
How to Store Credit Card Information Securely

Last edited Nov 2021

Your customers trust you to protect their credit card details, so are you upholding your end of the bargain? While many businesses encrypt credit card information during transmission, it’s equally vital to protect these sensitive details during storage. Read on to learn more about the legal requirements for storing credit card information, along with five best practices to follow.

Naturally, you’ll first want to ensure that you’re compliant with all legal obligations. There’s no single law governing the storage of customer credit card information. However, any business with a merchant account should be aware of the PCI DSS requirements. PCI compliance refers to a series of steps all merchants must take to safeguard cardholder details, and it sets out how you should store that information.

When determining how to store credit card information securely, a PCI DSS checklist is a great place to start. Many of the best practices below are covered under PCI requirements. Here are some key steps to take when storing credit card information.

1. Know what you can – and can’t – store

It’s important for merchants to understand the rules on storing customer credit card information: you are permitted to store some details, while others may never be kept. Merchants can store the following details, provided they’re all properly encrypted:

  • Cardholder name

  • Primary account number (PAN)

  • Card expiration date

  • Service code (contained within the card’s magnetic stripe)

The following details cannot be stored, even when encrypted:

  • Authentication data

  • PIN code

  • CVV/CVC (verification code on back of card)
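The two lists above are easiest to enforce as a single gate between card authorisation and persistence: refuse any record that still carries authentication data, validate the PAN, encrypt it with an authenticated cipher, and keep only a masked copy for display. The Go program below is an added example written for this article, not GoCardless code; the type and function names (`CardInput`, `StoredCard`, `ToStorable`, `EncryptPAN`, `DecryptPAN`) are assumptions, the all-zero key and the card number 4111111111111111 are constructed sample values (the latter is a widely used test number, not a real card), and the PAN check is a length-and-digits check only, so a Luhn check would normally be added.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// CardInput is what a checkout form or phone agent captures. CVV and PIN are
// present only so the storage gate can refuse them; they must never persist.
type CardInput struct {
	HolderName, PAN, Expiry, ServiceCode string
	CVV, PIN                             string // sensitive authentication data
}

// StoredCard is the only shape allowed to reach the database.
type StoredCard struct {
	HolderName, Expiry, ServiceCode string
	EncryptedPAN                    []byte // nonce || AES-256-GCM ciphertext of the PAN
	MaskedPAN                       string // last four digits only, safe for receipts and UI
}

var (
	ErrForbiddenData = errors.New("CVV or PIN present: authentication data must never be stored")
	ErrInvalidPAN    = errors.New("PAN is not 13-19 digits")
)

// ToStorable is the gate between authorisation and persistence: it fails closed
// if forbidden fields are present, validates the PAN, then encrypts it.
func ToStorable(in CardInput, key []byte) (StoredCard, error) {
	if in.CVV != "" || in.PIN != "" {
		return StoredCard{}, ErrForbiddenData
	}
	if !validPAN(in.PAN) {
		return StoredCard{}, ErrInvalidPAN
	}
	enc, err := EncryptPAN(in.PAN, key)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{HolderName: in.HolderName, Expiry: in.Expiry, ServiceCode: in.ServiceCode,
		EncryptedPAN: enc, MaskedPAN: MaskPAN(in.PAN)}, nil
}

// validPAN accepts 13-19 ASCII digits (a Luhn check would normally follow).
func validPAN(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	return strings.Trim(pan, "0123456789") == ""
}

// MaskPAN keeps only the last four digits for display.
func MaskPAN(pan string) string {
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN with AES-256-GCM and prepends the random nonce.
// In production the key comes from an HSM or KMS, never from source code.
func EncryptPAN(pan string, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN; only the payment-processing path should call it.
// A wrong key or a tampered blob fails authentication and returns an error.
func DecryptPAN(blob, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; never do this in production
	sample := CardInput{HolderName: "A Customer", PAN: "4111111111111111", Expiry: "12/29"}
	_, err := ToStorable(CardInput{PAN: sample.PAN, CVV: "123"}, key)
	fmt.Println("record with CVV rejected:", err)
	stored, _ := ToStorable(sample, key)
	fmt.Println("stored masked PAN:", stored.MaskedPAN)
}
```

Rejecting a record that still carries the CVV, rather than silently dropping the field, makes the bug visible at the point where the authorisation flow forgot to discard it, which is the moment you want to learn about it rather than during a PCI audit.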

2. Create a PCI-compliant system

Creating a PCI compliant system is another step towards determining how to store credit card information. You should think about who needs to have access to customer credit card information, devising a secure access system with a defined set of rules. These should relate to access, password creation and maintenance, and data handling requirements within your organization. Be sure to put all of this in writing to share when onboarding new employees.

3. Use PCI-approved equipment

Along with processes, your equipment should also be PCI compliant. Examples of equipment include things like point-of-sale terminals, mobile devices, and payment processing software. These should all include basic built-in security features such as firewalls and the latest standard of anti-virus software to ward off malware.

4. Keep on top of software updates

Keep up with security prompts to ensure all company software and hardware is protected with the most recent updates. Technology advances rapidly and hackers tend to be ahead of the curve, so you need to keep pace with these updates for adequate security. Otherwise, your customers’ card details could be vulnerable to attack.

5. Don’t forget about audio recordings

Many businesses focus entirely on storing credit card information online, forgetting that audio recordings can also be vulnerable. If your business accepts telephone orders and records calls for quality assurance, you must encrypt these audio recordings. Otherwise, you’re creating an audio archive of recorded credit card details. VoIP systems often store these files digitally, making it easy to encrypt each file and store them in a password-protected location.

The risks and benefits of storing credit card information

Storing credit card information puts a business in a vulnerable position in terms of hacking and fraud, so why do so many businesses choose to do it? There are several benefits, particularly when it comes to online payments. Storing data in-house lets you integrate a smoother, easier checkout process for subscription-based services or repeat customers.

Yet storing these sensitive details in your company’s own databases risks exposure and comes at a significant expense. For many businesses, it makes more sense to use a third-party payment gateway that takes care of security and PCI compliance.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.

Over 70,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.
