How do I take payments without storing card data?
Use your payment processor's tokenization so the raw card details go to them, not through your servers. Store the token they return and the last four digits for display, and never persist the full card number or the verification code. That keeps you on the right side of PCI DSS Requirement 3 and shrinks how much of PCI scope applies to you.
Tokenize at the edge
Collect card details with the processor's hosted fields or SDK, so the raw number goes straight to them and you get back a token. The card data never lands in your application.
Store the token, not the card
Persist the processor token and the last four digits for display. Never store the full card number, and never store the card verification code, which must not be kept after authorization.
Shrink your PCI scope
The less card data touches your systems, the smaller your PCI scope. Tokenization is the standard way to shrink it, so prefer it to handling the raw number yourself.
// paymentMethodId is a token from the processor's hosted fields (no raw card here)- await orders.insert({ id, pan: card.number })+ await processor.charge(paymentMethodId, amount)+ await orders.insert({ id, paymentMethodId, last4 })return ok()The raw card is captured by the processor's hosted fields and never reaches your server; the order stores only the payment token and the last four digits, not the card number or the verification code.