Storing Customer Credit Card Information Guide | LawPay (2024)

When trust is the foundation of the attorney-client relationship, law firms are responsible for keeping clients' sensitive data secure. Safely storing credit card information is one way to cultivate long-lasting relationships with a loyal client base. It's also required by law. While far from simple, understanding how to store credit card information is a rewarding process that protects clients and your firm's reputation.

Are Merchants Allowed To Store Customer Credit Card Information?

Yes, merchants are allowed to store customer credit card information. However, it is imperative to understand which data you are legally entitled to hold and which you cannot under PCI compliance. There are strict guidelines regulating how and where this information can be stored, which we'll cover in the following sections.

What Are the Legal Requirements for Storing Customer Credit Card Information?

Any business that accepts, stores, or transmits credit card information, including law firms, must uphold Payment Card Industry Data Security Standard (PCI DSS) compliance. These security standards dictate how businesses can safely store sensitive cardholder data and minimize the risk of fraudulent activity or a harmful data breach.

While there is no single governing rule for storing credit card information, PCI compliance ensures that businesses adhere to the most secure practices. The best-practices sections later in this guide describe trusted, PCI-compliant ways of creating a secure environment for storing credit cards.

Why Is Properly Storing Credit Card Information Important?

Data breaches can be catastrophic events for both clients and law firms. While the client's financial security is compromised, the law firm's integrity and reputation are also at stake. A breach erodes clients' trust and can lead to severe repercussions that may jeopardize a firm's continued operations.

Improperly storing customer credit card information can also be costly, with penalties, fines, and possible legal action against your firm. For PCI non-compliance, fines can range from $5K-$100K per month until violations are rectified. Additional expenses can reach even higher if a client or business chooses to sue.

Ultimately, securely storing credit cards is a responsibility of your firm that should not be taken lightly. PCI compliance and properly managing sensitive data are crucial to operating a successful firm that preserves its clients' trust.

Best Practices for Storing Credit Card Information

While storing credit card information can feel like an intimidating feat, there are a few best practices that reduce risk and keep your clients' data safe and your firm's reputation intact.

Use Approved Hardware and Software

Whether you accept payments by phone, mail, in person, or digitally, it's imperative that every method is secure. This includes the hardware and software used to collect and store each payment method.

One way to confirm that your chosen hardware and software are PCI-compliant is to verify their status on the PCI DSS website. The PCI Security Standards Council (PCI SSC) makes this data readily available and easily searchable by company name, model number, or approval number. All listed products and solutions have been tested by third parties against PCI payment security standards.

To check your device's security status, view the list of PCI-Approved Products and Solutions.

Be Aware of What You Can and Cannot Store

When storing credit cards, knowledge is power. There is no greater responsibility than upholding the trust of your clients and the integrity of your firm's reputation. Understanding which data can and cannot be stored isn't always straightforward, but it is worth the effort. For the do's and don'ts at a glance, here is a breakdown of which data you can and cannot store.

You Are Allowed To Store (When Encrypted):

  1. Cardholder name
  2. Expiration date
  3. Primary account number (PAN) - The 14-, 15-, or 16-digit number printed on the card.
  4. Service code - This data lies within the magnetic stripe and is not visible to the naked eye.

You Are NOT Allowed To Store (Even When Encrypted):

  1. Card validation value (CVV) - The 3- or 4-digit security code printed on the card.
  2. PIN
  3. PIN block - The encrypted version of the PIN
  4. Full magnetic stripe data
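As an added illustration (example code written for this guide, not LawPay's software), the following Python helper enforces the two lists above on a payment record before it goes anywhere near storage: sensitive authentication data is rejected outright, only the permitted fields are kept, any extra free-text field is scanned for an embedded card number, and the PAN is normalized, Luhn-checked, and given a masked display form. The field names, the test card numbers, and the first-six/last-four masking pattern are assumptions; the returned record is what you would then encrypt before writing it.

```python
from __future__ import annotations

import re

# Fields PCI DSS permits a merchant to store (only ever encrypted at rest).
STORABLE_FIELDS = {"cardholder_name", "expiry", "pan", "service_code"}

# Sensitive authentication data: must never be persisted, even encrypted.
# Key names are assumptions about how a form or API might label them.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2", "magstripe"}


class SensitiveDataError(ValueError):
    """Raised when a record contains data that must never be stored."""


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that card numbers satisfy (ISO/IEC 7812)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", raw)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the rest masked."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans_in_text(text: str) -> list[str]:
    """Return masked forms of any Luhn-valid card numbers found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))      # never log or return the full PAN
    return found


def sanitize_for_storage(record: dict) -> dict:
    """Keep only storable fields; refuse records carrying sensitive authentication data."""
    leaked = SENSITIVE_AUTH_DATA & set(record)
    if leaked:
        raise SensitiveDataError(f"must never be stored, even encrypted: {sorted(leaked)}")
    # Free-text extras (notes, memos) are a classic place for a PAN to hide.
    for name in set(record) - STORABLE_FIELDS:
        if find_pans_in_text(str(record[name])):
            raise SensitiveDataError(f"field {name!r} contains an embedded card number")
    if "pan" not in record:
        raise ValueError("pan is required")
    clean = {k: record[k] for k in STORABLE_FIELDS if k in record}
    clean["pan"] = normalize_pan(clean["pan"])
    clean["pan_display"] = mask_pan(clean["pan"])
    return clean


if __name__ == "__main__":
    # Constructed sample using a well-known test card number.
    sample = {"cardholder_name": "A. Client", "expiry": "12/27",
              "pan": "4111-1111-1111-1111", "service_code": "201",
              "notes": "paid by phone"}
    print(sanitize_for_storage(sample))
```

The sanitizer deliberately fails closed: a record that carries a CVV or PIN is rejected rather than silently trimmed, so the presence of that data is surfaced as an error you can alert on instead of being quietly dropped.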

Encryption of Sensitive Information

When storing credit cards is necessary, encryption keeps sensitive data secure. Recurring payments are a prime example of when this process is inevitable. To receive automatic payments, law firms must collect credit card information securely, then store its data for future processing. How the card's information was originally collected determines what kind of encryption needs to take place.

For example, digital payments will require a strong encryption algorithm to minimize their vulnerability to theft and unauthorized use. If your firm uses a service provider that performs credit card processing and secure storage, data encryption will be built into the provider's software.

Encryption can also be applied to audio files for payments processed over the telephone. While easily overlooked or forgotten, audio recordings can leave sensitive data vulnerable to risk. These recordings should be password-protected and encrypted to store their content safely. Furthermore, if speech-to-text conversion software is in place, it's also crucial to encrypt the data as soon as possible.

Finally, while writing down card details on paper is never recommended, if your business process explicitly requires it, you will want to store the information in a secure vault (like a safe).

Use Only Trusted Service Providers

One of the most secure ways of offloading risk is to leave it to the professionals. Third-party payment service providers, like LawPay, handle every component of safely accepting, managing, and storing customer credit card information. These platforms take the burden off your firm so you can focus on handling cases, growing your clientele, and accepting credit card payments without worrying about dangerous data breaches and their consequences.

Using a trusted service provider will save time on annual audits required for PCI compliance. A Qualified Security Assessor will audit the service provider's payment policies, procedures, and systems to ensure they meet established security regulations—without you lifting a finger.

Manage Your Legal Clients' Credit Card Information

Make accepting payments more straightforward and secure with legal billing software that takes the guesswork out of PCI compliance. At LawPay, our secure payment technology provides the highest level of protection and mitigates your firm's risk when handling payments. Collect credit card information securely, then safely store it for future use via our proprietary Card Vault. Your clients' data will benefit from advanced data encryption, and your firm can breathe easy knowing that your practice is PCI-compliant.

As a Level 1 service provider, LawPay holds itself to superior standards for regular security assessments. In addition to the required annual audit, a Qualified Security Assessor also performs non-compulsory quarterly scans of the payment system to give law firms peace of mind that clients have the most up-to-date protection.

To learn more about how LawPay can manage your legal clients' sensitive card data, read our Security Overview or contact us to speak with a Certified Payments Specialist.

How to securely store customer credit card information?

6 Tips for Proper Handling of Credit Card Information
  1. Understand your obligation to protect information.
  2. Use only approved equipment and software.
  3. Encrypt and secure electronic credit card account numbers and paper storage.
  4. Encrypt phone recordings that contain credit card account numbers.

What is the standard for storing credit card information?

You Are Allowed To Store (When Encrypted):

  1. Cardholder name
  2. Expiration date
  3. Primary account number (PAN) - The 14-, 15-, or 16-digit number printed on the card.
  4. Service code - This data lies within the magnetic stripe and is not visible to the naked eye.

Is it legal to store customer credit card information?

To answer briefly, yes, merchants can store credit card information. The long answer is that merchants must be PCI compliant to store their credit card data. However, there's also some data you can keep and some you can't, so make sure you securely handle your customers' credit card information.

How do I keep track of my credit card information?

If you're using one or multiple credit cards, it's always best to make a list of the info on each card so you know which card is being used and what it's used for. Start out by naming the creditors, current balance and limit, the due date, the minimum balance, and the payment you're making for the month.

Is it illegal to store CVV codes?

Essentially, the CVV provides a check of the information embossed on the card. This information is not permanently stored because that action is prohibited by law. The Visa USA Inc. Operating Regulations explicitly prohibit merchants and/or their agents from storing the CVV-2 data.

What credit card information cannot be stored?

Even if data is encrypted, you can NEVER store:

  1. Sensitive authentication data (i.e., full magnetic stripe info)
  2. PIN
  3. PIN block (i.e., the encrypted PIN)
  4. Card validation value (CVV), also known as three/four-digit service code or card security code.

What is the simple rule to protect cardholder data?

Do not store cardholder data unless there is a legitimate business need; truncate or mask cardholder data if the full PAN is not needed, and do not send the PAN in unencrypted emails, instant messages, chats, etc.

What is a standard protocol for securing credit card transactions?

Secure Electronic Transaction (SET) is a communications protocol standard for securing credit card transactions over networks, specifically, the Internet.

What must you never do when processing cardholder data?

NEVER physically write down any credit card information unless you are explicitly required to do so as part of your business processes. NEVER acquire or disclose any cardholder's credit card information without the cardholder's consent, including but not limited to: the partial sixteen (16) digit card number.

What does it mean to mask a PAN?

PAN masking hides a portion of the long card number, or PAN, on a credit or debit card, protecting the card account numbers when displayed or printed. DTMF masking is used in specific technology when a customer enters their card details over the phone.

What is a credit card vault?

A credit card vault service stores customers' credit details in a secure manner. Typically, the data remains in the vault until it needs to be used to process a payment.
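The vault idea above, as an added example (an illustrative design written for this page, not LawPay's Card Vault): callers get back a random token that stands in for the card, the billing system keeps only the token, expiry and last four digits, and the full PAN is released only on the charge path. A keyed HMAC fingerprint lets the vault recognize a card it already holds without keeping a plain hash of the PAN in its index, since an unkeyed hash of a 16-digit number is cheap to reverse by enumeration. The key, the in-memory record store and the test card number are constructed; in practice the record store must itself be encrypted at rest and the key held in a KMS or HSM, which this example does not show.

```python
import hashlib
import hmac
import secrets


class CardVault:
    """Toy card vault: random tokens replace the PAN everywhere outside the vault."""

    def __init__(self, index_key: bytes):
        # Secret for the keyed fingerprint index (assumed to come from a KMS/HSM).
        self._index_key = index_key
        # token -> stored card record. Stands in for an encrypted-at-rest store.
        self._records: dict[str, dict] = {}
        # HMAC(PAN) -> token. Lets us find an existing card without an unkeyed hash.
        self._fingerprints: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed, so the index cannot be reversed by hashing every possible PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def store(self, pan: str, expiry: str, cardholder: str) -> str:
        """Vault a card and return its token; re-storing the same PAN returns the same token."""
        fp = self._fingerprint(pan)
        if fp in self._fingerprints:
            return self._fingerprints[fp]
        # Token is random and carries no information about the PAN.
        token = "tok_" + secrets.token_urlsafe(16)
        self._records[token] = {
            "pan": pan,
            "expiry": expiry,
            "cardholder": cardholder,
            "last4": pan[-4:],
        }
        self._fingerprints[fp] = token
        return token

    def reference(self, token: str) -> dict:
        """What the billing system is allowed to keep and display: never the PAN."""
        rec = self._records[token]
        return {"token": token, "last4": rec["last4"], "expiry": rec["expiry"]}

    def redeem(self, token: str) -> str:
        """Only the payment-processing path calls this, at charge time."""
        return self._records[token]["pan"]

    def delete(self, token: str) -> None:
        """Remove a card when there is no longer a business need to hold it."""
        rec = self._records.pop(token)
        del self._fingerprints[self._fingerprint(rec["pan"])]


if __name__ == "__main__":
    # Constructed key and a well-known test card number.
    vault = CardVault(index_key=b"constructed-demo-key-replace-in-production")
    tok = vault.store("4111111111111111", "12/27", "A. Client")
    print(vault.reference(tok))   # token, last4 and expiry only
```

Keeping `redeem` separate from `reference` is the point of the design: everything outside the processing path works with the token and the last four digits, so a compromise of the billing database alone does not expose card numbers.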

Which helps in protecting the confidential data like credit card number?

Credit card encryption is a security measure intended to reduce the likelihood of credit card information being stolen. Encryption makes it extremely difficult to access that information without the corresponding encryption key.

What is the most common way credit card data is stolen?

Remember: the most common type of individual card theft is through phishing. If a scammer has access to other personal information, it can lead to many other kinds of identity theft.

How to manage multiple credit card accounts?

Managing Multiple Credit Cards: Tips for Staying Organized and...
  1. Keep Track of Due Dates and Payment Reminders: ...
  2. Set a Realistic Budget and Track Spending: ...
  3. Prioritize High-Interest Debt Repayment: ...
  4. Limit the Number of Cards: ...
  5. Review Credit Card Statements Regularly: ...
  6. Utilize Credit Card Benefits and Rewards:

Who tracks all of your credit card information?

Nationwide consumer reporting companies

There are three big nationwide providers of consumer reports: Equifax, TransUnion, and Experian. Their reports contain information about your payment history, how much credit you have and use, and other inquiries and information.

Can merchants store CVV?

Merchants are not allowed to store CVV codes in any way if they want to be PCI compliant — helping protect customers from a data breach as well as making it more difficult for fraudsters to get their hands on the CVV code.

Author: Moshe Kshlerin