
How To Store Credit Card Information

Last edited Apr 2022. 3 min read

Making an online payment involves a level of trust between customer and merchant. When you’re handed customer credit card details, it’s vital to handle and store them securely to prevent a costly data breach. Here are a few practices to follow, ensuring your storage system is safe.

Are merchants allowed to store customer credit card details?

Yes, if they follow all security requirements and are PCI compliant. Businesses are allowed to store the following information, but it must be encrypted:

  • Cardholder name

  • Primary account number (PAN), which is the 16-digit card number

  • Card expiration date

  • Service code

While this information can be stored, there are also some elements of cardholder information that cannot be stored by merchants:

  • PIN

  • Encrypted PIN

  • CVV/CVC security code

  • Authentication data

What are the risks of a credit card user database?

Using a credit card user database can streamline the payments process, particularly for repeat clients. However, if you decide to store the permitted customer credit card details to make the checkout process easier, you should be aware of any potential risks. Credit card data storage is attractive to hackers and other bad actors, making it prone to security breaches.

  1. Malware – Cybercriminals use techniques such as SQL injection to gain access to databases. In the case of malware, a criminal uses phishing emails or sends a malicious file that installs the malware when the file is opened.

  2. Inside credential abuse – A current or former employee abuses their privilege to access sensitive customer credit card details and steal valuable data.

  3. Backup file theft – It’s good practice to back up files in credit card data storage, but if this process isn’t secured with full encryption, you leave your backup media open to theft.

How to store credit card information securely

Failing to store and secure your customer credit card data can have widespread implications for your business’s success. Not only can your reputation take a hit, but you may face fines and additional financial damage as you rebuild your system. One option is to simply avoid storing any cardholder data entirely. However, if you do want to go down this route, here’s how to store credit card information securely.

1. Learn the PCI standards, inside and out.

All businesses handling credit card payments should have a basic knowledge of the PCI standards, but this is particularly key if you are using your own credit card data storage. These standards are clearly defined on the Security Standards Council website.

2. Use a secure payment gateway.

Never write down credit card details when taking a remote payment, either over the phone or online. Instead, these payments should be entered and processed using a virtual terminal or other remote payment gateway.

3. Use a dedicated credit card data storage system.

While it may be tempting to use your existing CRM to store credit card data, this most likely will not meet PCI standards. Instead, use password-protected, dedicated storage with all encryption and security built in.

4. Keep on top of software updates.

Whether you’re using your own storage system or a third-party payment processor, you should ensure you stay on top of all routine software and hardware updates. Cybercriminals are constantly probing existing defences for holes, and software vendors close them with the latest updates.

5. Use PCI compliant equipment.

The PCI guidelines spell out the requirements for any equipment and software used for handling card details. Whether this is a point-of-sale terminal or payment processing software, double-check that your equipment meets the guidelines for data storage.

6. Never store the CVV security number.

While you can store the credit card number on the front of the card, never hold onto the customer’s CVV security code. This appears as either a three- or four-digit code on the back of any Visa or MasterCard.
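The two rules above, keep only the permitted fields (and keep the PAN encrypted) and never persist the CVV, PIN or other authentication data, are easiest to enforce with a single gate in front of the card table. The following Go program is an added example written for this article; it is not GoCardless code and not a PCI DSS reference implementation. It assumes a backend that receives card fields as a map, validates the PAN with a Luhn check, refuses any record carrying a prohibited field, and stores the PAN only as AES-GCM ciphertext next to a masked copy (first six and last four digits) for display. The 32-byte key is generated in memory here purely for demonstration; in a real deployment it would come from a key management service or HSM, which is an assumption of the example, not something the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Fields the article says a merchant may keep (encrypted) ...
var allowedFields = map[string]bool{
	"name": true, "pan": true, "expiry": true, "service_code": true,
}

// ... and sensitive authentication data it says must never be stored.
// The key names are this example's own convention, not a standard.
var forbiddenFields = map[string]bool{
	"cvv": true, "cvc": true, "pin": true, "pin_block": true, "auth_data": true,
}

// StoredCard is the only shape that reaches the database: the PAN exists
// solely as ciphertext, plus a masked form safe to show in a UI or log.
type StoredCard struct {
	Name        string
	Expiry      string
	ServiceCode string
	MaskedPAN   string // e.g. 411111******1111
	PANCipher   []byte // nonce || AES-GCM ciphertext || tag
}

// luhnValid rejects obviously mistyped or garbage PANs before encryption.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the first six and last four digits, which PCI DSS allows
// to be displayed, and blanks the rest.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals the PAN with a fresh random nonce prepended to the output.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN is the only path back to the clear PAN (e.g. to submit a charge).
func DecryptPAN(key, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err // tampered or wrong key: GCM authentication fails
	}
	return string(pt), nil
}

// PrepareForStorage is the gate: any prohibited or unknown field aborts the
// write, the PAN must pass Luhn, and only the encrypted/masked forms survive.
func PrepareForStorage(key []byte, fields map[string]string) (*StoredCard, error) {
	for k := range fields {
		if forbiddenFields[k] {
			return nil, fmt.Errorf("refusing to store prohibited field %q", k)
		}
		if !allowedFields[k] {
			return nil, fmt.Errorf("unknown field %q", k)
		}
	}
	pan := strings.ReplaceAll(fields["pan"], " ", "")
	if !luhnValid(pan) {
		return nil, errors.New("PAN failed Luhn check")
	}
	ct, err := encryptPAN(key, pan)
	if err != nil {
		return nil, err
	}
	return &StoredCard{
		Name: fields["name"], Expiry: fields["expiry"], ServiceCode: fields["service_code"],
		MaskedPAN: maskPAN(pan), PANCipher: ct,
	}, nil
}

func main() {
	key := make([]byte, 32) // demo only; load from a KMS/HSM in production
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample input using a well-known test PAN.
	ok := map[string]string{"name": "A Customer", "pan": "4111 1111 1111 1111", "expiry": "12/27", "service_code": "201"}
	rec, err := PrepareForStorage(key, ok)
	fmt.Println(rec.MaskedPAN, err) // 411111******1111 <nil>
	// A submission that still carries the CVV is rejected outright.
	_, err = PrepareForStorage(key, map[string]string{"pan": "4111111111111111", "cvv": "123"})
	fmt.Println(err)
}
```

Refusing the whole record when a prohibited field is present, rather than silently dropping it, is deliberate: it surfaces the upstream form or integration that is still sending CVV or PIN data, which is the bug you actually want fixed.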

Credit card data storage: the bottom line

Building your own billing and storage system from scratch isn’t feasible for many small business owners, but fortunately there are plenty of payment processors to handle all the ins and outs of PCI compliance on your behalf.

Of course, security is vital for any type of payment. GoCardless does not handle card transactions, but we do process payments via Direct Debit and Open Banking. Both methods are extremely secure for recurring and one-off payments, using strong encryption to keep you and your customers safe. Best of all, GoCardless is an FCA-approved payment processor, which means we handle that on the business’s behalf.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.

Over 70,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.

