Best Practices

Guide to Securely Storing Credit Card Information

Gabriela Jhean
Gabriela Jhean
December 5, 2022

When trust is the foundation of the attorney-client relationship, law firms are responsible for keeping clients' sensitive data secure. Safely storing credit card information is one way to cultivate long-lasting relationships with a loyal client base. It's also required by law.

While far from simple, understanding how to store credit card information is a rewarding process that protects clients and your firm's reputation.

Are Merchants Allowed To Store Customer Credit Card Information?

Yes, merchants are allowed to store customer credit card information. However, it is imperative to understand which data you are legally entitled to hold and which you cannot under PCI compliance. There are strict guidelines regulating how and where this information can be stored, which we'll cover in the following sections.


What Are the Legal Requirements for Storing Customer Credit Card Information?

Any business that accepts, stores, or transmits credit card information, including law firms, must uphold Payment Card Industry Data Security Standard (PCI DSS) compliance. These security standards dictate how businesses can safely store sensitive cardholder data and minimize the risk of fraudulent activity or a harmful data breach.

While there is no single governing rule for storing credit card information, PCI compliance ensures that businesses adhere to the most secure practices. Below are some trusted and PCI-compliant ways of creating a secure environment for storing credit cards:

  • Cryptography: Adhering to encryption protocols, cryptography converts payment information into an illegible form.

  • Truncation: This process removes all but the first six and last four digits of the primary account number (PAN).

  • Tokenization: This method replaces card details with an arbitrary number called a "token." While the token alone is worthless to outsiders (since it can never be reverted to the original card details), it allows businesses to access the real data through their security solution provider.

  • Hashing: In specific situations where the original card number is not required, hashing permanently transforms data into a unique index data element (hash value or hash). This process is irreversible since there is no way to get the PAN with only the hash value.

Why Is Properly Storing Credit Card Information Important?

Data breaches can be catastrophic events for both clients and law firms. While the client's financial security is compromised, the law firm's integrity and reputation are also at stake. They corrupt clients' trust and can lead to severe repercussions that may negate a firm's continued operations.

Improperly storing customer credit card information can also be costly, with penalties, fines, and possible legal action against your firm. For PCI non-compliance, fines can range from $5K-$100K per month until violations are rectified. Additional expenses can reach even higher if a client or business chooses to sue.

Ultimately, securely storing credit cards is a responsibility of your firm that should not be taken lightly. PCI compliance and properly managing sensitive data are crucial to operating a successful firm that preserves its clients' trust.

Best Practices for Storing Credit Card Information

While storing credit card information can feel like an intimidating feat, there are a few best practices that reduce risk and keep your clients' data safe and your firm's reputation intact.

Use Approved Hardware and Software

Whether you accept payments by phone, mail, in person, or digitally, it's imperative that every method is secure. This includes the hardware and software used to collect and store each payment method.

One way to guarantee that your chosen hardware and software are PCI-compliant is to verify its status on the PCI DSS website. The PCI Security Standards Council (PCI SSC) makes this data readily available and easily searchable by company name, model number, or approval number. All products and solutions have been tested by third parties to PCI payment security standards.

To check your device's security status, view the list of PCI-Approved Products and Solutions.

Be Aware of What You Can and Cannot Store

When storing credit cards, knowledge is power. There is no greater responsibility than upholding the trust of your clients and the integrity of your firm's reputation. Even though the endeavor to understand what data can and cannot be stored isn't always straightforward to navigate—it is guaranteed to be worth it. For do's and don'ts at a glance, here is a breakdown of which data you can and cannot store.

You Are Allowed To Store (When Encrypted):

  1. Cardholder name
  2. Expiration date
  3. Primary account number (PAN) - The 14-, 15-, or 16-digit number printed on the card.
  4. Service code - This data lies within the magnetic stripe and is not visible to the naked eye.

You Are NOT Allowed To Store (Even When Encrypted):

  1. Card validation value (CVV) - The 3- or 4-digit security code printed on the card.
  2. PIN
  3. PIN block - The encrypted version of the PIN
  4. Full magnetic stripe data

Encryption of Sensitive Information

When storing credit cards is necessary, encryption keeps sensitive data secure. Recurring payments are a prime example of when this process is inevitable. To receive automatic payments, law firms must collect credit card information securely, then store its data for future processing. Depending on how the original card's information was collected will determine what kind of encryption needs to take place.

For example, digital payments will require a strong encryption algorithm to minimize their vulnerability to theft and unauthorized use. Data encryption will be built into their software if your firm uses a service provider that performs credit card processing and secure storage.

Encryption can also be applied to audio files for payments processed over the telephone. While easily overlooked or forgotten, audio recordings can leave sensitive data vulnerable to risk. These recordings should be password-protected and encrypted to store their content safely. Furthermore, if speech-to-text conversion software is in place, it's also crucial to encrypt the data as soon as possible.

Finally, while writing down card details on paper is never recommended, if your business process explicitly requires it, you will want to store the information in a secure vault (like a safe).

Use Only Trusted Service Providers

One of the most secure ways of offloading risk is to leave it to the professionals. Third-party payment service providers, like LawPay, handle every component of safely accepting, managing, and storing customer credit card information. These platforms remove the burden off your firm so you can focus on handling cases, growing your clientele, and accepting credit card payments without worrying about dangerous data breaches and their consequences.

Using a trusted service provider will save time on annual audits required for PCI compliance. A Qualified Security Assessor will audit the service provider's payment policies, procedures, and systems to ensure they meet established security regulations—without you lifting a finger.

Manage Your Legal Clients' Credit Card Information

Make accepting payments more straightforward and secure with legal billing software that takes the guesswork out of PCI compliance. At LawPay, our secure payment technology provides the highest level of protection and mitigates your firm's risk when handling payments. Collect credit card information securely, then safely store it for future use via our proprietary Card Vault. Your clients' data will benefit from advanced data encryption, and your firm can breathe easy knowing that your practice is PCI-compliant.

As a Level 1 service provider, LawPay holds itself to superior standards for regular security assessments. In addition to the required annual audit, a Qualified Security Assessor also performs non-compulsory quarterly scans of the payment system to give law firms peace of mind that clients have the most up-to-date protection.

To learn more about how LawPay can manage your legal clients' sensitive card data, read our Security Overview or contact us to speak with a Certified Payments Specialist.