Is it Illegal to Have Copies of Credit Cards in an Office?

Running a business can give you access to some of the most private and sensitive information of your customers, including their credit cards. While it is not illegal for businesses to retain credit card information, several watchdog groups and government agencies advise against the practice to avoid customer information being compromised.

As more consumers use credit cards to make purchases, especially online, merchants are requesting that they allow it to store their credit card information on their systems. This is convenient for the shopper because they do not have to re-enter the information every time they make a purchase. For the merchant, it helps to ensure a seamless transaction because they are using verified and confirmed credit card data. Retaining and storing credit card information is also common for utility companies and other service providers who automatically bill your credit card on a predetermined frequency.

If your are determined to keep copies of credit cards on file, it is crucial that you take great care in keeping your customers’ credit card information private. As a business owner, the onus is on you to protect this information as if it were your own. One of the worst ways to store information is by making copies of the credit card and leaving them in a file in an office. This is especially true if this office is accessible to several people with whom you cannot monitor as far as their comings and goings in that particular office. To avoid credit card information getting into the wrong hands, you shouldn’t make copies of the credit card at all. There are several companies that provide software and services that allow you to retain such information on your servers or through a system that is less likely to be compromised.

While there are no federal or state laws that make having copies of customer credit cards stored in an office illegal, doing so can put you on the wrong end of the stick with credit card companies. American Express, Discover, MasterCard, and Visa are among the credit card providers that created the Payment Card Industry Securities Standards Council to protect consumers, merchants and the major card brands. The council outlines the specific guidelines businesses must abide by to minimize the possibility of data security breaches.

If you store cardholder information, such as credit card numbers and expiration dates, in any of the following ways, you are in violation of PCI’s data security standards. These include taking several actions without the customer's consent, including recording the information into a logbook, filing them away or entering the card numbers into a spreadsheet. If you can retrieve the full account number from the system you use, then your filing system is not PCI DSS-compliant and your company is subject to security breaches.

If you are determined to keep copies of credit cards in your office, you should be aware that, as a business owner, you open yourself up to a wide array of issues. They may not land you in jail, but they can cause you to lose your business. If it is found that you were negligent in protecting your customers’ credit card information by making copies of it and not securely storing it, you will face fines and penalties from the credit card companies. They may even terminate their contract with you. If a customer’s credit card information is stolen because you had it in an unsecured office, that customer can sue you. You will then have to face hefty legal costs, judgments and/or settlements.

If you worry about the legal issues that can arise if a customer’s credit card information is breached because you have copies of the information stored in your office, you should probably abandon that practice. The Federal Trade Commission notes that you should not retain the account number and expiration date unless you have an essential business need to do so because keeping this information, or keeping it longer than necessary raises the risk that the information could be used to commit fraud or identity theft.