Website operators are responsible for the security of the processing of personal data which they undertake. Under European data protection guidelines they must adopt appropriate technical and organisational measures to protect personal data which would include credit card information.
Website owners need to be particularly careful when obtaining and storing credit card information.
In the UK, storage for an extended period beyond the transaction date may well be regarded as a breach of the Fifth data protection principle which says that,
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
The Information Commissioner’s Office advises that website operators must obtain information is a way that is sufficiently secure recommending secure, encryption based transmission.
In reality, personal data that are in any way sensitive or otherwise pose a risk to individuals and should not be held on a website server or, if they are, should be properly secured by encryption or similar techniques.
Whilst credit card information is not in the classes of “sensitive data” covered in the European Data Protection Directive, it is clear that this sort of information poses a real threat to individuals if it is abused and, if retained, should be carefully guarded.
In order to be GDPR compliant , Payment Service Provider (PSP) must ensure that the personal data they process are:
Processed legally and appropriately and with a clear view of how the information will be used;
Collected for specified, explicit and legitimate purposes;
Relevant and limited to the respective purposes;
Accurate and kept up to date;
Retained for no longer than is necessary for the relevant purposes;
Only processed if the data are kept appropriately secure.
Furthermore, PSP should
Review all of their data-processing activities and keep verifiable records of these activities;
Ensure that they have implemented appropriate technical and organisational measures to adequately protect the security of the personal data of their clients (‘data protection by design and by default’);
Ensure compliance with the ‘accountability principle’ and cooperate with the relevant supervisory authority where appropriate;
Ensure that they have appropriate processes and templates in place for identifying, reviewing and promptly reporting data breaches to the relevant supervisory authority