As a business, collecting your customers' credit card details on a paper form or other kind of physical record may make practical sense. However, it is important to be aware of the security risks and the consequences if there is a security breach. Most businesses must also ensure they are PCI compliant when handling a customer's credit card information. In this article, we discuss the PCI guidelines and how a business can mitigate the risk of security breaches when keeping physical records of customers' credit card details.
What is PCI compliance?
If you are an organisation that processes, stores or transmits credit card details, you must comply with the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS sets out what a compliant business must do to safely and securely accept, store, process and transmit cardholder data during credit card transactions to prevent fraud and data breaches.
There are currently 12 PCI DSS requirements that state how businesses must:
- build and maintain a secure network and systems;
- protect cardholder data;
- maintain a vulnerability management program;
- implement strong access control measures;
- regularly monitor and test networks; and
- maintain an information security policy.
What Happens if I Am Non-Compliant With the PCI DSS?
A business that breaches the PCI DSS could receive a range of penalties, the severity of which will vary depending on:
- the specific circumstance;
- the extent of the breach; and
- how quickly the business addresses the non-compliance.
A non-compliant business may receive a significant fine from the payment provider. Payment providers may also revoke a business's ability to process credit card transactions, which is likely to have detrimental implications.
If a customer's credit card information is stolen from an unsecured location, that customer may also have the right to bring action against the business in court. Defending such litigation will cost the business both time and money.
Collecting Physical Records of Customer Credit Card Information
If you are a PCI-compliant business, you may be able to collect physical records of your customers' credit card details. Still, you must ensure you are complying with the PCI DSS requirements, including:
- using secure methods to store and transmit the data;
- only allowing authorised personnel to access the records; and
- maintaining a secure environment that meets the PCI DSS requirements.
Handling and storing sensitive cardholder information without proper security measures in place increases the risk of data breaches and fraud. Breaches can occur through loss of the physical forms, staff fraud or other means, leading to significant consequences.
If you do need to collect a customer’s card details on paper, you should include the following details on the form:
- cardholder’s name;
- card number;
- card network (for instance, Visa, Mastercard, etc.);
- expiration date;
- cardholder’s billing postcode;
- business name;
- statement authorising the charges; and
- cardholder’s signature and the date they signed.
If you are charging a credit card surcharge, you will need to make this clear and respect the laws on credit card surcharges.
Once you have collected a form containing a customer's credit card information, you may need to keep the form as proof that you had the authority to process the payment. This may limit the chance of a successful chargeback by the customer. However, keeping the forms also presents a security risk.
Mitigating the Risk of Security Breaches
It is generally best not to store physical records of customers' credit card data and instead to use secure payment processing solutions that handle this data without requiring manual entry or storage by the business.
However, where a business needs to collect physical records of a customer’s credit card information, there are various actions they can take to help mitigate the risks of security breaches and fraud.
You should store any paper or physical records containing cardholder data in a secure environment. This may include using locked filing cabinets, safes or secure storage rooms with limited access.
Only those employees who need to know the customer's credit card information should have access to the records. Therefore, a business should implement access controls such as keycards or PIN codes to limit physical access.
Businesses also should develop and maintain comprehensive policies and procedures for handling physical credit card records. Training employees on these policies and ensuring they understand the importance of compliance will help promote the secure handling of the information.
Finally, businesses should only keep credit card records for as long as necessary for the business to perform its services to the customer or uphold its legal obligations. Businesses should ensure they safely dispose of any records that they no longer need.
Key Takeaways
Businesses need to consider the security risks of keeping physical records of their customers' credit card details. In most cases, businesses must comply with the PCI DSS requirements for accepting, storing, processing and transmitting cardholder data during credit card transactions. Non-compliance with these requirements can result in significant monetary penalties and reputational damage. Additionally, banks may even refuse to continue working with the business.