Accepting card payments is essential for most Australian businesses. But the moment you store a customer’s credit card details, you take on serious legal and security responsibilities.
It’s not just about “keeping data safe.” There are specific Australian privacy rules and global security standards you’re expected to meet. And if something goes wrong, the consequences can be costly and reputationally damaging.
In this guide, we’ll walk you through when you can store card details, what laws and standards apply in Australia, and how to set up practical safeguards and documents that protect your business and your customers.
If you’re weighing up whether to store card data yourself or lean on a third‑party provider, we’ll help you make an informed, low‑risk decision.
Can Australian Businesses Store Credit Card Details?
Yes. Businesses can store card details in limited circumstances, but you need a lawful reason to collect the information, strong security measures, and clear transparency with customers about what you’re doing and why.
Two key principles guide your decision:
- Data minimisation: Only collect and retain what you genuinely need for a lawful purpose (for example, to process recurring subscriptions or a security deposit).
- Security by design: If you store card data, you must implement robust technical and organisational controls that match the sensitivity of the information.
In practice, most small and medium businesses should avoid holding raw card numbers altogether. Instead, use tokenisation through a PCI DSS compliant payment gateway. Tokenisation replaces the primary account number (PAN) with a non‑sensitive token that you can store and use for repeat billing, without you ever handling the underlying card details.
Bottom line: if you don’t need to store card data, don’t. If you do need to, treat it as one of the highest‑risk data categories in your business and manage it accordingly.
What Laws And Standards Apply To Card Data In Australia?
Several legal frameworks and industry standards apply at the same time. Understanding how they interact helps you decide whether to store card data and, if so, how to do it safely.
Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
If you’re an APP entity (most businesses with $3m+ turnover and many smaller businesses in certain sectors), the Privacy Act and APPs require you to collect information lawfully, use it only for permitted purposes, protect it with reasonable security, and securely destroy it when no longer needed.
Card details can be personal information where they relate to an identifiable individual. That means you must be transparent about collection, get valid consent where necessary (for example, for card‑on‑file arrangements), and implement safeguards proportionate to the sensitivity of the data.
Notifiable Data Breaches (NDB) Scheme
If card data is accessed or disclosed without authorisation, and a reasonable person would conclude it’s likely to result in serious harm, you may need to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals. Having an up‑to‑date incident response plan and clear decision‑making criteria is essential.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS is a global security standard set by the major card schemes. It applies to any business that stores, processes or transmits cardholder data. Even if you’re not legally “required” by statute to comply, your merchant agreement and gateway terms will effectively mandate it.
Compliance expectations scale with your risk profile. For many businesses, the simplest path to compliance is to avoid storing or transmitting card data directly and use a hosted payment page or iFrame from a PCI DSS compliant provider.
Consumer Law Considerations
Under the Australian Consumer Law, you must be transparent about payment terms, recurring billing, and any surcharges. Don’t bury key details in fine print: make them clear and easy to understand before a customer enters their card details.
Contractual Obligations With Payment Providers
Your acquirer, merchant facility, or gateway agreement may impose additional controls (for example, breach reporting timelines, audit rights, and limits on storage). These obligations are enforceable contract terms, so make sure your processes and policies align with what you’ve signed.
Practical Compliance: How To Store Card Data Safely
If you decide there’s a legitimate business case to store card details, build your compliance program around security by design. Here’s a practical roadmap.
1) Map Your Data Flows
Identify exactly where card data enters your ecosystem, where it’s stored (systems, databases, apps), who can access it, and where it leaves. You can’t protect what you haven’t mapped.
2) Minimise Collection And Use Tokenisation
Avoid storing the PAN wherever possible. Use tokenisation via your payment gateway so you can bill repeat transactions without holding the underlying numbers. Disable any logs or analytics that might inadvertently capture card data.
3) Encrypt In Transit And At Rest
Where you handle any sensitive fields, apply strong encryption for data in transit (TLS) and at rest. Manage keys securely and restrict administrative access to the smallest possible group.
4) Restrict Access On A Need‑To‑Know Basis
Implement least‑privilege access, role‑based permissions, and multi‑factor authentication (MFA) for admin users. Log access attempts and review them regularly.
5) Establish And Maintain Security Policies
Document clear expectations for your people and systems. For many businesses, an Information Security Policy and an Acceptable Use Policy provide the baseline. Align these documents to your actual practices so they’re useful in day‑to‑day operations.
6) Vendor And Cloud Risk Management
If third parties process or store card data on your behalf (for example, a payment gateway, CRM, or subscription platform), ensure your contracts reflect privacy and security expectations. A Data Processing Agreement helps set out security requirements, breach notification duties, and sub‑processor controls.
7) Staff Training And Access Hygiene
Human error is a leading cause of breaches. Train staff regularly, prohibit copying card data into spreadsheets or tickets, and make it easy for employees to report suspicious activity quickly.
8) Incident Response And Breach Readiness
Prepare for the worst. A tested Data Breach Response Plan sets out who does what in the first 24-72 hours, how you assess likely harm, and how you meet NDB notification obligations.
9) Retention And Secure Deletion
Don’t keep card data “just in case.” Set a firm retention schedule that aligns with your legal and operational needs, then securely delete or de‑identify data when it’s no longer required.
10) Continuous Improvement
Review your controls regularly, track PCI DSS updates, and run periodic risk assessments. As your systems and vendors change, your security and privacy measures should evolve with them.
Do You Need Consent And A Privacy Policy?
Customers should never be surprised by how you handle their card details. Transparency is a core requirement under the APPs and good business practice.
Collection Notices And Transparency
Before or at the time you collect card details, clearly explain why you’re collecting them, how they’ll be used (for example, one‑off payment vs recurring billing), who you share them with (for example, your gateway provider), and how long you’ll keep them.
Privacy Policy Essentials
Your Privacy Policy should address payment information in plain English: what you collect, how you protect it, and how customers can access or correct their information. If you rely on tokenisation through a third‑party gateway, say so and name the categories of providers you use.
It’s also wise to set clear rules around billing, subscriptions, renewals, refunds, and chargebacks in your online terms. If you sell through your site or app, align your Privacy Policy with your Website Terms and Conditions so customers have a consistent view of how payments work.
Marketing And Communications
If you intend to send promotional messages linked to a transaction, ensure your consent, opt‑out, and preference mechanisms are compliant with Australian spam and privacy rules. Keep this separate from the consent for storing card details, since bundling consents can cause issues.
Special Scenarios To Watch Out For
Some business models create extra risk around card‑on‑file arrangements. Plan for these scenarios upfront.
Recurring Payments And Subscriptions
For subscriptions and memberships, make renewal dates, billing frequency, and cancellation terms clear and prominent. Provide easy ways for customers to update their card details safely (ideally through your PCI DSS compliant gateway rather than by email or phone).
Card‑On‑File For Security Deposits
If you keep a token or hold for a security deposit (common in rentals or bookings), be transparent about when and how the card may be charged. Limit access to deposit functions to appropriately authorised staff and keep an audit trail of any charges.
Direct Debits And Stored Details
If you operate direct debits from cards or bank accounts, make sure your authorities, notices, and cancellation processes comply with the applicable rules. Our guide to direct debit laws explains the key compliance points and customer rights.
Remote Work And Support Channels
Never accept full card numbers over email, chat, or support tickets. Disable content recording in support tools, redact card fields in logs, and train staff to redirect customers to secure payment pages instead of handling card details themselves.
Surcharges And Pricing Transparency
If you apply card surcharges, make them clear upfront and keep them within the regulatory limits set by the card schemes and Australian consumer law principles. Hidden or excessive charges can trigger disputes and complaints.
Chargebacks And Disputes
Have a simple process for customers to raise billing concerns and fix obvious mistakes quickly. Good documentation (for example, timestamps, IP addresses, and checkout confirmations) helps you respond if a bank initiates a chargeback.
What Legal Documents Should You Have In Place?
The right documents help you meet your obligations, set customer expectations, and align your internal processes. Depending on your business, consider the following:
- Privacy Policy: Explains what personal information you collect (including payment data), why you collect it, who you share it with, and how you protect it.
- Website Terms and Conditions: Sets out payment terms, subscriptions, renewals, refunds, and chargebacks for online purchases.
- Data Processing Agreement: Ensures vendors that process card‑related personal information meet security, confidentiality, and breach notification standards.
- Information Security Policy: Documents your security controls, access restrictions, and technical measures for protecting sensitive data.
- Acceptable Use Policy: Sets staff rules for handling systems and data (for example, banning storage of card numbers in emails or spreadsheets).
- Data Breach Response Plan: Guides your team through containing, assessing, and notifying an incident under the Notifiable Data Breaches scheme.
You might not need all of these from day one. But if you store or process card data in any meaningful way, it’s important to cover the basics and then add depth as your risk profile grows.
Common Mistakes To Avoid (And What To Do Instead)
- Storing full card numbers “temporarily” in spreadsheets or inboxes. Instead, use your gateway’s tokenisation and purge any legacy data.
- Letting logs or analytics capture card fields. Instead, mask, redact, or disable logging for sensitive inputs.
- Keeping card details longer than necessary. Instead, enforce a clear retention policy and schedule secure deletion.
- Assuming your gateway’s compliance covers everything. Instead, secure your environment, train staff, and review contracts and policies regularly.
- Vague or bundled consents. Instead, use clear, separate consents for card‑on‑file, recurring billing, and marketing.
- No incident playbook. Instead, maintain a tested Data Breach Response Plan and run practice scenarios.
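Step 2 of the roadmap, the "Remote Work And Support Channels" section, and the second mistake above all come down to the same control: card numbers must not end up in logs, analytics, tickets or spreadsheets. The following is an added example (not code from the original article or from Sprintlaw) of a small defensive backstop for that rule. It finds candidate card numbers by shape and confirms them with the Luhn checksum that payment card numbers carry, masks them to the last four digits before a log line is written, and lets a support or CRM system refuse to save a free‑text field that contains one. The log lines, card numbers and function names are constructed for the illustration; the card numbers are the standard Luhn‑valid test numbers, not real accounts. The caveat a practitioner should keep in mind: this is a safety net, not the primary control. Redaction cannot undo data already written to disk or shipped to a third‑party analytics tool, and a 13 to 19 digit run with a valid checksum is a heuristic that can miss unusually formatted input, so the first line of defence remains not collecting the PAN outside the PCI DSS compliant gateway at all.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits (so a 20-digit trace id is not split into a match).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number candidates found in text (with their digits)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append((m.group(0), digits))
    return found


def contains_pan(text: str) -> bool:
    """True when text holds something that looks like a real card number."""
    return bool(find_pans(text))


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in text, keeping only the last four digits."""
    def _mask(m):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # order numbers and other digit runs are left alone
    return PAN_CANDIDATE.sub(_mask, text)


def redact_log_lines(lines: list) -> list:
    """Apply redaction to each log line before it is written or shipped anywhere."""
    return [redact_pans(line) for line in lines]


def is_safe_to_store(field_value: str) -> bool:
    """Gate for free-text fields (support tickets, CRM notes): refuse anything holding a PAN.
    The caller should reject the save and point the customer to the secure payment page."""
    return not contains_pan(field_value)


# Constructed sample log lines. 4111 1111 1111 1111 and 5500 0000 0000 0004 are the
# usual Luhn-valid test numbers; ORD-1234567890123 is a 13-digit order id that fails Luhn.
SAMPLE_LOG_LINES = [
    "2024-01-15 10:22:01 INFO checkout order=ORD-1234567890123 amount=49.95",
    "2024-01-15 10:22:03 DEBUG form_submit card_number=4111 1111 1111 1111 expiry=12/27",
    "2024-01-15 10:23:10 INFO support_ticket body='customer read card 5500-0000-0000-0004 over phone'",
]

if __name__ == "__main__":
    for line in redact_log_lines(SAMPLE_LOG_LINES):
        print(line)
    print("ticket safe to store:", is_safe_to_store("please call me on 0400 000 000"))
    print("ticket safe to store:", is_safe_to_store("my card is 4111 1111 1111 1111"))
```

In a real deployment the redaction function sits in the logging pipeline (for example as a logging filter or formatter) and in the input validation of any system that stores free text, and the masked last‑four is the only fragment that is then allowed to persist alongside the gateway token.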
Key Takeaways
- Only store credit card details in Australia if you have a genuine business need, and prefer tokenisation via a PCI DSS compliant provider wherever possible.
- The Privacy Act, the Notifiable Data Breaches scheme, PCI DSS, consumer law, and your payment contracts all shape how you collect, secure, use, and retain card data.
- Build security by design: minimise collection, encrypt data, restrict access, train staff, manage vendors, and be ready to respond if something goes wrong.
- Be transparent: use clear collection notices, a tailored Privacy Policy, and consistent Website Terms and Conditions to set fair expectations.
- Support your operations with the right documents, including an Information Security Policy, Data Processing Agreement, Acceptable Use Policy, and a tested Data Breach Response Plan.
- When in doubt, reduce your exposure: store less, keep it for less time, and lean on proven, compliant payment providers.
If you’d like a consultation on storing customer card details safely and legally for your Australian business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.