Recurring Payments: Storing Card Holder’s Data Safely

By David Goodale of Merchant-Accounts.ca

One of the biggest concerns you hear when setting up modern payment systems is security: how can a cardholder's data be stored safely? In part one of this three-part article on recurring payments, we look at storing cardholder data.

Storing Cardholder Data (Avoid when possible!)

When e-commerce payments were still a relatively new concept there was no standard for the protection of cardholder data.  This left merchants to, more or less, do what they wanted when it came to handling card data.  Of course, breaches occurred causing headaches for cardholders, merchants, issuing banks, and the card brands.

When card data was stolen or compromised it led to lost funds, as well as the cost of creating and re-issuing the stolen cards.  In 2004 the card brands worked together to address this with the advent of the PCI standard.  The creation of this security standard has provided the benefit of a clear guideline that merchants can follow for the protection of cardholder data, but it's created a tremendous challenge for merchants to deal with.

The Payment Card Industry Data Security Standard (PCI DSS) is a complex, technically demanding standard that even large, technically sophisticated organizations struggle with. For regular businesses it can be intimidating, or in some cases outright impossible, to comply with.

One of the best ways to minimize the headache is to avoid holding the data at all: don't store sensitive data unless you genuinely need to. (Unless, that is, you have strong technical expertise within your organization, or perhaps just an unhealthy appetite for unnecessary liability.)

The PCI security standard recognizes that some businesses simply do not have the ability, time or expertise to satisfy its technical requirements. Fortunately, merchants can rely on service providers to touch, handle and store credit card numbers, which keeps cardholder data away from your organization. If you rely on PCI compliant third parties for the collection and storage of all cardholder data, you qualify for a simplified version of the PCI self-assessment questionnaire, in which you essentially state that third-party providers handle the cardholder data for your business and that those providers are PCI compliant. Said more plainly, you are outsourcing the headaches.

This is sometimes referred to as credit card tokenization. If you want to store credit card numbers, but you don't want the sensitive information to be poking around your server environment, you can give the sensitive bits to your service provider. They will store the card number and give you a "token" in its place. For example, if you gave a credit card number to your provider, they might return a response to you that says "we'll call this token #50". Any time you want to bill this card again in the future, you just tell them to bill token #50. This all happens at a technical / API level behind the scenes.

CRM Dynamics employs this tokenization method in our payment pathways solutions. If you’d like to learn more about how we can assist you in keeping your cardholder data safe, give our experts a shout.

About the Author

David Goodale is CEO of Merchant-Accounts.ca, and is one of Canada's leading experts in the field of e-commerce payment processing. Over the past 20 years, David has worked with thousands of merchants across Canada, the USA and throughout Europe. David consults for large and complex e-commerce businesses on issues such as cross border payments, interchange optimization, and particularly on approval for hard-to-approve businesses such as airlines, travel businesses, crypto payments, and also for unique and interesting start-ups.
