According to PCI standards, a merchant may never store lists with customers’ card data on any medium that is not PCI compliant. Word documents and spreadsheets, even if they have a strong password, are not PCI compliant, and thus may never be used to store lists with card info. Even if you create a custom program with many levels of security, it is still not PCI compliant.
(The exception to this regulation would be to store the info of one card on a piece of paper. However, multiple numbers are never allowed, even on paper.)
A merchant that does store such data will be held 100% liable in the event of any data breach! The gateways and processing software that are employed by merchant service providers use special encryption, and go through a rigorous PCI approval process. Even the “recurring billing” feature on these gateways never really stores the actual data on your computer, and the card data is always completely secure.
Bottom line: If your method of storing customer data is not via an approved PCI medium, you are risking many thousands of dollars in fines, and the possibility of losing your entire business. Don’t think it can’t happen to you. Unfortunately, we’ve seen it too many times.
If you have any questions, don’t hesitate to give us a call and a payment professional will be glad to answer you!