
Interesting! But don't the CC agreements require them to only use CC numbers for the absolute minimum purposes necessary to process the transaction? (They can't store the numbers themselves except the last four digits IIRC.)

So (based on the site) they could presumably use that number as part of fraud prevention but not to "identify possible narcs" -- I imagine the CC companies will be livid at this usage.



> They can't store the numbers themselves except the last four digits IIRC

Companies can store the whole number. That's how on-file payments and automatic subscription renewal payments work.

What you are probably recalling is a PCI rule that requires keeping the credit card number protected, such as storing it encrypted and only letting things that are sending transactions to the credit card network have access to the plaintext. That rule has an exception for the last 4 digits and the first 6 digits.

For example, when your customer support people look up the history of a customer they are helping, if your account info viewing tool shows a list of prior transaction details, it could not show the credit card number used for each transaction, but it could show the first 6 and the last 4 digits.


CC processing agreements don't normally have any such restriction - the only information that absolutely can't be stored is the CVV/CVC number.

If you handle CC information, you are subject to security standards auditing (called PCI compliance - like encryption at rest, etc.), but the BIN number and last 4 digits are not considered privileged information.

I'm also not aware of any restrictions on how you want to use the BIN information - for example, merchants often use the BIN number to block prepaid card usage.


Another good use for BIN information is justifying tax decisions. A little while back the VAT rules in the EU changed for online merchants. Before, you collected VAT based on your location. After, you collected VAT based on the buyer's location.

Each country implemented a thing called VAT MOSS, and you can register with a country's tax authority to use their VAT MOSS system. You only have to do this in one country. Once a quarter you submit a VAT MOSS form that lists your sales in each EU country and how much VAT you collected. You pay that to the tax authority of the country whose VAT MOSS system you use, and they distribute the appropriate amount to each country.

They don't want it to be trivial for online buyers in high VAT countries to claim they are in some low VAT country, so merchants are not allowed to simply collect the VAT for whatever country the customer picks on the "country" drop-down during checkout. The merchant is required to have two pieces of non-contradictory evidence to justify their choice of which country's VAT to collect. One can be the country selected by the customer.

What we normally use where I work is the customer's selected country and the country that MaxMind's IP-to-country database says they are ordering from. If those two agree that's two pieces of non-contradictory evidence and we're done.

That's good enough most of the time but sometimes it fails. In that case I'll look up the bank that issued their credit card from the BIN. Almost every time that bank turns out to be a bank from the country that the customer claimed to be from, giving two pieces of non-contradictory evidence for that country. Maybe once or twice the bank from the BIN did not match the claimed country but did match the IP country, so I went with that instead.

There have only been a handful of times when that was not good enough, and I had to dive into their past orders, support tickets, and logs of their software contacting our update servers to play detective and try to get enough evidence to justify picking a country.
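The two-pieces-of-evidence rule described in the comment above, and the PCI masking rule (first six and last four digits only) discussed earlier in the thread, as an added example that is not part of the original thread or of any commenter's code. Both routines depend on the BIN, so one block covers both. The BIN-to-issuer-country table, the IP-prefix-to-country table (standing in for MaxMind), the card numbers and the orders are all constructed sample data, not real issuer or GeoIP records.

```python
"""Added example: PCI-style PAN masking and BIN-backed VAT country selection.

All lookup tables and card numbers below are constructed test data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed BIN table: first six digits of the PAN -> issuer country.
# These prefixes are hypothetical and do not belong to real issuers.
BIN_ISSUER_COUNTRY = {
    "400000": "DE",
    "510000": "FR",
    "520000": "IE",
}

# Constructed stand-in for an IP-to-country database. The prefixes are the
# RFC 5737 documentation ranges, used here only as sample data.
IP_COUNTRY = {
    "203.0.113.": "DE",
    "198.51.100.": "FR",
    "192.0.2.": "IE",
}


def _digits(pan: str) -> str:
    """Strip spaces and validate that the PAN is 13 to 19 digits."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Mask a card number for display: keep only the first 6 and last 4.

    This is the maximum PCI DSS permits a support tool to show; everything
    in between is replaced with asterisks.
    """
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def bin_country(pan: str) -> Optional[str]:
    """Issuer country from the BIN (first six digits), or None if unknown."""
    return BIN_ISSUER_COUNTRY.get(_digits(pan)[:6])


def ip_country(ip: str) -> Optional[str]:
    """Country for an IP address from the constructed prefix table."""
    for prefix, country in IP_COUNTRY.items():
        if ip.startswith(prefix):
            return country
    return None


@dataclass
class Order:
    selected_country: str  # what the customer picked at checkout
    ip: str                # address the order was placed from
    pan: str               # card number (only the BIN is used here)


def vat_country(order: Order) -> Optional[str]:
    """Pick the VAT country backed by two non-contradictory pieces of evidence.

    Evidence: customer-selected country, IP country, BIN issuer country.
    With three pieces at most one country can be named twice, so the result
    is unambiguous. None means no two pieces agree and the order needs
    manual review (past orders, support tickets, update-server logs).
    """
    evidence = [order.selected_country, ip_country(order.ip), bin_country(order.pan)]
    counts = Counter(country for country in evidence if country)
    for country, n in counts.items():
        if n >= 2:
            return country
    return None


if __name__ == "__main__":
    sample = Order("IE", "203.0.113.5", "5200 0012 3456 7899")
    print(mask_pan(sample.pan), vat_country(sample))
```

The selected country and the IP country agree in the common case; when they do not, the BIN breaks the tie in favour of whichever of the two it matches, which is exactly the fallback the comment describes. Orders where none of the three agree are returned as `None` rather than guessed.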


I wonder how this will work for the UK post-Brexit. Do you have any educated guesses?


These are my guesses. Not sure how educated they are.

I'd expect it to depend on the nature of the post-Brexit relationship between the UK and the EU. They will have some sort of treaty or agreement on trade, and that will probably include something about handling taxes.

In the best case they cooperate fully and keep the VAT MOSS system working like it does now. That will result in no change from a VAT reporting and collection point of view.

In the worst case they do not cooperate. The consequences of that depend on where the seller is located.

If the seller is not in the UK and not in the EU, then the result is to approximately double the quarterly paperwork. Instead of reporting to the VAT MOSS system of one country and having it distribute the tax to all the others, they will have to report to one EU country VAT MOSS to deal with all of the EU, and to the UK tax authorities to deal with VAT for UK customers. My guess is that those currently using UK VAT MOSS will most likely switch to Ireland VAT MOSS for their EU VAT, to stick with an English speaking country.

If the seller is in the UK, and not in the EU, then the "do not cooperate" case is not as big an impact. That's because the UK VAT MOSS system cannot be used by UK merchants to report UK VAT. They can only use it to report non-UK VAT. They have to file separate paperwork with the UK tax authorities for UK VAT. So worst case for these sellers is that UK VAT MOSS goes away and they have to register with some EU country's VAT MOSS to deal with EU VAT. After that, they are essentially in the same position they are now: they are still reporting to both the UK tax authority and to a VAT MOSS. All that changes is that they might have to use a different VAT MOSS.


Thank you for the interesting reply.

One question:

> UK VAT MOSS system cannot be used by UK merchants to report UK VAT. They can only use it to report non-UK VAT

Why is that? Was it a deliberate choice by the UK tax authorities?


I don't know for sure why it works that way.

My guess would be that it is because each country has its own rules about how VAT works for things sold to buyers in their country. Each country would like to fully apply its rules to all purchases by its residents, but they recognize that it would be unwieldy and expensive for sellers to have to deal with the minutiae of the VAT rules of a couple dozen different countries.

VAT MOSS is a compromise that simplifies the rules, so that a seller selling into several foreign EU countries only has to deal with one unified set of rules through the VAT MOSS system. Instead of having to know details of the tax law of several countries, the seller only needs to know the VAT rate for each. That's much easier to deal with.

I'd guess that they don't apply VAT MOSS to sales by domestic sellers to domestic buyers because they consider their own tax rules superior to the rules under VAT MOSS.


>> They can't store the numbers themselves except the last four digits IIRC.)

That's not actually true. Vendors usually have to store the entire number (but not the CVV/CVN). Most of them show you the last 4 numbers to prevent shoulder surfing and accidentally disclosing the number to someone who's taken over your accounts.



