Storing credit card information not allowed without owner’s consent

Dubai: Online e-commerce portals are not allowed to store credit card information of its users unless the transaction is on a subscription basis and where the buyer and the merchant expressly agree on it, a senior official said.

“In general, it [storing credit card information] is not allowed, unless it is a subscription that consumer and retailer agreed on, with the credit card as the method of payment,” Mohammad Ali Rashid Lootah, CEO of the Commercial Compliance and Compliance (CCCP) Sector of the Department of Economic Development, told Gulf News in a statement.

The statement came following a complaint made by Dubai resident V.K. Moorthy when an e-commerce portal saved his credit card information and allegedly used it to purchase a product he was browsing.

“The penalty will vary depending on the case, but the online website should inform the consumer that the credit card information will be saved,” Lootah added.

Moorthy alleged that he did not consent to Groupon saving his credit card details. Groupon, however, in a statement sent to Gulf News said these terms are mentioned in the privacy policy of the site.

Gulf News tried to make a purchase on Groupon to check the claim and the payment option did not visibly mention that the site will store your credit card information. It has, however, a fine print under the “buy now” button. It says that by clicking “Buy Now” you agree to the “Terms of Use, Privacy Statement and voucher terms”.

In Groupon’s example, the part where it talks about storing and encrypting credit card information is mentioned once somewhere in Groupon’s four-page privacy policy, which, in many instances, users seldom read closely or understand.

When Gulf News checked similar popular e-commerce platforms such as cobone.com and souq.com, the payment page of both sites expressly give users the choice to “remember” their details for future use.

For cobone.com for example, by clicking the “Remember my details” option, the customer authorises the payment processor to store his data in a secure way. If not, his payment data will be deleted as soon as his payment has been processed.

Site safety

E-commerce platforms use commercially available ways to secure their users’ information. But no site can be 100 per cent secure. Putting extra security measures can ward off potential cyber thieves.

“So the rule of thumb really is that if you, as an online business retailer and as part of your business flow, want to keep your credit card information as part of your user profile, then you have to be PCI (Payment Card Industry)-compliant,” Nicolai Solling, chief technology officer at help ag, said.

Being PCI-compliant means certification that the shop adheres to the Payment Card Industry Data Security Standard (PCI DSS) which is a set of improved security standards to ensure that credit card information is accepted, processed, stored or transmitted in a secure environment.

PCI compliance is not yet enforced by law in the UAE but most banks and payment institutions are already compliant. Other e-commerce platforms use third-party payment gateways that are compliant. Residents will know this when they pay as they are redirected to secure page such as PayPal and other payment gateways.