PCI Requirements for Storing Credit Card Information on Paper

While you may have a business reason to store credit card information, PCI DSS requirements expressly prohibit storing a card’s security code or any “track data” contained in a magnetic stripe on the back of a credit card.

CVV2, CID, and CSC are abbreviations for the three-digit number on the back of MasterCard, Visa, Discover, American Express cards, and the four-digit number on the front of American Express cards. It is designed to let merchants know if a customer authorizing a transaction over the phone or the Internet has the card.

Only if the security code is not saved with the card number will this method work. This is made simple by electronic storage. To store credit card information on paper, you must cross it out with a dark pen to make the security code unreadable after completing the transaction and before storing a paper authorization form.

See Also: Ensuring Physical Security: PCI DSS Requirement 9

Track data stored in the magnetic stripe on the back of the card also includes account-related information not displayed on the card. This information aids in the authorization of transactions and ensures that credit cards cannot be easily forged. This tracking data can be made apparent using card readers, and software can be created to store it without your knowledge.

You should not save security codes or track data deliberately. However, you should make sure you don’t mistakenly hide it as well.

However, there may be situations where you may need to retain credit card numbers, such as postal payments or written authorizations for recurring payment authorizations.

Believe it or not, some vendors store credit card information on paper. Such a storage system can range from scribbling card numbers on sticky notes to keeping detailed records in organized files. Regardless, writing credit card information on paper is one of the riskiest and most insecure methods of storing credit card information. It also does not comply with PCI compliance standards.

See Also: PCI Requirements For Storing Credit Card Information

The number one risk associated with storing sensitive data on paper is theft. Employees and bad actors alike steal paper records. Even if traders keep their data in a locked filing cabinet, there is always a theft risk.

If you’re still storing paper documents that contain credit card numbers, make sure they’re always locked in a secure place like a safe or file drawer when not in use. One of the biggest mistakes you or your workers may make is manually recording credit card numbers on paper and storing them insecurely. Credit card information is private and should only be used during the transaction.

Electronic storage of credit card numbers is standard, for example, when you handle recurring or recurring transactions. If you do, you need to make sure that you never store these files unencrypted.

You must ensure that any electronic storage is encrypted using a robust encryption algorithm. That way, you have some protection for credit card numbers if your computer is stolen or someone in your office gains unauthorized access.

What Are the Consequences of Storing Credit Card Data on Paper?

When you run a business, you have access to some of your clients’ most private and sensitive information, including their credit cards. While storing credit card information is not unlawful, you should take the required security precautions.

Let’s say you’re careless with your client’s credit card information, duplicating it and not storing it securely. If you insist on having credit card copies at your office, you should be aware that you are exposing yourself up to a slew of issues as a business owner. Credit card issuers will levy fees and penalties in this situation. They might even choose to end the relationship with you.

If a customer’s credit card information is stolen from an unsecured office, that customer has the right to sue you. Then you’ll have to deal with costly legal fees, provisions, or compromises.

If you’re worried about legal issues that could arise if a customer’s credit card information is breached because they are copies of data stored in your office, you should probably opt out of this practice.

PCI DSS states that you should not withhold the account number and expiration date unless you have an essential business need. Keeping this information or retaining it for longer than necessary makes it vulnerable to fraud or identity theft.

Dos and Don’ts When Storing Credit Card Information

There are a few critical do’s and don’ts to make sure you’re compliant with PCI standards. Following this essential checklist of dos and don’ts will help you get closer to PCI compliance:

  • NEVER physically write down any credit card information unless you explicitly do so as part of your business processes.
  • NEVER obtain or disclose any cardholder’s credit card information without the cardholder’s consent, including but not limited to:
    • Partial sixteen (16) digit card number
    • CVV/CVC (three or four-digit verification code on back of card)
    • PIN (personal identification number)
  • NEVER transmit or accept cardholder information via email, fax, scan, or end-user messaging technologies.
  • Never save important authentication data on a computer, server, or piece of paper, such as:
    • The card’s storage chip or magnetic stripe
    • CVV/CVC (three or four-digit verification code on back of card)
  • NEVER use a press to process credit card payments unless it is part of your business processes or is required.
  • NEVER leave unset stacks on terminals at the end of a working day. You can set automatic shutdown programming or have batches turn off manually each night.
  • NEVER share passwords and use them on any computer you access.
  • NEVER leave sensitive information unattended on your desk, screen, or any public area.

All records containing cardholder data must be in a secure environment, including the physical security of paper and electronic media such as computers, removable electronic media, receipts, reports, or faxes.

Secure environments include locked drawers and safes with limited access to credit card processors only. Departments should conduct a media inventory and maintain inventory logs and audit trails of all paper and electronic media.

Any cardholder information in paper format should be kept to a minimum due to recording, writing, or storing cardholder information. The transaction should be processed as soon as possible, and the credit card number should be immediately darkened to the last four digits. In addition, all Sensitive Cardholder Data must be masked.

When keeping cardholder data on hard copy or paper, you must comply with PCI DSS requirements 9.5 to 9.8.2. These controls include the secure storage of paper documents, proper access control of paper documents, and the destruction of paper documents when they are no longer needed.


PCI DSS requirement 9.8.1 requires that you shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed. It’s great if you additionally utilize secure storage containers for any materials that need to be discarded.

Can the entire credit card number be printed on the copy of the receipt of the consumer?

PCI DSS requirement 3.3 specifies that when displayed, you must mask the PAN with the first six and last four digits being the maximum number of digits to display.

PCI DSS requirement 3.3 does not replace the more stringent requirements for displaying cardholder data. For example, the PCI DSS requirement cannot replace legal needs or payment card branding requirements for point-of-sale (POS) receipts.

All paper receipts stored by merchants must comply with PCI DSS requirement nine regarding physical security.

How Does Receiving Credit Cards in the Mail Work with PCI?

Receiving sensitive payment information by mail or fax, as with obtaining credit cards over the phone, may raise concerns about your organization’s PCI compliance process. When card data is processed manually, the relevant security controls are procedural and physical, and the technology systems are used.

See Also: PCI Compliance Recommendations for Mail and Fax Orders

Often, organizations that accept credit card information by mail or fax process other sensitive information and card data such as phone numbers, email addresses, or physical addresses.

This is why all personally identifiable information (PII) needs to be handled. Because sensitive information is essential, you need to take a holistic approach to your security process.

PCI DSS Requirement 9 covers the basics of physical controls and sensitive data your business undertakes. You should also review PCI DSS Requirement 3, which outlines the protection of stored cardholder data.

An example of best practice for an institution that receives credit cards by mail and fax is as follows:

  1. Data is collected every day and is securely transported.
  2. Movements of data are recorded until another authorized person processes them in an isolated area or at a monitored terminal.
  3. After the data is processed, it is placed safely and securely stored according to legal requirements.
  4. The data is destroyed when it is no longer needed.
Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

Best Practices Against Ransomware Attacks and Hardening Guidelines

These best practices can help your organization manage the risk posed by ransomware and respond to a ransomware outbreak in a coordinated and effective manner.

What Are the Ransomware Infection Vectors

Ransomware events can severely impact business processes and deprive organizations of the data they need to run their business and deliver mission-critical services.

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

Related posts

Latest posts

Best Practices Against Ransomware Attacks and Hardening Guidelines

These best practices can help your organization manage the risk posed by ransomware and respond to a ransomware outbreak in a coordinated and effective manner.

What Are the Ransomware Infection Vectors

Ransomware events can severely impact business processes and deprive organizations of the data they need to run their business and deliver mission-critical services.

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!