Can I store my users' credit card's expiration date & last 4 digits? The reasons for this is so we can notify the user that their card is about to expire and that they should change their account over to their new card. Storing the last four digits will allow the user to identify what card they have stored with our system.
+15
A:
There's a whole set of rules about what you can and cannot store, Google for PCI-Compliance. However, in short, yes, the expiration date and last-4 would be ok to store. The huge no-no is storing the CID number (number on the back of the card), but there are many other rules too.
Edit: This is based on the US rules.
WaldenL
2009-03-11 04:57:50
Would've been better if you linked to the first link in google, but that's only because I'm lazy. Thanks.
Ryan Bigg
2009-03-11 05:19:33
...As requested. :-)
WaldenL
2009-03-11 05:22:52
A:
This is not something which you can decide and the rules change from country to country. last 4 digits and expiry date are safe to store but its better to check the rules.
Shoban
2009-03-11 05:06:03
A:
Most acquirers (Chase Paymentech , for example) provide a service that sends you (and the customer , if you want) an email about card expiration & a bunch of other stuff (like credit limit reached ) - So you don't need to store any information except maybe the 4 last digits for recognition purposes.
yossale
2009-08-11 08:54:28