Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, taking card payments can feel like a no-brainer. It's fast, it's convenient, and your customers expect it.
But the moment you collect, use, store or even see credit card information, you're stepping into a compliance zone that's part privacy law, part cybersecurity hygiene, and part "please don't let this become tomorrow's headline".
The good news is that you don't need to be a tech expert to get this right. You just need a clear plan, good systems, and the right documents in place from day one.
Below, we'll break down what credit card information is, how privacy law in New Zealand applies, and what practical steps you should take to stay compliant (and protect your customers and your business).
What Counts As Credit Card Information (And Why It Matters)
"Credit card information" isn't just the card number typed into a checkout screen. In practice, there are a few different categories of data that can trigger privacy, security and operational risks.
Common Types Of Credit Card Information
- Primary account number (PAN): the long card number on the front of the card.
- Cardholder name: the name printed on the card (often collected during online checkout).
- Expiry date: the month/year the card expires.
- Security code (CVV/CVC): the extra verification digits (usually on the back of the card).
- Billing address: sometimes collected for verification or invoicing (often personal information).
- Receipts and transaction records: can include partial card details and customer identifiers.
Even if you never store the full card number, you might still handle information that can identify a person (like name, email address, order history, and partial card details). That combination can still be sensitive from a privacy and security perspective.
Personal Information vs "Payment Data"
Under the Privacy Act 2020, "personal information" is information about an identifiable individual. Credit card information often is personal information (either on its own, or when combined with other data you hold).
That means your obligations aren't only about preventing fraud. They're also about how you collect, use, disclose, store, and give access to the information you hold about your customers.
A Quick Reality Check: You Might Handle Credit Card Information Without Meaning To
Some common "accidental" ways small businesses end up handling credit card information include:
- Customers emailing card details to "pay the invoice".
- Staff writing card details on paper or saving them in job notes.
- Taking card details over the phone and entering them into a system later.
- Using a booking form that asks for card details without strong security controls.
Even if your intentions are good, these practices can create major risk. A safer approach is to design your payment process so you don't receive or store card details at all (more on this below).
Which New Zealand Laws Apply When You Handle Credit Card Information?
When you deal with credit card information, there isn't a single "credit card information law" in New Zealand. Instead, your obligations usually come from a mix of privacy law, consumer law expectations, and (depending on what happens) cybercrime and reporting obligations.
Privacy Act 2020 (Core Privacy Obligations)
The Privacy Act 2020 is the big one for most SMEs. It sets out information privacy principles that affect your business if you collect or hold personal information.
In a credit card context, key expectations include:
- Collect only what you need: don't collect card details "just in case" if you can avoid it.
- Be transparent: customers should understand what you collect and why (this usually sits in your Privacy Policy).
- Keep it secure: you must take reasonable steps to protect personal information from loss, misuse, or unauthorised access.
- Limit use and disclosure: don't share customer info unless it's for the purpose you collected it for, or you have another lawful basis.
- Allow access and correction: customers can request access to the personal information you hold about them and ask for corrections.
What's "reasonable" security depends on your business, but when payment data is involved, the bar tends to be higher because the harm from a breach can be significant.
Notifiable Privacy Breaches (Mandatory Reporting In Some Cases)
If your business has a privacy breach that causes, or is likely to cause, serious harm, you may need to notify:
- the affected individuals; and
- the Office of the Privacy Commissioner.
Credit card information exposure is one of the scenarios that can quickly become "serious harm", particularly if the breach could lead to financial loss or identity fraud.
This is why it's worth having a plan ready to go, like a Data breach response plan, rather than scrambling after something happens.
Fair Trading Act 1986 (Be Careful What You Promise Customers)
If you make claims about how secure your checkout is, how you store information, or how you handle refunds and disputes, those statements need to be accurate. Under the Fair Trading Act 1986, misleading or deceptive conduct can create legal risk.
For example, if your website says "we never store card details" but you actually keep them in email inboxes or spreadsheets, that mismatch can create issues (even before you get to the breach itself).
Industry Standards (Not Law, But Often Required)
Many payment systems operate under industry security standards for card data (for example, PCI DSS), usually imposed contractually through your payment provider, your acquiring bank, or your e-commerce platform. While these standards aren't usually "law", failing to follow them can still lead to:
- loss of payment processing privileges;
- chargebacks and disputes;
- contractual penalties; and
- major commercial fallout if a breach occurs.
As a small business, your easiest compliance win is usually to reduce your exposure by using payment flows where you don't store or handle card details directly.
How To Handle Credit Card Information Safely: A Practical Compliance Checklist
When you're busy running a business, compliance needs to be practical. Here's a checklist approach that covers the key risk areas.
1. Design Your Payment Process To Avoid Storing Card Details
The safest approach is usually to avoid storing credit card information at all.
Practical ways to do that include:
- Using hosted payment pages or secure payment links.
- Using a reputable point-of-sale terminal for in-person payments.
- Using an online checkout where your system doesn't retain card numbers or security codes.
If customers are sending card details by email or text, you should stop that practice and redirect them to a secure payment method.
2. Never Store Security Codes
As a general rule, you should not store CVV/CVC security codes. If your team is writing these down or saving screenshots, treat that as a "red flag" practice and fix it immediately.
3. Lock Down Access Internally
If staff can access customer records, bookings, invoices, or order notes, think about what credit card information might be sitting inside those systems.
Reasonable internal security steps often include:
- unique logins for each staff member (no shared accounts);
- multi-factor authentication where possible;
- role-based access (staff only see what they need to do their job);
- policies on not recording card details in free-text notes;
- staff training (especially frontline staff taking bookings and payments).
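To make steps 1 to 3 concrete, here is an added example in Python (not Sprintlaw's code and not any payment provider's API) of the kind of guard a business's own system can apply. It assumes the payment provider or hosted page hands back a token plus non-sensitive display data, and it enforces two things: the only fields your database accepts are that token and display data (a full card number or a security code in any field is refused), and free-text fields such as job notes or CRM comments are scanned for digit runs that pass the Luhn check so a pasted card number can be flagged and masked before it is saved. The field names, the token format and the sample note are assumptions; the card number in the sample is a widely used test number, not a real account.

```python
"""Guard for what a small business's own systems may keep about a card payment.

Added example, not code from Sprintlaw or from any payment provider. It models
the flow the checklist above recommends: the provider (or hosted payment page)
returns a token plus non-sensitive display data, and the business's own database
stores only that. Two checks are shown:
  1. validate_payment_record() refuses a record carrying a full card number
     (PAN) or a security code (CVV/CVC), or a PAN hidden inside a text field.
  2. find_card_numbers_in_text() scans free text (job notes, CRM comments,
     pasted emails) for digit runs that pass the Luhn check, so stray card
     details can be flagged and redacted before they are saved.
Field names, the token format and the sample inputs are assumptions.
"""
import re

# Fields a business system may keep after a provider-hosted payment (assumed names).
ALLOWED_FIELDS = {"provider_token", "card_brand", "last4",
                  "expiry_month", "expiry_year", "amount_nzd"}
# Fields that must never reach your own storage.
FORBIDDEN_FIELDS = {"pan", "card_number", "cvv", "cvc", "security_code"}

# 13 to 19 digits, optionally separated by spaces or dashes, as people type them into notes.
_PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding 10..18 to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(run: str) -> str:
    return re.sub(r"[ -]", "", run)


def find_card_numbers_in_text(text: str) -> list[str]:
    """Return digit runs in free text that look like real card numbers.

    The Luhn check filters out most order references and phone numbers of a
    similar length; a random 13-19 digit run passes it only about 1 time in 10.
    """
    return [_digits_only(m.group(0)) for m in _PAN_PATTERN.finditer(text)
            if luhn_ok(_digits_only(m.group(0)))]


def redact_card_numbers(text: str) -> str:
    """Replace detected card numbers with a mask that keeps only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        return f"[CARD ****{digits[-4:]}]" if luhn_ok(digits) else m.group(0)
    return _PAN_PATTERN.sub(_mask, text)


def validate_payment_record(record: dict) -> list[str]:
    """Return the reasons a record must not be stored (an empty list means it is safe)."""
    problems = []
    forbidden = FORBIDDEN_FIELDS & set(record)
    if forbidden:
        problems.append(f"forbidden card data fields present: {sorted(forbidden)}")
    unknown = set(record) - ALLOWED_FIELDS - FORBIDDEN_FIELDS
    if unknown:
        problems.append(f"unexpected fields (not in the allow-list): {sorted(unknown)}")
    last4 = str(record.get("last4", ""))
    if not (len(last4) == 4 and last4.isdigit()):
        problems.append("last4 must be exactly four digits")
    # Catch a full PAN smuggled into any string value, e.g. pasted into the token field.
    for key, value in record.items():
        if isinstance(value, str) and find_card_numbers_in_text(value):
            problems.append(f"field {key!r} contains a card-number-like value")
    return problems


def persist_payment_record(record: dict, store: list) -> None:
    """Append the record to `store` (a stand-in for your database) only if it validates."""
    problems = validate_payment_record(record)
    if problems:
        raise ValueError("; ".join(problems))
    store.append(dict(record))


# Constructed sample data; the card number is a well-known test number, not a real account.
SAFE_RECORD = {"provider_token": "tok_example_abc123", "card_brand": "visa", "last4": "1111",
               "expiry_month": 3, "expiry_year": 2027, "amount_nzd": 49.90}
SAMPLE_NOTE = ("Customer called, paid with 4111 1111 1111 1111 exp 03/27, "
               "order ref 1234567890123")

if __name__ == "__main__":
    db: list = []
    persist_payment_record(SAFE_RECORD, db)
    print("stored:", db[0])
    print("found in note:", find_card_numbers_in_text(SAMPLE_NOTE))
    print("redacted note:", redact_card_numbers(SAMPLE_NOTE))
    print("problems with a record carrying a CVV:",
          validate_payment_record({**SAFE_RECORD, "cvv": "123"}))
```

The allow-list is deliberate: rejecting only known-bad field names would let a new field slip through, whereas a record is stored only if every field is one you have decided is safe to hold. The 13-digit order reference in the sample note is caught by the pattern but rejected by the Luhn check, which is what keeps the scanner usable on real notes.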
4. Make Sure Your Website And Checkout Are Properly Set Up
Online businesses should also think about the legal and operational foundations of the website itself, including clear customer-facing terms.
Depending on how you sell, you might need:
- E-commerce terms and conditions that reflect your delivery, returns, subscriptions, and payment processes; and
- Website terms and conditions to set rules around site use and limit certain risks.
These documents won't replace technical security, but they do help you set expectations and reduce disputes if something goes wrong.
5. Have A Data Retention Routine (Delete What You Don't Need)
A simple but often overlooked step: don't keep data forever.
If you have old customer records, email chains with payment discussions, or archived invoices, decide:
- what you actually need to keep (for tax, accounting, disputes, warranties);
- how long you'll keep it; and
- how you'll delete or anonymise it securely.
The less sensitive information you hold, the less you have to protect (and the less you can accidentally expose).
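As an added example of the retention routine in step 5 (example code written here, not Sprintlaw's), the script below applies a retention table to a batch of records and decides what to do with each one today: keep it, anonymise it (strip the identifying fields but keep the figures still needed for accounting), or delete it. Records in a category the table does not recognise go to manual review rather than being silently kept or deleted. The categories, retention periods, field names and sample records are all assumptions made for the example and are not advice on how long any particular record must be kept.

```python
"""Retention sweep for customer and payment records.

Added example, not Sprintlaw's code. Applies a retention table to a batch of
records and returns, for each one, the action to take today: keep, anonymise
(strip identifying fields, keep the figures needed for accounting) or delete.
Unknown categories are routed to manual review. The categories, periods, field
names and sample records are assumptions for the example only.
"""
from datetime import date, timedelta

# Retention rules per record category. "after" is what happens once the period expires.
# The periods are placeholder values; set them from your own tax, accounting and
# dispute obligations.
RETENTION_RULES = {
    "invoice":       {"days": 7 * 365, "after": "anonymise"},  # totals still needed, identity not
    "order_note":    {"days": 90,      "after": "delete"},     # free text: where stray card details end up
    "payment_email": {"days": 30,      "after": "delete"},     # email chains that discussed payment
    "dispute":       {"days": 2 * 365, "after": "delete"},
}

# Fields that identify the customer or the card; removed when a record is anonymised.
IDENTIFYING_FIELDS = {"customer_name", "email", "address", "last4", "text"}


def retention_action(record: dict, today: date) -> str:
    """Return 'keep', 'anonymise', 'delete' or 'review' for one record."""
    rule = RETENTION_RULES.get(record["category"])
    if rule is None:
        return "review"  # unknown category: a person decides, nothing is auto-deleted
    expires = record["created"] + timedelta(days=rule["days"])
    return "keep" if today < expires else rule["after"]


def anonymise(record: dict) -> dict:
    """Copy of the record with identifying fields removed and a marker added."""
    kept = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    kept["anonymised"] = True
    return kept


def run_retention_sweep(records: list, today: date) -> dict:
    """Sort records into action buckets; deletions and reviews are reported by id."""
    result = {"kept": [], "anonymised": [], "deleted": [], "review": []}
    for record in records:
        action = retention_action(record, today)
        if action == "keep":
            result["kept"].append(record)
        elif action == "anonymise":
            result["anonymised"].append(anonymise(record))
        elif action == "delete":
            result["deleted"].append(record["id"])
        else:
            result["review"].append(record["id"])
    return result


# Constructed sample records; dates are chosen relative to the fixed sweep date below.
SAMPLE_RECORDS = [
    {"id": 1, "category": "invoice", "created": date(2017, 5, 1), "customer_name": "A. Customer",
     "email": "a.customer@example.com", "last4": "1111", "amount_nzd": 120.0},
    {"id": 2, "category": "invoice", "created": date(2024, 1, 15), "customer_name": "B. Customer",
     "email": "b.customer@example.com", "last4": "4242", "amount_nzd": 80.0},
    {"id": 3, "category": "order_note", "created": date(2025, 1, 10),
     "text": "Customer will pay by card on pickup"},
    {"id": 4, "category": "payment_email", "created": date(2025, 5, 20),
     "text": "Invoice 2031 paid via the payment link"},
    {"id": 5, "category": "card_screenshot", "created": date(2020, 1, 1),
     "path": "/shared/IMG_0042.png"},
]
SWEEP_DATE = date(2025, 6, 1)

if __name__ == "__main__":
    summary = run_retention_sweep(SAMPLE_RECORDS, SWEEP_DATE)
    for bucket, items in summary.items():
        print(f"{bucket}: {items}")
```

Running it on the sample data keeps the recent invoice and the fresh payment email, anonymises the 2017 invoice (the amount survives, the name, email and last four digits do not), deletes the stale order note, and sends the unclassified screenshot to review so that someone decides whether it should exist at all.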
Working With Payment Providers And Other Third Parties (You're Still Responsible)
Most small businesses use third parties for payments, e-commerce, bookings, invoicing, CRM, and customer support. That's normal.
But from a privacy perspective, using a third party doesn't mean you can "outsource" responsibility completely.
Know Who Is Handling The Credit Card Information
Map your payment flow. For example:
- Does the customer enter card details into your website, or a hosted payment page?
- Does your team ever see the card number?
- Do you receive a token (a reference) instead of the card number?
- Where do receipts and transaction logs get stored?
This helps you work out what your business actually "holds" and what security obligations are realistic for you.
Use Appropriate Contracts When Vendors Process Data For You
If you use suppliers who process personal information on your behalf (for example, handling customer records or payments as part of a platform), it's often worth putting the right contract terms in place.
Depending on the setup, a Data processing agreement can help clarify:
- what data the vendor can access;
- what security measures they must maintain;
- breach notification timeframes;
- subcontracting rules;
- where data is stored (including overseas hosting); and
- what happens when you stop using the service (deletion/return of data).
This is especially useful as you grow, start integrating systems, or handle higher volumes of customer information.
Overseas Storage And Transfers
It's common for business tools to host data offshore. If you disclose personal information to an overseas recipient, New Zealand's Privacy Act has specific rules you may need to meet (for example, taking steps to ensure the recipient is subject to comparable privacy safeguards, or relying on another permitted basis).
In practice, that means you should be clear (internally and in your privacy disclosures) about where information may go and what safeguards exist.
If you're unsure whether your current setup is "reasonable", it's worth getting tailored Privacy advice so you can tighten the gaps before a problem arises.
What Policies And Legal Documents Should You Have In Place?
Strong privacy compliance isn't just about what your systems do. It's also about what you tell customers, what you instruct your team to do, and what your contracts say.
Privacy Policy (Customer-Facing Transparency)
If you collect personal information online (and most businesses do), you should have a clear Privacy Policy that explains, in plain language:
- what personal information you collect (including transaction and billing information);
- how you collect it (website forms, checkout, phone, email);
- why you collect it (processing payments, fulfilment, support, fraud prevention);
- who you disclose it to (payment processors, booking platforms, couriers, accountants);
- how you keep information secure (high-level, without giving attackers a roadmap);
- how customers can request access/correction; and
- how customers can complain.
One common mistake is copying a privacy policy template that doesn't match your actual business practices. If your policy says one thing and your systems do another, that mismatch can create legal and trust issues.
Website/E-Commerce Terms (Reducing Disputes Around Payments)
Your customer terms can help clarify payment-related issues like:
- when payment is taken (immediately, on dispatch, on completion);
- pre-authorisations and deposits (if applicable);
- refund processing timeframes;
- cancellations and chargebacks;
- what happens if an order can't be fulfilled.
For many online sellers, properly drafted E-commerce terms and conditions make a real difference in how smoothly payment disputes are resolved.
Internal Policies (So Your Team Doesn't Accidentally Create Risk)
Most "credit card information problems" happen in day-to-day operations, not in dramatic hacker-movie scenarios.
Consider putting simple internal rules in place, such as:
- Do not accept card details by email, SMS, or chat.
- Do not record card details in booking notes or CRMs.
- Do not store photos/scans of cards.
- Escalate suspicious payment activity to a manager.
- Follow the breach response plan if information is accidentally disclosed.
If you operate an online platform where users or staff interact with systems (for example, accounts, uploads, user-generated content), having an Acceptable Use Policy can also help set clear boundaries around misuse and security expectations.
What To Do If Something Goes Wrong (And Why A Plan Matters)
Even with strong processes, mistakes can happen. A staff member might receive a customer email containing card details. A laptop might be lost. An admin account might be compromised.
What matters is how quickly you can contain the issue and respond appropriately.
Examples Of "Credit Card Information" Incidents
- A customer accidentally emails their full card number and CVV, and it sits in an inbox accessible to multiple staff.
- Your website form collects card details but stores them in plain text in your database.
- Someone gains access to your admin panel and downloads customer order history (which includes partial card details and addresses).
- A staff member records card details in a spreadsheet that gets shared or synced to a personal device.
Immediate Steps To Take
While every situation is different, a sensible first response often includes:
- Contain: stop the unauthorised access or disclosure (disable accounts, remove access links, take systems offline if needed).
- Assess: what information was involved, how many people are affected, and the likelihood of misuse.
- Document: record what happened and what you did in response.
- Notify (if required): consider whether the breach is notifiable under the Privacy Act 2020.
- Prevent repeat: patch the process gap that caused the incident.
This is much easier if you've already prepared a Data breach response plan and your team knows where to find it.
When Should You Get Legal Help?
If you suspect a serious breach, if customers are impacted, or if you're unsure whether notification is required, it's worth getting legal advice early. The way you communicate with customers and regulators can affect both legal risk and customer trust.
Key Takeaways
- Credit card information can include card numbers, expiry dates, cardholder names, security codes, and transaction records, and it often overlaps with "personal information" under the Privacy Act 2020.
- Your business should design payment processes to minimise exposure, ideally so you don't store or directly handle credit card information at all.
- The Privacy Act 2020 requires you to take reasonable steps to protect personal information, and some privacy breaches must be reported if they are likely to cause serious harm.
- Internal processes matter: many risks come from everyday practices like accepting card details by email, recording them in notes, or allowing broad staff access to customer records.
- Having the right legal foundations (like a clear Privacy Policy and properly drafted customer terms) helps you stay transparent with customers and reduce disputes around payments.
- If third parties process customer data for you, putting the right contractual safeguards in place (like a Data processing agreement) can significantly reduce compliance and breach risk.
- A prepared incident response process (like a Data breach response plan) makes it much easier to respond quickly and appropriately if something goes wrong.
If you'd like help reviewing how your business collects and protects credit card information, or you want your privacy and website documents set up properly, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.