Some small businesses, such as those that offer subscriptions, need to store customer credit card details. However, card networks take the security of credit card data seriously and employ strict merchant guidelines for storing credit card information. We provide an overview of the nature of credit card data plus tips on how to securely store it.
Key takeaways:
- The PCI Security Standards Council lists guidelines for securely storing credit card information.
- Only store necessary customer data and discard the information when it is no longer needed.
- Any data breach resulting from unauthorized access to customer data can lead to litigation and fees that can cost hundreds of thousands of dollars.
- Most payment processors provide secure credit card data storage services.
What Is Credit Card Data?
Credit card data is electronic information shared and captured to process credit card transactions. The elements of credit card data can be categorized as cardholder data (CHD) that is printed, and sensitive authentication data (SAD) that is concealed in the physical credit card.
In the latest version of PCI DSS, the collective term for this information is account data.
- Cardholder data (CHD)
  - Primary Account Number (PAN)
  - Cardholder Name
  - Expiration Date
- Sensitive authentication data (SAD)
  - Full track data (magnetic-stripe data or equivalent on a chip)
  - Card verification code (CVC)
  - PINs/PIN blocks
For businesses that accept credit cards as a form of payment, it is legal to store a customer’s credit card information, but strict rules govern which data elements can be saved and how they must be protected. The PCI Security Standards Council established a 12-requirement standard (PCI DSS) for protecting customer data, which includes the proper management of cards on file.
Who Should Store Credit Card Information?
Under PCI DSS, merchants should only store credit card information on file if it is an absolute necessity for running normal business operations. Some examples include businesses that need to efficiently collect payments from repeat customers (such as for club memberships), for temporary use (such as for hotel reservations), and for running a subscription service.
These business types benefit from storing customer credit card information for a number of reasons:
- Allows for automated recurring billing and payments
- Improves accounts receivable and cash flow
- Creates quick and easy checkout for recurring customers
Why Should Merchants Secure Stored Credit Card Data?
The National Council on Identity Theft Protection received over 100,000 legitimate reports from US consumers of credit card information stolen in the past year. Credit card fraud from online shopping resulted in $66 million worth of losses. A Juniper Research report also estimated that online payment fraud cost merchants $38 billion in 2023.
Businesses that accept credit card payments are accountable for protecting customers’ data during the transaction. This extends to merchants who save customer card information as a means to collect payments.
When a business is not compliant with PCI standards for storing credit card information, it can face penalties starting from $20 per month until PCI compliance is met. If a data breach results from non-compliance, businesses can be fined anywhere from five thousand to hundreds of thousands of dollars, not to mention the risk of losing their merchant account.
Related reading:
- How to Avoid Payment Fraud
- Small Business Guide to POS Security
- Small Business Guide to Secure Payment System
PCI Guidelines for Storing Credit Card Information
According to the PCI DSS requirements, merchants should only save necessary customer card data and dispose of the information properly when it’s no longer needed. Storing sensitive authentication data is strictly prohibited after the payment authorized by the customer has been completed.
To summarize, the table below explains which elements of a customer’s account data can be stored and if encryption is required.
| Account Data Type | Data Elements | Storage Restrictions | Encryption Required |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Kept to a minimum | Yes, if stored with other data elements |
| Cardholder Data | Cardholder Name | Kept to a minimum, only if stored with the customer’s PAN | No |
| Cardholder Data | Service Code | Kept to a minimum, only if stored with the customer’s PAN | No |
| Cardholder Data | Expiration Date | Kept to a minimum, only if stored with the customer’s PAN | No |
| Sensitive Authentication Data | Chip or Magnetic Stripe data | Should not be stored after authorization is complete | Yes, with heavy encryption |
| Sensitive Authentication Data | Card verification code | Should not be stored after authorization is complete | Yes, with heavy encryption |
| Sensitive Authentication Data | PIN/PIN Block | Should not be stored after authorization is complete | Yes, with heavy encryption |
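As an added illustration (not code from the article or from the PCI Council), the function below applies the table's storage rules to a captured payment record after authorization: sensitive authentication data is dropped, the PAN is masked to its last four digits for receipts and profiles, and a separate check detects SAD that was stored by mistake. Field names and the sample record are assumptions constructed for the example; encrypting a PAN that is retained on file is left to the vault or processor and is not shown here.

```python
from typing import Dict, List

# Sensitive authentication data (SAD): must never be kept after authorization.
SAD_FIELDS = {"track_data", "cvc", "pin", "pin_block"}
# Cardholder data (CHD) that may be kept, but only to the minimum needed.
CHD_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}


def mask_pan(pan: str) -> str:
    """Display form of a PAN for receipts, CRM profiles and logs: last four only."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:  # card PANs are 13 to 19 digits long
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_stored_sad(record: Dict[str, str]) -> List[str]:
    """Detection check: names of SAD fields still present (non-empty) in a record."""
    return sorted(k for k in record if k in SAD_FIELDS and record[k])


def to_storable_record(record: Dict[str, str], keep_pan: bool) -> Dict[str, str]:
    """Return the subset of a captured record that may be kept on file.

    SAD is dropped entirely and unknown fields are not retained by accident.
    The full PAN is kept only when the caller has a card-on-file need for it;
    the masked form is always produced for display.
    """
    out: Dict[str, str] = {}
    for key, value in record.items():
        if key in SAD_FIELDS or key not in CHD_FIELDS:
            continue
        out[key] = value
    if "pan" in out:
        out["pan_masked"] = mask_pan(out["pan"])
        if not keep_pan:
            del out["pan"]
    return out


# Constructed sample record, as a checkout form or terminal might capture it.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Example",
    "expiration_date": "12/27",
    "cvc": "123",
    "track_data": "constructed-track-data-placeholder",
    "pin_block": "constructed-pin-block-placeholder",
}
```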
Tips on How to Store Credit Card Information
To meet PCI compliance, merchants should work with a payment processor that can provide a PCI-compliant card-on-file service. There are also simple tips and adjustments merchants can make to help protect their customers’ card information.
Never Write Down Customer Credit Card Information
Make sure to train your customer-facing employees to refrain from getting into the habit of writing down a customer’s credit card information. This makes it easier for unauthorized individuals to access customer data. Create a policy for properly disposing of hard copies, personal notes, and loose leaves of papers within the workplace for added security measures.
Only Keep the Last Four Digits of the Customer’s Card Information for Your Records
Your point-of-sale (POS) software should only display the last four digits of your customer’s card number. This applies to hard copy and digital receipts, your website checkout pages, customer profiles in your CRM, and your sales records. Perform a test transaction and confirm that the card number is masked on receipts and screens and that stored data is encrypted before signing up for a POS system.
Use a Credit Card Authorization Form
When possible, have your customers sign a credit card authorization form. This is especially useful for businesses that collect recurring payments and customers using their credit card information to hold hotel and ticket reservations. Credit card authorization forms also protect merchants from the risk of chargeback claims by serving as documented proof of valid credit card transactions.
Do Not Access Your Business Software From Public Networks
Mobility provides merchants with the convenience to work while on the go. However, remember not to access your business systems on a public network. Bring your own secure mobile internet service if your business requires you to accept payments in public areas, such as when out for deliveries or at craft shows.
Keep Your Security Software Updated
It’s important to install security software updates as soon as they are available. Doing so ensures that your business systems stay monitored and protected against the latest threats. Don’t turn off security software notifications, and check regularly to make sure you have not missed any.
Only Use PCI-approved Hardware and Software
Merchants need credit card terminals and payment gateways to accept credit card payments. However, not all payment processing hardware and software are secure. Work only with PCI-compliant payment processors and purchase approved hardware directly. Always ask for proof of PCI compliance before signing up with a service provider.
Frequently Asked Questions (FAQs)
These are some of the most common questions we encounter about storing credit card information.
Who should store credit card information?
Only businesses that need a customer’s credit card details for future transactions, and that have express authorization from the card owner, should store credit card information.
Is it legal to store credit card information?
Yes, it is legal, but merchants are required to follow strict guidelines set by the PCI Security Standards Council for storing credit card information.
Is it safe to store credit card information?
Merchants who follow the PCI standards can safely store credit card details. Credit card owners who wish to save their credit card information should look for software that can encrypt their data to protect it from hackers.
Bottom Line
When storing credit card information, merchants should be constantly aware of their responsibility to protect their customers’ data. While understanding PCI guidelines is important, making simple changes to business procedures can create significant improvements in securing customers’ information. Not only will this help your business achieve PCI compliance, but assuring customers that their information is safe will also build consumer confidence, loyalty, and trust.