Opt-4’s Jenny Moseley gives her expert view on data protection issues relating to credit card information
Is fair to store credit card information, if it is only used once at the point of purchase (not for subscription or recurring billing).
Is retaining the confidential credit card data after the clearing house has responded at the time of purchase allowed and even advisable?
Given high profile instances of information theft, internet users and site owners are much more aware of the possible security risks. The question raises an issue of good data practice as much as it does a legal issue.
Website operators are responsible for the security of the processing of personal data which they undertake. Under European data protection guidelines they must adopt appropriate technical and organisational measures to protect personal data which would include credit card information.
Website owners need to be particularly careful when obtaining and storing credit card information. In the UK, storage for an extended period beyond the transaction date may well be regarded as a breach of the Fifth data protection principle which says that,
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
The Information Commissioner’s Office advises that website operators must obtain information is a way that is sufficiently secure recommending secure, encryption based transmission. In reality, personal data that are in any way sensitive or otherwise pose a risk to individuals and should not be held on a website server or, if they are, should be properly secured by encryption or similar techniques.
Whilst credit card information is not in the classes of “sensitive data” covered in the European Data Protection Directive, it is clear that this sort of information poses a real threat to individuals if it is abused and, if retained, should be carefully guarded.