Talking with other developers and clients, it amazes me how many people store credit card numbers in their systems. There is usually no need to store a full credit card number in your own database. It should be forwarded to the processing gateway, and the card data should be purged from your system the instant the transaction is complete.
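As an added illustration of that forward-and-purge flow (example code written for this note, not the post's own code), the function below sends the card details to a gateway, keeps only a gateway transaction id and the last four digits, and drops the sensitive fields before returning. The gateway call and the storage list are stand-ins, and the card number used in the comments is a constructed test value.

```python
"""Forward-and-purge card handling (hypothetical example, not the post's code).

The gateway call is simulated inline; the stored record keeps only what is
needed to reference the transaction later (gateway id, last four digits).
"""
import re
import uuid
from dataclasses import dataclass

# Anything that looks like a 13-19 digit run is treated as a possible full PAN.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


@dataclass(frozen=True)
class StoredTransaction:
    """The only card-related data that ever reaches our own database."""
    gateway_txn_id: str
    last4: str
    amount_cents: int
    status: str


def simulated_gateway_charge(pan: str, expiry: str, cvv: str, amount_cents: int) -> dict:
    """Stand-in for a real processor API (constructed for this example)."""
    # A real gateway would authorize against the issuer; here we only reject
    # obviously malformed input and hand back an opaque transaction id.
    if not PAN_RE.fullmatch(pan) or amount_cents <= 0:
        return {"status": "declined", "txn_id": None}
    return {"status": "approved", "txn_id": "txn_" + uuid.uuid4().hex[:12]}


def process_payment(card: dict, amount_cents: int, storage: list) -> StoredTransaction:
    """Charge via the gateway, persist only non-sensitive fields, then purge the card data."""
    pan = card["pan"].replace(" ", "")
    try:
        result = simulated_gateway_charge(pan, card["expiry"], card["cvv"], amount_cents)
        record = StoredTransaction(
            gateway_txn_id=result["txn_id"] or "",
            last4=pan[-4:],
            amount_cents=amount_cents,
            status=result["status"],
        )
        storage.append(record)
        return record
    finally:
        # Purge: drop every sensitive field from the caller's dict as soon as the
        # gateway call returns, whether or not it succeeded. Python strings cannot
        # be zeroed in place, so dropping the references is the best we can do here.
        for key in ("pan", "cvv", "expiry"):
            card.pop(key, None)
        del pan


def storage_contains_pan(storage: list) -> bool:
    """Audit check: scan every stored field for anything that looks like a full card number."""
    for rec in storage:
        for value in vars(rec).values():
            if isinstance(value, str) and PAN_RE.search(value):
                return True
    return False


if __name__ == "__main__":
    db = []
    # Constructed test card, not a real account.
    card = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"}
    rec = process_payment(card, 1999, db)
    print(rec)                       # only txn id, last4, amount and status
    print("card dict after purge:", card)
    print("PAN found in storage:", storage_contains_pan(db))
```

The audit helper is the part worth keeping around: running it over a dump of whatever you persist (orders, logs, support tickets) is a quick way to catch a full number that leaked into a field it should never have reached.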

The Credit Card Companies' Stance

Contrary to popular belief, you are allowed to store credit card information. The card companies do have standards you must follow if you store it; more information on this standard can be found on the Payment Card Industry Security Standards Council website. If you do not comply with these standards, the credit card company may impose fines and/or restrict your ability to process credit cards.

More info can be found here:
http://www.visa.ca/ais
http://www.mastercard.com/sdp

I contacted both VISA and MasterCard to ask what kind of costs we were looking at, but they only replied with a generic message that basically said, “if you don’t protect data you will be responsible for what happens to it”.

The Customer's Stance

From my reading, it would appear that if a company discloses credit card (or other personal) information, it can be held liable for damages. This could be a lot of money for a company.

The Law's Stance

There are many laws governing the disclosure of private/personal data. They do seem geared towards what a company may do with your information, and much less towards what happens if someone steals it.

For Canada there is the Personal Information Protection and Electronic Documents Act (PIPEDA) that could be applied to credit card information disclosure. This could yield fines of $10,000 to $100,000.

Here in Alberta we have the Personal Information Protection Act (PIPA), which could be applied to the disclosure of credit card information. If a company is found in breach of it, the company could be fined up to $100,000. This law is similar to PIPEDA and may be applied instead of PIPEDA depending on the situation. Quebec and British Columbia have also passed similar privacy laws.