Credit cards expire, get lost or stolen, or get maxed out. People also switch banks or credit card providers. Whenever any of these things happen, your users will want to update their stored credit card details. Many people believe they just need to edit the number. There is just one hurdle: PCI compliance.
PCI DSS Compliance
The Payment Card Industry Data Security Standard governs how merchants can store credit card data. You can’t store the security code, and while you are allowed to store the credit card number, you have to make it unreadable by running it through a hash function.
Since hash functions are irreversible, it is technically impossible to edit data that has been hashed, which usually means credit card numbers and passwords. That’s why stores only show you the last four digits of your credit card number.
Let’s take an example of a customer whose credit card number is 1234 5678 9101 1213. When entered, the number is put through a hash function and comes out the other end as 899130624a21feb843c5b71a6fdd1eb9. The hash is 32 characters long and this is what gets stored in the database. If you hash only the first four digits of the credit card number (i.e. 1234), you get a different hash, ff0eb2864feb22354747f8c85d42ccb5, also 32 characters long.
Since there is no way to reverse a hash function in order to determine the original number, websites can only verify your credit card number and password based on the hash the entered data generates after being put through the same function that generated the stored data. If the hashes don’t match, you get an error message.
Because a hash is generated for the 16-digit string as a whole rather than for each individual character, editing a stored credit card number is just not possible. The only technically feasible option when someone wants to edit their credit card number is to delete the old number and then have them add a new one.
But your average customer probably doesn’t understand the technical reason that makes editing their card number impossible. The whole Delete then Add operation strikes them as weird and counterintuitive when they feel they could just clear the last 12 digits of their card number and add new ones.
A more elegant solution
The best way to approach this is by combining the Delete + Add operation into a single Edit operation. The “Edit” button would delete the old credit card number in the background. You then prompt the customer to enter their new credit card details and store those. That way, customers get to update their card details in a single operation instead of two.
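A sketch of that single Edit operation, as an added example that is not code from the original article: the Delete and the Add run inside one database transaction, so a rejected new number leaves the old record in place. The table layout, function names, the sample replacement number and the use of a keyed hash (HMAC-SHA-256 with a demo key) instead of the article's 32-character hash are all assumptions made for the example.

```python
import hashlib
import hmac
import sqlite3

# Assumption: server-side key for the keyed hash (constructed demo value).
HASH_KEY = b"constructed-demo-key"

def normalize(pan: str) -> str:
    digits = pan.replace(" ", "")
    # Assumption: accept card numbers of 12 to 19 digits.
    if not (digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("card number must be 12 to 19 digits")
    return digits

def pan_digest(pan: str) -> str:
    # One-way digest over the whole number: changing any digit changes all of it.
    return hmac.new(HASH_KEY, normalize(pan).encode(), hashlib.sha256).hexdigest()

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (user_id TEXT PRIMARY KEY,"
               " pan_hash TEXT NOT NULL, last4 TEXT NOT NULL)")
    return db

def _insert(db, user_id, pan):
    digits = normalize(pan)
    db.execute("INSERT INTO cards VALUES (?, ?, ?)",
               (user_id, pan_digest(digits), digits[-4:]))

def add_card(db, user_id, pan):
    with db:  # commit on success, roll back on error
        _insert(db, user_id, pan)

def edit_card(db, user_id, new_pan):
    # "Edit" is Delete + Add inside one transaction: if the new number is
    # rejected, the rollback restores the old record instead of leaving none.
    with db:
        db.execute("DELETE FROM cards WHERE user_id = ?", (user_id,))
        _insert(db, user_id, new_pan)

def matches(db, user_id, pan):
    # Verification compares digests; the stored number is never recovered.
    row = db.execute("SELECT pan_hash FROM cards WHERE user_id = ?",
                     (user_id,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pan_digest(pan))

def shown_to_user(db, user_id):
    row = db.execute("SELECT last4 FROM cards WHERE user_id = ?",
                     (user_id,)).fetchone()
    return None if row is None else "**** **** **** " + row[0]
```

The last four digits are stored as a separate column because they cannot be derived from the digest.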