I did not know this. Thank you for pointing it out. In that case, it's probably not in violation of MA law. It does protect against grey areas that may allow malicious activity against you, e.g. billing address, etc, but it would be a hard sell and not worth anyone's time. Though, it's worth pointing out this is exactly why companies do everything possible to avoid storing PII (e.g. credit card info) even if it's to the customer's disadvantage.