"We'd work with the acquirer and work with the merchant to try and rectify the situation," said Jennifer Fischer, a Visa senior business leader who focuses on payment risk issues.
StorefrontBacktalk surveyed our readers this month to get a sense of how widespread the practice is today. We need to stress the unscientific nature of this survey: participants were self-selected, and we have no accurate way of knowing who was really answering the questions. That caveat made, 28 percent of respondents said that they "currently use payment card data for anything other than payment processing, such as for CRM or other customer identification purposes." An additional 14 percent said "we used to, but don't anymore" and 48 percent said "we don't and never did."
On top of that, some written-in answers suggested that more chains do it, but they try and protect the data.
One write-in, for example, said "Yes, but only in tokenized form." Theoretically, the rule banning such usage doesn't have a tokenization exemption. Another reader said that his chain does it, but in a limited way. "The first 6 digits yes, tokenized card number yes, full card number no," he wrote in. "The first 6 digits = Bank ID = country where issued, which gets compared to country provided by customer and derived from the IP. Tokenized card number is compared with other card tokens."