Caute_cautim
Community Champion

Do credit cards have a privacy issue?

2 Replies
leroux
Community Champion

Website operators are responsible for the security of the processing of personal data which they undertake. Under European data protection guidelines they must adopt appropriate technical and organisational measures to protect personal data which would include credit card information.


Website owners need to be particularly careful when obtaining and storing credit card information.

In the UK, storage for an extended period beyond the transaction date may well be regarded as a breach of the Fifth data protection principle which says that,

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

The Information Commissioner’s Office advises that website operators must obtain information in a way that is sufficiently secure, recommending secure, encryption-based transmission.

In reality, personal data that are in any way sensitive or otherwise pose a risk to individuals should not be held on a website server or, if they are, should be properly secured by encryption or similar techniques.

Whilst credit card information is not in the classes of “sensitive data” covered in the European Data Protection Directive, it is clear that this sort of information poses a real threat to individuals if it is abused and, if retained, should be carefully guarded.

leroux
Community Champion

In order to be GDPR compliant, a Payment Service Provider (PSP) must ensure that the personal data they process are:

  • Processed legally and appropriately and with a clear view of how the information will be used;
  • Collected for specified, explicit and legitimate purposes;
  • Relevant and limited to the respective purposes;
  • Accurate and kept up to date;
  • Retained for no longer than is necessary for the relevant purposes;
  • Only processed if the data are kept appropriately secure.

Furthermore, a PSP should:

  • Review all of their data-processing activities and keep verifiable records of these activities;
  • Ensure that they have implemented appropriate technical and organisational measures to adequately protect the security of the personal data of their clients (‘data protection by design and by default’);
  • Ensure compliance with the ‘accountability principle’ and cooperate with the relevant supervisory authority where appropriate;
  • Ensure that they have appropriate processes and templates in place for identifying, reviewing and promptly reporting data breaches to the relevant supervisory authority.