Is it legal to sell credit card information in the U.S. or my country?

1. Criminal law vs. commercial transfers: the basic legal divide

Federal criminal law prohibits knowingly selling or transporting counterfeit, forged, lost, stolen or fraudulently obtained credit cards or card data across interstate lines; the statute spells out penalties tied to fraudulent intent and interstate commerce, which law enforcement has used against traffickers who sell victims’ card information (15 U.S.C. §1644) ^[1]. By contrast, creditors legally may transfer accounts or sell debt portfolios — the Consumer Financial Protection Bureau explains that most cardholder agreements permit a card issuer to sell an account to another company, a lawful commercial transaction distinct from selling stolen card numbers ^[2].

2. When sharing is legal: banks, account sales, and permitted data uses

Card issuers and financial firms routinely exchange and sell certain financial information as part of normal business: the CFPB notes that card issuers can sell accounts to other companies, and those transfers are governed by disclosure and consumer‑protection rules rather than criminal statutes ^[2]. Separately, financial institutions can share or sell categories of customers’ transaction data under existing privacy frameworks like the Gramm‑Leach‑Bliley Act, which allows firms to share certain financial information subject to notice and opt‑out requirements — a policy point emphasized by the ACLU in describing how firms use card transaction data ^[3].

3. Payment‑industry rules and compliance are a separate, binding layer

Even when conduct is not a criminal sale, card networks and industry standards impose strict limits: merchants and processors must follow PCI DSS and card‑network rules about who may store or transmit cardholder data, and violations can mean account termination, fines or operational sanctions — consequences explained in merchant guidance and PCI‑compliance summaries rather than criminal law ^{[4] [5]}. Industry enforcement can be as decisive as regulators in stopping improper resale or mishandling of card data ^{[5] [4]}.

4. Where the law is clearest — and where it’s gray

The line is clear for stolen or fraudulently obtained card numbers: selling that data is criminal if done knowingly and across interstate commerce per federal statute ^[1]. It’s less binary for aggregated transaction metadata or permitted account transfers: those commercial data sales can be lawful but are regulated by consumer‑finance statutes, privacy rules and contractual provisions with networks and processors — details matter and differ by the type of data and the party sharing it ^{[2] [3] [5]}.

5. Enforcement and consumer protections you should know

Criminal enforcement targets the trafficking of illicit card data, while civil and administrative regulators (CFPB, FTC and state authorities) oversee disclosures, account transfers and deceptive business practices; the FTC also pursues nonbank actors that deceptively market credit products ^{[6] [2]}. Consumers have protections around liability for fraud and dispute processes; reports and guides emphasize that compromised data can lead to identity theft and that victims should use dispute remedies and fraud notifications ^{[7] [6]}.

6. Practical implications for merchants and individuals

Merchants cannot lawfully store or share cardholder data without complying with PCI standards and card‑network rules; failure risks fines or loss of the ability to process cards even if not prosecuted criminally ^{[4] [5]}. Individuals should distinguish between a bank selling a delinquent account (legal and regulated) and a third party buying or selling raw card numbers obtained by theft (criminal and prosecutable) ^{[2] [1]}.

7. Limits of available reporting and next steps

Available sources outline federal criminal statutes, CFPB guidance on account sales, FTC consumer enforcement, industry compliance obligations, and privacy concerns under GLB, but they do not provide a state‑by‑state legal chart nor country‑specific rules for jurisdictions outside the U.S.; those are not found in current reporting ^{[1] [2] [3] [6]}. If you want a definitive answer for “my country,” say which country and we can consult local statutes and regulators; for U.S. specifics consult 15 U.S.C. §1644 for criminal exposure and the CFPB/FTC for consumer‑finance rules ^{[1] [2] [6]}.