Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business takes payments online, over the phone, or by recurring subscription, it’s only a matter of time before you run into this question: can you collect and store customers’ credit card details?
It’s a practical issue (stopping churn, getting paid on time, reducing admin), but it’s also a legal and security issue. If you collect or store credit card details the wrong way, you can expose your customers to fraud, your business to serious reputational damage, and your team to a messy compliance problem.
The good news is you don’t need to be a bank to do this properly. With the right approach, you can set up a payment process that’s convenient for customers, secure, and aligned with New Zealand’s privacy and consumer law expectations.
This article is general information only and isn’t legal advice. Below, we’ll walk through what “credit card details” really means, when you can (and shouldn’t) store them, the privacy and security obligations that apply in New Zealand, and the practical steps small businesses can take to stay compliant.
What “Credit Card Details” Means (And Why It Matters)
“Credit card details” is a broad phrase, and it’s worth being specific because different parts of “card information” carry different risks and compliance requirements.
Depending on how you take payment, you might handle:
- Card number (PAN) – the long number on the front of the card.
- Cardholder name – often treated as personal information when connected to an identifiable customer.
- Expiry date.
- Security code (CVV/CVC) – the 3–4 digit code (this is especially sensitive).
- Billing address and contact details – often collected for verification and fraud prevention.
- Transaction records – amounts, time, reference, and what was purchased.
In most cases, credit card details will be “personal information” under the Privacy Act 2020 because they relate to an identifiable individual. Even if you only store a tokenised reference (rather than the raw card number), you may still be storing personal information if it can be linked back to a customer account.
From a business perspective, the key takeaway is simple: the more sensitive the credit card details you store, the higher the risk and the higher the standard of care you’ll be expected to meet.
Can You Collect And Store Credit Card Details In New Zealand?
Generally, yes - a business can collect and store credit card details in New Zealand if it has a lawful purpose for doing so and it handles that information in a way that meets privacy and security expectations.
But “can” doesn’t always mean “should”. For many small businesses, the safest approach is to avoid storing full credit card details at all and instead use secure payment methods that store them on your behalf.
Common Legitimate Reasons To Store Credit Card Details
Storing credit card details may be justifiable where you need it to run your business, for example:
- Recurring billing (subscriptions, memberships, retainers, instalment plans).
- Stored card for faster checkout (customer convenience).
- Deposits / pre-authorisations (e.g. booking-based services).
- Merchant-initiated transactions (charging later for approved variations or additional usage).
When Storing Credit Card Details Is Risky (Or Usually Not Worth It)
For many businesses, storing full card numbers or security codes introduces risk that outweighs the benefit. In practice, you should treat these as “avoid if possible” scenarios:
- Storing CVV/CVC (even temporarily).
- Keeping card details in spreadsheets, CRMs, email inboxes, or notes apps.
- Recording card details during phone calls without a secure process and strong access controls.
- Using paper forms and filing cabinets without strict handling and destruction procedures.
If your current process involves staff writing down card numbers and entering them later, that’s a sign you should revisit your setup before it becomes a serious issue.
Privacy Act 2020: What Your Business Must Do When Handling Credit Card Details
When you collect or store customers’ credit card details (or any associated personal information), the Privacy Act 2020 matters because it sets expectations around why you collect information, how you store it, and what you do if something goes wrong.
In plain English, you should think about privacy compliance as four practical obligations:
1) Collect Only What You Need
One of the easiest ways to reduce risk is to reduce what you hold. If you don’t truly need to store raw credit card details, don’t.
As a practical checklist, ask:
- Do we need to store the card number, or would a secure token/reference work?
- Can we use a third-party payment system for recurring charges instead?
- Are we collecting extra information “just in case”?
2) Be Clear With Customers About What You’re Doing
If you’re collecting card details for ongoing billing or storing a card for later use, customers should understand:
- what you’re collecting and why
- how it will be stored (at a high level)
- who it may be shared with (e.g. payment providers)
- how long you keep it
- how they can request access/correction of their personal information
This is usually documented through a Privacy Policy and (depending on your model) your checkout terms or subscription terms.
3) Keep It Secure (Reasonable Safeguards)
The Privacy Act expects organisations to protect personal information with reasonable safeguards against loss, unauthorised access, use, modification, or disclosure.
What’s “reasonable” depends on your business and the sensitivity of the information. For card data, the bar is higher because misuse can cause direct financial harm.
“Reasonable safeguards” typically include:
- access controls (need-to-know permissions)
- multi-factor authentication (especially for admin access)
- encryption in transit and at rest (where applicable)
- secure disposal/destruction processes
- staff training and clear procedures
Many businesses formalise these expectations through an Information Security Policy so staff know exactly what’s allowed (and what isn’t).
4) Have A Plan For Privacy Breaches
If your stored card data (or related personal information) is accessed by the wrong person, leaked, or lost, you may have a “privacy breach”. Some privacy breaches can be “notifiable”, meaning you may have to notify affected individuals and the Privacy Commissioner.
Having an incident plan in place before anything happens makes a huge difference in how quickly you can respond. A Data Breach Response Plan helps you set out who does what, how you contain the issue, and how you make notification decisions in a structured way.
Payment Security Standards (PCI DSS) And Merchant Rules: The Extra Layer Many Businesses Miss
In addition to New Zealand privacy law, most businesses that accept cards are also contractually required to follow card scheme rules and the Payment Card Industry Data Security Standard (PCI DSS). These requirements typically flow through your bank (acquirer) and your payment gateway/provider.
In practice, PCI DSS and merchant rules are a major reason why many businesses avoid storing “raw” card data themselves. For example, storing CVV/CVC is generally prohibited (even if you think it’s only for a short time), and storing full card numbers can trigger significant security and compliance obligations.
If you’re unsure what you’re allowed to store (and how), check your merchant agreement and your payment provider’s requirements, and get tailored advice if your process involves phone orders, manual entry, or recurring billing.
How To Collect Credit Card Details Safely (Practical Options For Small Businesses)
The safest way to handle credit card details is usually to structure your process so you never “touch” the raw card data, or you minimise the time and systems that come into contact with it.
Here are common collection methods, from lowest to highest risk.
Option 1: Use A Hosted Payment Page (Preferred For Many Businesses)
In this model, your customer enters their credit card details into a secure payment page hosted by a payment provider, and your business receives confirmation of payment (and sometimes a stored token for future charges).
Why businesses like this approach:
- your systems don’t store raw card details
- the security burden is significantly reduced
- it’s usually easier to implement and scale
This is a common setup for eCommerce stores, bookings, and subscription businesses.
Option 2: Tokenisation For Recurring Billing
Tokenisation means the card details are exchanged for a “token” (a reference value). Your business stores the token, not the actual card number. The payment provider uses the token to process future payments.
Tokenisation can be a strong approach if you genuinely need “card on file” functionality, but you want to avoid storing raw card numbers.
Option 3: Phone Payments (Higher Risk If You Don’t Have A Process)
Taking card details over the phone is common in service businesses. The risk is that details can end up in notes, emails, call recordings, or shared systems.
If you take payment by phone, aim for a setup where:
- staff enter details directly into a secure virtual terminal (not written down first)
- calls are not recorded where card data could be captured (or recording is paused at the right time)
- staff are trained on what they must never store (especially CVV)
If you do record calls for training or quality assurance, you should be careful about how that intersects with privacy obligations and payment security rules. (This is one of those areas where getting tailored advice is worth it.)
Option 4: Collecting Details Via Forms, Email Or Messages (Usually A Bad Idea)
As a general rule, you should avoid collecting credit card details via email, social messages, or standard online forms unless you have specialist secure handling in place.
Even if you have good intentions, these channels are difficult to secure properly and easy to mishandle, especially as your team grows.
How To Store Credit Card Details Securely (If You Really Need To)
Sometimes, despite best efforts, you may still need to store some form of credit card details (or card-related information) to run your operations. If that’s your situation, focus on two principles:
- minimise what you store (store the least sensitive form possible)
- control access and retention (only the right people, only for as long as needed)
1) Avoid Storing Full Card Numbers Where Possible
For many small businesses, the practical “compliance win” is to store:
- a token (from a payment provider)
- the last 4 digits (for reference)
- expiry month/year (where needed for customer service)
This can give you enough information to manage accounts and customer support without holding full credit card details.
2) Never Store CVV/CVC
The CVV/CVC is meant to be used for verification during a transaction, not stored. Storing it creates significant security risk and is commonly prohibited under PCI DSS and payment network (card scheme) rules.
If your process currently involves keeping CVVs “for later”, that’s a red flag to fix immediately.
3) Set Strong Access Controls (And Actually Enforce Them)
Ask yourself:
- Who in our business truly needs access to stored payment information?
- Can we restrict access by role (e.g. finance only)?
- Do we have a process for removing access when staff leave or change roles?
It’s also smart to keep an audit trail of who accessed what and when, particularly if you store any sensitive information.
4) Decide Where It Lives (And Keep It Out Of “Everyday” Tools)
Storing credit card details in general business tools (like shared drives, email inboxes, project management tools, or your CRM notes field) is one of the most common ways things go wrong.
If storage is unavoidable, it should be in a purpose-built secure system with appropriate encryption and controls. In practice, many small businesses choose to avoid direct storage entirely and instead rely on tokenisation.
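The three points above (keep only a token, last 4 and expiry; never hold a CVV; keep card data out of everyday tools such as CRM notes) can be enforced in code rather than left to good intentions. The example below is added here and is not code from Sprintlaw or from any payment provider: it scans free-text notes for Luhn-valid card numbers and redacts them, strips labelled security codes, and reduces a provider response to the minimal record the article recommends. The sample note, the field names and the token value are constructed for illustration.

```python
import re

# Constructed sample note; the card number is a well-known test PAN, not a real card.
SAMPLE_NOTE = "Customer called: card 4111 1111 1111 1111 exp 12/27 cvv 123, charge $50 next week"

# Runs of 13-19 digits, optionally separated by spaces or hyphens (how PANs appear in notes).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit security code written next to a "cvv"/"cvc"/"csc" label.
CVV_RE = re.compile(r"\b(cvv|cvc|csc)\s*:?\s*\d{3,4}\b", re.IGNORECASE)
# The only card-related fields a customer record should retain (assumed field names).
ALLOWED_FIELDS = {"token", "last4", "exp_month", "exp_year"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most phone and order numbers out of PAN matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in free text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def redact(text: str) -> str:
    """Replace card numbers with ****last4 and remove labelled security codes."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "****" + digits[-4:] if luhn_ok(digits) else m.group()
    text = PAN_RE.sub(_mask, text)
    return CVV_RE.sub(lambda m: m.group(1) + " [removed]", text)

def minimal_card_record(provider_response: dict) -> dict:
    """Keep only token, last4 and expiry; refuse to proceed if a CVV is present."""
    if any(k.lower() in ("cvv", "cvc", "csc") for k in provider_response):
        # A security code reaching this point means the collection process is wrong.
        raise ValueError("security code present: this must never reach storage")
    return {k: v for k, v in provider_response.items() if k in ALLOWED_FIELDS}
```

Running `redact` over notes before they are saved, and `find_pans` over existing notes fields, gives a simple check that everyday tools are not quietly accumulating full card numbers.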
5) Have A Retention And Deletion Process
A simple but often-missed step is having clear rules for:
- how long you keep stored card tokens or payment authorisations
- when you delete customer payment details (e.g. after cancellation)
- what happens when a customer requests deletion (where applicable)
This is not just about privacy; it’s also about reducing the “blast radius” if something ever goes wrong.
Overseas Processing: Using Payment Providers That Store Or Process Data Offshore
Many payment gateways and platforms store or process payment information (and related personal information) on servers located outside New Zealand. If you use a third-party provider, it’s worth confirming where data is processed and making sure your customer-facing privacy disclosures match what actually happens in your setup.
Practically, this is usually handled by choosing a reputable provider, reviewing its terms and security materials, and ensuring your Privacy Policy is up to date.
What To Put In Your Customer Terms, Privacy Documents, And Internal Policies
Collecting and storing credit card details isn’t just a technical setup - it’s also something you should clearly document so customers understand the arrangement and your team follows a consistent process.
Your Customer-Facing Terms
If you’re taking ongoing payments, pre-authorisations, deposits, or subscription charges, your terms should be clear about:
- when you can charge the stored card (and for what)
- how customers cancel or update details
- refund rules and any fees (where applicable)
- what happens if payment fails
- how disputes are handled
Depending on how you sell, this might be covered in your Website Terms And Conditions or your E-Commerce Terms And Conditions.
If you provide services to business customers (or you have more complex payment milestones), you may also want those payment rules embedded in a tailored Service Agreement so there’s no confusion about authority to charge and timing.
Your Privacy Disclosures
Your privacy documentation should match what you actually do. If customers can save a card for later, or you use payment providers that process data offshore, make sure that’s reflected in your Privacy Policy and any collection notices you use at checkout or sign-up.
This is also where you can set expectations about fraud prevention and verification checks (without oversharing security details).
Your Internal “Do’s And Don’ts” For Staff
Many small businesses have privacy issues not because the owner doesn’t care, but because staff are trying to be helpful and take shortcuts (“Just email me your card number and I’ll run it later”).
To prevent that, your internal policy and training should clearly spell out:
- approved payment channels only (and what’s not allowed)
- never writing down card numbers or storing CVV
- how to handle phone payments
- how to recognise suspicious requests and social engineering
- what to do immediately if information is sent to the wrong place
This is where an Information Security Policy becomes a practical day-to-day tool, not just a document you file away.
Key Takeaways
- “Credit card details” can include card numbers, expiry dates, CVV, billing details and transaction records - and much of it will be personal information under the Privacy Act 2020.
- You can collect and store credit card details in New Zealand if there’s a genuine business purpose, but for many small businesses it’s safer to avoid storing full card data and use tokenised or hosted payment solutions instead.
- If you handle credit card details, you should collect only what you need, be transparent with customers, protect the data with reasonable safeguards, and have a breach plan ready in case something goes wrong.
- As a practical rule: don’t store CVV/CVC, don’t keep card details in emails/spreadsheets/notes, and restrict access to any stored payment information to people who truly need it.
- Alongside privacy law, most businesses also need to comply with PCI DSS and card scheme/merchant rules, which often make storing raw card data (especially CVV) a high-risk option.
- Your customer terms should clearly explain how payments work (especially recurring billing and authority to charge), and your privacy and security documents should reflect your real process and systems (including any overseas processing by payment providers).
- If you’re unsure whether your current process is compliant (especially for phone payments, stored cards, or recurring billing), getting tailored advice early can save you serious headaches later.
If you’d like help setting up the right customer terms, privacy documents, and internal processes for handling credit card details, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.