Taking payment from a consumer
Trading fair or trading secure?
Recently, when working on international business-to-consumer (B2C) online retail business terms, we ran into tension around taking payments between the law on unfair trading and the law on data security. The tension lies between the Competition and Markets Authority (CMA) guidance on unfair consumer terms and the Payment Card Industry Data Security Standards (PCI DSS) as quite reasonably applied by a card company on its retail business customers.
The CMA Unfair terms guidance states that demanding full payment upfront may well be unfair under the Consumer Rights Act 2015 because, for example, it may leave consumers at risk of loss if the trader becomes insolvent. To reflect the guidance, the retailer's business terms might well say something like: “We will not charge your credit or debit card until we dispatch the products to you.”
On the other hand, PCI DSS does not like disclosed sensitive information, such as personal card details, being held by recipients for longer than is necessary. For retailers, it would discourage retention over the period (sometimes weeks) between the time of order, when card details are provided, and the time of despatch, when the card is charged.
Given that PCI DSS does not allow compliance with the CMA guidance on the above point, the terms of sale should make every effort to appear fair in other respects, perhaps even providing a small additional sum or gift beyond refunding the customer should the retailer, having taken the money, be unable to deliver. This would seem to be the only practicable approach when a payment card company will not permit the retailer to store card details. This still leaves exposure for the consumer should insolvency occur between taking payment and despatch, as will of course occur in any case should the customer, having received the goods, wish, for example, to reject them or return them for repair.