If you run a small business, getting paid on time can be one of the biggest pressure points - especially if you deal with ongoing services, late cancellations, deposits, milestone payments, or “pay by instalment” arrangements.
That’s where a credit card authorisation form can be a practical tool. Used properly, it helps you collect payment smoothly, manage risk, and reduce awkward back-and-forth chasing invoices.
But because you’re dealing with payment card details and other personal information, a credit card authorisation form also comes with legal and compliance responsibilities. If your form is unclear, overly broad, or you store details unsafely, you could expose your business to disputes, chargebacks, complaints, and reputational damage.
Below, we’ll walk you through how to create a compliant credit card authorisation form for an Australian business - what it should include, the key laws and standards to keep in mind, and how to use it in a way that is fair (and enforceable).
A credit card authorisation form is a document where your customer gives you permission to charge their credit card for specific amounts, on specific dates, or in specific situations.
It’s commonly used when:
- you want to take a deposit to secure a booking;
- you need to charge a card for recurring payments (such as monthly services);
- you want a “card on file” to charge after services are delivered; or
- you need a way to charge for late fees or missed appointments (where your contract allows it).
Importantly, a credit card authorisation form is not a magic “permission slip” that lets you charge whatever you want, whenever you want. To be useful, it needs to be:
- clear about what will be charged and when,
- consistent with your customer contract / booking terms, and
- supported by good evidence that the customer agreed (and understood what they agreed to).
Sometimes business owners use “direct debit” and “credit card authorisation” interchangeably, but they’re not the same thing.
- Credit card authorisation is permission to charge a card (Visa/Mastercard etc) via your payment provider.
- Direct debit is typically a bank-account debit set up through the Bulk Electronic Clearing System (BECS) (and in some setups, it can also include other “debit authority” products offered by payment providers).
If you’re setting up ongoing withdrawals, it’s worth checking whether you’re using a true BECS direct debit arrangement (bank account) or recurring card payments - because the compliance steps, notices, and cancellation rules can differ depending on the product and provider. That’s where understanding direct debit laws becomes relevant.
A credit card authorisation form can be useful in lots of everyday small business scenarios - but it’s most valuable when you have a genuine payment risk to manage and you can clearly explain why you need the authorisation.
Common Use Cases For Small Businesses
- Bookings and appointments: taking deposits, charging no-show fees, or charging late cancellation fees (if properly disclosed).
- Professional services: staged payments for projects, retainers, or charging after delivery of services.
- Ongoing services: recurring monthly charges (with clear billing cycles and amounts).
- Security / incidentals: accommodation, equipment hire, venue hire, or services where additional charges may apply (damage, extra time, etc).
A credit card authorisation form can create problems if it’s used as a shortcut instead of putting proper written terms in place.
For example, you’re more likely to run into disputes if:
- the customer didn’t understand what they were agreeing to,
- you charge amounts that don’t match what you disclosed,
- you rely on a form without clear service terms (scope, pricing, cancellations, delivery), or
- you store card details insecurely.
As a rule of thumb: your authorisation form should support your overall payment process - not replace clear contractual terms.
There isn’t one single Australian law called “the credit card authorisation form law”. Instead, compliance usually comes from a few overlapping areas: consumer protection, privacy, payment security standards, and contract law.
Australian Consumer Law (ACL): Don’t Mislead Customers
If you sell to consumers (and many small businesses do, even if you’re B2B sometimes), you need to ensure your payment terms aren’t misleading or unfair in practice.
In plain terms, that means:
- you should clearly disclose fees, deposits, cancellation charges, and how/when you will charge the card;
- you shouldn’t “surprise” customers with unexpected charges;
- your authorisation needs to match what you promised in your quote, booking page, or invoice terms.
This is also why it helps to get your pricing and due dates clear in writing upfront, including your invoice payment terms.
Unfair Contract Terms (UCT): Be Careful With “We Can Charge Whatever We Want” Clauses
If your authorisation form (or your broader customer terms) gives you a very broad right to charge fees at your discretion, this can create legal risk.
Clauses that are one-sided, unclear, or go beyond what’s reasonably necessary to protect your legitimate business interests can be challenged - especially if you use standard-form terms.
A safer approach is to:
- define specific fee types (eg late cancellation fee, replacement cost, additional hours),
- explain how they’re calculated, and
- require reasonable notice where possible.
Card details and billing information are generally personal information under Australian privacy law (even if they won’t usually be “sensitive information” as that term is defined in the Privacy Act 1988 (Cth)). Either way, it’s still information that needs to be handled carefully and securely.
Depending on your business size and what information you collect, the Privacy Act 1988 (Cth) may apply. Even where it doesn’t strictly apply, privacy best practice still matters (and customers expect it).
At a minimum, it’s usually sensible to have a clear Privacy Policy explaining what personal information you collect, why you collect it, and how you store and disclose it.
Payment Industry Security Standards (Including PCI DSS)
Most businesses will also be impacted by payment security rules imposed by their bank and payment provider - and by PCI DSS (Payment Card Industry Data Security Standard) requirements.
Even if you’re not a technical expert, the practical takeaway is simple:
- avoid storing full card details unless you have strong controls and a compliant system, and
- prefer tokenised “card on file” tools via reputable payment platforms (where the platform stores the sensitive details, not you).
If you’re unsure what your obligations look like in practice, it’s worth reading up on storing credit card details before you build your process.
A compliant credit card authorisation form should be clear, specific, and consistent with your broader customer terms.
Think of it as two things:
- a permissions document (what the customer authorises you to do), and
- a record (evidence that the customer agreed).
1. Your Business Details
- Business name (and legal entity name if different)
- ABN/ACN (where relevant)
- Contact details (email/phone/address)
This helps customers understand who is charging the card and reduces disputes when a charge appears on their statement.
2. Customer Details
- Customer full name
- Billing address (if needed)
- Email and phone number
- Customer reference / booking number / invoice number
Keep it to what you genuinely need. Collecting extra information “just in case” can increase privacy risk.
3. Card Details (Only If You Truly Need Them)
If your system allows tokenisation or payment links, consider avoiding manual collection of full card details entirely.
If you do need to collect card details, your form may ask for:
- Name on card
- Card number
- Expiry date
- CVC (only if required - and be extremely cautious about storage)
Tip: If you are collecting CVC, be especially careful about storage. PCI DSS prohibits storing the CVC after the transaction has been authorised, even in encrypted form, and many payment systems enforce this - so it should only ever be used for the immediate authorisation and never written down or kept on file.
4. Exactly What The Customer Is Authorising You To Charge
This is the heart of a strong credit card authorisation form.
You should set out:
- Amount: a fixed amount, or a clearly defined way the amount is calculated
- Timing: date(s) you will charge, billing cycle, or trigger event (eg “upon delivery”)
- Description: what the charge relates to (deposit, invoice, late cancellation fee, etc)
- One-off vs recurring: whether it’s a single charge or ongoing authority
If the amount may vary (for example, “additional hours”), you should be careful to explain how it’s calculated and what notice you’ll give before charging.
5. Cancellation, Refund And Dispute Process
A lot of disputes happen not because you charged the card, but because the customer didn’t understand what happens if plans change.
Where relevant, your form should align with your cancellation and refund terms, including:
- how customers can cancel an ongoing authority
- how much notice is required (if any)
- how refunds are handled (if applicable)
- how the customer can contact you if they believe a charge is incorrect
It’s usually best practice for these rules to live in your overarching customer terms (not only on the authorisation form). Depending on how you sell, that may be in Terms of Trade or a more tailored agreement.
6. A Clear Customer Acknowledgement And Signature
To help with enforceability and reduce misunderstandings, include a short acknowledgement that the customer:
- authorises you to charge the card as described,
- confirms the card details are correct and they are authorised to use the card, and
- has read and agrees to the relevant terms (and where those terms are found).
Then include signature fields:
- customer signature (or e-signature)
- date
- optional: witness / staff member handling the authorisation (useful for internal record-keeping)
7. A Link Or Reference To Your Customer Terms (So Everything Matches)
Your authorisation form should not contradict your broader customer terms - it should support them.
If you operate online, your Website Terms and Conditions can help you set out important rules around payments, chargebacks, cancellations, and service delivery (tailored to your model).
If you provide services (especially B2B), it may also make sense to use a dedicated Customer Contract so scope, pricing, and payment triggers are clear from day one.
Having a good form is only half the job. The other half is using it in a way that’s consistent, secure, and easy to evidence later if something goes wrong.
Use A “Point Of Agreement” Process (Not Just A PDF On File)
You want a process that shows the customer actively agreed - not that you quietly collected a form somewhere in your admin folder.
Some practical approaches include:
- using an online checkout or secure payment link where the customer enters card details directly,
- using e-sign tools that clearly record time/date/IP address,
- sending a confirmation email summarising what the customer authorised (amount, timing, purpose).
If there’s ever a dispute, these records can be just as important as the form itself.
Only Charge What You Said You Would Charge
This sounds obvious, but it’s where many businesses get into trouble.
Before charging, check:
- does the charge match the authorised amount or authorised calculation method?
- has the trigger event occurred (eg service delivered, cancellation within the fee window)?
- have you provided any required notice?
- is the charge consistent with your contract, quote, and communications?
If something has changed, it may be safer to get written confirmation of the updated amount before charging again.
Be Extremely Careful With Storage And Access
If you store card details yourself, you take on a serious security burden.
At a minimum, you should consider:
- data minimisation: store only what you need, for only as long as you need it
- restricted access: limit who can see the information (and log access where possible)
- secure storage: avoid plain text files, shared inboxes, and unencrypted spreadsheets
- secure disposal: shred physical copies and securely delete digital copies when no longer required
Many small businesses choose to avoid storing card details at all by using payment providers that store tokenised details securely. This can significantly reduce your risk profile.
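To make the "before charging" checklist above and the storage advice concrete, here is an added worked example in Python (it is not from the original article and is not any payment provider's code). The card record keeps only the provider's token, the last four digits and the expiry, and a small check compares a proposed charge against what the customer actually signed: trigger event, amount or calculation method (with the disclosed cap), promised notice, one-off versus recurring, and card expiry. The token format, field names and the sample invoice and booking numbers are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class CardOnFile:
    """Only the provider's token plus display fields; never the full card number or CVC."""
    provider_token: str  # reference the payment provider maps to the real card (hypothetical format)
    last4: str
    expiry_month: int
    expiry_year: int
    def __post_init__(self) -> None:
        if not (self.last4.isdigit() and len(self.last4) == 4):
            raise ValueError("store only the last four digits, never the full card number")

@dataclass(frozen=True)
class Authorisation:
    """What the customer signed: purpose, trigger event, one-off/recurring, amount or calculation."""
    customer_ref: str
    description: str
    trigger: str                     # event that permits the charge, e.g. "service_delivered"
    recurring: bool
    card: CardOnFile
    fixed_cents: Optional[int] = None          # fixed amount, or None if calculated
    rate_cents_per_unit: Optional[int] = None  # e.g. hourly rate for "additional hours"
    cap_cents: Optional[int] = None            # maximum disclosed to the customer
    notice_days: int = 0                       # notice promised before a variable charge

def check_charge(auth: Authorisation, amount_cents: int, event: str, charge_on: date, units=0, notice_given_on=None, prior_charges=0):
    """Return every reason the proposed charge does NOT match the authorisation (empty = OK)."""
    problems = []
    if event != auth.trigger:
        problems.append(f"trigger '{auth.trigger}' has not occurred (got '{event}')")
    expected = auth.fixed_cents
    if expected is None and auth.rate_cents_per_unit is not None:
        expected = units * auth.rate_cents_per_unit
        if auth.cap_cents is not None:
            expected = min(expected, auth.cap_cents)  # never exceed the disclosed cap
    if expected is None:
        problems.append("form states neither a fixed amount nor a calculation method")
    elif amount_cents != expected:
        problems.append(f"amount {amount_cents} cents differs from authorised {expected} cents")
    if auth.fixed_cents is None and auth.notice_days:
        if notice_given_on is None or (charge_on - notice_given_on).days < auth.notice_days:
            problems.append(f"{auth.notice_days} days' notice required before a variable charge")
    if not auth.recurring and prior_charges:
        problems.append("one-off authority has already been used")
    if (auth.card.expiry_year, auth.card.expiry_month) < (charge_on.year, charge_on.month):
        problems.append("card on file has expired; obtain a fresh authorisation")
    return problems
```

Run the check before every charge and keep its result with the charge record; an empty list means the charge matches the form, and any entry is a reason to stop and confirm with the customer first.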
Make Sure Your Staff Follow The Same Rules Every Time
Consistency matters. If you have staff handling bookings or billing, create a simple internal process document so everyone knows:
- when an authorisation form is required,
- how it should be completed,
- where it is stored,
- who can charge the card and under what circumstances.
This reduces the chance of a well-meaning team member “winging it” and accidentally charging in a way that creates a dispute.
Keep Your Payment Terms And Customer Communications Tight
A credit card authorisation form works best when it’s part of a broader, well-structured payment setup. That includes things like:
- clear quotes (including expiry dates and inclusions/exclusions),
- clear invoices,
- consistent due dates,
- transparent fee rules (late fees, cancellation fees, additional work).
When all of this lines up, the authorisation form becomes a simple confirmation - not a source of confusion.
Key Takeaways
- A credit card authorisation form is a practical way to manage payment risk, but it must be clear and specific about what you can charge and when.
- Your authorisation form should match your broader customer terms (pricing, cancellations, deposits, and refund rules) so you don’t end up with disputes or chargebacks.
- Australian Consumer Law (ACL), unfair contract terms principles, privacy obligations, and payment security standards can all affect how you collect and handle card details.
- A compliant form should include business and customer details, a clear payment authority, cancellation/refund processes, and strong evidence of consent (especially for recurring charges).
- Where possible, avoid storing full card details yourself - using secure payment tools and minimising data storage can significantly reduce compliance and security risk.
This article is general information only and does not constitute legal advice. If you’d like advice tailored to your business and payment processes, get in touch with a lawyer.
If you’d like help putting together a compliant credit card authorisation form (and the supporting terms you need around payments, cancellations, and privacy), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.