Feature Requests

Auto Delete Cardholder Data

Shane Mc Cormack shared this idea 7 years ago

Requirement 3.1 of PCI DSS requires merchants to keep cardholder data storage to a minimum and limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes.

Our company policy requires us to delete cardholder data after a number of months after expiry or if there are no active services - but WHMCS doesn't appear to have any settings for this.

As this is a requirement for PCI Compliance, WHMCS should have something built in to allow this.

Comments (3)


I don't know/think that applies to 3rd party? We use the authorize.net CIM module. We receive an attestation of PCI compliance statement from them every quarter to hand over to our merchant provider. If you don't maintain a SAQ-D level compliance attestation or use a QSA then I would not store the CC data at all on your servers. IMHO

Things to consider for not storing cardholder data:

  1. The encryption hash is accessible to any employee with shell access, FTP access
  2. If they have shell / FTP access they now know the MySQL user and password
  3. They may query the DB for the encrypted string and decode it from the key stored in configuration.php
  4. I don't think the WHMCS web application has a QSA certification which would cost them several thousand dollars. =(
  5. Any application I *think* that handles card holder data must have a QSA?

Things that could be addressed are the ability to change the secret question and answer once they are logged on. There should NOT be a need to enter the OLD answer if they cannot even remember it!

ADD ePKI features which generate a self-signed client side certificate for admin users to authenticate with a client side SSL cert password. That would meet the higher standards for two part authentication methods. A super whmcs admin could manage the revocation file and the creation and / or modification of the certificate authority file.

Have WHMCS store a public and private email certificate pair for each support department email address and sign the outgoing emails to fight email spoofing. It already will insert DKIM signatures if you configure an SMTP account with its settings.

Require a certain web server cipher suite => RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES:!DES-CBC3-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA as an example and warn admin they are not in a high secure SSL environment. See if SSLLabs.com has an API to pull the grade level after a check, perhaps.

Force Admin password reset every 90 days. Old passwords are stored for 30 days and cannot be reused.

Check the server remote access hash. If it's different, sell a module to us that manages IPTABLES so a user can login to the client area and remove the block in the firewall. Something like andybev.com IPTABLES PHP script


+1 for this feature


Hi there,

I've been doing some housekeeping and noticed that recently implemented new features meet the requirements of this request!

WHMCS has always had the option to delete stored card data when it expires: https://docs.whmcs.com/Automation_Settings#CC_Expiry_Notices_Date

The Data Retention Policy Automation features added in v.7.5 can automatically delete client data (including credit card number) after a user-defined period of inactivity: https://docs.whmcs.com/Data_Retention_Policy_Automation