# Security best practices

# Do not store payment card details in your system

  • Whenever possible, avoid storing card details.
  • If you need to, you can store the expiry date or the BIN (the first 6 digits of the card number). However, you should never store the complete card number.
  • You should never store the CVV/CVC.

Following this advice will significantly reduce the scope of the PCI DSS security requirements that apply to your system.
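An added example (not Straal's code) of enforcing the storage rules above before a card payload is written anywhere: keep only the BIN and expiry, and refuse any record that still carries a full card number or a CVV/CVC. The field names are assumed for illustration, not Straal's API schema.

```python
import re
from typing import Any, Dict, Optional

# Assumed field names in an incoming card payload (constructed for this example).
PAN_KEYS = {"number", "card_number", "pan"}
CVV_KEYS = {"cvv", "cvc", "cvv2", "cvc2"}


def storable_card_fields(card: Dict[str, Any]) -> Dict[str, str]:
    """Return the only card data that may be persisted: the BIN (first 6
    digits) and the expiry. The full PAN and the CVV/CVC are dropped."""
    pan = next((str(card[k]) for k in PAN_KEYS if k in card), None)
    if pan is None:
        raise ValueError("no card number in payload")
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 6:
        raise ValueError("card number too short to derive a BIN")
    out = {"bin": digits[:6]}
    if "expiry" in card:
        out["expiry"] = str(card["expiry"])
    return out


def forbidden_field(record: Dict[str, Any]) -> Optional[str]:
    """Guard to run before any write (database, log, queue). Returns the name
    of the first field that must not be stored, or None if the record is clean:
    any CVV/CVC key, or any value that looks like a full 13-19 digit PAN."""
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            return key
        if re.fullmatch(r"\d{13,19}", re.sub(r"[ -]", "", str(value))):
            return key
    return None


if __name__ == "__main__":
    # Constructed sample payload; the PAN below is a well-known test number.
    payload = {"number": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123"}
    print(forbidden_field(payload))            # "number": unsafe as received
    print(storable_card_fields(payload))       # {"bin": "411111", "expiry": "12/27"}
    print(forbidden_field(storable_card_fields(payload)))  # None: safe to store
```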

With Straal, card registration takes place in our system, where card details are encrypted. When you charge a card, you use a Straal reference, which acts as a secure token. Read more about tokenization.

# Hide error details from the customer

If a transaction fails, Straal returns an error specifying the reason it failed, which may contain the phrase "dropped by antifraud". That reason is intended for you: it is good practice to hide it from the customer and instead display a generic "Transaction failed" message. Exposing detailed error messages to the customer could give fraudsters useful information.