← Back to Payments

Payments

Store Payment Methods as Provider Tokens Never as Raw Card Data

April 3, 2026 8 min read

Raw card data must never touch your servers. Store provider payment method tokens and let the provider handle sensitive data under PCI compliance.

Rule

Payment method storage must exclusively use provider-issued tokens.

Why

Storing raw card data creates PCI DSS scope, legal liability, and catastrophic breach risk.

Must

Never transmit or store raw PANs, CVVs, or full track data.
Use provider tokenization for all card saves.
Confirm user consent before saving a payment method for reuse.
Display only masked card details (last 4 digits, brand) to users.
Allow deletion of saved payment methods.

Should

Support multiple saved payment methods per customer.
Indicate card expiry and prompt for renewal before it lapses.

Anti-patterns

Logging card details in any server-side request log.
Storing CVV for recurring charges.
No explicit consent before saving payment method on first transaction.

Test Cases

Server logs contain no card numbers during checkout.
Expired card prompts user to update before next charge.

Telemetry

payment_method_saved
payment_method_deleted
expired_card_update_prompted