On the case - September 2005September 2005
This is a question from a worried website owner who wants to know whether it is fair to store this information, if it is only used once at the point of purchase (not for subscription or recurring billing).
He also wonders if retaining the sensitive credit card data after the clearing house has responded at the time of purchase is allowed and even advisable as he has not been authorised to use this information for any other purpose; he thinks retaining it presents a significant security headache for him and an unnecessary risk to the user.
Given the recent high profile instances of information theft, internet users and site owners are much more aware of the possible security risks. The question raises an issue of good data practice as much as it does a legal issue.
Website operators are responsible for the security of the processing of personal data which they undertake. Under European data protection guidelines they must adopt appropriate technical and organisational measures to protect personal data which would include credit card information. Most other data protection laws cover this area also.
Website owners need to be particularly careful when obtaining and storing credit card information. In the UK, storage for an extended period beyond the transaction date may well be regarded as a breach of the Fifth data protection principle which says that,
"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."
The Information Commissioner's Office advises that website operators must obtain information is a way that is sufficiently secure recommending secure, encryption based transmission. The Office also recognises the enhanced threat posed once the data is decrypted and held on a website operator's server. The advice goes on to say
"Personal data that are in any way sensitive or otherwise pose a risk to individuals should not be held on a website server or, if they are, should be properly secured by encryption or similar techniques"
Whilst credit card information is not in the classes of “sensitive data” covered in the European Data Protection Directive, it is clear that this sort of information poses a real threat to individuals if it is abused and, if retained, should be carefully guarded.
Further information is available at http://www.informationcommissioner.gov.uk
Other recent items: