Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Why Cardholder Data Compliance Matters In Australia
- What Can You Store (And What You Must Not)?
- Step‑By‑Step: Collecting And Storing Card Data Safely
  - 1) Map Your Payment Flows
  - 2) Choose a PCI‑Compliant Payment Solution
  - 3) Decide Whether You Really Need To Store Card Details
  - 4) Build Security Into Your Tech Stack
  - 5) Set Clear Policies And Train Your Team
  - 6) Update Your Customer‑Facing Terms
  - 7) Publish A Transparent Privacy Policy (If Required) And Consider Best Practice
  - 8) Prepare For Incidents
- Do You Need A Privacy Policy And Other Legal Documents?
- Key Takeaways
Making payments simple is great for business. But when cardholder data is involved, you also take on serious legal and security responsibilities. Whether you accept cards online, over the phone or in-store, handling payment card info correctly protects your customers, reduces risk and builds trust in your brand.
In this guide, we’ll walk through what “payment card info” includes, which Australian laws and industry standards apply, what you can and can’t store, and a practical, step-by-step way to set things up safely. We’ll also cover the key legal documents you should have in place before you start taking card payments.
Why Cardholder Data Compliance Matters In Australia
Cardholder data is highly sensitive. If it’s mishandled or breached, customers can face fraud and identity theft, and your business can face penalties, disputes and reputational damage.
From a legal and commercial standpoint, getting this right matters because:
- Customers expect you to keep their details safe, and many won’t return after a scare.
- Payment providers (banks, gateways and merchant acquirers) impose strict security requirements in their contracts.
- Australian privacy and consumer laws can apply to the way you collect, store and use personal information.
- Responding to an incident is expensive and disruptive, even if you do everything right afterward.
If your business model involves saving cards for subscriptions, pre-orders or repeat customers, it’s important to design a secure process up front. If you’re unsure where to start, reviewing your approach to storing credit card details is a helpful first step.
Which Laws And Standards Apply?
Privacy Act 1988 and the Australian Privacy Principles (APPs)
Payment card info that can identify an individual (for example, a card number tied to a name and contact details) is personal information. If you are an “APP entity” under the Privacy Act 1988, you must comply with the Australian Privacy Principles when collecting, using, storing and disclosing it.
Many small businesses with annual turnover under $3 million are not APP entities. However, there are important exceptions. You are covered if, for example, you provide health services, trade in personal information, are related to an APP entity, or are a contractor to the Commonwealth (among others). Even if you’re not legally bound by the APPs, following their security and transparency standards is strongly recommended and often expected by customers and enterprise partners.
APP entities must also comply with the Notifiable Data Breaches scheme, which can require notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals if a breach is likely to cause serious harm.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a global security standard maintained by the PCI Security Standards Council, which was founded by the major card schemes (Visa, Mastercard and others). It sets out how card data must be processed, transmitted and stored safely (think strong encryption, access controls, logging and regular testing).
PCI DSS is not Australian legislation. However, if you accept card payments, your bank or payment provider will almost always require PCI DSS compliance under your merchant agreement. Non‑compliance can lead to fines, higher fees or loss of your ability to process cards. For most businesses, the simplest way to reduce PCI scope is to use a reputable, PCI‑compliant payment gateway that tokenises card data so you never actually “see” or store the raw details.
Australian Consumer Law (ACL)
The Australian Consumer Law applies to how you deal with customers, including statements about security, charging practices and dispute handling. If your processes are misleading or you fail to handle issues fairly (for example, after a suspected fraud charge), you could risk contravening the ACL. Clear, accurate customer terms and sound complaint procedures help you stay on track.
Contracts With Banks and Payment Providers
Your merchant services and gateway agreements set the rules of engagement, often requiring you to implement specific controls, complete PCI self‑assessment questionnaires, and cooperate if there’s a suspected compromise. Make sure someone in your team reads and owns these obligations, and check how they align with your internal policies and technical setup.
What Can You Store (And What You Must Not)?
Before you keep any card details, ask a simple question: do you actually need to store them at all? The safest approach is to avoid storing card data and rely on tokenisation through your payment provider.
- Don’t store sensitive authentication data. PCI DSS prohibits storing the CVV/CVC (the 3–4 digit security code), full magnetic stripe or chip track data, and PINs or PIN blocks after authorisation, even if encrypted. That prohibition covers call recordings, notes, emails and log files just as much as databases.
- Minimise the data you hold. If you must retain cardholder data, keep only what’s necessary (for example, last four digits and expiry for reference) and remove it as soon as it’s no longer required.
- Use strong encryption in transit and at rest. Card data that passes through your systems should travel only over current TLS, and any card number (PAN) you do store must be rendered unreadable (strong encryption, truncation or tokenisation), with keys stored separately from the data they protect and access to them tightly restricted. Wherever a card number is displayed, show it masked (for example, the last four digits only).
- Restrict access on a “need‑to‑know” basis. Limit access to specific roles, enforce multi‑factor authentication for administrative functions and maintain audit logs.
- Harden and patch your environment. Keep your applications and infrastructure up to date, and run vulnerability scans or penetration tests where appropriate. Depending on your self‑assessment questionnaire, your acquirer may also require quarterly external scans by a PCI Approved Scanning Vendor (ASV).
- Set clear retention and disposal rules. Define how long cardholder data is kept and how it’s destroyed. Align your approach with your broader obligations under data retention laws and your provider contracts.
If you take payments by phone, avoid writing full card details down. Instead, use secure virtual terminals or payment links provided by your gateway so card data goes straight to the payment provider, not into your inbox or notes.
Step‑By‑Step: Collecting And Storing Card Data Safely
1) Map Your Payment Flows
Document where card data could enter your business (website checkout, POS, phone orders), which systems it may touch, who has access and where data leaves your control. This helps you minimise exposure and identify PCI DSS scope.
2) Choose a PCI‑Compliant Payment Solution
Use a trusted provider that supports tokenisation and hosted fields or a hosted checkout, so raw card data goes from the customer’s browser straight to the gateway and bypasses your servers. This can dramatically reduce your compliance burden and risk. Ask your acquirer which self‑assessment questionnaire (SAQ) applies to your setup; a fully outsourced checkout can often qualify for the shortest one (SAQ A).
3) Decide Whether You Really Need To Store Card Details
For subscriptions or repeat billing, rely on tokens generated by your gateway instead of storing PANs (primary account numbers). If your business also offers bank account debits, review your obligations under direct debit laws.
4) Build Security Into Your Tech Stack
Enforce HTTPS everywhere, implement access controls and MFA, encrypt data at rest, log access and changes, and keep everything patched. Make sure card numbers can never be written to application logs, error reports or analytics, and re‑check after each deployment that your checkout page still sends card data directly to the gateway rather than to your own server. If you operate a contact centre or phone ordering, consider call‑recording configurations that automatically suppress card digits (for example, pausing recording or masking keypad tones while the card is read out).
5) Set Clear Policies And Train Your Team
Write down how payment details are collected, who can access them, how to verify customers, and what’s prohibited (for example, storing CVV, emailing card numbers). Train staff regularly and keep records of that training.
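The data‑minimisation rules from the “What Can You Store” section and the logging and policy points in steps 4 and 5 above, in working code. This is an added example written for this guide, not code from Sprintlaw or from any payment gateway: the record fields, the token format (`tok_…`), the forbidden key names and the sample gateway response and phone‑order note are all constructed for illustration. It does two things: builds a card‑on‑file record that can only ever hold a gateway token plus the last four digits and expiry, refusing if a full card number or CVV is handed to it; and scrubs Luhn‑valid card numbers (and CVVs that sit next to a label) out of free text before that text is stored, logged or emailed.

```python
"""Added example for this guide, not any gateway's SDK: keep only what a merchant
may hold after tokenisation, and scrub full card numbers (PANs) that leak into
free text such as phone-order notes, support tickets or application logs.
Field names, the token format and every sample input below are constructed."""
import re
from dataclasses import dataclass

# Keys under which a form post or gateway response must never be persisted.
# Sensitive authentication data (CVV/CVC, track data, PIN) may not be stored
# after authorisation even if encrypted; the PAN should stay at the gateway.
FORBIDDEN_KEYS = {"pan", "card_number", "number", "cvv", "cvc", "cvv2",
                  "track1", "track2", "magstripe", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment cards; separates real PANs from
    phone numbers, order IDs and other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardOnFile:
    """The most a merchant should hold for repeat billing: the gateway's opaque
    token plus non-sensitive reference fields. Deliberately no PAN or CVV field."""
    token: str
    last4: str
    expiry_month: int
    expiry_year: int
    brand: str = ""

    def __post_init__(self) -> None:
        digits = re.sub(r"\D", "", self.token)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            raise ValueError("token looks like a card number, not a gateway token")
        if not re.fullmatch(r"\d{4}", self.last4):
            raise ValueError("last4 must be exactly four digits")
        if not 1 <= self.expiry_month <= 12:
            raise ValueError("expiry_month out of range")


def card_on_file_from_gateway(response: dict) -> CardOnFile:
    """Keep only the allowed fields from a tokenisation response, and refuse
    outright if prohibited data was handed over for storage."""
    forbidden = FORBIDDEN_KEYS & {k.lower() for k in response}
    if forbidden:
        raise ValueError(f"refusing to persist prohibited fields: {sorted(forbidden)}")
    return CardOnFile(token=response["token"], last4=str(response["last4"]),
                      expiry_month=int(response["exp_month"]),
                      expiry_year=int(response["exp_year"]),
                      brand=response.get("brand", ""))


# 13 or more digits, optionally separated by single spaces or hyphens.
DIGIT_CHAIN = re.compile(r"\d(?:[ -]?\d){12,}")
# A CVV is only 3-4 digits, so it can only be recognised next to its label.
CVV_HINT = re.compile(r"(?i)\b(cv[cv]2?|security code)(\W{0,5})(\d{3,4})\b")


def _mask_chain(chain: str) -> str:
    """Mask every Luhn-valid window of 13-19 digits in one digit run, keeping the
    last four. Longest windows are tried first, so a PAN run together with an
    expiry ("... 1111 12/27") is still caught and the trailing "12" left alone."""
    pos = [i for i, ch in enumerate(chain) if ch.isdigit()]
    digits = [chain[i] for i in pos]
    out = list(chain)
    start = 0
    while start < len(digits):
        for length in range(19, 12, -1):
            end = start + length
            if end <= len(digits) and luhn_valid("".join(digits[start:end])):
                for k in range(start, end - 4):
                    out[pos[k]] = "*"
                start = end
                break
        else:
            start += 1  # no valid window begins here; slide on
    return "".join(out)


def redact_card_data(text: str) -> str:
    """Scrub PANs (and labelled CVVs) from free text before it is stored, logged
    or emailed, leaving the last four digits as a reference."""
    text = DIGIT_CHAIN.sub(lambda m: _mask_chain(m.group(0)), text)
    return CVV_HINT.sub(lambda m: m.group(1) + m.group(2) + "*" * len(m.group(3)), text)


# Constructed tokenisation response and phone-order note used for the demo.
SAMPLE_GATEWAY_RESPONSE = {"token": "tok_example_7Hk2", "brand": "visa",
                           "last4": "1111", "exp_month": 12, "exp_year": 2027}
SAMPLE_NOTE = "Customer read out 4111 1111 1111 1111 12/27, CVV 123, ph 1800 730 617"

if __name__ == "__main__":
    print(card_on_file_from_gateway(SAMPLE_GATEWAY_RESPONSE))
    print(redact_card_data(SAMPLE_NOTE))
```

Two limits worth knowing. A bare three‑digit CVV cannot be recognised in text without a label next to it, which is exactly why the policy in step 5 has to stop staff writing it down in the first place; the scrubber is a backstop for logs and notes, not a substitute for hosted fields. And some gateways issue format‑preserving tokens that are themselves 16 digits and Luhn‑valid; if yours does, the “token looks like a card number” check needs an allowlist for that token format.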
6) Update Your Customer‑Facing Terms
Explain how payments are processed, how recurring charges work and how disputes or refunds are handled. Having clear Terms of Sale and website Terms & Conditions helps you set expectations and align with the ACL.
7) Publish A Transparent Privacy Policy (If Required) And Consider Best Practice
If you are an APP entity, you must have a Privacy Policy that explains what personal information you collect, how you use and store it, who you disclose it to (including any overseas disclosure) and how people can contact you. Many small businesses choose to adopt a Policy even if not legally required, for transparency, to meet platform expectations and to win customer trust. A tailored Privacy Policy is the easiest way to cover these points in plain English.
8) Prepare For Incidents
Even with strong controls, incidents can happen. Create an incident playbook and a formal Data Breach Response Plan so you can act quickly, notify stakeholders where required and limit harm.
Do You Need A Privacy Policy And Other Legal Documents?
Different businesses need different documents, but if you handle personal information or accept card payments, you’ll usually need a core set of contracts and policies. Here’s a quick checklist.
- Privacy Policy: Required for APP entities and best practice for everyone handling customer data, setting out how personal information is collected, used and secured. A customised Privacy Policy also helps meet platform and enterprise procurement expectations.
- Website Terms & Conditions: The rules for using your site or app, including acceptable use, user accounts and payment processes. See Website Terms & Conditions.
- Terms of Sale or Customer Agreement: How you charge, bill and refund, how recurring payments work, and how disputes are handled, aligned with the ACL. Refer to Terms of Sale.
- Data Breach Response Plan: Roles, steps and notification criteria for responding to a suspected incident, including obligations under the Notifiable Data Breaches scheme for APP entities. Explore a Data Breach Response Plan.
- Supplier and Payment Provider Agreements: Make sure contracts with gateways, IT providers and cloud hosts include appropriate security, confidentiality, PCI responsibilities and incident cooperation clauses.
Not every business will need all of these, but putting the right documents in place early helps you comply with law and contract requirements and prevents confusion later.
Practical Questions We’re Often Asked
Can I Store Card Details For Recurring Payments?
It’s safer to avoid storing PANs yourself. Use a PCI‑compliant gateway that tokenises card data and stores it on your behalf, and never store the CVV/CVC. Your customer terms should clearly explain how recurring charges work and how they can cancel.
What If I Use An Overseas Payment Processor Or Cloud Host?
If you are an APP entity and personal information is disclosed overseas, you must take reasonable steps to ensure the recipient protects it in line with the APPs, and you should explain the cross‑border disclosure in your Privacy Policy. Many payment providers publish compliance statements you can review as part of your due diligence.
What Happens If There’s A Data Breach?
Act quickly. Contain the issue, investigate, and follow your incident plan. APP entities must assess a suspected eligible data breach promptly (the OAIC expects this to be completed within 30 days) and, if the breach is likely to result in serious harm, notify the OAIC and affected individuals as soon as practicable. Tell your acquirer or payment provider as well: merchant agreements usually require prompt notice of a suspected card data compromise.
Can We Take Card Details Over The Phone?
Yes, but design the process to avoid exposure. Use a secure virtual terminal, do not write down full details or email them, and configure call recording to auto‑redact card numbers if recording is necessary for other reasons.
Do We Need Customer Consent To Store Card Details?
If you plan to retain card details (for example, for subscriptions or booking deposits), be transparent. Explain why you hold them, for how long and how customers can request deletion. Your Terms of Sale and Privacy Policy should cover this in plain language.
Key Takeaways
- Map your payment flows and minimise exposure: tokenise card data through a PCI‑compliant gateway so you don’t store raw details.
- Know which rules apply to you: the Privacy Act (for APP entities), PCI DSS via your merchant contracts, and the Australian Consumer Law for fair and transparent customer dealings.
- Never store CVV/CVC; if you retain any cardholder data, encrypt it, restrict access, log activity and set strict retention and disposal rules aligned with data retention laws.
- Back your processes with clear customer terms, website terms and a suitable Privacy Policy (required for APP entities and recommended for most businesses handling personal information).
- Prepare for incidents with a tested Data Breach Response Plan so you can act quickly and meet notification obligations.
- If you’re unsure, get tailored advice early. Aligning your technical setup, contracts and policies now will save time, cost and risk later.
If you would like a consultation on your business’s payment card info and data compliance, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.