PCI compliance and credit card collection in PandaDoc

Understand what credit card collection is and isn't allowed in PandaDoc, how to identify and remove non-compliant data, and how to switch to a compliant setup using PandaDoc Payments.

PandaDoc is not a PCI-compliant platform, which means collecting credit card data through text fields in your documents violates PandaDoc's Acceptable Use Policy and exposes your business to compliance and security risks. This article explains what's allowed, how to identify and remove non-compliant data, and how to switch to PandaDoc Payments for secure, compliant payment collection.

What is and isn't allowed

Not allowed: Using text fields (including masked fields) to collect credit card data — cardholder name, card number, expiration date, CVV, or card type. Even if a field is masked, it can be unmasked by any user in the account, so it does not meet PCI compliance standards. Collecting even partial card data (e.g., only the last four digits) in a text field is still non-compliant.

Allowed: Collecting bank account information such as ACH, routing numbers, or international wire transfer details via text fields. PCI compliance applies specifically to credit and debit card data — bank information is not subject to the same restrictions.

Allowed: Using the Card Details field (new editor) or Billing Details field (classic editor), integrated with Stripe. This field is PCI-compliant and only available in accounts with a connected Stripe gateway.

Note: If you attempt to add a Card Details or Billing Details field without a connected Stripe gateway, PandaDoc will prompt you to connect Stripe first.

How to identify documents with non-compliant credit card fields

There is currently no in-app tool or reporting view that automatically flags documents or templates containing non-compliant text fields.

To identify affected documents and templates, review them manually and look for text fields collecting any of the following:

  • Cardholder name

  • Card number (full or partial)

  • Expiration date

  • CVV/security code

  • Card type

Note: Reach out to our Support team if you don't have one – with your approval, PandaDoc's internal team can pull a report of affected documents in your account.
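As an aid to the manual review described above, the following added example (not a PandaDoc tool or API) triages a hand-compiled inventory of text fields. It assumes you have listed each field's label and a sample value yourself; the label patterns, the Luhn check on values, and all sample data are constructed for illustration.

```python
import re

# Label heuristics for the five kinds of card data listed above (not exhaustive).
LABEL_PATTERNS = {
    "cardholder name": r"\bcard\s*holder\b|\bname on card\b",
    "card number": r"\b(?:card|cc)\s*(?:number\b|num\b|no\b|#)|\blast\s*(?:4|four)\b",
    "expiration date": r"\bexp(?:iry|iration)?\b",
    "CVV/security code": r"\b(?:cvv|cvc|security code)\b",
    "card type": r"\bcard\s*(?:type|brand)\b",
}
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")

def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_card_number(text):
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

def review_fields(fields):
    """Return {label: [reasons]} for fields that need a closer look."""
    findings = {}
    for label, value in fields:
        reasons = [k for k, p in LABEL_PATTERNS.items() if re.search(p, label, re.I)]
        if contains_card_number(value):
            reasons.append("value looks like a card number")
        if reasons:
            findings[label] = reasons
    return findings

# Constructed inventory; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_FIELDS = [
    ("Name on card", "Jane Example"),
    ("CC #", "4111 1111 1111 1111"),
    ("Exp. date", "12/30"),
    ("Security code", ""),
    ("Routing number", "123456789"),   # bank details are allowed in text fields
    ("Notes", "Customer gave 4111-1111-1111-1111 by phone"),
]
```

Label matches such as "expiration date" can also hit unrelated fields (for example a contract expiry), so treat the output as a shortlist for manual review rather than a verdict.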

How to remove stored credit card data

Once you've identified non-compliant documents, here's how to fully remove the data from PandaDoc:

  1. Download each affected document to save a copy in a separate, secure system if needed.

  2. Delete the document from your documents list.

  3. Go to Archive in your documents list.

  4. Select the archived document and choose Delete forever to permanently remove it from PandaDoc.

Warning: Deleting a document from the archive using Delete forever is permanent and cannot be undone. Download a copy before proceeding if you need to retain a record.

For templates, open each affected template, remove the non-compliant text fields, and save the updated version.

What happens to stored card data after you connect Stripe

Connecting Stripe does not automatically remove or migrate any credit card data already stored in text fields. You need to remove that data manually using the steps above.

Going forward, once Stripe is connected, you can use the Card Details field (new editor) or Billing Details field (classic editor) to securely collect card information at signing. This field passes card data directly to Stripe — PandaDoc never stores it.

Does migrating to Stripe affect existing templates?

Connecting Stripe does not break existing templates. However, any non-compliant text fields collecting card data need to be removed and replaced with the Card Details or Billing Details field manually — there is no automatic conversion.

Payment blocks in existing templates do not automatically switch to Stripe. You'll need to reconfigure each template to use the compliant Card Details field (new editor) or Billing Details field (classic editor) after connecting.

Is there a bulk migration tool?

No. There is currently no bulk tool to update documents or templates. Each document and template needs to be updated manually.

How card details appear in PandaDoc after connecting Stripe

When a signer enters their card details using the Card Details field (new editor) or Billing Details field (classic editor), PandaDoc passes that information securely to Stripe. The card data is not stored in PandaDoc itself. Within PandaDoc, you'll see a confirmation that card details were collected — not the card number itself.

How to charge a client once card details have been collected

After a signer submits their card details, the card is tokenized and stored in your Stripe account, not in PandaDoc. Use your Stripe dashboard or the payment controls within the completed PandaDoc document to process the payment.

Do clients need to re-enter card details after switching to Stripe?

If a client previously entered card details into a non-compliant text field, that data needs to be removed (see above). Because it was never passed to Stripe, it cannot be migrated — clients will need to re-enter their card details using the Card Details or Billing Details field in an updated document or template.

Using PandaDoc Payments as your compliant solution

PandaDoc Payments lets you collect credit card (and other payment) information securely at the time of signing, in full alignment with PCI standards.

To get started, connect Stripe as your payment gateway in your PandaDoc account settings, then add the Card Details field (new editor) or Billing Details field (classic editor) to your templates.

Note: PandaDoc Payments is available on eligible plans. Contact your CSM or visit the PandaDoc Payments help center for more details.

Need more help?

Our Learning Team hosts regular PandaDoc Payments office hours where you can see the feature in action, ask questions specific to your workflow, and get guidance on switching from non-compliant text fields.
