27
votes

Can I store my users' credit card's expiration date & last 4 digits? The reasons for this is so we can notify the user that their card is about to expire and that they should change their account over to their new card. Storing the last four digits will allow the user to identify what card they have stored with our system.

3

3 Answers

40
votes

There's a whole set of rules about what you can and cannot store, Google for PCI-Compliance. However, in short, yes, the expiration date and last-4 would be ok to store. The huge no-no is storing the CID number (number on the back of the card), but there are many other rules too.

Edit: This is based on the US rules.

1
votes

Most acquirers (Chase Paymentech , for example) provide a service that sends you (and the customer , if you want) an email about card expiration & a bunch of other stuff (like credit limit reached ) - So you don't need to store any information except maybe the 4 last digits for recognition purposes.

0
votes

This is not something which you can decide and the rules change from country to country. last 4 digits and expiry date are safe to store but its better to check the rules.