Is it Illegal to Have Copies of Credit Cards in an Office?


Running a business can give you access to some of the most private and sensitive information of your customers, including their credit cards. While it is not illegal for businesses to retain credit card information, several watchdog groups and government agencies advise against the practice to avoid customer information being compromised.

Reasons Businesses Retain Credit Card Data

As more consumers use credit cards to make purchases, especially online, merchants are asking shoppers to let them store credit card information on the merchants' systems. This is convenient for shoppers because they do not have to re-enter the information every time they make a purchase. For the merchant, it helps to ensure a seamless transaction because the merchant is using verified and confirmed credit card data. Retaining and storing credit card information is also common for utility companies and other service providers who automatically bill your credit card at a predetermined frequency.

How Credit Information is Stored

If you are determined to keep copies of credit cards on file, it is crucial that you take great care in keeping your customers’ credit card information private. As a business owner, the onus is on you to protect this information as if it were your own. One of the worst ways to store information is by making copies of the credit card and leaving them in a file in an office. This is especially true if the office is accessible to several people whose comings and goings you cannot monitor. To avoid credit card information getting into the wrong hands, you shouldn’t make copies of the credit card at all. There are several companies that provide software and services that allow you to retain such information on your servers or through a system that is less likely to be compromised.

PCI Security Standards Council

While there are no federal or state laws that make having copies of customer credit cards stored in an office illegal, doing so can put you on the wrong end of the stick with credit card companies. American Express, Discover, MasterCard, and Visa are among the credit card providers that created the Payment Card Industry Security Standards Council to protect consumers, merchants and the major card brands. The council outlines the specific guidelines businesses must abide by to minimize the possibility of data security breaches.

Violating PCI Policies

If you store cardholder information, such as credit card numbers and expiration dates, in any of the following ways, you are in violation of PCI’s data security standards. These include, without the customer's consent, recording the information in a logbook, filing it away or entering the card numbers into a spreadsheet. If you can retrieve the full account number from the system you use, then your filing system is not PCI DSS-compliant and your company is exposed to security breaches.

Ramifications of Breach

If you are determined to keep copies of credit cards in your office, you should be aware that, as a business owner, you open yourself up to a wide array of issues. They may not land you in jail, but they can cause you to lose your business. If it is found that you were negligent in protecting your customers’ credit card information by making copies of it and not securely storing it, you will face fines and penalties from the credit card companies. They may even terminate their contract with you. If a customer’s credit card information is stolen because you had it in an unsecured office, that customer can sue you. You will then have to face hefty legal costs, judgments and/or settlements.

Rule of Thumb

If you worry about the legal issues that can arise if a customer’s credit card information is breached because you have copies of the information stored in your office, you should probably abandon that practice. The Federal Trade Commission notes that you should not retain the account number and expiration date unless you have an essential business need to do so, because keeping this information, or keeping it longer than necessary, raises the risk that the information could be used to commit fraud or identity theft.



About the Author

Valerie Fox is a business reporter and editor specializing in consumer affairs and debt management. She has been a writer since 1994, also covering politics, housing and the stock and bond markets. Fox has written for Cox, Gannett and Knight-Ridder newspapers. She holds a Bachelor of Science in economics from the University of Florida.