Steam · Steam Privacy Policy

Transaction and Payment Data Collection

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

When you buy something on Steam with a credit card, Valve collects your full credit card details — including card number, expiration date, and security code — and shares them with payment processors and uses them for anti-fraud checks.

Consumer impact (what this means for users)

Your complete credit card information, including the CVV security code, is processed by Valve before being passed to payment processors, creating an additional point of exposure for sensitive financial data compared to a direct payment processor relationship.

Cross-platform context

See how other platforms handle Transaction and Payment Data Collection and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Valve acts as an intermediary for full credit card data before transmitting it to payment processors, meaning your financial data passes through Valve's infrastructure — creating a data security risk point that consumers should be aware of.

View original clause language
In order to make a transaction on Steam (e.g. to purchase Subscriptions for Content and Services or to fund your Steam Wallet), you may need to provide payment data to Valve to enable the transaction. If you pay by credit card, you need to provide typical credit card information (name, address, credit card number, expiration date and security code) to Valve, which Valve will process and transmit to the payment service provider of your choice to enable the transaction and perform anti-fraud checks. Likewise, Valve will receive data from your payment service provider for the same reasons.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: Payment card data processing engages PCI DSS (Payment Card Industry Data Security Standard) compliance obligations. In the EU, this also engages GDPR Art. 6(1)(b) (contractual necessity) and Art. 32 (security of processing). Under CCPA §1798.140, financial information constitutes 'personal information.' The GLBA (15 U.S.C. §6801) may apply to the extent Valve is considered a financial institution for payment data purposes, though this is unlikely given its gaming platform status. FTC Act Section 5 applies to data security failures.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has enforcement authority over inadequate payment data security practices under FTC Act Section 5, as established in FTC v. Wyndham and subsequent actions.
    File a complaint →
  • CFPB
    The CFPB has jurisdiction over payment data practices and consumer financial protection issues arising from credit card data processing on digital platforms.
    File a complaint →

Provision details

Document information
Document
Steam Privacy Policy
Entity
Steam
Document last updated
April 29, 2026
Tracking information
First tracked
April 18, 2026
Last verified
April 18, 2026
Record ID
CA-P-002931
Document ID
CA-D-00182
Evidence Provenance
Source URL
https://store.steampowered.com/privacy_agreement/
Wayback Machine
View archived versions →
SHA-256
63210b28892392d9dae07097221e6ab8458f850d4edd68ce4be0bc540f120bb5
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Steam | Document: Steam Privacy Policy | Record: CA-P-002931
Captured: 2026-04-18 10:57:26 UTC | SHA-256: 63210b28892392d9…
URL: https://conductatlas.com/platform/steam/steam-privacy-policy/transaction-and-payment-data-collection/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document