Breadcrumb

How to Store Credit Card Information Securely

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedNov 20212 min read

Your customers trust you to protect their credit card details, so are you upholding your end of the bargain? While many businesses encrypt credit card information during transmission, it’s equally vital to protect these sensitive details during storage. Read on to learn more about the legal requirements for storing credit card information, along with five best practices to follow.

Legal requirements for storing credit card information

Naturally, you’ll first want to ensure that you’re compliant with all legal obligations. There’s no single storing customer credit card information law to follow. However, any business with a merchant account should be aware of PCI DSS requirements. PCI compliance refers to a series of steps all merchants must take to safeguard cardholder details, setting out how you should store information.

When determining how to store credit card information securely, a PCI DSS checklist is a great place to start. Many of the best practices below are covered under PCI requirements. Here are some key steps to take when storing credit card information.

Know what you can – and can’t – store

It’s important for merchants to understand the storing customer credit information laws – while you are legally entitled to store some details, others are not allowed. Merchants can store the following details, provided they’re all properly encrypted:

Cardholder name
Primary account number (PAN)
Card expiration date
Service code (contained within the card’s magnetic stripe)

The following details cannot be stored, even when encrypted:

Authentication data
PIN code
CVV/CVC (verification code on back of card)

2. Create a PCI compliant system

Creating a PCI compliant system is another step towards determining how to store credit card information. You should think about who needs to have access to customer credit card information, devising a secure access system with a defined set of rules. These should relate to access, password creation and maintenance, and data handling requirements within your organization. Be sure to put all of this in writing to share when onboarding new employees.

Use PCI approved equipment

Along with processes, your equipment should also be PCI compliant. Examples of equipment include things like point-of-sale terminals, mobile devices, and payment processing software. These should all include basic built-in security features such as firewalls and the latest standard of anti-virus software to ward off malware.

Keep on top of software updates

Keep up with security prompts to ensure all company software and hardware is protected with the most recent updates. Technology advances rapidly and hackers tend to be ahead of the curve, so you need to keep pace with these updates for adequate security. Otherwise, your customers’ card details could be vulnerable to attack.

Don’t forget about audio recordings

Many businesses focus entirely on storing credit card information online, forgetting that audio recordings can also be vulnerable. If your business accepts telephone orders and records calls for quality assurance, you must encrypt these audio recordings. Otherwise, you’re creating an audio archive of recorded credit card details. VoIP systems often store these files digitally, making it easy to encrypt each file and store them in a password-protected location.

The risks and benefits of storing credit card information

Storing credit card information puts a business in a vulnerable position in terms of hacking and fraud, so why do so many businesses choose to do it? There are several benefits, particularly when it comes to online payments. Storing data in-house lets you integrate a smoother, easier checkout process for subscription-based services or repeat customers.

Yet storing these sensitive details in your company’s own databases risks exposure and comes at a significant expense. For many businesses, it makes more sense to use a third-party payment gateway that takes care of security and PCI compliance.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.