
Credit Card Details Form: Legal & Compliance Checklist in Australia

By Alex Solo · 9 min read

If your business takes payments over the phone, by email, or using recurring billing, you’ve probably been asked at some point: “Do you have a credit card details form we can fill out?”

A credit card details form can feel like a simple admin tool - a quick way to capture card numbers and process a payment later. But in Australia, collecting, storing and handling card details comes with real legal and compliance obligations. If you get it wrong, the risks aren’t just “a chargeback”. You could be looking at customer complaints, reputation damage, payment processor issues, or even privacy and security breaches.

So if you’re using (or thinking of using) a credit card details form, it’s worth setting it up the right way from day one. Below is a practical checklist that focuses on what small businesses need to think about in Australia, including privacy, security, consumer law, and contract terms.

This article is general information only and does not constitute legal advice.

What Is A Credit Card Details Form (And When Do Businesses Use One)?

A credit card details form is a document (paper or digital) that collects a customer’s payment card information so you can process a payment now or later. Some businesses also use it to:

  • take a deposit to secure a booking;
  • set up recurring payments (for memberships or retainers);
  • charge a cancellation or no-show fee;
  • keep card details on file for incidental charges (common in accommodation or hire arrangements);
  • take payment “by authority” where the customer can’t pay via a normal checkout.

The moment you collect card details, you’re handling highly sensitive payment information. That triggers practical security obligations, and it may also trigger privacy obligations depending on your circumstances.

It’s also important to understand that a form is not just “a payment slip”. It’s usually part of your broader legal relationship with the customer - and the way it’s drafted can affect whether you can enforce deposits, cancellation fees, and authorisations.

Before You Create A Credit Card Details Form: Your Payment Process Checklist

Before you draft the form itself, step back and map out what you’re actually trying to achieve. This helps you avoid collecting more information than you need (which reduces your legal risk).

1) Do You Really Need To Store Card Details?

If you can, it’s generally safer to avoid storing card details entirely. Consider whether you can use alternatives such as:

  • payment links;
  • online invoices that take card payments;
  • direct debit arrangements;
  • a secure online booking system that tokenises card data.

From a risk perspective, the best “data security plan” is not collecting or retaining sensitive data in the first place.

2) If You Must Store Details, What Exactly Will You Keep?

Be clear about whether you will:

  • process a single payment immediately (no storage);
  • store details briefly (e.g. until the deposit clears);
  • store details long-term for future charges.

The longer you keep information, the more important retention controls and deletion processes become.

3) Do You Need Clear Permission To Charge Later?

Many disputes happen because a customer didn’t clearly understand (or agree) that you would charge a cancellation fee, a balance payment on a later date, or extra fees.

This is where your form and your broader customer terms must align. For many businesses, it’s sensible to have properly drafted Terms of Trade or service terms that explain when you can charge a card and what happens if a payment fails.

Privacy And Data Handling: What You Need To Do If You Collect Card Details

In Australia, handling personal information can trigger obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The Act generally applies to businesses with an annual turnover above $3 million, and also to some smaller businesses because of what they do (for example, health service providers and businesses that buy or sell personal information). Even if the Privacy Act doesn’t strictly apply to you, customers and payment providers still expect proper handling and security, and your merchant agreement will usually require it.

Collect Only What You Need

A common mistake is collecting “just in case” information. Your credit card details form should only ask for what is necessary to process the payment and verify authorisation.

For example, you may need:

  • cardholder name;
  • card number;
  • expiry date;
  • CVV (only if needed for an immediate authorisation - PCI DSS prohibits storing the CVV after authorisation, even encrypted, so it must never be written into a database, spreadsheet or paper file that you keep);
  • billing address (sometimes);
  • customer contact details for receipts and payment issues.

If you don’t need a field, remove it. Less data collected usually means less compliance risk.

Tell Customers Why You’re Collecting It

Your form should clearly explain:

  • what the information will be used for (e.g. deposit, recurring payments, cancellation fees);
  • whether the details will be stored or used once and destroyed;
  • who the details may be shared with (e.g. your payment processor, accounting provider, booking platform);
  • how customers can contact you with questions or complaints.

In practice, many small businesses handle this by combining a clear notice on the form with a Privacy Policy and internal procedures. If you collect customer details through forms (including payment forms), having a properly drafted Privacy Policy is often a smart baseline.

Secure Storage And Access Controls

Security isn’t just an IT issue - it’s also a legal and commercial issue. If card data is exposed due to poor practices (for example, staff email card details to each other, or paper forms are left in an unlocked drawer), that can become a serious incident quickly.

At a minimum, you should consider:

  • Access controls: limit who can view or use card information.
  • Storage controls: avoid storing in email inboxes, unencrypted spreadsheets, or shared drives without permissions.
  • Physical security: if paper forms are used, lock them away and restrict access.
  • Retention rules: delete or securely destroy information once it’s no longer needed.
  • Breach plan: have a basic plan for what you’ll do if there’s suspected unauthorised access - who investigates, how you contain it (for example, cancelling stored card tokens and alerting your payment provider), and who you must notify. If the Privacy Act applies to you, the Notifiable Data Breaches scheme requires you to notify the OAIC and affected individuals of an eligible data breach, and your merchant agreement will usually require you to report a suspected card data compromise to your payment provider promptly.

If your staff handle customer data (including payment details), a clear internal privacy and security framework helps avoid mistakes. Some businesses choose to formalise this with an Information Security Policy, especially as they grow.

Card Payment Security Rules: What Small Businesses Commonly Miss

Even though “PCI DSS” (the Payment Card Industry Data Security Standard) sounds like something only big companies worry about, it applies to every merchant that stores, processes or transmits cardholder data, regardless of size. What changes with size is how you demonstrate compliance: most small businesses complete a Self-Assessment Questionnaire (SAQ) rather than an external audit, and which questionnaire applies depends on how you take payments (a business that only uses a gateway’s hosted payment page has far less to attest to than one that keys card numbers into its own systems). The obligation reaches you through your payment provider, the card scheme rules and your merchant agreement.

In plain terms: if you store, process, or transmit card information, your payment provider may require specific security practices - and if you don’t follow them, you can be exposed to fees, loss of merchant facilities, or other consequences (especially after a breach).

Key Practical Rules To Build Into Your Credit Card Details Form Process

  • Don’t store CVV: PCI DSS prohibits keeping the CVV after the transaction has been authorised, even in encrypted form. If the form has a CVV field at all, use it for the one authorisation and then destroy that part of the form; if you don’t need it, don’t collect it.
  • Avoid email: customers emailing card details is unsafe, because the details end up in mailboxes, backups and forwarded threads you don’t control. Have a safer alternative ready (a payment link or a hosted payment form). If a customer emails card details anyway, don’t reply quoting them or forward them internally; process the payment, then delete the message from the inbox and deleted items.
  • Use secure systems: whenever possible, use a payment gateway’s hosted payment page or tokenisation rather than manual entry. With tokenisation the gateway keeps the card number and gives you back a token that only works with that gateway, so your own systems never hold the full number and there is far less for an attacker to take.
  • Restrict copying: don’t photocopy cards or keep screenshots of card details.
  • Train your team: human error is a major source of data incidents.

If you’re not sure what your payment provider expects, check your merchant terms or ask them directly. It’s better to design your process correctly now than to try to “fix it later” after a complaint or incident.
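The “collect only what you need”, “don’t store CVV”, tokenisation and retention points above, as an added example in Python (not code from this article or from Sprintlaw). It shows what a card intake record looks like when it is designed around those rules: the card number is checked with the Luhn algorithm, handed to a tokenisation vault, and kept in your own records only as a token plus a masked number; the record has no field the CVV could be stored in; and every record carries a retention date that a purge routine enforces. The in-memory _VAULT dictionary stands in for a real payment gateway’s tokenisation service, the gateway.authorise call is hypothetical and left as a comment, and the card number 4111 1111 1111 1111 is a constructed test number, not a real card.

```python
import re
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Stand-in for the tokenisation service a payment gateway provides. It is the
# only place the full card number (PAN) lives; the business's own records keep
# a token and a masked PAN. In production this is the gateway, not a dict.
_VAULT: dict[str, str] = {}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum. Catches mistyped digits; it does not prove the card exists."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise(pan: str) -> str:
    """Swap the PAN for a random token; only the vault can map it back."""
    token = "tok_" + secrets.token_urlsafe(16)
    _VAULT[token] = pan
    return token


@dataclass(frozen=True)
class StoredCard:
    """What the business keeps. There is no field for the CVV or the full PAN."""
    cardholder_name: str
    token: str
    masked_pan: str
    expiry: str         # MM/YY
    purpose: str        # what the customer authorised on the form
    retain_until: date  # retention deadline stated on the form


def intake(form: dict, today: date, retention_days: int) -> StoredCard:
    """Validate a submitted form, tokenise the PAN and build the retained record."""
    pan = re.sub(r"\D", "", form["card_number"])
    if not luhn_valid(pan):
        raise ValueError("card number failed Luhn check")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", form["expiry"]):
        raise ValueError("expiry must be MM/YY")
    # The CVV is used for the immediate authorisation only and is deliberately
    # never copied into the record or logs. The gateway call is hypothetical:
    # gateway.authorise(pan, form["expiry"], form.get("cvv"))
    return StoredCard(
        cardholder_name=form["cardholder_name"],
        token=tokenise(pan),
        masked_pan=mask_pan(pan),
        expiry=form["expiry"],
        purpose=form["purpose"],
        retain_until=today + timedelta(days=retention_days),
    )


def purge_expired(records: list, today: date) -> list:
    """Retention control: drop records past retain_until and their vault entries."""
    kept = []
    for rec in records:
        if rec.retain_until < today:
            _VAULT.pop(rec.token, None)
        else:
            kept.append(rec)
    return kept


def run_demo() -> dict:
    """Constructed walk-through: intake, then purge once the retention period lapses."""
    form = {  # constructed sample submission; 4111... is a standard test number
        "cardholder_name": "Test Customer",
        "card_number": "4111 1111 1111 1111",
        "expiry": "12/30",
        "cvv": "123",
        "purpose": "deposit for booking #EXAMPLE",
    }
    rec = intake(form, today=date(2026, 6, 1), retention_days=30)
    in_vault = _VAULT.get(rec.token) == "4111111111111111"
    remaining = purge_expired([rec], today=date(2026, 7, 2))
    return {
        "record": rec,
        "in_vault_before_purge": in_vault,
        "remaining_after_purge": remaining,
        "in_vault_after_purge": rec.token in _VAULT,
    }


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noticing is structural rather than procedural: because StoredCard has no CVV or full-PAN field, a staff member cannot accidentally keep either, and because the retention date is part of the record, the purge routine needs no separate register of what was collected when.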

Consumer Law And Contract Terms: Making Sure Your Charges Are Enforceable

Most credit card disputes aren’t really about the card. They’re about the underlying agreement.

For example, a customer might say:

  • they never agreed to a cancellation fee;
  • the deposit was “non-refundable” but the business cancelled;
  • the amount charged was more than quoted;
  • the business charged earlier than agreed;
  • they didn’t authorise a recurring payment.

This is where your customer contract terms matter, and where the Australian Consumer Law (ACL) comes into play - especially around misleading conduct, unfair contract terms, and refund rights.

If you rely on deposits, cancellations, and refunds, it’s important your wording is consistent with ACL requirements. It also helps to understand what you can (and can’t) promise about warranties and customer rights under the ACL, including consumer guarantees and the timeframes that apply, since customers regularly ask how long warranties last and what rights they have.

Include Clear Authority To Charge (And When)

If your credit card details form is used to charge later, it should state clearly:

  • what you are authorised to charge (deposit, remaining balance, cancellation fee, no-show fee, damage fees, late fees if applicable);
  • when you can charge it (e.g. on a specific date, or in the event of a cancellation within a certain window);
  • how you will notify the customer before charging (where appropriate);
  • what happens if the payment fails (e.g. you may suspend services or require another payment method).

Be Careful With “Non-Refundable” Language

Many small businesses use “non-refundable” as a blanket rule, but that can cause problems if it contradicts the ACL or your own cancellation obligations. Your terms should be drafted carefully and in a way that matches the reality of how your business operates.

It’s also important that your website copy, quotes, invoices, and customer communications don’t conflict with what’s on the form.

Don’t Forget Unfair Contract Terms Risk

If you use standard terms with customers (especially consumers or small businesses), contract terms that are overly one-sided can be challenged as unfair. That’s one reason why it’s worth getting your terms reviewed and tailored, rather than relying on generic templates.

What To Include In Your Credit Card Details Form (A Practical Checklist)

Once you’ve mapped your process and understood your compliance obligations, the form itself should support that process clearly.

Here’s a practical checklist of what many Australian small businesses include in a credit card details form (tailored to their payment method and risk profile):

Customer And Transaction Details

  • Customer name and contact details
  • Invoice number or booking reference
  • Description of what the payment is for
  • Amount to be charged (or how it will be calculated)
  • Date the charge will be made (if known)

Card Details (Minimise Where Possible)

  • Cardholder name
  • Card number
  • Expiry date
  • CVV only if required for immediate processing (and not stored)
  • Clear authority to charge the card for the nominated amount
  • If relevant, authority to charge for specific scenarios (cancellations, no-shows, recurring payments)
  • Consent to store details (if you will store them) and how long you will keep them
  • Confirmation the customer is authorised to use the card

Privacy And Handling Notice

  • How the information will be stored and protected (high-level description)
  • Who may have access (e.g. accounts team only)
  • When the information will be destroyed
  • Link or reference to your Privacy Policy

Signature And Date

  • Customer signature (or e-signature method) and date
  • If the cardholder is different from the customer, include a separate cardholder authorisation section

If your form is part of a broader set of customer terms, it should be consistent with your customer contract or terms. For product-based businesses, this might sit alongside broader eCommerce terms and conditions. For service-based businesses, it often sits alongside service terms and payment policies.

Key Takeaways

  • A credit card details form is not just admin - it’s part of your legal and compliance framework for taking payments, deposits, and sometimes charging fees later.
  • Try to avoid storing card details where possible; if you must store them, collect only what you need and set clear retention and access rules.
  • Privacy and security expectations apply in practice even for small businesses, and poor handling (like email storage or uncontrolled access) can create serious risk.
  • Your form should clearly explain what customers are authorising, when you can charge the card, and what happens in cancellation or no-show scenarios.
  • Make sure your payment and refund wording aligns with the Australian Consumer Law, especially if you use standard terms across customers.
  • Strong terms and policies (including Privacy Policy and customer terms) make it much easier to manage disputes and reduce chargeback risk.

If you’d like help reviewing your payment process or drafting customer terms that support a compliant credit card details form, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
