
On the case - September 2005


What are the rules regarding storage of credit card information within an ecommerce application?


This is a question from a worried website owner who wants to know whether it is fair to store this information, if it is only used once at the point of purchase (not for subscription or recurring billing).


He also wonders if retaining the sensitive credit card data after the clearing house has responded at the time of purchase is allowed and even advisable as he has not been authorised to use this information for any other purpose; he thinks retaining it presents a significant security headache for him and an unnecessary risk to the user.





Given the recent high-profile instances of information theft, internet users and site owners are much more aware of the possible security risks. The question raises an issue of good data practice as much as it does a legal issue.


Website operators are responsible for the security of the processing of personal data which they undertake. Under European data protection guidelines, they must adopt appropriate technical and organisational measures to protect personal data, which would include credit card information. Most other data protection laws also cover this area.


Website owners need to be particularly careful when obtaining and storing credit card information. In the UK, storage for an extended period beyond the transaction date may well be regarded as a breach of the Fifth data protection principle which says that,


"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."


The Information Commissioner's Office advises that website operators must obtain information in a way that is sufficiently secure, recommending secure, encryption-based transmission. The Office also recognises the enhanced threat posed once the data is decrypted and held on a website operator's server. The advice goes on to say:


"Personal data that are in any way sensitive or otherwise pose a risk to individuals should not be held on a website server or, if they are, should be properly secured by encryption or similar techniques"


Whilst credit card information is not in the classes of “sensitive data” covered in the European Data Protection Directive, it is clear that this sort of information poses a real threat to individuals if it is abused and, if retained, should be carefully guarded.


Further information is available at
