A signed credit card authorization form is the document that separates a legitimate recurring charge from a chargeback you cannot win. Most professional services businesses treat it as an afterthought: a PDF sent at the end of onboarding, or a checkbox buried in the engagement letter. Then a client disputes a charge and there is nothing in the file that constitutes clear, signed proof they agreed to that billing schedule.
This article includes free downloadable templates for both one-time and recurring payment authorization. It also covers what PCI DSS v4.0.1 actually requires when you store card details, how to deliver the form in a way that holds up in a dispute, and why the cleanest approach eliminates the separate form entirely.
Key Takeaways
- A signed credit card authorization form is a legal record of consent, not just administrative paperwork. Without one on file, a business cannot reliably defend against chargebacks or demonstrate PCI DSS compliance when storing or processing card details manually.
- One-time and recurring payment forms have different field and language requirements. Using a generic form for recurring billing creates gaps in authorization that can invalidate the consent record, even if the client signed something.
- Collecting CVV on any form, paper or digital, is a PCI DSS violation the moment that form is stored. Per the PCI Security Standards Council, card verification codes cannot be retained after the authorization process is complete, not in any format, not even encrypted.
What Is a Credit Card Authorization Form (And Why You Need One)
A credit card authorization form is a document signed by a cardholder giving a business explicit permission to charge their payment card for a specified amount, on a specified date or recurring schedule. The signed form creates a legal record of consent and is required documentation for PCI DSS compliance when a business stores or manually processes card details outside of an integrated payment terminal.
Authorization and the actual charge are two different things. The form captures consent. The charge execution happens separately, when the business manually enters the card details into a payment processor or runs an automated billing cycle. A common mistake is treating the signed form as the end of the compliance obligation. It is the beginning of it. The form establishes permission. What happens to the card data after that is where most compliance problems start.
For any professional services firm billing on a recurring schedule (monthly bookkeeping retainers, quarterly tax packages, ongoing marketing retainers, or subscription advisory services), the authorization form is the legal foundation the billing relationship sits on. Without it, every recurring charge is technically unverified.
How They Protect Your Firm
A signed authorization form gives you two things: a legal defense against chargebacks and documented proof of scope for billing disputes. Both matter.
On the chargeback side, the numbers are not favorable for merchants who go into a dispute without documentation. Merchants win only 20-30% of chargeback disputes overall, according to data from Justt.ai and ClearlyPayments. When a client disputes a charge claiming they never authorized it, a signed authorization form shifts that dynamic. It is not a guarantee you win, but it is the specific evidence Visa and Mastercard require merchants to produce in an "unauthorized transaction" dispute. Without it, the dispute defaults to the cardholder's favor.
On the billing scope side, a properly written authorization form documents exactly what was agreed: the amount, the schedule, the service description, and the cancellation terms. When a client pushes back on a recurring charge, the form answers the question before it becomes an argument.
When you need one
You need a credit card authorization form any time you plan to charge a client's card without them physically present at the transaction:
- Any recurring billing arrangement: monthly retainers, subscription services, quarterly fee packages
- One-time charges where the card will be stored on file for future use
- Any situation where you manually enter card details into a payment processor rather than collecting payment at point of service
For professional services firms, this covers most of the billing model. If a client signed an engagement letter and you bill them monthly against it, that billing relationship needs documented authorization on file.
What Should Your Authorization Form Include?
Think of a credit card authorization form as a formal handshake between you and your client. It’s a document that gives you their explicit permission to charge their card for your services. Getting this form right is non-negotiable—it protects your firm from chargebacks and builds a foundation of trust with your clients. While it might seem like just another piece of paperwork, the details matter. A clear, comprehensive, and secure form ensures everyone is on the same page and payments happen without a hitch.
Let’s break down the essential components you absolutely need to include.
One-time vs. recurring payment authorization
One-time and recurring authorization forms are not interchangeable. The fields differ, the authorization language differs, and the compliance requirements differ. Using a one-time form for a recurring billing arrangement leaves a gap: the client authorized a single charge, not an ongoing schedule.
The authorization language distinction is the one that trips firms up most often in disputes. A one-time authorization statement does not cover subsequent charges on the same card, even if the client verbally agreed to a recurring arrangement. If your billing is recurring, your authorization form needs to say so explicitly.
Free credit card authorization form template
Two templates follow: one for one-time payments, one for recurring billing. Both are formatted as working forms with complete field sets and authorization language. Copy the version that matches your billing arrangement, add your business name, and adjust the cancellation notice period to match your engagement agreement. Downloadable PDF and Word versions are linked below each template.
One-time payment authorization template
[YOUR BUSINESS NAME] Credit card authorization form, one-time payment
Date: _______________
Cardholder information
Cardholder full name: _______________
Billing address: _______________
City / State / ZIP: _______________
Email address: _______________
Phone number: _______________
Card information
Card type: ☐ Visa ☐ Mastercard ☐ American Express ☐ Discover ☐ Other: ___
Card number: _______________
Expiration date: ___ / ___
Important: Do not enter your CVV/security code on this form. CVV will be collected at the point of the transaction only and will not be stored.
Payment details
Authorized amount: $_______________
Payment date: _______________
Service or payment description: _______________
Authorization statement
I, [Cardholder name], authorize [Business name] to charge the credit or debit card listed above in the amount of $[Amount] on [Date] for [Description]. I confirm that I am the authorized holder of this card and that the information above is accurate.
Cardholder signature: _______________
Printed name: _______________
Date signed: _______________
Recurring payment authorization template
[YOUR BUSINESS NAME] Credit card authorization form, recurring billing
Date: _______________
Cardholder information
Cardholder full name: _______________
Billing address: _______________
City / State / ZIP: _______________
Email address: _______________
Phone number: _______________
Card information
Card type: ☐ Visa ☐ Mastercard ☐ American Express ☐ Discover ☐ Other: ___
Card number: _______________
Expiration date: ___ / ___
Important: Do not enter your CVV/security code on this form. CVV will be collected at the point of the first transaction only and will not be stored.
Recurring billing details
Billing frequency: ☐ Weekly ☐ Monthly ☐ Quarterly ☐ Other: _______________
First billing date: _______________
Ongoing billing date (e.g., "the 1st of each month"): _______________
Amount per billing period: $_______________
Total number of payments: _______________ ☐ Until cancelled
Service or billing description: _______________
Cancellation and card update terms
To cancel this authorization, I must provide written notice to [Business name] at least [30] business days before the next scheduled billing date. Cancellation takes effect on the next billing cycle after the notice period has been satisfied. Continued use of services does not constitute cancellation.
If my card is replaced, expired, or updated, I agree to notify [Business name] within [10] business days and provide updated card information to avoid disruption to services.
Authorization statement
I, [Cardholder name], authorize [Business name] to charge the credit or debit card listed above in the amount of $[Amount] on a [frequency] basis beginning [First billing date], continuing until the total number of payments listed above is reached or until I provide written cancellation notice per the terms above. I confirm that I am the authorized holder of this card and that this authorization covers all future charges at the stated frequency and amount until cancelled.
Cardholder signature: _______________
Printed name: _______________
Date signed: _______________
How to customize the template for your business
The templates above are functional as written. Four customizations cover the most common firm-specific needs:
- Add your business name and logo. Replace every instance of "[Your Business Name]" with your legal entity name. Add your logo to the header. The form should match your other client-facing documents in appearance; a generic template that looks different from your proposals and agreements undermines client confidence.
- Adjust the authorization language for your jurisdiction. The authorization statement above is a practical starting point for US commercial transactions. If your firm operates across multiple states or works with international clients, have a business attorney review the authorization language before you use it with clients. This is especially relevant for the recurring billing version, where cancellation terms and billing rights can have state-specific implications.
- Set your cancellation notice period. The recurring template uses "[30] business days" as a placeholder. Replace this with whatever your engagement agreement already states. Consistency between your agreement and your authorization form matters; a dispute where the two documents contradict each other weakens both.
- Format for digital delivery. If you are sending this form digitally rather than printing it, remove the handwritten signature line and replace it with a dedicated e-signature field via a platform like DocuSign, Dropbox Sign, or PandaDoc. Include a note that the electronic signature is valid under the ESIGN Act for commercial transactions. Do not collect authorization via a name typed in the body of an email; that is not a legally sufficient record for dispute purposes.
What to include in a credit card authorization form
A compliant credit card authorization form needs four categories of information: cardholder identity, card details (minus CVV after authorization), the specific payment terms for the transaction or schedule, and a signed authorization statement. Missing any one of these does not just create a compliance gap; it creates a document that may not hold up when a client disputes a charge.
The templates above include all four. This section explains what each category covers and why the details within it matter.
Cardholder details
What it is: The cardholder information section identifies who authorized the payment and connects that person to the card on file. Required fields are full legal name, billing address, email address, and phone number.
Why it matters: Card networks use Address Verification Service (AVS) during dispute resolution. If the billing address on your authorization form doesn't match the address tied to the card, that discrepancy actively works against you in a chargeback review, even if the rest of the form is clean. Keep entries specific and current. An outdated address or a nickname instead of a legal name creates questions you'll be answering under pressure.
Business information and payment terms
What it is: This section documents what is being charged, why, and on what schedule. Required fields are your legal business name, a specific service description, the exact authorized amount, and the payment date or recurring billing schedule.
Why it matters: The service description field is the most commonly misused part of the form. "Services rendered" or "consulting fees" leaves a dispute wide open: a client can credibly claim they didn't understand what they were authorizing. "Monthly bookkeeping retainer, QuickBooks Online, bank reconciliation, and monthly close reporting, per engagement agreement dated [Date]" creates a paper trail that connects the charge to a documented, agreed scope. Specific descriptions are substantially harder to dispute.
Security and verification fields
What it is: Collect card type, full card number, and expiration date. Do not include a CVV field on the form at all.
Why it matters: This is where most manual authorization processes create a compliance violation they don't know they have. PCI DSS v4.0.1 Requirement 3 (Sensitive Authentication Data) prohibits storing card verification codes (CVV, CVC, CID) after the authorization process is complete, in any format. A paper form in a locked drawer or a scanned PDF on an encrypted drive makes no difference: the prohibition applies regardless of how the data is stored. Card numbers and expiration dates can be retained if encrypted and access-restricted. CVV cannot be retained under any circumstances. If your current form has a CVV field, remove it before the next form goes out.
Authorization statement and signature block
What it is: The authorization statement is the clause that converts the form from a data collection document into a legally binding record of consent. Without it, a signed form proves the client shared their card details, not that they authorized a charge.
Why it matters: A valid authorization statement must name the business being authorized to charge, identify the cardholder by name, specify the exact amount or billing schedule, and include an explicit statement that the cardholder is authorizing the transaction. For recurring billing, the statement must also name the frequency and acknowledge the cardholder's right to cancel with written notice.
Model statement, one-time payment: "I, [Name], authorize [Business name] to charge my [card type] card ending in [last 4 digits] in the amount of $[Amount] on [Date] for [Description]. I confirm I am the authorized holder of this card."
Model statement, recurring billing: "I, [Name], authorize [Business name] to charge my [card type] card ending in [last 4 digits] in the amount of $[Amount] on a [frequency] basis beginning [Date], continuing until I provide written cancellation notice per the terms stated above. I confirm I am the authorized holder of this card and that this authorization covers future charges at the stated frequency until cancelled."
The signature block requires cardholder signature, printed name, and date signed. For digital forms, the legal weight comes from the platform's audit trail, the timestamped, IP-logged record of the signing event, not from the signature image itself. That audit trail is what makes an electronic signature equivalent to a wet signature under the ESIGN Act (2000) and the Uniform Electronic Transactions Act (UETA), adopted in 49 US states.
Credit card authorization form mistakes and risks
The most common errors with authorization forms are not in the form design. They are in what happens to the form after it is signed. Storing CVV data, keeping forms in shared email threads, and using a one-time template for a recurring billing relationship are the three patterns that most often surface when a chargeback dispute becomes difficult to defend.
Storing CVV data (and why you must not)
This is not a best practice. It is a compliance requirement with no exceptions.
According to the PCI Security Standards Council, card verification codes, the three- or four-digit number printed on the front or back of a payment card, cannot be retained after the authorization process is complete. PCI DSS v4.0.1 Requirement 3 (Sensitive Authentication Data) prohibits storing this data regardless of format: paper, digital, encrypted, locked cabinet. The PCI SSC states directly: "The requirement that prohibits retaining sensitive authentication data after authorization applies even if that data is encrypted."
The rule applies to recurring billing contexts specifically. The PCI SSC confirms that card verification codes "are not needed for card-on-file or recurring transactions, and PCI DSS prohibits storage for these purposes." There is no workaround. A client's written permission for you to store their CVV has no validity under PCI DSS; the standard does not recognize client consent as an exception.
The compliant process: collect CVV at the point of the first transaction, use it for that authorization, then destroy it. If your current authorization form has a CVV field, remove it.
"The most common compliance mistake we see from firms using manual authorization forms is a CVV field on the form itself. The business collects it, stores the signed form, and has no idea they've been non-compliant from the moment they filed it. CVV storage is not a gray area in PCI DSS; it is a hard prohibition, and the penalty clock starts the day the form goes in the drawer."
— Tal Ben Bassat, CPA, COO & CFO, Anchor
Insecure storage and handling
A signed authorization form contains sensitive cardholder data. That means it cannot live in an email thread, a shared Google Drive folder with broad team access, or a physical filing cabinet without documented access controls.
PCI DSS v4.0.1 Requirement 7 requires that access to cardholder data be restricted to individuals whose job requires it. In a small firm, "everyone can see the client folder" is not a compliant access policy. The question to ask: if a team member left tomorrow, would they still have access to files containing signed authorization forms? If the answer is yes, that is the problem to fix.
Physical forms are a specific liability. A misplaced document, an office visitor who glances at a desk, or improper disposal creates exposure that digital encrypted storage does not. Filing cabinets are better than nothing. They are not a PCI DSS compliance strategy on their own.
PCI DSS compliance requirements
Four requirements apply most directly to businesses managing manual authorization forms:
- Never store CVV after authorization (PCI DSS v4.0.1 Requirement 3, Sensitive Authentication Data). No exceptions and no workarounds; see the section above.
- Encrypt stored card data (PCI DSS v4.0.1 Requirement 3, Protection of Stored Account Data). Card numbers and expiration dates can be stored, but only in encrypted form. A PDF on a desktop or a spreadsheet on a shared drive does not meet this standard.
- Restrict access to cardholder data (PCI DSS v4.0.1 Requirement 7). Access controls must be documented and enforced; "only people who need it" must be defined in writing, not assumed.
- Maintain an audit trail (PCI DSS v4.0.1 Requirement 10). Log who accessed cardholder data and when. Manual audit trails are a significant operational burden that automated systems handle at the platform level.
The full PCI DSS v4.0.1 standard is available at pcisecuritystandards.org. These four requirements are not a complete compliance checklist; they are the ones most directly relevant to manual authorization form workflows. Full compliance involves network security, vulnerability scanning, and system-level controls well beyond a form management policy.
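The four requirements above (and the CVV prohibition discussed earlier) translate into a small amount of intake logic. The following is an added example, not code from this article or from Anchor, of how a firm could file a signed form so that nothing PCI DSS forbids is ever written: a submission carrying any verification-code field is refused outright, only the last four digits and a processor token are kept in place of the full card number, reads are limited to roles written down in a policy, and every read or write is logged. Everything here is assumed: the form arrives as a dict, the processor's tokenization is stood in for by a locally generated opaque token (`tokenize_with_processor` is hypothetical), and the record store, role list and audit log are in-memory structures.

```python
"""Filing a signed authorization form without keeping what PCI DSS forbids.

Added example; not the article's or Anchor's code. All names here are assumptions.
"""
import datetime as dt
import secrets

# Requirement 3: sensitive authentication data is never retained after
# authorization. A form carrying any of these fields is refused before anything is written.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "securitycode", "cardverificationcode"}

# Fields a submission must carry to be filed at all (assumed field names).
REQUIRED_FIELDS = {"cardholder_name", "billing_address", "email", "card_number",
                   "expiry", "amount", "schedule", "description", "signed_at", "signer_ip"}

# Requirement 7: the roles allowed to read stored records, written down rather than assumed.
ALLOWED_ROLES = {"billing_admin"}

STORED = {}     # record id -> stored record (masked card number plus token, never the PAN)
AUDIT_LOG = []  # Requirement 10: who touched which record, when, and whether it was allowed


class FormRejected(ValueError):
    pass


def _norm(key):
    return key.lower().replace("_", "").replace(" ", "").replace("-", "")


def validate_submission(form):
    """Return the reasons a form cannot be filed; an empty list means it can."""
    reasons = []
    for bad in sorted({_norm(k) for k in form} & FORBIDDEN_FIELDS):
        reasons.append(f"form carries a card verification code field ({bad}); remove it")
    missing = sorted(REQUIRED_FIELDS - set(form))
    if missing:
        reasons.append("missing fields: " + ", ".join(missing))
    pan = str(form.get("card_number", "")).replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        reasons.append("card number must be 13 to 19 digits")
    return reasons


def tokenize_with_processor(pan):
    """Stand-in for the token a payment processor returns (hypothetical)."""
    return "tok_" + secrets.token_hex(8)


def store_signed_form(form, actor):
    """Validate, keep only the retainable fields, and log the write."""
    reasons = validate_submission(form)
    if reasons:
        raise FormRejected("; ".join(reasons))
    pan = form["card_number"].replace(" ", "")
    record_id = "auth_" + secrets.token_hex(4)
    STORED[record_id] = {
        "cardholder_name": form["cardholder_name"],
        "billing_address": form["billing_address"],
        "email": form["email"],
        "card_last4": pan[-4:],                      # enough to identify the card in a dispute
        "card_token": tokenize_with_processor(pan),  # the full PAN stays with the processor
        "expiry": form["expiry"],
        "amount": form["amount"],
        "schedule": form["schedule"],
        "description": form["description"],
        "signed_at": form["signed_at"],              # e-signature audit trail is retained
        "signer_ip": form["signer_ip"],
    }
    _audit("write", record_id, actor, allowed=True)
    return record_id


def can_read(role):
    return role in ALLOWED_ROLES


def read_record(record_id, actor, role):
    """Every read attempt is logged, including the denied ones."""
    allowed = can_read(role)
    _audit("read", record_id, actor, allowed)
    if not allowed:
        raise PermissionError(f"{actor} ({role}) may not read cardholder data")
    return dict(STORED[record_id])


def _audit(action, record_id, actor, allowed):
    AUDIT_LOG.append({"ts": dt.datetime.now(dt.timezone.utc).isoformat(),
                      "action": action, "record": record_id, "actor": actor, "allowed": allowed})


def holds_forbidden_data(record):
    """Spot check for stored records: no verification code field and no full card number."""
    if {_norm(k) for k in record} & FORBIDDEN_FIELDS:
        return True
    return any(isinstance(v, str) and v.replace(" ", "").isdigit()
               and len(v.replace(" ", "")) >= 13 for v in record.values())


if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a well-known test number, not a real account.
    sample = {
        "cardholder_name": "Jane Q. Doe", "billing_address": "1 Example St, Springfield, XX 00000",
        "email": "jane@example.com", "card_number": "4111 1111 1111 1111", "expiry": "12/27",
        "amount": "350.00", "schedule": "monthly, 1st of each month",
        "description": "Monthly bookkeeping retainer per engagement dated 2026-01-10",
        "signed_at": "2026-01-10T15:04:05Z", "signer_ip": "203.0.113.7",
    }
    rid = store_signed_form(sample, actor="alice")
    print(read_record(rid, "alice", "billing_admin"))
    print(validate_submission(dict(sample, cvv="123")))
```

The point of `holds_forbidden_data` is that it can be run over an existing archive of filed records as a periodic check; a hit means a form with a CVV field, or a full card number in a free-text field, got past intake and needs to be purged.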
Non-compliance fines are imposed by acquiring banks and escalate with time: $5,000 to $10,000 per month in the first quarter, rising to $25,000 to $50,000 per month between months four and six, and up to $100,000 per month beyond that, according to compliance sources including Clone Systems and Compyl. At the lower end, the cost of a non-compliance period can exceed the cost of building a compliant process.
Manual data entry errors and system integration
The authorization form captures card details. Someone still has to enter those details into a payment processor before the charge can execute. Every manual transcription is an error opportunity: a transposed digit in the card number, an expiration date entered incorrectly, a name that does not match the card record. Each error results in a declined transaction and a follow-up conversation with the client.
Authorization form data also lives outside your billing system unless someone manually enters it. That disconnection means your payment records and your authorization records are two separate files that need to be cross-referenced. For firms billing 40 or 50 recurring clients, that cross-referencing is a monthly administrative task with no upside.
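The three transcription errors named above can be caught before the processor is called and the client has to be contacted. The following is an added example, not code from this article, of the pre-submission checks a firm could run on manually entered details: the Luhn check digit that every major card number carries (it rejects any single mistyped digit and nearly every adjacent transposition), a check that the expiration month has not passed, and a comparison of the name on the card against the signed form. The entry dict and field names are assumptions; the card numbers in the usage section are well-known test numbers, not real accounts.

```python
"""Checks on manually transcribed card details before they go to a processor.

Added example; not the article's code. Field names are assumptions.
"""
import datetime as dt
import re


def luhn_valid(pan):
    """Luhn check digit (ISO/IEC 7812). Catches any single wrong digit and every
    adjacent transposition except 09 <-> 90. Non-digits (spaces, dashes) are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_valid(expiry, today_iso=None):
    """Accept MM/YY or MM/YYYY; a card is usable through the last day of its expiry month.
    today_iso (YYYY-MM-DD) pins the reference date; it defaults to the current date."""
    m = re.fullmatch(r"\s*(\d{2})\s*/\s*(\d{2}|\d{4})\s*", expiry)
    if not m:
        return False
    month, year = int(m.group(1)), int(m.group(2))
    if year < 100:
        year += 2000
    if not 1 <= month <= 12:
        return False
    today = dt.date.fromisoformat(today_iso) if today_iso else dt.date.today()
    if month == 12:
        end_of_month = dt.date(year, 12, 31)
    else:
        end_of_month = dt.date(year, month + 1, 1) - dt.timedelta(days=1)
    return end_of_month >= today


def _normalize_name(name):
    """Lowercase, drop punctuation, collapse whitespace so 'Jane Q. Doe' == 'jane q doe'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())


def check_transcription(entry, name_on_signed_form, today_iso=None):
    """Return a list of problems with a typed-in entry; empty means it can be submitted."""
    problems = []
    pan = entry["card_number"].replace(" ", "").replace("-", "")
    if not pan.isdigit():
        problems.append("card number contains non-digit characters")
    elif not luhn_valid(pan):
        problems.append("card number fails the Luhn check: likely a mistyped or transposed digit")
    if not expiry_valid(entry["expiry"], today_iso):
        problems.append("expiration date is malformed or already past")
    if _normalize_name(entry["name_on_card"]) != _normalize_name(name_on_signed_form):
        problems.append("name on card does not match the name on the signed form")
    return problems


if __name__ == "__main__":
    # Constructed entries. The second one has the first two digits transposed.
    good = {"card_number": "4111 1111 1111 1111", "expiry": "12/27", "name_on_card": "Jane Q. Doe"}
    typo = {"card_number": "1411 1111 1111 1111", "expiry": "01/26", "name_on_card": "J. Doe"}
    print(check_transcription(good, "jane q doe", today_iso="2026-01-15"))
    print(check_transcription(typo, "Jane Q. Doe", today_iso="2026-02-01"))
```

The Luhn check is a transcription check, not a fraud check: a number that passes may still be declined, but a number that fails is guaranteed wrong, so it never needs to be sent to the processor.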
Chargeback risk without a signed form
Merchants win only 20-30% of chargeback disputes overall. When a client disputes a charge claiming they did not authorize it, the primary evidence card networks expect is documented proof of cardholder consent.
A signed authorization form is that proof. Without it, the dispute relies on whatever secondary documentation exists: the engagement letter, email correspondence, any record of the billing relationship. That secondary evidence can work. It is not as clean as a signed form, and it puts the firm in the position of reconstructing consent rather than presenting it.
79% of merchants reported experiencing friendly fraud in 2024, up from 34% in 2023, according to Justt.ai. Friendly fraud, where a client disputes a legitimate charge claiming it was unauthorized, is precisely the scenario a signed authorization form defends against. The trend is moving in the wrong direction for businesses not keeping authorization documentation current.
How to send a credit card authorization form
There are four common ways to deliver a credit card authorization form to a client, and they carry meaningfully different compliance risk. For professional services businesses billing recurring retainers, one approach is clearly preferable, and it is not the one most businesses currently use.
Email vs. secure online form
Sending a PDF authorization form by email is the most common delivery method. It is also the highest-risk option.
When you email a PDF containing card details, that form travels through email infrastructure and comes to rest in both parties' inboxes, where it may sit indefinitely. The card data is now stored in at least two email systems, yours and the client's, neither of which is a PCI DSS-compliant storage environment.
For recurring billing, a secure online form is not a nice-to-have. It is the compliant alternative to email delivery. Platforms that collect card data via encrypted submission, tokenize it at entry, and never route it through email are the appropriate infrastructure for ongoing authorization.
Embedding authorization in a digital proposal
The cleanest delivery method for professional services firms is to eliminate the separate form entirely by embedding payment authorization in the proposal or engagement agreement signing flow. The client signs the scope of work and authorizes their payment method in one step.
This creates a single documented record connecting scope agreement and payment authorization. The signing event is timestamped, IP-logged, and tied directly to the proposal the client agreed to. It is a stronger evidentiary record than a standalone PDF precisely because it links the payment authorization to the agreed scope, not a separate document that must be cross-referenced.
Anchor builds payment authorization directly into the proposal workflow. When a client signs an Anchor agreement, they connect their payment method, ACH or credit card, at the same step. The authorization is embedded in the signing flow, not sent as a separate document. Ignition handles a similar combined proposal-and-payment flow for accounting firms. HoneyBook offers this for creative agencies.
Getting a legally valid electronic signature
Electronic signatures are legally valid for commercial transactions in the US under the Electronic Signatures in Global and National Commerce Act (ESIGN Act, 2000) and the Uniform Electronic Transactions Act (UETA), adopted in 49 states.
What constitutes a valid e-signature for authorization purposes:
- A typed name or drawn signature captured via a dedicated signature platform (DocuSign, Dropbox Sign, PandaDoc), which logs the signing event with timestamp and IP address
- A checkbox acknowledgment within a proposal or agreement platform that includes a full audit trail
What does not constitute a valid e-signature:
- A name typed in the body of an email, with no platform logging the signing event
- A scanned wet signature pasted into a Word document, with no authentication record and no tamper detection
What to retain: the signed document, the signing timestamp, the IP address associated with the signing event, and the email address of the signer. E-signature platforms generate this audit trail automatically.
79% of agreements are signed within 24 hours when using e-signature platforms, according to Certinal's 2025 eSignature market research, compared to the days or weeks that physical form collection typically requires. For a firm onboarding 30 new clients per year, that difference is material in both cycle time and the number of follow-up reminders the team does not have to send.
Beyond the template: automating credit card authorization
The templates in this article are a compliant starting point for any firm that needs a manual authorization process in place today. They cover the required fields, the authorization language, and the CVV compliance note.
The manual form workflow carries structural costs that a better template does not fix: a separate document to send, track, and store; a manual entry step to get card data into a payment processor; compliance exposure every time a form sits in an email inbox. Those costs are inherent to the approach, not to any particular template design.
Built-in authorization at the point of signing
The structural alternative is to move payment authorization upstream, into the proposal, rather than treating it as a separate step that follows agreement.
When authorization is embedded in the engagement, the client signs once. They see the scope, the billing terms, and the payment method connection in one workflow. There is no second form, no follow-up email, no separate tracking. The authorization is part of the agreement record, not a standalone document that needs to be cross-referenced later.
Anchor works this way: the agreement and the payment method are captured in a single client action. Once the agreement is active, billing executes automatically on the schedule defined in the proposal without further action required from the firm or the client.
From proposal to automated payment in one step
For firms currently billing on monthly retainers, the manual form process typically runs five steps: send the engagement letter, wait for it back, send the authorization form, wait for it back, manually enter card details and set up the recurring charge. Four of those five steps require client action.
The proposal-to-payment model collapses this to one client action: sign the proposal and connect the payment method. Everything after that is automated. No card entry to do manually. No authorization record to file separately. No form to track.
Security, tokenization, and PCI compliance
In an integrated proposal-to-payment system, the business never handles raw card data. The client enters their details directly into the payment processor's secure environment. The processor tokenizes the data at entry; the business receives a token reference, not the card number. PCI compliance is managed at the platform level.
For a solo bookkeeper or a small CPA firm, that shift removes a significant operational obligation: no encrypted storage to manage, no access control policy to document, no card data audit trail to maintain manually.
Frequently asked questions
Is a credit card authorization form legally binding?
Yes, when it contains the required elements. A signed authorization form is a legally binding document for commercial transactions when it includes the cardholder's name, the business name, the authorized amount or billing schedule, and a clear authorization statement with signature. Electronic signatures are valid under the ESIGN Act and UETA for this purpose. A form missing the authorization statement, or using language too vague to identify what was specifically agreed, may not hold up in a dispute even if it was signed.
Can you store credit card information on an authorization form?
Card numbers and expiration dates can be stored if encrypted and access-restricted per PCI DSS v4.0.1 Requirement 3. CVV security codes cannot be stored after the authorization process is complete under any circumstances. The PCI Security Standards Council is explicit: "The requirement that prohibits retaining sensitive authentication data after authorization applies even if that data is encrypted." If your current authorization form has a CVV field and you are storing completed forms, remove that field. The compliance violation occurs at the point of storage, not at the point of collection.
What is the difference between a one-time and a recurring authorization form?
A one-time authorization form documents consent for a single charge of a specific amount on a specific date. A recurring authorization form documents consent for ongoing charges on a defined schedule until the cardholder provides cancellation notice. The recurring version requires additional fields (billing frequency, first billing date, cancellation notice terms) and an authorization statement that explicitly covers future charges. Using a one-time form for a recurring billing arrangement creates an authorization gap: the client consented to one charge, not a schedule.
Does a credit card authorization form need to be signed in person?
No. Electronic signatures are legally valid for credit card authorization forms in US commercial contexts under the ESIGN Act. The standard is authentication, not physical presence: the signing platform must log the event with a timestamp and IP address. A name typed in the body of an email does not meet this standard; there is no authenticated record of the signing event. Platforms like DocuSign, Dropbox Sign, and PandaDoc create ESIGN-compliant audit trails automatically.
The form is not the hard part. A compliant template takes less than an hour to set up.
The hard part is the workflow the form lives inside: how it gets to the client, what happens to the card data after it is returned, who has access to it, and whether anyone is cross-referencing authorization records against the billing system each month. Firms that run clean billing operations are not the ones with the best-designed forms. They are the ones who moved the authorization question upstream, into the moment the client agrees to the engagement, before the first invoice ever goes out.
See how Anchor handles authorization from proposal to payment: sayanchor.com/features
