When you buy something on Steam using a credit card, your card details are collected by Valve and transmitted to a payment processor, and Valve also receives payment data back from that processor for anti-fraud purposes.
This analysis describes what Steam's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Full credit card details are processed by Valve before transmission to payment service providers, meaning Valve is an intermediary in the payment data flow rather than relying solely on direct processor collection.
Valve processes your full credit card number, expiration date, and security code as part of payment transactions before transmitting that data to payment service providers. Under this arrangement Valve handles raw payment credentials, which makes its data security practices directly relevant to users.
Monitoring
Steam has changed this document before.
"In order to make a transaction on Steam (e.g. to purchase Subscriptions for Content and Services or to fund your Steam Wallet), you may need to provide payment data to Valve to enable the transaction. If you pay by credit card, you need to provide typical credit card information (name, address, credit card number, expiration date and security code) to Valve, which Valve will process and transmit to the payment service provider of your choice to enable the transaction and perform anti-fraud checks. Likewise, Valve will receive data from your payment service provider for the same reasons."
— Excerpt from Steam's Steam Privacy Policy
(1) REGULATORY LANDSCAPE: Processing of credit card data by Valve as an intermediary engages PCI DSS (Payment Card Industry Data Security Standard) compliance obligations, which are enforced by card networks rather than a government agency. The FTC has jurisdiction over data security practices for consumer payment data under the FTC Act. GDPR Article 9 is not directly implicated, but financial data processing must have a clear legal basis under GDPR Article 6.
(2) GOVERNANCE EXPOSURE: Medium. The policy discloses that Valve processes credit card details and transmits them to payment providers, which raises questions about PCI DSS scope. If Valve is in-scope for PCI DSS, it must maintain a validated compliance program. The policy does not disclose Valve's PCI DSS compliance status.
(3) JURISDICTION FLAGS: U.S. state breach notification laws (all 50 states) require notification if payment card data is compromised. EU GDPR Article 33 requires breach notification to supervisory authorities within 72 hours. California's CCPA and the CPRA specifically list financial information as a sensitive personal information category with additional protections.
(4) CONTRACT AND VENDOR IMPLICATIONS: Payment service provider agreements should include PCI DSS compliance representations. Valve's role as a data intermediary in payment flows means that breach liability and notification obligations may be shared with payment processors; this should be addressed in contractual arrangements.
(5) COMPLIANCE CONSIDERATIONS: Legal and security teams should confirm Valve's PCI DSS compliance scope and certification status. California teams should assess whether payment data is covered by the CPRA sensitive personal information framework and whether additional user rights apply. Incident response plans should specifically address payment data breach notification timelines across all applicable jurisdictions.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Steam.