Storing Credit Card Data on Paper: PCI-DSS Rules
Ordering over the phone is almost nostalgic at this point. But for many legacy merchants and online travel agencies, it's a Tuesday: collecting credit card information over the phone, and storing that information on paper, is still routine business.
To ensure that merchants properly protect consumer credit card information while taking payments, the card brands publish and enforce PCI-DSS through the PCI Security Standards Council. Much of the standard focuses on the electronic handling of cardholder data, whether in transit or at rest, but PCI-DSS also covers the non-electronic side of data management, including employee and contractor access and how physically recorded information must be handled.
Failure to meet stringent standards for storing data on paper is no less serious a miss than setting up insecure databases or payment data collection processes.
What payment information can merchants store on paper?
Broadly speaking, merchants who process credit card transactions may store the following cardholder data, provided it is protected (PCI-DSS requires a stored PAN to be rendered unreadable, which on paper translates into locked storage, restricted access, and prompt destruction):
- Primary Account Number (PAN)
- Cardholder Name
- Service Code
- Expiration Date
By contrast, merchants are not permitted to store:
- Full magnetic stripe data.
- CAV2/CVC2/CVV2/CID
- PIN/PIN Block
The media on which this information is stored, whether physical or digital, is irrelevant: the sensitive authentication data in the second list may be needed to authorize a sale, but PCI-DSS requires that it never be retained after authorization, even in encrypted form, and that any copy be promptly and irrevocably destroyed.
Why would a merchant store credit card data on paper?
In the vast majority of cases, there is no good reason to store credit card data on paper at all. In a physical retail environment, almost all sales go through electronic terminals, which read, transmit, and discard card data; in online sales the card is not present and the details are passed electronically.
That said, manual flatbed imprinters are still technically viable in emergencies (e.g. when power is out or internet connectivity is unavailable), and the slips they produce carry the embossed card details (PAN, cardholder name, and expiration date) but not the CVV, PIN, or full magnetic stripe data.
Additionally, a telephone operator attempting to make a sale may need to write information down when the processing system is unavailable, so that they can process the transaction at a later time.
Who should access credit card information?
Once credit card information is written down on paper, it falls under the same strict rules as it would if it were stored digitally, with the difference that paper cannot, of course, be encrypted, so physical controls have to do the job that encryption does for digital records.
This means that:
- It must only be accessed by authorized personnel, with an audit trail maintained.
- It must be stored in a secure location (such as a locked safe)
- It can only be transmitted via approved, secure systems. In other words, through a payments system with strong encryption, and absolutely never by way of standard communications software like email or SMS. Fax transmissions are only permitted where the machines at both ends are in verifiably secure locations.
- CVV/CVC information must not be retained after authorization at all, and must certainly never be written down alongside the PAN.
- Paper receipts must be destroyed in such a way that account information cannot be identified or reconstructed.
There are three situations in which credit card information is most frequently collected on paper:
- When using manual flatbed imprinters to take card details.
- When accepting credit card information over the telephone for submission by a customer service operator.
- When accepting paper forms for smaller organizations (such as charities or community groups).
When using manual flatbed machines, it is crucial to ensure that receipts are retained only as long as necessary to confirm completion of the submission, at which point the physical record should be properly destroyed.
Credit card information collected by telephone operators can be more complicated to manage, as it may be written on anything from an official form to a Post-It note by operators doing their best to close out deals. The key to avoiding PCI-DSS violations is to anticipate this situation ahead of time and to have a published and well-publicized policy in place that outlines acceptable and unacceptable activities.
For instance, operators should write these details only onto prepared forms and have a process for submitting them through correct channels; and whoever within the organization receives the forms should have a clear process for using the information, then either storing it in a secure location or properly destroying it. Operators should never retain copies of the information.
While smaller organizations may collect credit card information on physical forms (e.g. for donations to a charity, or to contribute to a social group), it is very hard to manage these appropriately, except insofar as strong policies and procedures are in place to submit the transactions, then to verifiably destroy the information. There are no circumstances under which it is recommended to collect credit card information on self-designed forms, and including the CVV/CVC on a form alongside the PAN presents significant compliance and data breach risk.
Why Online Travel Agencies Are Especially Vulnerable
Online travel agencies (OTAs) face a uniquely high-risk version of this problem. Unlike a retail merchant who can rely entirely on electronic point-of-sale systems, OTAs regularly accept bookings over the phone, via email, and through manual intake forms, often for high-value transactions where the urgency to close the sale creates pressure to take shortcuts with data handling.
In practice, this means card numbers are written on booking forms, typed into email threads, or entered into spreadsheets that lack any meaningful access controls. PAN details and CVV/CVC codes frequently end up stored together, in violation of PCI-DSS requirements. And because OTAs often work with multiple airline, hotel, and ground transportation partners, that sensitive data may be passed downstream to third parties through equally insecure channels.
The result is a significantly expanded attack surface, compounded compliance risk, and a direct line to the kind of data breach that ends customer relationships.
How to Avoid Violations
When paper storage of credit card information is unavoidable, merchants must follow strict rules to avoid PCI-DSS violations, including:
- Publish a clear policy and set of procedures for how to record, store, and access information, as well as how to destroy it.
- Establish clear audit trails to track who has access to stored information until its destruction.
- Never retain CVV/CVC after authorization, and never record it alongside the PAN, under any circumstances.
- Only use manual flatbed machines when absolutely necessary, and have a clear set of procedures on both when to use them, and how to handle their physical output.
For merchants who regularly take payments over the phone or through manual intake, travel agencies especially, a programmable payment vault like Basis Theory eliminates the paper trail entirely. Card data is captured and tokenized at the point of collection, so agents never handle raw PAN details and nothing sensitive hits a spreadsheet, an inbox, or a sticky note.
The data stays secure, your PCI scope stays manageable, and your team stays focused on closing bookings, not auditing paper trails.
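As an added illustration of the two points made above (card numbers ending up in email threads and spreadsheets, and tokenizing at the point of collection), here is example code written for this page; it is not Basis Theory's SDK or any vendor's API. It scans free text for Luhn-valid card numbers, swaps each one for an opaque token held in a toy in-memory vault, strips any labelled CVV outright rather than storing it, and releases the raw PAN only to a caller acting in the payment-processor role. The sample email, the `TokenVault` class, and the role name `payment-processor` are all constructed assumptions.

```python
from __future__ import annotations

import re
import secrets

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits. The Luhn check below weeds out most non-card matches.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A labelled security code ("CVV 737", "cvc2: 1234"). Heuristic: it relies on the label,
# because a bare 3-4 digit number could be anything.
CVV_FIELD = re.compile(r"\b(?:CVV2?|CVC2?|CAV2|CID)\b\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every PAN passes; rejects phone numbers and references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in free text, in order."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


class TokenVault:
    """Toy stand-in for a hosted payment vault (assumption for this example, not a vendor API).
    The raw PAN lives only here; everything outside sees an opaque token or the last four."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_urlsafe(12)   # random, so the token reveals nothing
        self._pans[token] = pan
        return token

    def last_four(self, token: str) -> str:
        return self._pans[token][-4:]                 # safe to show an agent or print on a form

    def detokenize(self, token: str, role: str) -> str:
        # Least privilege: only the component that talks to the processor may see the PAN.
        if role != "payment-processor":
            raise PermissionError("raw PAN is released only to the payment processor")
        return self._pans[token]


def redact(text: str, vault: TokenVault) -> tuple[str, list[str], int]:
    """Replace PANs with vault tokens and strip labelled CVVs outright.
    Returns (clean_text, tokens, cvvs_removed)."""
    tokens: list[str] = []

    def _tokenize_match(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)                 # a long reference number, not a card: leave it
        token = vault.tokenize(digits)
        tokens.append(token)
        return token

    clean = PAN_CANDIDATE.sub(_tokenize_match, text)
    clean, cvvs_removed = CVV_FIELD.subn("[CVV removed]", clean)
    return clean, tokens, cvvs_removed


# Constructed sample: the kind of email thread or intake note described above.
SAMPLE_EMAIL = (
    "Please book the Lisbon flights for Mr Costa. Card 4111 1111 1111 1111, exp 03/27, CVV 737.\n"
    "Backup card 5500-0000-0000-0004. Booking ref BK-2025-000913, phone +44 20 7946 0958.\n"
)

if __name__ == "__main__":
    vault = TokenVault()
    clean, tokens, removed = redact(SAMPLE_EMAIL, vault)
    print(clean)
    for t in tokens:
        print(t, "ends in", vault.last_four(t))
    print("CVVs removed:", removed)
```

The Luhn check is what keeps the booking reference and the phone number out of the results; the CVV handling deliberately has no vault path, because there is nothing legitimate to do with a security code after authorization except destroy it. In a real deployment the vault is a hosted service outside the merchant's systems, so the PAN never reaches the agent's mailbox or spreadsheet in the first place; the scanner is then the audit tool that proves it.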