Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a business that takes card payments, it’s only natural to think about saving customers’ card details for faster checkout, subscriptions, or repeat bookings.
But storing card details isn’t just a tech decision - it’s a legal and risk decision, too. When you store (or even access) card details, you’re taking on extra responsibilities around privacy, security, contracts, and customer trust.
In this guide, we’ll walk you through what NZ small businesses need to know, including key legal obligations, common pitfalls, and practical steps to protect your business from day one. (This is general information only, not legal advice.)
What Counts As “Storing Credit Card Details” In Practice?
Before we dive into legal obligations, it helps to get clear on what “storing credit card details” actually means. Many business owners assume they “don’t store cards” because they use an online payment provider - but the reality can be more complicated.
Common Ways Businesses End Up Storing Card Details
You may be storing credit card details (or sensitive payment data) if your business does any of the following:
- Saves a full card number (PAN) anywhere in your systems, including a CRM, spreadsheet, booking tool, or POS notes. The same goes for the three or four digit security code (CVV/CVC), which PCI DSS prohibits keeping after authorisation in any form, even encrypted.
- Keeps card details in emails or messages (e.g. a customer sends a card number by email and you keep it in your inbox).
- Records card details on paper (booking forms, signed authorisations, takeaway dockets) and retains them.
- Stores card data in a third-party platform because you enabled “save card” or “card on file” features.
- Uses recurring billing where your provider stores a tokenised version of the card for future charges.
Tokenisation Vs Storing “Raw” Card Details
Many modern payment systems store a token rather than the raw card details. Tokenisation means your system holds a reference that can charge the card again, without holding the actual card number.
This is usually safer and lower risk than storing raw card data yourself - and it can reduce your PCI DSS exposure. But it doesn’t remove your obligations altogether. If the token (and related account data such as the last four digits and expiry) can be linked to an identifiable customer, it is still personal information, and it still needs to be handled securely and transparently. A token is also still a credential: anyone who can present it to your provider under your account can usually raise a charge, so the API keys and systems that hold tokens need the same protection you would give a password.
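The split between what a provider’s vault holds and what your own records hold is easier to see in code. The following is an added illustration, not code from Sprintlaw or from any real payment provider: the `ProviderVault` class is a hypothetical stand-in for the provider’s API, the PAN is a well-known test number, and the customer ID is made up. It shows that the token is a random handle (not an encrypted or hashed card number), that your own records only ever contain the token plus display data, and that ending a subscription means deleting the token on your side and detaching it at the provider.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed example: a widely published Visa test number, not a real card.
TEST_PAN = "4111111111111111"


class ProviderVault:
    """Hypothetical stand-in for the payment provider's card vault.

    Only this class ever sees the full PAN. The merchant receives an opaque,
    random token that can charge the card again but reveals nothing about it.
    """

    def __init__(self):
        self._cards = {}  # token -> {"pan": ..., "exp": ...}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> dict:
        # A random handle: not an encrypted PAN and not a hash, so there is
        # nothing to decrypt or brute-force back to the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = {"pan": pan, "exp": (exp_month, exp_year)}
        # The merchant gets only what it needs to display and bill.
        return {"token": token, "last4": pan[-4:],
                "exp_month": exp_month, "exp_year": exp_year}

    def charge(self, token: str, amount_cents: int) -> dict:
        # Note: whoever holds a live token can charge it - a token is a credential.
        card = self._cards.get(token)
        if card is None:
            return {"ok": False, "error": "unknown or detached token"}
        return {"ok": True, "amount_cents": amount_cents, "last4": card["pan"][-4:]}

    def detach(self, token: str) -> bool:
        return self._cards.pop(token, None) is not None


@dataclass
class MerchantRecords:
    """What the merchant's own database holds per customer: a token, never a PAN."""
    cards: dict = field(default_factory=dict)  # customer_id -> saved-card dict

    def save_card(self, customer_id: str, saved: dict) -> None:
        self.cards[customer_id] = saved

    def forget_card(self, customer_id: str, vault: ProviderVault) -> bool:
        """Retention rule: drop the token locally AND detach it at the provider."""
        saved = self.cards.pop(customer_id, None)
        return saved is not None and vault.detach(saved["token"])

    def contains_pan_like_data(self) -> bool:
        # Cheap scope check: any 13-19 digit run in stored values is a red flag.
        return re.search(r"\d{13,19}", repr(self.cards)) is not None


def card_on_file_lifecycle(pan: str = TEST_PAN) -> dict:
    """Walk a card through save, charge, and deletion; return what was observed."""
    vault = ProviderVault()
    merchant = MerchantRecords()

    saved = vault.tokenize(pan, 12, 2030)
    merchant.save_card("cust_42", saved)  # constructed customer id

    first = vault.charge(saved["token"], 2500)  # billing uses the token only
    no_pan_in_merchant = not merchant.contains_pan_like_data()
    pan_not_in_token = pan not in saved["token"]

    # Subscription ends: delete locally and detach at the provider.
    forgotten = merchant.forget_card("cust_42", vault)
    after = vault.charge(saved["token"], 2500)

    return {
        "first_charge_ok": first["ok"],
        "no_pan_in_merchant": no_pan_in_merchant,
        "pan_not_in_token": pan_not_in_token,
        "forgotten": forgotten,
        "charge_after_delete_ok": after["ok"],
        "display": f"**** {saved['last4']}",
    }


if __name__ == "__main__":
    print(card_on_file_lifecycle())
```

Two things worth noticing: the merchant record (token, last four digits, expiry, customer ID) is still personal information about an identifiable person, even though no card number is present; and `charge` succeeds for anyone holding a live token, which is why tokens and provider API keys belong in the same access-control and logging regime as any other secret.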
What NZ Laws Apply When You’re Storing Credit Card Details?
New Zealand doesn’t have a single “credit card storage law” for all businesses. Instead, your obligations come from a few key legal frameworks - especially privacy law and consumer protection rules - plus industry standards and contract requirements imposed by banks and payment providers.
The Privacy Act 2020 (And Why It Matters Here)
If you’re storing credit card details (or even payment-related identifiers that can be linked to a person), you’re handling personal information. That means the Privacy Act 2020 is likely to apply.
In plain terms, the Privacy Act requires you to:
- Collect personal information fairly and only when you have a legitimate reason to do so.
- Tell people what you’re collecting and why (and who you might share it with).
- Keep information secure against loss, unauthorised access, or misuse.
- Only keep it for as long as you need it (not “just in case”).
- Give customers access to, and the ability to request correction of, their personal information where applicable (subject to certain exceptions).
If your website or app collects customer details during checkout (even if a payment provider processes the actual card), it’s usually a good idea to have a clear Privacy Policy that matches what you actually do.
Also, if your business is in the health sector (or collects health information as part of bookings or services), the Health Information Privacy Code may apply in addition to the Privacy Act, and you may need to take extra care with how you collect, use, store and disclose information.
The Fair Trading Act 1986 (Don’t Overpromise Security Or “No Storage”)
The Fair Trading Act 1986 is all about misleading or deceptive conduct in trade. If you tell customers you “never store card details” (or imply it), but in reality your systems do store them, that can create risk - even if what’s stored is a token linked to their customer profile.
Similarly, if you claim to be “fully secure” or “hack-proof”, that’s the kind of absolute statement that can come back to bite you if something goes wrong.
A safer approach is to describe your practices accurately in your policies and customer-facing statements - and keep them updated as your tools change.
PCI DSS (Not A Law, But Often A Non-Negotiable Requirement)
If you’re storing credit card details, you’ll almost certainly run into the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS isn’t legislation - it’s an industry standard created by card schemes - but it often becomes legally and commercially important because:
- your bank, merchant facility provider, or payment gateway may require compliance under contract; and
- non-compliance can lead to serious consequences after a breach (including fees, loss of processing privileges, and reputational damage).
Practically, this is why most small businesses choose not to store raw card details themselves, and instead use reputable providers that offer tokenisation and compliant storage.
Do You Actually Need To Store Credit Card Details? (Risk Vs Convenience)
For many small businesses, the best legal and security strategy is simple: don’t store card details unless you genuinely need to.
Storing card details increases your risk profile - and if something goes wrong, customers won’t care whether the breach was caused by a “tech issue” or a “third party”. They’ll remember it was your business they trusted.
When Storing Card Details Might Be Legitimate
There are plenty of legitimate business reasons to keep cards on file, including:
- Recurring subscriptions (weekly/monthly billing)
- Memberships (gyms, clubs, services)
- Bookings with no-show fees (beauty, medical, trades, events)
- Ongoing service retainers (consultants, agencies)
- Payment plans (where instalments are charged automatically)
If those are core to your business model, you can still do it - but it’s worth doing it in the lowest-risk way available (usually tokenisation via a compliant payment provider).
When You Probably Shouldn’t Store Card Details
If the only reason is “it’s convenient” or “we might need it later”, that’s often a red flag. You may be better off:
- sending payment links for each transaction;
- using invoices with online payment options;
- using a checkout flow that lets customers opt into saving a card with your provider.
From a privacy perspective, data minimisation (only collecting what you need) is a strong default position.
How To Store Credit Card Details Lawfully: Key Compliance Steps
Once you’ve decided that storing credit card details (or payment tokens) is necessary for your business, the next step is making sure your processes are legally defensible and commercially sensible.
1) Be Transparent And Get Clear Authorisation For Ongoing Charges
Under NZ privacy law, you won’t always need “consent” as the legal basis to collect and use personal information - but you do need to collect it for a lawful purpose and be clear with customers about what you’re doing.
Separately, if you plan to charge a customer’s card in the future (for subscriptions, deposits, no-show fees, cancellation fees, late fees, or agreed payment plans), you should get clear authorisation and make it meaningful. Customers should understand:
- what you’re storing (e.g. a tokenised card reference rather than the raw card number, if that’s the case);
- why you’re storing it (subscriptions, booking protection, payment plans);
- how it will be used (e.g. when you may charge the card and for what types of fees); and
- how they can remove/update the stored payment method.
Where you’re charging fees like cancellation fees, late fees, or no-show fees, make sure your customer terms clearly explain when a card may be charged. If your business has broader online terms, it may be worth putting the rules in your Website Terms and Conditions so you’re not relying on informal messages or verbal conversations.
2) Only Collect What You Need (And Avoid DIY Storage Methods)
If there’s one practical rule that avoids a lot of legal trouble, it’s this: never store raw card details - and never the security code (CVV/CVC) at all - in a spreadsheet, email inbox, notes app, or CRM free-text field.
These methods are usually not secure enough, often not auditable, and can easily lead to unauthorised access by staff or contractors. They also make it harder to control retention (how long you keep the data) and deletion.
If you need a “card on file” model, consider using tokenisation through a reputable payment provider so your business never touches the raw card number.
3) Build Security Into Your Systems (Not As An Afterthought)
Under the Privacy Act 2020, you’re expected to take reasonable steps to keep personal information secure. What’s “reasonable” depends on your business size, the sensitivity of the data, and the harm that could be caused if it’s misused.
For card-related data, reasonable steps often include:
- Access controls (only staff who need access should have it)
- Multi-factor authentication for systems storing customer information
- Encryption (at rest and in transit, where applicable)
- Logging and monitoring of access to customer records
- Vendor due diligence (choosing reputable providers and confirming security standards)
- Staff training on handling payment details and phishing risks
If you’re working with developers or IT providers to implement these systems, it’s worth getting the legal side right too - including clear contracts around responsibilities, security, and liability. Depending on your setup, a Data Processing Agreement may be relevant where another provider processes personal information on your behalf.
4) Have A Plan For Privacy Breaches
Even well-run businesses can get hit with phishing attempts, credential leaks, or system vulnerabilities. What matters is how you prepare and respond.
Under the Privacy Act 2020, you must notify the Privacy Commissioner (and, in most cases, the affected individuals) as soon as practicable after becoming aware of a privacy breach that has caused, or is likely to cause, serious harm.
Having a documented Data Breach Response Plan helps you move quickly and consistently. It also shows you’re taking your obligations seriously, which can matter when you’re dealing with customers, banks, insurers, or regulators.
5) Set Retention And Deletion Rules (And Actually Follow Them)
Holding onto customer payment details longer than necessary is risky. The longer you keep it, the more likely it is that something will eventually go wrong - and the harder it is to justify why you kept it.
A practical approach is to set internal rules like:
- delete stored payment methods when a subscription ends (unless the customer chooses to keep it on file);
- remove card details after a booking is completed and the dispute window has passed;
- review and purge old customer records on a regular schedule.
If your systems make deletion difficult, that’s usually a sign your process needs improvement. “We didn’t know how to remove it” isn’t a great defence if a breach happens.
Common Mistakes NZ Small Businesses Make (And How To Avoid Them)
Most businesses don’t get into trouble because they’re trying to do the wrong thing. It usually happens because “storing credit card details” is treated as a quick operational fix rather than a compliance issue.
Keeping Card Details In Emails Or DMs
Customers sometimes send card details via email or social media messages. If you keep those messages, you may be storing credit card details without intending to.
It’s a good idea to train staff to:
- ask customers not to send card details by email;
- use secure payment links instead;
- delete messages containing card details as soon as possible (where appropriate and lawful).
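Card numbers that arrive by email, chat message, or a free-text CRM note (the situations described in this section and in the “avoid DIY storage methods” step above) are easiest to find with a scanner that looks for 13 to 19 digit runs and keeps only those that pass the Luhn check every major card scheme uses. The following is an added example written for this page, not a tool from Sprintlaw or from any provider; the sample records are constructed, and the card numbers in them are published test numbers, not real cards.

```python
import re
from typing import Dict, List

# A candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not glued onto a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A security code written next to a label such as "CVC 123" (3 or 4 digits).
SECURITY_CODE_RE = re.compile(
    r"\b(?:cvc|cvv|csc|security code)\D{0,4}(\d{3,4})\b", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Filters out most invoice and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the digit-only card numbers in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_security_codes(text: str) -> List[str]:
    return [m.group(1) for m in SECURITY_CODE_RE.finditer(text)]


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid card number with a marker and its last four digits."""
    def repl(m):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[CARD ****" + digits[-4:] + "]"
        return m.group()
    return CANDIDATE_RE.sub(repl, text)


def scan_records(records: List[str]) -> Dict[int, dict]:
    """Index the records (e.g. CRM notes or mailbox bodies) that contain card data."""
    hits = {}
    for idx, rec in enumerate(records):
        pans = find_pans(rec)
        codes = find_security_codes(rec)
        if pans or codes:
            hits[idx] = {"pans": pans, "security_codes": codes}
    return hits


# Constructed sample records standing in for a mailbox or CRM export.
SAMPLE_RECORDS = [
    "Hi, please charge 4111 1111 1111 1111 exp 12/30 for Friday's booking",
    "Invoice 1234567890123 paid, thanks",          # 13 digits, fails Luhn
    "Card: 5555-5555-5555-4444, CVC 123, name J Smith",
    "Call me on 021 123 4567 re the order",        # too short to be a PAN
]


if __name__ == "__main__":
    for idx, details in scan_records(SAMPLE_RECORDS).items():
        print(idx, details, "->", redact_pans(SAMPLE_RECORDS[idx]))
```

The Luhn check is a filter, not proof: about one in ten random 13 to 19 digit numbers passes it by chance, so flagged records still need a human look before deletion. Run a scanner like this over mailbox and CRM exports on a schedule, and treat every hit as both something to delete and a sign that a staff member needs the “please don’t send card details by email” conversation.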
Using Vague Or Missing Customer Terms
If you charge no-show fees, cancellation fees, or late fees using a stored card, your legal risk increases if your terms aren’t clear.
Clear written terms can reduce disputes, chargebacks, and complaints. For service businesses, it may make sense to document key payment rules in a tailored Service Agreement (especially if you do ongoing or higher-value work).
Assuming Your Provider Handles Everything
Even if a third party stores the card, you may still be responsible for:
- what you tell customers about how their information is used;
- who in your team has access to customer profiles and payment settings;
- how long you keep customer accounts active;
- how you respond to suspected fraud or unauthorised charges.
Think of it like this: outsourcing the technology doesn’t outsource your accountability.
Key Takeaways
- Storing credit card details can include keeping full card numbers, saving card information in emails, retaining paper forms, or enabling “card on file” features through third-party systems.
- The Privacy Act 2020 is a core legal framework here - if card-related data is linked to an identifiable customer, you need to collect it for a proper purpose, be transparent about it, keep it secure, and not retain it longer than necessary.
- The Fair Trading Act 1986 also matters because you must not mislead customers about whether you store card details (including tokens) or how secure your systems are.
- PCI DSS isn’t a law, but it’s often a contractual requirement with banks and payment providers - and it heavily influences what “good practice” looks like.
- If you need cards on file, tokenisation via reputable providers is usually safer than storing raw card details yourself (but it doesn’t eliminate privacy and security responsibilities).
- To reduce legal and commercial risk, make sure you have clear customer terms, meaningful authorisation for future charges, strong security controls, and a documented breach response process.
If you’d like help reviewing your customer terms, setting up privacy compliance, or making sure your card-on-file process is legally solid, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.