Last updated: Dec 17, 2025, 5:15 PM
What steps can I take to protect my guests' credit card data?
In order to protect your guests’ cardholder data (CHD), you should never store it outside of the Toast application payment field—whether in the freeform text field of a receipt or menu item or in an email, Word doc, text file, instant message, or on a piece of paper.
Storing credit card information (including sensitive authentication data [SAD]) in this way is not compliant with the Payment Card Industry Data Security Standard (PCI DSS), and may put you at an increased risk of a data breach. Cardholder data should only be obtained when it can be swiped, dipped, tapped, or directly entered into the payment field on the Toast application, where it will be processed for payment and stored appropriately in accordance with applicable requirements.
Failure to properly obtain CHD puts your security at risk and is not compliant with PCI DSS. It can also make that data more susceptible to bad actors and, ultimately, data breaches.
Toast restaurants are responsible for ensuring that their employees are trained and aware of best practices at all times and for maintaining compliance. To help maintain the safety and security of your guest data, we strongly recommend reviewing your CHD storage practices on a periodic basis.
The Toast platform may collect and store certain information about your guests in a searchable database. The Toast platform automatically saves guest information in the database every time you:
More specifically, the Toast platform typically stores the following information that guests may provide:
In summary, cardholder data should only be obtained when it can be immediately swiped, dipped, tapped, or directly entered into the payment field on the Toast application. It should never be stored elsewhere, including places such as the freeform text field of a receipt or menu item or in an email, Word doc, text file, instant message, or on a piece of paper.