Credit Card Information Form Template for England and Wales


What is a Credit Card Information Form?

A credit card information form collects the card details needed to process a payment or establish a payment authorisation in England and Wales. Handling cardholder data triggers obligations under UK GDPR and the Data Protection Act 2018, and the contractual requirements of the Payment Card Industry Data Security Standard (PCI DSS), which the card schemes impose on merchants through their acquiring bank. The form must include a privacy notice explaining the purpose and legal basis for collecting card data, and organisations must implement technical safeguards (tokenisation, access controls, and secure destruction) to meet both regulatory and card-scheme requirements.

Frequently Asked Questions

What is a credit card information form?

It's a document used to capture a payer's card details (card number, expiry date, cardholder name, and CVV) in order to process a payment, set up a recurring billing mandate, or hold a payment authorisation. In England and Wales, collecting card data triggers obligations under UK GDPR, PCI DSS, and the Payment Services Regulations 2017.

Is it legal to collect card details on a paper form in England and Wales?

It is technically lawful but strongly discouraged. PCI DSS applies to cardholder data on any medium, paper included, so a paper form must still be protected, access-restricted and securely destroyed. Paper is high-risk because it cannot be encrypted, access-logged or revoked once copied, and PCI DSS prohibits retaining the CVV after authorisation on any medium, so the CVV must be redacted or the form destroyed as soon as the payment is taken. Digital forms that pass the card details straight to a payment provider for tokenisation are the industry standard and keep most of the cardholder data environment out of the organisation's own systems and compliance scope.

What PCI DSS obligations apply to this form?

PCI DSS applies in full to any organisation that stores, processes or transmits cardholder data; the merchant level (1 to 4), set by annual transaction volume, determines only how compliance is validated: an annual Report on Compliance by a Qualified Security Assessor for Level 1, and a Self-Assessment Questionnaire for smaller merchants. Key obligations include: never storing the CVV after authorisation, rendering stored card numbers unreadable (for example by strong encryption or truncation), restricting access to card data on a need-to-know basis, quarterly external vulnerability scans by an Approved Scanning Vendor, and annual validation. Non-compliance can result in card scheme fines passed on by the acquirer and withdrawal of processing facilities.

What UK GDPR rights do cardholders have over their data?

Cardholders have the right to access the data held (a subject access request), the right to erasure where data is no longer needed (this does not override retention that tax or limitation law requires), the right to restrict processing, and the right to object to processing based on legitimate interests. The organisation must respond to access requests within one calendar month, extendable by up to two further months for complex requests, and must have a clear retention schedule for card data.

What is the section 75 Consumer Credit Act right?

Where a consumer uses a credit card to buy goods or services with a cash price of more than 100 pounds and not more than 30,000 pounds, section 75 of the Consumer Credit Act 1974 makes the card issuer jointly and severally liable with the supplier for the supplier's breach of contract or misrepresentation. Collecting card information correctly ensures that transactions are linked to the correct cardholder and supports dispute resolution.

Can an organisation retain card details for future payments?

Yes, but only with the cardholder's clear agreement to the stored-credential arrangement and under a tokenised system in which the payment provider replaces the full card number with a token that is useless outside that provider. PCI DSS does not ban storing the card number (PAN) outright, but it requires a documented business need, a retention limit, and the PAN to be rendered unreadable wherever it is stored; it prohibits storing the CVV after authorisation in all circumstances. Tokenisation avoids most of that burden by keeping the PAN out of the organisation's systems altogether. The form must explain clearly how stored payment credentials will be used and how the payer can withdraw authority for future charges.

What strong customer authentication requirements apply?

Under the Payment Services Regulations 2017 (the UK's retained implementation of PSD2), electronic remote card payments require strong customer authentication (SCA) unless an exemption applies (for example low-value transactions or transaction risk analysis by the issuer or acquirer). SCA combines two or more of: something the cardholder knows, something they have, and something they are. Mail order and telephone order payments taken from a physical card information form are not electronic remote transactions and fall outside SCA, as do subsequent merchant-initiated charges under a recurring mandate once the initial set-up has been authenticated; the channel should still be documented and flagged correctly to the acquirer.

How long should a completed card information form be retained?

The minimum necessary period consistent with the purpose. For payment authorisation records, most organisations retain transaction evidence for six years to align with the Limitation Act 1980 and HMRC requirements. However, the CVV must be removed as soon as authorisation is obtained, since PCI DSS prohibits storing it afterwards, and the full card number should be truncated or masked on the retained record (at most the first six and last four digits) unless there is a documented business need to keep it, in which case it must be stored in unreadable, encrypted form with access restricted.
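The two answers above (retaining tokenised credentials, and masking the card number while discarding the CVV after authorisation) describe a data-handling pattern rather than a legal rule, so here is an added example of a form handler that follows it. This is illustrative code written for this page, not GenieAI's or any payment provider's; the `_gateway_authorise` function is an assumed stand-in for a real provider's API, and the sample form values are constructed test data.

```python
"""Card-form handler that keeps only what PCI DSS allows a merchant to store.

Added example for this page (not GenieAI's code). ``_gateway_authorise`` is an
assumed stand-in for a payment provider: it issues an opaque token and keeps the
PAN in the provider's vault, so the merchant's own record never holds it.
"""
import re
import secrets
from dataclasses import dataclass, asdict

EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/\d{2}$")   # MM/YY
CVV_RE = re.compile(r"^\d{3,4}$")


def normalise_pan(pan: str) -> str:
    """Strip the spaces and dashes payers commonly type into card fields."""
    return re.sub(r"[\s-]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches typos before the card number is sent anywhere."""
    digits = normalise_pan(pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: at most the BIN and last four digits.

    First six plus last four is the long-standing conservative choice.
    """
    digits = normalise_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class StoredCredential:
    """What the merchant keeps for future charges. No PAN, no CVV, by design."""
    token: str          # opaque reference issued by the payment provider
    masked_pan: str     # for receipts and "which card?" display only
    expiry: str         # MM/YY, so the merchant knows when to ask for a new card
    cardholder: str
    consent_ref: str    # points at the signed mandate / privacy notice version
    auth_code: str      # evidence that the authorisation happened


# Assumed provider behaviour: the vault holding token -> PAN lives with the
# provider, outside the merchant's systems. Simulated here so the example runs.
_PROVIDER_VAULT: dict = {}


def _gateway_authorise(pan: str, expiry: str, cvv: str) -> tuple:
    """Simulated single authorisation. Returns (auth_code, token)."""
    token = "tok_" + secrets.token_urlsafe(16)   # random: not derivable from PAN
    _PROVIDER_VAULT[token] = pan
    return secrets.token_hex(3).upper(), token


def process_form(form: dict) -> StoredCredential:
    """Validate the submitted form, authorise once, keep only the token.

    The CVV is used for this single authorisation and then removed from the
    form; it must never reach a log, database or paper copy.
    """
    pan = normalise_pan(form["pan"])
    if not luhn_valid(pan):
        raise ValueError("card number failed checksum")
    if not EXPIRY_RE.match(form["expiry"]):
        raise ValueError("expiry must be MM/YY")
    if not CVV_RE.match(form["cvv"]):
        raise ValueError("CVV must be 3 or 4 digits")

    auth_code, token = _gateway_authorise(pan, form["expiry"], form["cvv"])

    form.pop("cvv", None)          # sensitive authentication data: not retained
    form["pan"] = mask_pan(pan)    # caller is left with the masked number only

    return StoredCredential(token=token, masked_pan=form["pan"],
                            expiry=form["expiry"], cardholder=form["cardholder"],
                            consent_ref=form["consent_ref"], auth_code=auth_code)


def pan_in_record(record: StoredCredential, pan: str) -> bool:
    """Audit helper: does any stored field contain the full card number?"""
    blob = " ".join(str(v) for v in asdict(record).values())
    return normalise_pan(pan) in blob


if __name__ == "__main__":
    # Constructed sample input (a standard test card number, not a real card).
    sample = {"cardholder": "A. Payer", "pan": "4111 1111 1111 1111",
              "expiry": "12/27", "cvv": "123", "consent_ref": "mandate-0001"}
    record = process_form(sample)
    print(record)                         # token, masked PAN, expiry, auth code
    print("cvv retained:", "cvv" in sample)
```

The record that survives is what the six-year retention answer above is about: proof that an authorisation took place and a masked reference to the card, with the provider's token standing in for the card number. Note that Python cannot guarantee the CVV is scrubbed from memory; the design point is that it never reaches persistent storage.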

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI


A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI


A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the Credit Card Information Form

When you accept credit card payments for your business, you need a properly structured Credit Card Information Form that complies with the data protection and payment regulations of the jurisdiction in which you trade. This document serves as both a data collection tool and a legal protection mechanism, ensuring you meet the card schemes' security standards while establishing clear authorisation from your customers for payment processing.

When do you need this document?

You'll need a Credit Card Information Form whenever you process credit card payments, whether for one-time purchases, recurring billing, or service agreements. E-commerce businesses require this for online transactions, while brick-and-mortar stores need it for manual card processing or phone orders. Service providers like contractors, consultants, and subscription-based businesses use these forms to establish ongoing payment authorization. Additionally, any business that stores customer payment information for future use must have a compliant form that meets PCI DSS requirements and provides proper legal disclosures.

Key legal considerations

Your Credit Card Information Form must include specific legal elements to protect both your business and your customers. The authorisation statement is crucial: it must clearly explain what charges the customer is agreeing to and establish their consent for payment processing. Privacy notices are mandatory under data protection law, explaining how you will use, store, and protect their sensitive financial information. The form must also comply with PCI DSS, which means encrypting or truncating any stored card numbers, never retaining the CVV after authorisation, and limiting access to card data to staff who need it. Additionally, you need clear terms regarding dispute resolution, refund policies, and data retention practices to avoid potential legal complications.

Legal requirements in United States

Where a business also takes card payments in the United States, a different framework applies. PCI DSS is not a statute but a contractual standard imposed through the card schemes and acquiring banks; it mandates specific security measures for any business handling card data, including secure transmission protocols and restricted access to sensitive information. The Gramm-Leach-Bliley Act requires financial institutions to provide privacy notices and implement data safeguarding measures; it does not apply to ordinary merchants. The Fair Credit Reporting Act governs consumer credit reports rather than card acceptance and is rarely engaged by a payment form. The Federal Trade Commission enforces data security and disclosure obligations under section 5 of the FTC Act, which prohibits unfair or deceptive practices. State-level regulations add another layer of compliance, with laws like California's CCPA requiring enhanced privacy protections and data handling transparency. Your form must also include the disclosures about data sharing practices and customer rights that these laws require.

GOVERNING LAW

Applicable law

This Credit Card Information Form is drafted to comply with England and Wales law. Key legislation includes:

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it