Can I store my users' credit card expiration date & last 4 digits? The reason for this is so we can notify the user that their card is about to expire and that they should change their account over to their new card. Storing the last four digits will allow the user to identify what card they have stored with our system.
27 votes
3 Answers
40 votes
There's a whole set of rules about what you can and cannot store; Google for PCI-Compliance. However, in short, yes, the expiration date and last-4 would be OK to store. The huge no-no is storing the CID number (number on the back of the card), but there are many other rules too.
Edit: This is based on the US rules.
1 vote
Most acquirers (Chase Paymentech, for example) provide a service that sends you (and the customer, if you want) an email about card expiration and a bunch of other stuff (like credit limit reached), so you don't need to store any information except maybe the last 4 digits for recognition purposes.