0

Let's say I want to charge a user's credit card with their permission after a sale takes place. But I don't want to have to ask them for their credit card a second time.

Is it legal to store the credit card information as they're filling it out on the checkout, for say 6 hours or something, on a PCI compliant data store, and then, only if they perform the action which lets them know their card will be billed again, then and only then charge it?

And then just delete records of cards after some amount of time?

Tallboy
  • 105
  • 4
  • For what it's worth, the PCI guidelines don't have any real _legal_ force. If you violate them, the card networks may prevent you from taking cards, and if you're breached you could be liable for negligence, but as far as I know, there's no direct crime. That doesn't mean you should pay any less attention to them, though. – Bobson Apr 19 '20 at 00:52

1 Answer

2

Yes, PCI allows you to store a customer's card provided you do so in compliance with the PCI DSS. Specifically, Requirement 3: Protect stored cardholder data outlines what you may (card number) and may not (CVV, mag stripe) store and describes acceptable methods of protecting the data (§3.4).

In essence, you'll need to properly encrypt card numbers and have acceptable key management processes for your encryption keys. Alternatively, your Card Processor likely supports tokenization, where they keep (and protect) the card and you keep a token that allows you to charge against that card. This offloads the chore of protecting the cards from you to your processor.

You can get the most recent version of PCI DSS from the PCI SSC Document Library.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
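As an added illustration of the tokenization route the answer recommends (example code, not from the answer or from any real processor), the simulated vault below stands in for the card processor: the merchant keeps only an opaque token for the six-hour window from the question and purges it afterwards, and the vault refuses to persist sensitive authentication data such as the CVV. All class and function names, and the sample card number, are constructed for this example.

```python
"""Constructed model of processor-side tokenization with a merchant-side TTL."""
import secrets
import time
from dataclasses import dataclass, field

# Sensitive authentication data that PCI DSS Req 3.2 forbids storing after authorization.
SENSITIVE_AUTH_DATA = ("cvv", "track_data", "pin")


class ProcessorVault:
    """Stand-in for the card processor's vault: holds the PAN, hands out random tokens."""
    def __init__(self):
        self._cards = {}

    def tokenize(self, card: dict) -> str:
        for key in SENSITIVE_AUTH_DATA:
            if key in card:  # the CVV may be used for the live sale, never persisted
                raise ValueError(f"{key} must not be stored after authorization")
        token = secrets.token_urlsafe(24)  # random, so it reveals nothing about the PAN
        self._cards[token] = dict(card)
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        return token in self._cards and amount_cents > 0


def mask_pan(pan: str) -> str:
    """Req 3.3 display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Merchant:
    vault: ProcessorVault
    ttl_seconds: int = 6 * 3600        # the six-hour window from the question
    clock: callable = time.time        # injectable so expiry can be tested
    _tokens: dict = field(default_factory=dict)

    def checkout(self, order_id: str, pan: str, expiry: str) -> str:
        """Tokenize at checkout; the merchant keeps token, expiry time and masked PAN only."""
        token = self.vault.tokenize({"pan": pan, "expiry": expiry})
        self._tokens[order_id] = (token, self.clock() + self.ttl_seconds, mask_pan(pan))
        return self._tokens[order_id][2]

    def purge_expired(self) -> int:
        """Drop tokens past their TTL; returns how many were deleted."""
        now = self.clock()
        stale = [o for o, (_, exp, _) in self._tokens.items() if exp <= now]
        for order_id in stale:
            del self._tokens[order_id]
        return len(stale)

    def charge_again(self, order_id: str, amount_cents: int) -> bool:
        """Second charge succeeds only while the token is still retained."""
        entry = self._tokens.get(order_id)
        return entry is not None and self.vault.charge(entry[0], amount_cents)
```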