The Dos and Don'ts of Storing Credit Card Information

Can you store 16-digit card numbers, CVV, and expiration dates?

Payment card data is an important topic for merchants. It doesn’t matter how big an organization is, or how many years they’ve been in business, if they handle credit card data, chances are they store it inappropriately somewhere on their devices and systems.

Your customer's credit card data is sensitive information, and if you process major credit cards, you have agreed to maintain PCI compliance. PCI compliance requires merchants to take measures to secure payment card data as well as prevent data breaches.

An example of insecure credit card number storage comes from one of our PCI assessors, where a company explained how they processed their credit cards. They told him how their secretary had a secure way of storing the inner-office credit cards.

In one example of unencrypted credit card number storage, a secretary believed she had “encrypted” the credit cards at her company because she stored them in an Excel file and when the rows were shortened, the numbers reformatted to a line of asterisks:

‍

See also: Infographic: 63% of Businesses Don't Encrypt Credit Cards

Watch the video to learn more about what card data you can and can’t store.

To summarize what you can and can't store:

‍If data is encrypted: here’s what you’re allowed to store:

• PAN (Primary Account Number) (e.g., 16 digit number on front of card)
• Cardholder name (e.g., John Smith)
• Expiration date (e.g., 5/18)
• Service code (Note: You can’t actually see this data on a physical card because it resides in the magnetic stripe)

Even if data is encrypted, you can NEVER store:

• Sensitive authentication data (i.e., full magnetic stripe info)
• PIN
• PIN block (i.e., the encrypted PIN)
• Card validation value (CVV), also known as three/four-digit service code or card security code