We store your credit and debit card information in our billing system database using strong 256-bit AES encryption to facilitate automated invoice payments, domain renewals, and other billing-related services. The CVV or security code is never stored. All stored data is encrypted and protected with a passphrase of 32 random characters known to only two employees. Our database is not publicly accessible, uses randomly generated passwords changed every 180 days, and is kept separate from the billing web server. We exceed PCI DSS requirements through prompt software updates, custom monitoring scripts, and continuous threat monitoring.
Storing this data enables seamless recurring transactions without repeated card entry, but security remains paramount. The measures described below follow defense-in-depth principles: encryption at rest, strict access controls, network isolation, timely patching, and active threat detection. This combination substantially reduces risk even if one layer is compromised.
# Card Information We Store
To support convenient automated services, we retain specific card details in encrypted form within the billing database. Full card numbers are required for processing future charges. Retaining the last four digits allows secure display and verification in account summaries without exposing the complete number. Expiration or issue dates confirm card validity before any automated transaction is attempted.
- Full card number
- Last 4 numbers of the card
- Expiration date and/or the issue date
These fields are stored only after the initial transaction clears. Storing them removes friction for customers on recurring plans while still requiring explicit authorization for the first payment. Context matters: without this capability, every renewal would demand manual intervention, increasing abandoned transactions and administrative overhead.
# Information We Never Store
We never store the CVV or security code. This value is collected only at the moment of transaction, transmitted securely to the payment processor, and then immediately discarded from our systems. Omitting CVV from long-term storage is a deliberate risk-reduction decision required by PCI DSS and recognized as a core best practice. It ensures that even if encrypted card data were somehow accessed, it would still be insufficient to complete a card-not-present transaction.
# Encryption and Access Controls
Every piece of stored card data is protected by 256-bit AES encryption, an algorithm with no practical breaks when properly implemented and keyed. The encryption key is derived from a 32-character random passphrase. Only two employees possess this passphrase, ensuring the data cannot be decrypted without it. This approach follows least-privilege access and protects against both external breaches and insider threats. The passphrase itself is never written down in plain text and is rotated on a strict schedule.
```powershell
# PowerShell example illustrating generation of a 32-character random passphrase
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+'
$passphrase = -join ((1..32) | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
Write-Output $passphrase
```
The snippet above demonstrates the style of cryptographically sound random generation used to create such passphrases. In production we rely on platform-provided secure random sources rather than simple character selection, but the principle of high entropy remains identical.
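As an added example (not the provider's production code), the following shows one way to draw the same 32-character passphrase from a platform-provided secure random source, so the result does not depend on which generator `Get-Random` uses in a given PowerShell version. The function name `New-RandomPassphrase` and its parameters are hypothetical; the alphabet is the one from the snippet above.

```powershell
# Added example: passphrase generation from the OS CSPRNG.
# New-RandomPassphrase is a hypothetical helper name, not part of any product.
function New-RandomPassphrase {
    param(
        [int]$Length = 32,
        [string]$Alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+'
    )
    if ($Length -lt 1) { throw 'Length must be at least 1.' }
    if ($Alphabet.Length -lt 2 -or $Alphabet.Length -gt 256) {
        throw 'Alphabet must contain between 2 and 256 characters.'
    }

    # Largest multiple of the alphabet size that fits in the byte range 0..255.
    # Bytes at or above this limit are discarded (rejection sampling), so every
    # character is equally likely and there is no modulo bias.
    $limit = 256 - (256 % $Alphabet.Length)

    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 64
    $sb     = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buffer)
            foreach ($b in $buffer) {
                if ($b -lt $limit) {
                    [void]$sb.Append($Alphabet[$b % $Alphabet.Length])
                    if ($sb.Length -eq $Length) { break }
                }
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

$alphabetSize = 76   # size of the default alphabet above
$passphrase   = New-RandomPassphrase
# Entropy estimate: length * log2(alphabet size).
$bits = [math]::Round($passphrase.Length * [math]::Log($alphabetSize, 2), 1)
# Report only length and entropy so the secret itself never reaches a console log.
Write-Output "Generated $($passphrase.Length) characters (~$bits bits of entropy)"
```

With 76 symbols and 32 characters the estimate is roughly 200 bits, well above the 128 bits usually taken as the floor for a secret that protects an AES-256 key.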
# Database and Infrastructure Security
The database housing user records, service details, invoices, and support tickets has no public exposure. It is secured with randomly generated passwords that are changed every 180 days. The database server is isolated from the billing system web server, preventing direct access even if the web tier is compromised. Firewall rules, network segmentation, and hardened operating system configurations further restrict lateral movement. These controls ensure that card data remains in a protected enclave accessible only through tightly controlled application pathways.
# Maintenance, Monitoring, and Compliance
We install new releases of our billing software as soon as they become available, addressing vulnerabilities before they can be exploited. Custom monitoring scripts continuously scan for intrusion attempts, SQL injection patterns, fraudulent signup activity, and anomalous behavior. These scripts feed into alerting systems that trigger immediate investigation by on-duty staff. Our overall card-handling practices exceed PCI DSS requirements, incorporating additional controls beyond the baseline standard.
No system can be 100% secure, yet we continuously monitor for new threats and vulnerabilities. Logs are reviewed daily, third-party security tools are kept current, and internal audits occur regularly. This proactive stance keeps defenses aligned with the evolving threat landscape.
The combination of strong encryption, minimal data retention, network isolation, strict access rules, rapid patching, and active monitoring provides robust protection for your card information. Review your stored payment methods periodically and contact support with any security questions.