I order groceries online, more or less each week. Every week, as I check out I use my password manager to fill in the credit card details. Every week, the store asks if I wish to save these card details “to make checkout faster in the future”. I do not really need that since I have the card details stored in my password manager so it’s very fast for me anyway. Additionally, when my card expires, or I otherwise have to change it, or I just wish to use a different one, I only have one place to change it, rather than several places.
However, the main reason I do not store my card details on the store’s site is that I’m not 100% convinced of their security practices. I have no reason to doubt that they are taking security very seriously, but I also have no reason to assume that they are. In addition, they are more likely to get hacked than I am, simply because the pay-off for the hackers would be much larger. Storing my card details in one place makes the attack surface smaller: I only have to worry about my password manager being hacked, not all of the stores I’ve chosen to save my card details on.
However, there is something of a fly in this ointment. If you want to get a good delivery time, or indeed any delivery time, you have to place your order around about a week in advance. So I basically order enough groceries for a week, and when it arrives I place a new order. You can make changes to your order at any time, and you are not charged for the order until it is finalised when it is picked and packed. So this means that, although I have chosen not to have my credit card details stored, they are stored for the time between placing the order and the order being finalised.
In practice, this means I basically have my card stored on their server the entire time, because I usually make next week’s order the same day as the previous week’s order is finalised. So perhaps it would be worth the extra convenience to just go ahead and tick the box to have my card details stored?
I’m still not going to do it for several reasons:
- Presumably the card details are stored on the order when placed, but if stored ‘for next time’ they must be stored in a separate place. It’s just possible that attackers could gain access to all the stored cards without gaining access to the stored orders (and hence the cards stored on them).
- It’s good practice. Whilst it might be the case that I’m not saving much security here, that’s only because I buy groceries most weeks. Groceries are also unusual in that you place the order but aren’t charged immediately. Keeping up the practice of refusing the offer to store my card probably makes it a bit less likely that I make the mistake of storing the card on some other site I don’t use often.
- I don’t buy groceries when away from home, for example on holiday. That’s a nice time not to get a nasty email telling you that you should cancel your credit card. However, I do sometimes set up an order for the day (after) I return from holiday.
Overall, I’m probably not increasing my security by much, but I’m still going to do it.
One small point of kudos to the grocery store in question. It used to be that the ‘Save my card for next time’ checkbox was checked by default and I had to uncheck it every time. That appears to have changed, and it is now unchecked by default.