Do businesses save their customers' credit card information until the payment is finalized?
Paying by credit card is sometimes a multi-step process. In some of those cases, only the initial authorization is made at the point of sale; the finalized transactions are usually entered as a batch at the end of each business day.
In the United States, for service (as opposed to goods) transactions, the finalized charge in that situation is often different from the initial authorization amount, as it includes any tip that the customer may have left.
In such cases, does the restaurant's credit card system typically store the customer's credit card information after the initial authorization until the charge is finalized? If so, for how long is it typically stored? If not, how is the business able to change the amount charged to the card?
Merchants should ideally not be in possession of customer credit card data. Where merchants have payment terminals provided by a credit card processor (those machines you tap with your card or slide in to read the chip), the merchant doesn't even see the credit card number. Since the merchant receives a transaction identifier, they have the means to amend a transaction without having access to the CC number.
The following may now be obsolete, but one CC system I worked on allowed a mobile (no radio) POS terminal to accept credit cards for purchases. The transactions were batched up on the device until it could be docked and the data uploaded to the credit card processor (perhaps at the end of a day). PCI compliance required the transactions to be encrypted in a fairly specific manner to ensure that the stored data could only be decrypted by the processor. Given the advances in wireless communication since then, I would expect that there is no longer a need to store transactions on the device, and that they are uploaded immediately.
I wouldn't regard that article as knowledgeable about credit card processing systems, however:
> Does the restaurant's credit card system typically store the customer's credit card information after the initial authorization until the charge is finalized? If so, for how long is it typically stored?
They shouldn't do, unless their business is fully PCI-DSS security compliant.
> If not, how is the business able to change the amount charged to the card?
When the restaurant processes the card for the initial hold, they will get an identity/authorisation code back for that particular transaction. They can then submit an additional/amended transaction using that identity/authorisation code, which their card services provider can use to refer back to the initial transaction and re-use the card details as originally processed.
Most payment systems today can utilize a token-based payment system.
The original card information is sent to the payment processor, who generates a token linked to that card information, and sends the token back to the retailer. The retailer can then store this token for future transactions, without having to store the actual card number. This makes for a much more secure system.
In cases like a restaurant, the card can be authorized for a higher amount than the bill (to leave room for a tip), and some payment networks allow for a charge to be made for slightly higher than the authorized amount. One example of this would be where you buy a 0 item but the merchant doesn't charge the shipping fee until later, when they actually ship it. The person who takes your order doesn't know the shipping fee but as long as it is only a small amount, the card processor will take the charge.
I have done integrations with Vantiv; I'm not an expert, but I know more than I did a year ago. With Vantiv Express they can give you an authorization token that does not expire, so this is how we "add credit cards" to the system we use. Implied is the consent from the consumer to use those credit cards (we have a web form saying you give us access - part of terms / conditions). Anyway the auth token is PCI compliant. Express is a fully PCI compliant system in that we at no point, ever ever ever, see the unmasked credit card info. We don't know your credit card number at all. We have that token and that's it. They enter the credit card number either on a PIN pad or via an IFRAMEd web form that goes directly to Vantiv.
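The authorize-then-capture flow described in the answers above, as an added example that is not part of any answer and not any real processor's API: the merchant keeps only a token, the last four digits and an authorization ID, and finalizes the tipped amount by reference. The `Processor` class, the 20% over-capture tolerance and all names are assumptions made for illustration.

```python
import secrets

TEST_PAN = "4111111111111111"  # widely used test card number, not a real account
TOLERANCE_PCT = 20             # assumed over-capture allowance; real limits vary

class Processor:
    """Hypothetical processor: the only party that ever holds the PAN."""
    def __init__(self):
        self._vault = {}  # token -> PAN
        self._auths = {}  # auth_id -> {"token", "authorized", "captured"}

    def tokenize(self, pan):
        # In practice the PAN arrives from the PIN pad or hosted form, not the merchant.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token, pan[-4:]

    def authorize(self, token, cents):
        if token not in self._vault:
            raise KeyError("unknown token")
        auth_id = "auth_" + secrets.token_hex(8)
        self._auths[auth_id] = {"token": token, "authorized": cents, "captured": None}
        return auth_id

    def capture(self, auth_id, final_cents):
        auth = self._auths[auth_id]
        if auth["captured"] is not None:
            raise ValueError("already captured")  # an auth ID finalizes only once
        limit = auth["authorized"] * (100 + TOLERANCE_PCT) // 100
        if final_cents > limit:
            raise ValueError("final amount exceeds authorization tolerance")
        auth["captured"] = final_cents
        return final_cents

def restaurant_flow(bill_cents, tip_cents):
    """Return (merchant_record, captured_cents) for one table's payment."""
    proc = Processor()
    token, last4 = proc.tokenize(TEST_PAN)        # terminal -> processor
    auth_id = proc.authorize(token, bill_cents)   # point-of-sale hold
    record = {"token": token, "last4": last4, "auth_id": auth_id}  # all the merchant stores
    captured = proc.capture(auth_id, bill_cents + tip_cents)       # end-of-day batch
    return record, captured

if __name__ == "__main__":
    print(restaurant_flow(5000, 900))
```

A breach of the merchant's stored `record` exposes values that are only meaningful to the processor that issued them, which is the security benefit the answers point to.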