Why You Should Never Write Down Credit Card Information

A Complete Guide for Private and Public Sector Business Owners and Managers | 14 Minute Read
By Dale Erling | 15+ Year Payments Strategist & Compliance Expert | Updated January 2026

Executive Summary

The Risk: Writing down credit card information—on paper, in spreadsheets, or in recorded phone calls—exposes your organization to data breaches averaging $10.22 million in the U.S. (2025). Small businesses face average costs of $3.31 million, and 43% of all cyberattacks specifically target small businesses.

The Compliance Reality: PCI DSS v4.0 replaced v3.2.1 in March 2024, and its remaining future-dated requirements became mandatory on March 31, 2025 (the current published revision is v4.0.1). Non-compliance fines, passed through by your acquiring bank, typically range from $5,000 to $100,000 per month, and persistent non-compliance can cost you the ability to accept card payments entirely.

The Solution: Virtual terminals with tokenization and end-to-end encryption eliminate the need to write, store, or handle raw card data. Implementation can be completed within a single business day.

Action Required: Audit all payment touchpoints, deploy secure alternatives, train staff, destroy existing written records, and establish ongoing compliance controls within 90 days.

Now more than ever, your business must accept payments whenever and however your customer wants to pay. In their well-intentioned efforts to help customers make payments, employees might be putting you and your business at risk—including your PCI compliance.

How? Let’s look at two examples:

  • A staff member takes a phone order and uses a tablet—one they also use for everyday notes—to write down the payment information.
  • An employee has a customer who wants to make a phone payment, and the call is recorded.

Both scenarios create serious vulnerabilities. In the first example, the tablet is a shared, general-purpose device: it may be left unattended in break rooms or on desks, its notes app probably syncs automatically to cloud storage such as iCloud or Google Drive, and whatever disk encryption it has is only as strong as the passcode everyone in the office knows. When payment data lives alongside grocery lists and meeting notes, it becomes nearly impossible to track, secure, or properly dispose of. If the tablet is lost, stolen, or simply opened by another employee, you have a data breach on your hands, and every synced copy of that note is part of it.

The second example is equally dangerous and often overlooked. That recorded call now contains the customer’s full card number spoken aloud, possibly together with their CVV, expiration date, billing address, and other personally identifiable information. A CVV may never be retained after authorization in any form, so a recording that captures it is non-compliant from the moment it is saved. These recordings are typically kept for months or years, accessed by multiple supervisors and quality assurance staff, and rarely encrypted. Some organizations even use speech-to-text software that automatically transcribes recordings, creating written records of card numbers scattered across servers without anyone realizing the compliance risk.

Writing down credit or debit card information on paper creates a physical record susceptible to theft or misplacement. If this information falls into the wrong hands, it could lead to a data breach, exposing your customers’ financial data to unauthorized individuals.

Not only should you never write down credit card data on paper, but you should also not store credit card data onsite. Ever. Not on a computer, not in the customer’s paper file, or anywhere in your office. Period.

The Real Cost of Written Payment Data in 2025

The risks of recording credit card information aren’t theoretical—they come with staggering financial consequences that affect businesses of all sizes.

According to IBM’s 2025 Cost of a Data Breach Report, the average cost of a data breach in the United States reached $10.22 million—an all-time high for any region. For small and medium-sized businesses, the average breach cost is $3.31 million. For many organizations, a single incident means closing the doors permanently.

Cost category                              Financial impact
Average U.S. data breach cost (2025)       $10.22 million
Small/medium business breach cost          $3.31 million
Malicious insider breach cost              $4.92 million
PCI non-compliance penalties (monthly)     $5,000 – $100,000
Merchant cost per $1 of fraud              $3.75

The multiplier effect is particularly damaging: for every dollar lost to fraud, merchants lose $3.75 when you factor in chargebacks, investigation costs, and staff time. A seemingly minor $1,000 fraud incident becomes a $3,750 problem—and that’s before considering the reputational damage.

Small Businesses Are Prime Targets

If you think cybercriminals only go after large corporations, think again. According to Verizon’s research, 43% of all cyberattacks target small businesses, and small businesses represented 46% of all breaches in 2024. Criminals know smaller organizations often have weaker defenses—and written payment records are among the easiest targets.

Securing Phone Payments and Recorded Calls

Since phone payments present such significant risks, your organization needs clear protocols for handling them securely. The sensitive data at stake goes beyond card numbers to include personally identifiable information (PII) such as:

Name, Social Security number, date and place of birth, mother’s maiden name, biometric data, email address, telephone number, IP address, geographical details, and employment information.

Best Practices for Phone Payment Security

To eliminate risk from phone payments entirely, use a virtual terminal or secure payment link instead of recording card numbers in any format. When call recording is required for other business purposes, implement these safeguards:

  • Pause recording during payment capture: Most modern phone systems can automatically pause the recording when the agent opens the payment screen and resume it afterward. Prefer the automated trigger; a manual pause button depends on every agent remembering to press it on every call, and one missed call is a stored card number.
  • Use DTMF masking: Have customers enter card numbers via the phone keypad. A masking gateway intercepts the tones, forwards the digits to the payment platform, and replaces them with a flat tone in the audio the agent hears and the recorder stores. Simply capturing the raw tones is not masking: DTMF is a public standard, and the digits can be decoded from a recording in seconds.
  • Implement secure payment IVR: Transfer customers to an automated system for payment entry, then return them to the agent for confirmation
  • Access control: Restrict access to any recordings to authorized personnel only, using individual accounts so that access can be logged and reviewed
  • File encryption: Secure the content of any recordings containing sensitive data against unauthorized access or interception
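The difference between capturing tones and masking them is easiest to see in code. The following is an added example, not IntelliPay’s code or any vendor’s gateway: it constructs a synthetic 8 kHz mono recording of a caller keying the public Visa test number 4111 1111 1111 1111, recovers the digits with a Goertzel detector (the standard DTMF decoding technique), and then applies what a masking gateway does to the audio it passes on, after which the same detector recovers nothing. The sample rate, tone timings, detection threshold and the 400 Hz replacement beep are assumptions chosen for the illustration.

```python
"""Why 'the tones are captured' is not secure: DTMF decodes from a recording.

Added example, not IntelliPay's code. Builds a constructed 8 kHz mono recording
of a caller keying a public Visa test number, recovers the digits with a
Goertzel detector, then applies what a DTMF-masking gateway does (replace every
tone frame before the audio reaches agent or recorder) and shows the same
detector now recovers nothing. Pure Python, no audio library needed.
"""
import math

SAMPLE_RATE = 8000            # Hz, narrowband telephony (assumption)
TONE_SECONDS = 0.08           # per keypress (assumption)
GAP_SECONDS = 0.04            # silence between keypresses (assumption)

# ITU-T Q.23 keypad: one low (row) frequency plus one high (column) frequency per key
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def synth_dtmf(keys: str) -> list[float]:
    """Constructed recording: each key is a two-tone burst followed by silence."""
    samples: list[float] = []
    for key in keys:
        r = next(i for i, row in enumerate(KEYPAD) if key in row)
        c = KEYPAD[r].index(key)
        for n in range(int(SAMPLE_RATE * TONE_SECONDS)):
            t = n / SAMPLE_RATE
            samples.append(0.5 * math.sin(2 * math.pi * ROW_FREQS[r] * t)
                           + 0.5 * math.sin(2 * math.pi * COL_FREQS[c] * t))
        samples.extend([0.0] * int(SAMPLE_RATE * GAP_SECONDS))
    return samples


def goertzel_power(frame: list[float], freq: float) -> float:
    """Energy at one frequency in a frame (Goertzel algorithm, rectangular window)."""
    k = int(0.5 + len(frame) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _frames(samples: list[float], frame_ms: int):
    n = SAMPLE_RATE * frame_ms // 1000
    for start in range(0, len(samples) - n + 1, n):
        yield start, samples[start:start + n]


def decode_dtmf(samples: list[float], frame_ms: int = 20, threshold: float = 50.0) -> str:
    """Recover keyed digits from audio. A key held across several frames counts once;
    a silent frame ends it, so repeated digits such as '11' are still two keys."""
    keys, last = [], None
    for _start, frame in _frames(samples, frame_ms):
        row_p = [goertzel_power(frame, f) for f in ROW_FREQS]
        col_p = [goertzel_power(frame, f) for f in COL_FREQS]
        r, c = row_p.index(max(row_p)), col_p.index(max(col_p))
        if row_p[r] > threshold and col_p[c] > threshold:
            key = KEYPAD[r][c]
            if key != last:
                keys.append(key)
            last = key
        else:
            last = None
    return "".join(keys)


def mask_dtmf(samples: list[float], frame_ms: int = 20, threshold: float = 50.0) -> list[float]:
    """What a masking gateway does to the audio it passes on: every frame carrying a
    DTMF pair is replaced by a flat 400 Hz beep, so agent and recorder learn that a
    key was pressed but not which one. The digits themselves travel to the payment
    platform on a separate path, which this toy does not model."""
    out = list(samples)
    for start, frame in _frames(samples, frame_ms):
        if (max(goertzel_power(frame, f) for f in ROW_FREQS) > threshold
                and max(goertzel_power(frame, f) for f in COL_FREQS) > threshold):
            out[start:start + len(frame)] = [
                0.3 * math.sin(2 * math.pi * 400 * n / SAMPLE_RATE)
                for n in range(start, start + len(frame))]
    return out


if __name__ == "__main__":
    recording = synth_dtmf("4111111111111111")        # public Visa test PAN
    print("unmasked recording decodes to:", decode_dtmf(recording))
    print("masked recording decodes to:  ", repr(decode_dtmf(mask_dtmf(recording))))
```

The detector is deliberately minimal (no twist or harmonic checks), which is the point: anyone with the recording and a few dozen lines of code gets the card number back. Masking has to happen upstream of the recorder, inside the telephony path, not as a post-processing step on files that already exist.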

Speech-to-Text Considerations

If your business uses speech-to-text conversion software for call transcription, you face additional compliance risks. Transcribed card numbers become written records scattered across your systems. To mitigate this:

  • Exclude payment portions of calls from transcription entirely when possible
  • If transcription cannot be excluded, redact the transcript at the moment it is created, before it is indexed, searched, or copied anywhere else
  • Ensure the original audio and any converted text files are stored in encrypted formats
  • Implement automated redaction tools that detect and mask card numbers in transcripts; a 13 to 19 digit pattern match combined with a Luhn check keeps false positives such as order and phone numbers to a minimum

Legal Requirements: PCI DSS 4.0 Is Now Mandatory

Businesses that handle customer credit card information are legally required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard sets forth specific guidelines on how organizations should secure and protect sensitive cardholder data to prevent unauthorized access and potential data breaches.

PCI DSS v4.0 replaced v3.2.1 on March 31, 2024, and its remaining future-dated requirements became mandatory on March 31, 2025; the current published revision is v4.0.1. This is the most significant update to payment security standards in nearly two decades. Key requirements include:

  • Stored card data rendered unreadable: PAN must be protected wherever it is stored (Requirement 3), strong cryptography is required when it crosses open networks (Requirement 4), and sensitive authentication data such as the CVV may never be retained after authorization in any medium. A handwritten card number cannot be rendered unreadable, and a handwritten CVV is a violation the moment the ink dries.
  • Multi-factor authentication: Required for all access into the cardholder data environment, not only for administrators or remote users.
  • Documented data retention policies: You must define exactly how long you retain sensitive data, why, and how you dispose of it, and you must verify at least quarterly that nothing is kept beyond that period.
  • Annual scope documentation: Organizations must document and confirm, at least every 12 months, all systems, people, and processes that interact with cardholder data, including anyone with access to written payment information.

Adhering to PCI DSS requirements helps ensure that customer credit card information is stored securely and that the risk of fraudulent activities is minimized.

Protect credit card data by never writing down card information.

Businesses can face lawsuits and financial penalties when sensitive data is exposed. Not to mention the risk to your PCI compliance—and your ability to accept credit cards—by violating PCI DSS standards.

Common Misconceptions That Get Organizations in Trouble

“We outsource payment processing, so we’re exempt.” False. Even if you use a third-party processor and never store card numbers yourself, you must still validate compliance every year, normally by completing the Self-Assessment Questionnaire that matches how you take cards (SAQ A for fully outsourced e-commerce, SAQ C-VT for keyed entry into a virtual terminal on an isolated workstation) and keeping the resulting Attestation of Compliance on file for your acquirer.

“PCI is just an IT issue.” PCI DSS 4.0 explicitly addresses people, processes, and technology. Your legal team, compliance officers, and front-line staff all play roles in maintaining compliance.

“We’re too small to be targeted.” Small businesses are targeted precisely because they often have weaker defenses.

Special Considerations for Government and Public Sector

Government agencies, housing authorities, municipal utilities, and public sector organizations face heightened scrutiny when handling payment data. The stakes extend beyond financial loss to public trust and mission integrity.

Federal agencies accepting card payments must comply with PCI DSS requirements in addition to Office of Management and Budget guidelines for Personally Identifiable Information. The Treasury Department’s Card Acquiring Service explicitly requires all participating agencies to maintain full PCI DSS compliance. Non-compliance puts your ability to accept card payments at risk.

As of September 30, 2025, federal agencies were required to transition from paper checks to digital payments. This modernization push is filtering down to state and local governments. Organizations still relying on manual payment recording methods will find themselves increasingly out of step with constituent expectations and regulatory direction.

According to recent studies, 78% of citizens prefer paying government fees online when given the option. Digital payment systems reduce processing costs by an average of 40% while lowering fraud rates by up to 60%.

To Reduce and Eliminate Risk and Safeguard Credit Card Data

Below are common sense dos and don’ts you can use today to safeguard your operations and protect your PCI compliance.

NEVER:

  • Physically write down any credit card information
  • Use an imprint machine to process credit card payments
  • Leave sensitive information unattended on a desk or in any public area
  • Copy the front and back of a credit card
  • Store physical credit card information onsite or in places like Google Drive, Dropbox, etc.
  • Email credit card numbers or store them in unencrypted spreadsheets
  • Keep recorded phone calls containing spoken card numbers without encryption

ALWAYS:

  • Closely supervise all staff and visitors to areas where credit card information could be available
  • Collect only the information you need to complete the transaction
  • Use a fully hosted virtual terminal that encrypts card data upon entry and in transmission for phone payments
  • Have strict credit card handling policies in writing
  • Hold regular credit card handling training with your staff
  • Rely on a reputable payment processor validated as a PCI DSS Level 1 service provider
  • Get customer permission before storing any card data
  • Complete your annual PCI Self-Assessment Questionnaire

Cyber Insurance: What You Need to Know

Cyber insurance has evolved from a nice-to-have to a business necessity, but coverage isn’t automatic and claims aren’t guaranteed.

Nearly 80% of cyber insurance carriers now require multi-factor authentication and documented security controls before issuing coverage. If you suffer a breach while storing handwritten card data in violation of PCI standards, your insurer may deny your claim entirely.

The five core security controls most insurers require are: multi-factor authentication, endpoint detection and response, encrypted offline backups, identity and access management, and a documented incident response plan. Organizations missing any of these may face application denial or significantly higher premiums.

For small businesses, typical recommended coverage ranges from $1 million to $2 million. When evaluating policies, verify coverage for PCI-related fines and assessments, breach notification costs, forensic investigation expenses, and business interruption during incident response.

Use Virtual Terminals

For simplicity, let’s look at virtual terminals. Think of a virtual terminal as an online checkout form in your store or office. Virtual terminals are web-based and allow your staff to accept payments by telephone, mail order, fax, email, or in person. You can have as many virtual terminals as you need. IntelliPay’s One Terminal is a good example of a virtual terminal.

Virtual terminals do not require new software or hardware. Existing desktops, laptops, tablets, smartphones, or POS systems can host a virtual terminal. An in-person transaction would require the installation of an external card reader.

Tokenization and End-to-End Encryption

Transactions on virtual terminals are processed on the payment processor’s secure systems, not yours, using encryption in transit and tokenization so that the card number never comes to rest on your equipment.

For example, when your staff key a customer’s card details into a virtual terminal, the data travels over an encrypted connection straight to the processor, which replaces the account number (PAN) with a randomly generated alphanumeric ID, a token meaningless to everyone except the payment processor.

The processor routes the transaction through the card networks and returns only the token to you, for receipts, refunds, or recurring charges. Because no PAN is ever stored on your systems, a virtual terminal minimizes PCI scope and liability.
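To make the “meaningless to everyone except the payment processor” property concrete, here is an added example, not IntelliPay’s or any processor’s code. TokenVault stands in for the processor-side service that merchants never see. It also shows why the common shortcut of storing a hash of the card number instead of a vault token is not tokenization: the hash can be brute-forced from the public BIN and the last four digits printed on every receipt. The vault structure, token format and merchant IDs are assumptions made for the illustration.

```python
"""A token is worth nothing to a thief; a hashed PAN is not a token.

Added example, not IntelliPay's or any processor's code. TokenVault stands in
for the processor-side token service that the merchant never sees, and the
card number used is the public Visa test PAN.
"""
import hashlib
import secrets
from typing import Optional


class TokenVault:
    """Processor side. Maps random tokens to (merchant, PAN); the merchant only
    ever holds the token string. Token format and merchant IDs are assumptions."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # Random bytes with no mathematical relationship to the PAN. The last four
        # digits are kept in the clear so receipts and refunds stay readable; PCI DSS
        # treats a truncated PAN like that as non-sensitive.
        token = f"tok_{pan[-4:]}_{secrets.token_hex(12)}"
        self._entries[token] = (merchant_id, pan)
        return token

    def charge(self, token: str, merchant_id: str) -> bool:
        """Tokens are bound to the merchant that created them: a token stolen from
        one merchant cannot be replayed by another."""
        owner, _pan = self._entries.get(token, (None, None))
        return owner == merchant_id


def hash_pan(pan: str) -> str:
    """The tempting shortcut: 'just store the SHA-256 of the card number'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest: str, bin6: str, last4: str) -> Optional[str]:
    """Attacker's view of that shortcut. The first six digits (the BIN) are public
    and the last four are on every receipt, so a 16-digit PAN has only six unknown
    digits: at most 10**6 hashes, a second or two in pure Python (a Luhn filter
    would cut the work by another 90%). This is why PCI DSS v4.0 requires any hash
    used to protect a PAN to be a keyed hash, and extra controls wherever a hashed
    and a truncated copy of the same PAN coexist."""
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hash_pan(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"                     # public Visa test number
    vault = TokenVault()
    token = vault.tokenize(pan, "merchant_a")
    print("merchant stores only:", token)
    print("charge by owner:", vault.charge(token, "merchant_a"),
          "| replay by other merchant:", vault.charge(token, "merchant_b"))
    print("hashed PAN recovered:", recover_pan_from_hash(hash_pan(pan), pan[:6], pan[-4:]))
```

The two halves are the whole argument for tokenization in one place: the vault token is random, so nothing about it leads back to the card, and even a token that leaks is scoped to one merchant; the hash looks opaque but is reversible with a trivial search, so a spreadsheet of hashed card numbers is still a spreadsheet of card numbers.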

Simple to Install, Customizable Solutions

Web-based virtual terminals are easy to install and use and offer comprehensive reporting features. They simplify payment management, especially formerly time-consuming reconciliations.

Intelligent payment processing platforms like IntelliPay make it easy to start using virtual terminals. They offer a solution for every need, and all are customizable and easy to install. Customization and set-up are free, and many virtual terminal options can be configured within a single business day.

90-Day Action Plan: Eliminate Written Payment Data

Here’s a practical implementation plan you can execute this quarter:

Weeks 1-2: Audit your current state. Walk through every location where payments are accepted. Check order forms, appointment books, paper receipts, scratch pads near phones, filing cabinets, Excel files, and email folders. Interview staff who handle payments and ask directly: “If a customer reads you their card number, what do you do with it?”

Weeks 3-4: Deploy secure alternatives. Implement virtual terminals for phone payments. For in-person payments, use PCI PTS-approved EMV chip readers with SRED, so that card data is encrypted inside the reader before it reaches any of your equipment. For recurring payments, use payment links or secure customer portals.

Weeks 5-6: Train your team. Security awareness training is a PCI DSS requirement (Requirement 12.6), not an optional extra. Cover what to do when systems are down, how to handle customers who insist on reading card numbers aloud, and what constitutes a reportable incident.

Weeks 7-8: Destroy existing records. Conduct a thorough purge of all existing written payment data. Cross-cut shred physical documents. For electronic files, a secure deletion tool is reliable on spinning disks; on SSDs and cloud drives, where overwriting a file does not reliably erase it, delete the file and rely on full-disk encryption plus the provider’s deletion process. Document everything you destroy, including the method used.

Weeks 9-12: Establish ongoing controls. Create clear written policies prohibiting the recording of card numbers. Post reminders at payment stations. Implement random audits. Include prohibitions in employee handbooks.

Questions Every Business Owner Should Ask

Use these questions to evaluate your current payment security posture:

  • If I walked to every payment station right now, would I find any handwritten card numbers?
  • Do our recorded phone calls include customers speaking their card numbers?
  • Have we completed our annual PCI Self-Assessment Questionnaire?
  • Does our cyber insurance policy cover PCI-related incidents?
  • Who has access to payment data, and have they received security training?
  • What happens if our payment system goes down? Do staff have secure fallback procedures?
  • Do we have a documented incident response plan?

Frequently Asked Questions

Is it illegal to write down credit card numbers?

Writing down a card number is not a crime in itself, but for any business that accepts cards PCI DSS is a contractual obligation imposed through its acquirer, and a handwritten card number is stored cardholder data: it must be physically secured, tracked, and destroyed as soon as it is no longer needed, and a written CVV is never permitted once the transaction has been authorized. Non-compliance can result in fines of $5,000 to $100,000 per month, liability for fraud losses, and termination of your ability to accept credit cards. If a breach occurs due to written records, your organization may also face lawsuits from affected customers.

What is the safest way to take credit card payments over the phone?

The safest method is a virtual terminal: your staff enter the card details directly into a secure, PCI-compliant web interface that sends them over an encrypted connection to the processor, which returns a token. Nothing is written down and no card number is stored on your systems. For recorded calls, pause recording automatically during payment or use DTMF masking, where customers enter digits via the keypad and the tones are intercepted and replaced before they reach the agent or the recording.

How much does a credit card data breach cost a small business?

According to IBM’s 2025 Cost of a Data Breach Report, small and medium-sized businesses face average breach costs of $3.31 million. This includes forensic investigation, customer notification, legal fees, regulatory fines, and lost business. Additionally, for every $1 of fraud, merchants lose $3.75 when factoring in chargebacks and related costs. Many small businesses never recover; one frequently repeated industry estimate puts closures at around 60% within six months of a significant breach, though that figure is an estimate rather than a measured result.

What is PCI DSS and does it apply to my business?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to every organization that accepts, processes, stores, or transmits credit card information, regardless of size or transaction volume. If you accept even one credit card payment, you must comply. Since March 31, 2025, every requirement of version 4.0 (published as v4.0.1) is mandatory, with stricter requirements for protecting stored card data, multi-factor authentication, and documentation.

Can I store credit card numbers in an encrypted spreadsheet or Google Drive?

No. Storing card numbers in spreadsheets, Google Drive, Dropbox, or similar services pulls the file, every account and device that syncs it, and the provider itself into your PCI scope, and a file password or the provider’s default encryption is not the strong cryptography with managed keys that PCI DSS requires for stored PANs. These platforms are not designed for cardholder data storage. The practical compliant approach is to use a PCI-validated payment processor that tokenizes card data so you never store actual card numbers.

Do government agencies have to comply with PCI DSS?

Yes. All federal, state, and local government agencies that accept credit or debit card payments must fully comply with PCI DSS. Federal agencies must also meet Office of Management and Budget (OMB) guidelines for Personally Identifiable Information. The Treasury Department’s Card Acquiring Service requires full PCI compliance from all participating agencies. Non-compliance can result in losing the ability to accept card payments from constituents.

What is tokenization and how does it protect my business?

Tokenization replaces sensitive card data with a randomly generated alphanumeric ID (a “token”) that has no exploitable value if stolen. When a customer’s card number is entered through a virtual terminal, it travels over an encrypted connection to the payment processor, which keeps it in its own vault and hands you back a token; only the token is stored on your side. You can use this token for recurring charges or refunds, but because it is random rather than derived from the card number, it cannot be reversed to obtain the PAN, and a processor token is normally bound to your merchant account so it cannot be replayed elsewhere. This dramatically reduces your PCI compliance scope and liability.

Will my cyber insurance cover a breach if I wrote down card numbers?

Likely not. Most cyber insurance policies require PCI DSS compliance as a condition of coverage. If you suffer a breach while knowingly storing unencrypted card data—including handwritten records—your insurer may deny the claim or significantly reduce payout. Nearly 80% of insurers now require multi-factor authentication, endpoint detection, and documented security controls before issuing policies.

How quickly can I implement a virtual terminal?

Most virtual terminal solutions can be configured within a single business day. They require no new hardware or software—any device with a web browser (desktop, laptop, tablet, or smartphone) can access the terminal. Staff training typically takes less than an hour. The speed of implementation means there is no reason to delay eliminating written payment records from your operations.

What should I do with existing written credit card records?

Destroy them immediately and securely. Physical documents should be cross-cut shredded (strip shredding is insufficient). Electronic files must be permanently deleted, not just moved to trash: secure deletion tools work on spinning disks, but on SSDs and cloud storage overwriting is not reliable, so rely on full-disk encryption and key destruction or the provider’s deletion process instead. Wipe or physically destroy old hard drives before disposal. Document everything you destroy as part of your compliance records. This demonstrates good faith if questions arise later and establishes your commitment to data protection.

About IntelliPay

Since 2011, IntelliPay has offered businesses of all sizes both traditional pricing, in which the merchant absorbs processing costs as a cost of doing business, and cardholder-pays options based on swipe or interchange fees. As a payment processor validated as a PCI DSS Level 1 service provider, IntelliPay helps organizations across private and public sectors eliminate the risks associated with written payment data while reducing processing costs.

To learn more about your virtual terminal options and how to protect your organization from payment data risks, contact IntelliPay today.

Sources

IBM Cost of a Data Breach Report 2025; Federal Trade Commission Consumer Sentinel Network Data 2024; PCI Security Standards Council; Verizon Data Breach Investigations Report 2025; U.S. Treasury Bureau of the Fiscal Service; Government Finance Officers Association.

Last updated: January 2026

Disclaimer

This article is provided for informational and educational purposes only and does not constitute legal, financial, or professional compliance advice. While we strive to provide accurate and up-to-date information, payment security regulations, PCI DSS requirements, and industry standards are subject to change. The statistics and data referenced herein are derived from third-party sources believed to be reliable, but IntelliPay makes no warranties regarding their accuracy or completeness.

Every organization’s compliance obligations depend on its specific circumstances, including transaction volume, payment channels, industry sector, and geographic location. The information provided should not be relied upon as a substitute for consultation with qualified legal counsel, certified PCI Qualified Security Assessors (QSAs), or other professional advisors familiar with your specific situation.

IntelliPay is a PCI DSS Level 1 certified payment processor. However, using IntelliPay’s services does not automatically ensure your organization’s full PCI compliance, as compliance depends on your complete cardholder data environment and business practices. Organizations should conduct their own compliance assessments and consult with qualified professionals to determine their specific obligations.

Neither IntelliPay nor the authors of this content shall be liable for any damages, losses, or consequences arising from decisions made based on the information contained herein. References to specific products, services, or third-party organizations do not constitute endorsements. All trademarks and registered trademarks are the property of their respective owners.