How To Store Credit Card Information

Data breaches can hurt both the client and the attacked organization; therefore, properly storing credit card information is critical. Furthermore, the theft of credit cards and other sensitive details leads businesses to lose their consumers’ trust and may result in legal action.

But in today’s increasingly contactless world, allowing customers to shop with a credit card is also a must. Therefore, if your business accepts credit cards, you must protect your customer’s credit card information.

See Also: Advantages of Using a Credit Card Vault for PCI

In your contract with your bank or processor, you have agreed to comply with industry data security standards such as PCI DSS. A competent payment provider will have the technology and processes to comply with the PCI DSS.

Likewise, you have a responsibility to ensure that your business protects your customer’s information appropriately. Issues such as how you store credit card information, the equipment you use to do so, and the service providers you partner with should be thoroughly studied in credit card storage.

This article covers the best practices your business can use when storing credit card information.

How Should You Store Credit Card Information?

The major data breach incidents we’ve heard about in the news remind us how important it is, as a business, to keep credit card information and other personal data safe. If you run a recurring or subscription-based payment business, you will routinely need to retain credit card information.

See Also: How do I Protect the Stored Payment Cardholder Data?

Storing credit card data online is most advantageous for businesses that deal with recurring bills or have active account users who make frequent purchases. But if you’re not part of this camp, you have to ask yourself why you should store credit card data on your servers. If storing credit card data does not provide you and your customers a clear benefit, it is better not to store card data.

You can work with a service provider to store credit card information. However, the service provider you will work with should have services that can store your customer’s credit card information and sensitive data.

Can a Merchant Store Credit Card Information?

To answer briefly, yes, merchants can store credit card information.

The long answer is that merchants must be PCI compliant to store credit card data. There is also data you can keep and data you cannot, so make sure you handle your customers’ credit card information securely.

See Also: PCI Requirements For Storing Credit Card Information

It is essential that you know what you can and cannot store. It is also crucial that you understand the rules on retaining customer card data, because you are permitted to keep some details but not others.

You need to make sure your data is encrypted, and merchants may retain the following details, provided the credit card data is appropriately encrypted:

  • Card Holder’s Name
  • PAN (Primary Account Number) (16-digit number on the front of the card)
  • Expiration date
  • Service code (located on the card’s magnetic stripe)

Here’s what you can’t store, even if the data is encrypted:

  • SAD – Sensitive authentication data (e.g., full magnetic stripe information)
  • PIN code
  • PIN block (i.e., encrypted PIN)
  • CVV/CVC (three or four-digit code on back of card)
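As an added example (not code from the original article), the check below enforces the two lists above at the point where a record is about to be written to storage: it keeps only the four retainable fields, rejects sensitive authentication data by field name, and also scans every value for anything shaped like magnetic-stripe track data, so full-track content cannot slip in under an innocent-looking field name. The field names, the simplified track-data pattern and the card number are constructed for this example. Passing this check only means the record contains nothing prohibited; the PAN still has to be rendered unreadable before it is stored, as the article describes later.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Fields PCI DSS allows a merchant to retain (the article's first list).
// The key names are constructed for this example.
var allowedFields = map[string]bool{
	"cardholder_name": true,
	"pan":             true,
	"expiry":          true,
	"service_code":    true,
}

// Sensitive authentication data that must never be stored after
// authorization, even encrypted (the article's second list).
var forbiddenFields = map[string]bool{
	"cvv": true, "cvc": true, "cvv2": true, "cid": true, "csc": true,
	"pin": true, "pin_block": true,
	"track1": true, "track2": true, "magstripe": true,
}

// Simplified shapes of magnetic-stripe track data, used to catch full-track
// content arriving under an allowed field name. Assumption: Track 1 begins
// with "%B", the PAN and a "^" separator; Track 2 begins with ";", the PAN,
// "=" and the four-digit expiry. Real parsers check more than this.
var trackPattern = regexp.MustCompile(`%B\d{12,19}\^|;\d{12,19}=\d{4}`)

// SanitizeForStorage returns a copy of record containing only fields a
// merchant may retain. It fails closed: a forbidden field, a value that
// looks like track data, or a field not on the allow-list rejects the
// whole record rather than silently dropping the offending part.
func SanitizeForStorage(record map[string]string) (map[string]string, error) {
	clean := make(map[string]string, len(record))
	for key, value := range record {
		k := strings.ToLower(strings.TrimSpace(key))
		switch {
		case forbiddenFields[k]:
			return nil, fmt.Errorf("refusing to store sensitive authentication data: %q", k)
		case trackPattern.MatchString(value):
			return nil, fmt.Errorf("field %q contains magnetic-stripe track data", k)
		case !allowedFields[k]:
			return nil, fmt.Errorf("field %q is not on the storage allow-list", k)
		}
		clean[k] = value
	}
	return clean, nil
}

func main() {
	// Constructed sample record; 4111 1111 1111 1111 is a standard test PAN.
	record := map[string]string{
		"cardholder_name": "JANE DOE",
		"PAN":             "4111111111111111",
		"expiry":          "1225",
		"service_code":    "201",
		"cvv":             "123",
	}
	if _, err := SanitizeForStorage(record); err != nil {
		fmt.Println("rejected:", err)
	}
	delete(record, "cvv")
	clean, err := SanitizeForStorage(record)
	fmt.Println(clean, err)
}
```

The check runs before persistence, not after: once a CVV or track field has reached a database, a log file or a backup, removing it is a cleanup exercise rather than a control.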

Building a PCI-compliant system is another step towards determining how credit card information is stored. It’s essential to think about who should access consumer credit card information and build up a safe access system with clear guidelines.

See Also: What Are the Parts of a Debit or Credit Card and How Do They Work?

These should be related to your company’s access, password creation and maintenance, and data processing needs. Be sure to share all of this in writing when hiring new employees.

What are the Matters Regarding the Storage of Credit Card Information?

It would be best to consider many different aspects of data security as you run your business. For example, when you store credit card information, you risk data breaches and fraudulent activity. While we’ll cover simple things you can do to keep card information safe as a business owner, there are some precautions your processor will want you to complete.

Once you have secured a merchant account, you must follow the Payment Card Industry Data Security Standard (PCI DSS) to process card payments securely. The standard is a security framework developed by the PCI SSC and updated as needed.

The PCI DSS standard lays out the minimal requirements for safeguarding cardholder information. For example, under PCI DSS, data can only be stored on PCI SSC-approved PIN devices and payment applications. In addition, businesses that opt out of PCI compliance are subject to penalties, such as a PCI non-compliance fee.

PCI may seem confusing at first, but you don’t have to figure it out yourself. For more information, contact a certified payment processor.

What Are the Legal Requirements for Storing Credit Card Information?

Naturally, you first need to make sure you comply with all legal obligations. However, there is no single rule governing client credit card information. Any firm having a merchant account, on the other hand, should be aware of PCI DSS regulations. PCI compliance refers to a set of measures that all merchants must take to protect cardholder information by defining how data should be stored.

When determining how to securely store credit card information, meeting the requirements of PCI DSS will significantly improve your security posture. PCI DSS requirements cover most of the credit card storage best practices below.

What are PCI Compliant Approaches in Storing Credit Card Information?

Cardholder data storage should be limited to what a merchant needs to meet legal, regulatory, or business needs. Below are the most trusted PCI compliant practices and approaches for collecting and securely storing credit card information online:

  • One-way hash: Hashing is irreversible, so it suits situations where the original card number never needs to be recovered. The stored hash serves only as index data that refers to a database entry holding the confidential information.
  • Strong cryptography: Encryption uses industry-accepted algorithms and protocols to convert payment details into an unreadable form that can be recovered only with the key.
  • Truncation: Truncation removes most of the PAN, leaving no more than the first six and last four digits visible.
  • Index tokens and pads (sometimes rendered “directory tokens”): A method that replaces the original digits with a token and conceals them using a random key or “pad.”
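The two approaches a merchant can apply without a vault, truncation and a one-way hash, are shown below as an added example in Go; this is not code from the article. It applies the article’s rule of keeping no more than the first six and last four digits, and uses a keyed hash (HMAC-SHA256) rather than a bare SHA-256 for the index. The key, the function names and the card numbers are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TruncatePAN keeps at most the first six and last four digits of a PAN and
// masks everything in between. Input that is not 13-19 plain digits is
// rejected outright instead of being partially masked.
func TruncatePAN(pan string) (string, error) {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop non-digits so the length check below catches them
	}, pan)
	if len(digits) != len(pan) || len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("PAN must be 13-19 digits with no separators")
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:], nil
}

// HashPANIndex produces a keyed one-way index of a PAN (HMAC-SHA256).
// The PAN space is small and structured, so an unkeyed hash can be
// brute-forced by anyone holding the hashes; the secret key is what makes
// the index one-way in practice. Assumption: the key is held in a key
// manager or HSM, never stored beside the hashes.
func HashPANIndex(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	// Constructed demo key; a real key is generated and stored in a key manager.
	key := []byte("constructed-demo-key-do-not-reuse")
	for _, pan := range []string{"4111111111111111", "378282246310005"} {
		masked, err := TruncatePAN(pan)
		fmt.Println(masked, err, HashPANIndex(key, pan)[:16]+"...")
	}
	_, err := TruncatePAN("4111 1111 1111 1111")
	fmt.Println("formatted input:", err)
}
```

Two caveats a practitioner will want: PCI DSS v4.0 requires that hashes used to render PAN unreadable be keyed cryptographic hashes of the entire PAN, and the standard warns that a truncated PAN and a hash of the same PAN must not be stored where they can be correlated, since the hash then only has to be brute-forced over the missing digits.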

Keeping credit card data on-site, on the other hand, is a complicated approach that requires a great deal of knowledge and effort. Therefore, many businesses opt to outsource their data storage needs.

See Also: How can you make stored PAN information unreadable?

Collaboration with a specialist third party, such as a PCI DSS certified PSP or payment gateway, is one of the preferred approaches to protecting payment details. Such organizations hold the sensitive data on their own secured servers, which relieves you of the most challenging aspects of PCI compliance.

Best Practices for Storing Credit Card Information

Now that you know the importance of storing credit card information correctly, it’s time to put that knowledge into practice. Here are some helpful best procedures for storing customer information and sensitive credit card data.

1. Store Credit Card Information in a Safe Place

Writing credit card information down and storing it on paper should never be your first choice; it is a bad idea even if you shred the records afterwards. Likewise, general-purpose online storage platforms are not, on their own, a safe place to keep credit card information.

If your business keeps all of its customer information in a CRM database, don’t use it to hold credit card information as well. While it is convenient to have all customer information in one place, it is a highly insecure option. Instead, use a system with a secure vault to store this information, or a separate software connection to access it as needed.

2. Make Sure Sensitive Data Is Encrypted

When you store credit card information to process recurring transactions, you need to ensure that this data is always encrypted, and that the encryption uses a robust algorithm. Strong encryption helps protect the data even if a computer is stolen or someone gains unauthorized access to the storage.

See Also: What Are the PCI DSS Encryption Requirements

Some payment processors provide a secure data storage service. However, if specific data storage is not included in your service package, you can add it to your existing service contract. This usually happens through a process called tokenization.

The business stores a “token” in its database in place of the card number. The token itself is a random value, so obtaining it on its own exposes nothing. When you need to process a payment, you send the token to the service provider, and it sends the full card number back to you.
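The exchange described above, as an added example in Go that is not any provider’s code: a minimal token vault standing in for the service provider. The merchant side keeps only the token; the vault keeps the PAN encrypted at rest (AES-256-GCM here) and hands it back only on a detokenize call. The in-memory map, the “tok_” prefix, the all-zero demo key and the card number are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault models the service provider's token store. The merchant never
// holds the vault key; it holds only tokens.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // token -> nonce || ciphertext
}

// NewVault wraps a 16-, 24- or 32-byte AES key in GCM mode.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Tokenize encrypts the PAN and returns a fresh random token. The token is
// drawn from crypto/rand, not derived from the PAN, so it reveals nothing
// about the card number; tokenizing the same PAN twice yields two tokens.
func (v *Vault) Tokenize(pan string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Bind the token in as associated data: a ciphertext copied under a
	// different token fails authentication on Open.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.records[token] = append(nonce, ct...)
	return token, nil
}

// Detokenize returns the PAN for a token. This is the call the merchant
// makes at payment time and, in a real deployment, the privileged
// operation to authenticate, rate-limit and log.
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err // tampered or mismatched record
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; real keys live in an HSM/KMS
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	token, _ := v.Tokenize("4111111111111111") // standard test PAN
	pan, _ := v.Detokenize(token)
	fmt.Println("merchant stores:", token)
	fmt.Println("vault returns at payment time:", pan)
}
```

Because detokenization is the one operation that turns a harmless token back into a PAN, the access controls, logging and rate limits on that call matter more than the strength of the cipher behind it.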

3. Apply Hardware Updates Without Delaying

All your hardware must be PCI compliant, whether it’s a POS system or a mobile credit card reader. However, you cannot assume that your payment hardware will remain compliant on its own, so you should check for hardware updates and apply them when necessary.

Using vulnerable hardware puts your business and your customers at risk. To begin, double-check that the hardware vendors and equipment you’re considering are PCI compliant. You can also look for a list of approved providers on the PCI DSS website.

Part of your PCI compliance procedures should ensure that your hardware and software are updated. For example, not updating your POS system or smart terminals can expose your business to security vulnerabilities. Therefore, if there is a patch for your hardware or software, download and install it immediately.

PCI also recommends that you:

  • Identify which vendors are sending you patches and ensure you don’t miss any update notifications.
  • Do not ignore security vulnerabilities in eCommerce gateways and processors. Since most of the credit card information is collected online here, you should follow updates on these components more than anywhere else.

4. Beware of Recurring Billing

Managing a business that receives sales from a recurring billing structure is complex. PCI DSS often prevents companies from storing this information. As a result, you must exercise extreme caution when doing so. Where cardholder data is transported and stored is likewise governed by PCI rules.

Access control, network security, periodic penetration testing, and vulnerability scanning are among the basic requirements of PCI DSS. Using tokens allows you to continue running your business as needed while minimizing the need to store credit card information.

5. Work with a Reputable Service Provider

You do not have to develop and use credit card processing software. Instead, you can choose to work with a reputable payment provider that takes care of the payment infrastructure. Service providers that offer payment infrastructure are experts in their fields and have passed rigorous testing and approval to become experts in storing credit card information.

Service providers must pass tests performed by an external Qualified Security Assessor (QSA). QSA will audit the provider’s policies, procedures, and systems to ensure that the service provider has passed PCI DSS requirements. A provider that passes this audit will earn the title “PCI DSS Approved Service Provider.”

Tips for Correct Use of Credit Card Information

Consumers trust you with their sensitive data, including credit card information. Unfortunately, data breaches inevitably still happen, but there are ways to make sure you’re doing your best to keep your customers’ sensitive data, such as credit card information, safe. Here are the best practices your business can follow to correctly process customer credit card information.

1. Understand Your Obligation to Protect Credit Card Information

If you have a merchant account to process credit card transactions, you are also responsible for protecting your customers’ credit card information.

When you review the details of the contract you signed, it might say that your business must be “PCI Compliant.” An essential part of PCI Compliance is protecting sensitive account information, including the equipment and service providers you use, as well as how you store credit card data.

When using third-party software to process payments, the product must protect all customers’ credit card information.

2. Use Only PCI Approved Service Providers

If you do not wish to develop and run credit card processing software yourself, you may use a service provider to manage credit card processing and credit card data storage for you. Web-based SaaS providers, IVR telephonic services, and even firms to which you outsource entire payment processing operations are all examples of service providers.

These service providers undergo extensive testing by an external Qualified Security Assessor (PCI QSA), who performs a thorough audit of the company’s policies, procedures, and systems. If the company passes the PCI audit, it is designated as a “PCI DSS Certified Body.” Therefore, as part of your PCI compliance, you should only work with PCI DSS-certified service providers.

3. Use Only PCI Approved Equipment and Software

Whether you are using a terminal or a printer connected to a computer running payment processing software or a mobile phone for Point of Sale transactions, you need to ensure that all your hardware and software are PCI Compliant.

Unfortunately, not all equipment offered for sale is suitable for use. There are many apps and card readers that have security vulnerabilities.

Reputable hardware and software vendors undergo rigorous testing to ensure the integrity of their products. Be sure to use only tested and approved solutions to protect your customers’ data and your business. You can find lists of approved vendors, searchable by company name or product name, on the PCI DSS website.

4. Encrypt and Secure Electronic Credit Card Account Numbers and Paper Storage.

Some circumstances require you to retain credit card numbers, such as mail-order payments or written authorizations for recurring payments. Store paper documents containing credit card numbers locked away in a secure place such as a safe when they are not in use, and restrict who has access.

Electronic storage of credit card numbers is also common if, for example, you perform recurring or repeat transactions. If you do, you cannot store these files and card data unencrypted. Make sure any electronic storage is encrypted using a robust encryption algorithm; encryption provides some protection in case of theft or unauthorized access.

Make sure all your employees understand the risks. If you need to remotely retrieve your credit card information, do so through a secure payment gateway. For example, if you’re making a single payment transaction on a manual machine, get the details over the phone and encrypt them directly. Do not write down credit card data or ask for it by email.

Secure storage is available as a stand-alone service or as part of a payment processing package from several service providers. These providers typically give you a “token” in exchange for a card number that they keep on file. The token itself can be kept in ordinary storage that does not need the same protection as the card number.

When you are ready to process a payment, you send the token to the service provider, and it receives the full card number just for processing the payment. If you use a solution like this, you must use a PCI DSS certified provider.

5. Never Store Electronic Track Data, Card Security Codes, or PINs.

While you may have a business reason to store credit card information, PCI DSS specifically prohibits storing a card’s security code or any “track data” contained in the magnetic stripe on the back of a credit card.

The three-digit number on the back of Visa, MasterCard, and Discover cards, or the four-digit number on the front of American Express cards, is known by several abbreviations such as CVV2, CID, and CSC.

It is designed to let merchants check whether a customer authorizing a transaction over the phone or the Internet actually holds the card. However, this check only works if the security code is never saved alongside the card number, something that is all too easy to do with electronic storage.

It is not enough to simply avoid creating a field for the security code. For paper storage, you must remove the security code after successfully performing the transaction and before filing the paper authorization form.

Account-related information that is not visible on the card is held in the magnetic stripe on the back of the card. This data helps authorize transactions and prevents credit cards from being easily counterfeited. Card readers can be built to expose this data, and software can be designed to store it without your knowledge.

You should never knowingly store security codes or track data. However, you also need to make sure you don’t store them accidentally. Use only PCI-approved hardware and software to ensure this.

6. Encrypt Phone Records Containing Credit Card Account Numbers

Many companies take orders over the phone, record calls, check service quality, and keep payment authorization paperwork on file. Unfortunately, if you record calls without thinking about what they contain, you create a database of credit card numbers, and often security codes, that is prone to theft.

See Also: How to Keep Credit Card Over Phone Orders PCI Compliant

If you store credit card numbers digitally, you should encrypt them as soon as possible and store them in a limited-access password-protected directory. In addition, ensure there is no software attached to the storage system that provides text-to-speech conversion. This will make credit card numbers vulnerable to anyone accessing the system.

Many companies concentrate solely on storing credit card information online, oblivious that audio recordings are also vulnerable. If your company takes phone orders and records calls for quality assurance, you must encrypt the voice recordings. Otherwise, you’ll end up with a massive archive of the credit card information. These data are frequently stored digitally in VoIP systems, making it simple to encrypt and store them in a password-protected location.

The cost of keeping credit card data safe is enormous for any startup company, and developing your own billing system can increase your costs significantly. However, following the above best practices will help you meet your requirements for protecting credit card account information and being PCI compliant. There are also many robust third-party online gateways to suit your needs.

The most important thing to consider when choosing a billing system is whether the service provider is PCI compliant. Apart from that, you can look at other factors such as transaction fees, setup and related transaction fees, the ability to customize payment pages, among others.

Most third-party gateway systems allow you to start receiving payments within a few hours to a few days. In addition, some providers only require you to add a line of code to your pages to integrate the payment gateway.

Surkay Baykara (https://www.pcidssguide.com)

A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.
