Information Security
pci-dss credit-card compliance pci-scope e-commerce
Updated Mon, 05 Sep 2022 10:52:53 GMT

Is it legal to post card data from an e-commerce checkout to a PCI-compliant 'store'?


Let's say I want to charge a user's credit card with their permission after a sale takes place. But I don't want to have to ask them for their credit card a second time.

Is it legal to store the credit card information as they're filling it out on the checkout, for, say, 6 hours or something, in a PCI-compliant data store, and then, only if they perform the action which lets them know their card will be billed again, then and only then charge it?

And then just delete the records of cards after some amount of time?

Solution

Yes, PCI allows you to store a customer's card provided you do so in compliance with the PCI DSS. Specifically, Requirement 3 ("Protect stored cardholder data") outlines what you may (card number) and may not (CVV, mag stripe) store, and describes acceptable methods of protecting the data (§3.4).

In essence, you'll need to properly encrypt card numbers and have acceptable key management processes for your encryption keys. Alternatively, your card processor likely supports tokenization, where they keep (and protect) the card and you keep a token that allows you to charge against that card. This offloads the chore of protecting the cards from you to your processor.

You can get the most recent version of PCI DSS from the PCI SSC Document Library.
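One way to build the short-lived store the answer describes, as an added example in Go that is not from the question, the answer or any PCI SSC material: the PAN is held under AES-256-GCM with the order ID bound as associated data, a CVV is refused rather than silently dropped, and an expired hold is deleted on access. The 32-byte key handed to `NewCardHold`, the `CardHold`/`heldCard` names and the six-hour window are assumptions; key generation, storage and rotation (PCI DSS 3.5/3.6) are left outside this snippet, and the store itself remains in PCI scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// heldCard is all that is kept per order: nonce||AES-GCM(PAN) and an expiry.
// CVV and track data are never accepted for storage (PCI DSS Requirement 3).
type heldCard struct {
	sealed    []byte
	expiresAt time.Time
}

// CardHold is a constructed in-memory stand-in for the PCI-scoped store.
type CardHold struct {
	aead  cipher.AEAD
	ttl   time.Duration
	cards map[string]heldCard
}

// NewCardHold takes a 32-byte data-encrypting key; generating, storing and
// rotating that key (PCI DSS 3.5, 3.6) is assumed to happen outside this code.
func NewCardHold(key []byte, ttl time.Duration) (*CardHold, error) {
	block, err := aes.NewCipher(key) // AES-256 when len(key) == 32
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return &CardHold{aead: aead, ttl: ttl, cards: map[string]heldCard{}}, nil
}

// Hold encrypts the PAN for one order; a non-empty CVV is an error, not a
// no-op, so a checkout that posts the whole form cannot land it in storage.
func (h *CardHold) Hold(orderID, pan, cvv string, now time.Time) error {
	if cvv != "" {
		return errors.New("refusing to store CVV: prohibited after authorization")
	}
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	// orderID as associated data: a ciphertext cannot be reused for another order.
	sealed := h.aead.Seal(nonce, nonce, []byte(pan), []byte(orderID))
	h.cards[orderID] = heldCard{sealed: sealed, expiresAt: now.Add(h.ttl)}
	return nil
}

// Recover returns the PAN only inside the window and deletes an expired hold.
func (h *CardHold) Recover(orderID string, now time.Time) (string, error) {
	c, ok := h.cards[orderID]
	if !ok || !now.Before(c.expiresAt) {
		delete(h.cards, orderID)
		return "", errors.New("no card held for this order, or hold expired")
	}
	n := h.aead.NonceSize()
	pan, err := h.aead.Open(nil, c.sealed[:n], c.sealed[n:], []byte(orderID))
	return string(pan), err
}
```

A periodic sweep that walks the map and deletes anything past `expiresAt` would complete the "delete after some time" part of the question; `Recover` only purges on access.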
