24/7 Support: 800.608.6482

Get Started

Reference Guide

Appendix 1: Best Practices for Managing Credit Card Data

A portion of the PCI-DSS (Payment Card Industry Data Security Standard) relates to encrypting your payment data. In most cases you are required to meet these standards, although they are also considered best practices:

  • Enable encryption in your store. After you enable encryption, payment information on new orders will be encrypted.
  • Encrypt existing payment information. If you have existing orders with unencrypted payment information, you have to encrypt the payment information on those orders.
  • Delete payment information from orders. PCI has several requirements for when you should delete payment information:
    • It is never acceptable to keep unencrypted credit card numbers in your database, even temporarily.
    • You should not keep credit card data longer than you need to. For example, the PCI standards let you keep credit card information to cover your return policy, or if you sell custom products that may be paid for in installments. However, you should delete credit card information when you no longer need it to process or refund an order.
    • Under no circumstances should you store payment information in your database for more than 1 year.
    • You may never store the entire stripe data (which includes the CVV code) even if it’s encrypted.

Looking for Developer Docs?

We have a whole section for that, including: Developer Training Series, Template Language docs, Module Development tutorials and much, much more.

Head to the Developer Section

This website uses cookies to identify visitors, track visitors to our website, store login session information and to remember your user preferences. By continuing to use this site you agree to our use of cookies. Learn More.

This website uses cookies. By continuing to use this site you agree to our use of cookies. Learn More.


Copyright © 1997 – 2019 Miva©, Miva Merchant©, MivaPay©, MivaCon© Miva, Inc. All Rights Reserved.