’t anticipate future transactions.
In addition to the FTC, various state authorities have also been cracking down on dark patterns that are aimed at thwarting consumers’ choices. For instance, the California Consumer Privacy Act, the Colorado Privacy Act and similar legislation in Connecticut weigh in on the use of online dark patterns.
Bankrate’s take: Even if Juanita did plan on using the merchant again at a later date, she should still be able to remove her card information in the meantime. That’s why filing a complaint with the FTC is a good step for her to take.
The bottom line
Although retailer websites want to hold on to your card information to make it more likely that you’ll shop with them in future, you should be able to check out as a guest if you don’t want your personal details stored. You can also use an alternate payment method like a virtual credit card or a credit card through your digital wallet. If that’s not an option, you can try to complete your transaction with your card and then remove your card information from the website.
If a website is designed so that you can’t opt out of having your merchant store your credit card information, your merchant is likely using dark pattern designs in an attempt to manipulate you and other customers. Call the merchant to try and sort out the situation, and consider filing a complaint with the appropriate authorities while you’re at it.
Read the full article here
