Storing credit cards for automatic payments?

There are lots of different ways in which PCI impacts what you do; I'd point out the data security standards (PCI-DSS). Among many other things, they require strong authentication for anyone accessing the system remotely, and have a wide variety of restrictions on what kind of data you can keep.

Don't even think about storing credit cards without understanding PCI.

At high levels of sales, you will have to be audited by an accredited third party, and the audits can be quite strict, so start documenting early with that in mind.


You are referring to PCI (Payment Card Industry) Compliance.

Plus any legal requirements for the area in which your business operates.


Like Steve and SteveS said, storing credit cards would make your business fall under PCI-DSS. Without the proper infrastructure already in place, this can be a monumental task. Here are a few things I can think of off the top of my head:

  • Transmission of credit card info has to be encrypted.
  • The networks and every server/workstation on the network require an active firewall and IDS.
  • Workstations and servers require antivirus.
  • Passwords need to change every 90 days.
  • Access to machines on the network has to be restricted.

That is just a very short version of a very long list; you can find the full version here: https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf. There is also PCI training, which can help you better understand PCI requirements. There are consultants who specialize in PCI compliance; you might want to check with other companies or IT security auditing firms in the area for recommendations. Best of luck.