Consumers are increasingly choosing to store their credit or debit card information with retailers for future use. As a result, more businesses are offering this convenience.
But businesses beware – there are right and wrong ways to provide this service.
To securely store credit card information:
Know that if you accept credit or debit cards, PCI Security Standards apply to you. These standards cover technical aspects of handling and managing cardholder data.
Partner with a PCI-compliant payment processor, such as Stripe or Square. By using a third party who has specialized security controls to secure customers’ data, you lessen the risks involved in storing card data.
Use secure forms and appropriate form fields for collecting card data. For example, Cognito Forms’ Card-on-File feature directly passes this data to your payment processor for storage. You can then use it to process payments and manage subscriptions while keeping the data secure.
Have a signed agreement/terms of service in place before saving customers’ cards. Include your reasons for storing the card, the charges it could be used for, and when and how you would charge the card. Be as specific as possible.
Require customers to opt in. This can be a simple check box on your form.
Remember:
Never collect credit card information using a form’s text field. Even an encrypted text field doesn’t comply with PCI standards. Use a credit-card-specific field only.
Don’t store credit card information in your form builder, in your own database or on paper. Not only are these practices not PCI-compliant, they also leave your customers’ personal information far too accessible to hackers and those up to no good.
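The point above about never accepting card data in a plain text field can be enforced on the server as well as in the form design. The following is an added example, not code from the original post or from Cognito Forms: a screening step for a hypothetical form backend that rejects any submission whose free-text fields contain something that looks like a card number (13 to 19 digits passing the Luhn check), so a card number typed into a notes field is never written to your database. The sample submission and card numbers are constructed test data.

```python
import re
from typing import Dict, List

# Candidate card number: 13 to 19 digits, optionally separated by spaces or
# dashes, and not part of a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def screen_submission(fields: Dict[str, str]) -> Dict[str, object]:
    """Reject a submission if any free-text field carries a card number.

    Only the offending field names are reported; the card data itself is
    never logged or returned, so nothing sensitive is persisted.
    """
    hits = [name for name, value in fields.items() if find_pans(str(value))]
    if hits:
        return {"accepted": False, "rejected_fields": sorted(hits)}
    return {"accepted": True, "rejected_fields": []}


# Constructed sample submission: a customer has typed a test card number
# (not a real card) into a notes field instead of the card-specific field.
SAMPLE_SUBMISSION = {
    "name": "Jane Doe",
    "notes": "please charge my card 4111 1111 1111 1111 each month",
    "order_id": "2024-000123",
}
```

Reject such submissions with a message asking the customer to use the card field, and never echo the matched digits back in logs or error text.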