
What's the law on websites holding card details?

Old 06-02-2007, 2:45 PM   #1

I've been going through some shopping websites removing my card details from them because I no longer use the sites. I managed to delete my card from a few until I got to a certain one which I won't name. They had no option on the site to remove my details, so I emailed them to which they replied asking why I wanted to take my details off. I explained I was removing my card from some websites. The reply I got was:

Quote:
Hi,

Your card is secure with us.

By law we have to keep all transactions details for 6 years therefore we
can't really cancel your details

Sorry I can't help you at this time

Regards

If that's the case, how come I can easily remove my details from other sites? I thought it was illegal for anyone to hold card details without my permission.
Old 06-02-2007, 2:47 PM   #2
Singh400

Tell them to link you to the law that requires this.
Old 06-02-2007, 2:52 PM   #3
Paul_HDLover

My understanding is that all information a company holds on you, including your original application for services (which would subsequently include your bank details), must be held for a period of 6 years before being securely destroyed.

This is for audit purposes and must be satisfied by law.

The other companies may have allowed you to delete your details, but they are still held historically I reckon, and will remain in this state for 6 years.

The thing with systems is that just because you can't see it anymore by no means confirms it isn't there, as more often than not it's all recorded and archived.
Old 06-02-2007, 3:28 PM   #4
Mr_Wistles

Quote:
Originally Posted by Paul_HDLover View Post
The thing with systems is that just because you can't see it anymore by no means confirms it isn't there, as more often than not it's all recorded and archived.
This is my understanding also.

I don't store card details, but the banks I use do; I, however, cannot see them.
Old 06-02-2007, 3:33 PM   #5
pixelpixel

Quote:
Originally Posted by Paul_HDLover View Post
My understanding is that all information a company holds on you, including your original application for services (which would subsequently include your bank details), must be held for a period of 6 years before being securely destroyed.

This is for audit purposes and must be satisfied by law.

The other companies may have allowed you to delete your details, but they are still held historically I reckon, and will remain in this state for 6 years.

The thing with systems is that just because you can't see it anymore by no means confirms it isn't there, as more often than not it's all recorded and archived.
Yes, correct: the details are removed from public view, but for audit reasons you're another number they need to store.

Have a look at http://www.out-law.com/page-431
Old 06-02-2007, 3:57 PM   #6

My company (Amadeus) is currently undergoing a PCI (Payment Card Industry) audit. This is driven mainly by the large credit card companies such as Visa, Mastercard, Amex etc, but covers all forms of payment cards.

You can check out a bit more about it here if you're interested: https://www.pcisecuritystandards.org/ but basically we have to justify to a team of independent authorised auditors (Deloitte Touche in our case) why we store payment card details, how we protect them, how we control access etc. In many cases we are being forced to change processes because they fall foul of the PCI standards. They are very thorough, and whilst they might not be so vigilant on a smaller company, they have the ability to prevent us accepting payment via card if we fail to satisfy the auditors. This would be disastrous to most businesses today, as you can imagine.

Some of the requirements do conflict with national laws to keep financial data for certain periods of time, but where this is the case, the security of the data is even more paramount.

Whilst I'd prefer no-one kept my credit card details, I think in this day and age that's not really practical, but I do think this initiative will make that data as secure as it can be.
Old 06-02-2007, 3:59 PM   #7

Thanks for clearing things up.

I don't mind them keeping details for audits. But it's the "removed from public view" bit that I've got problems with. Are audit details kept online?

I was sent another email saying "Will be easy and simple cancel the card and will be more secure for you". I don't want to cancel my card. They then said if I was worried I shouldn't bother to ever buy anything online.

Last edited by BrokenArrow; 06-02-2007 at 4:02 PM.
Old 06-02-2007, 4:03 PM   #8
Paul_HDLover

Quote:
Originally Posted by BrokenArrow View Post
I don't mind them keeping details for audits. But it's the "removed from public view" bit that I've got problems with. Are audit details kept online?

I was sent another email saying "Will be easy and simple cancel the card and will be more secure for you". I don't want to cancel my card. They then said if I was worried I shouldn't bother to ever buy anything online.
Talking generally (as I don't know what company it is you are dealing with): websites talk to databases. In the easiest way possible to explain a typical web application, when you buy something and are already a member, the website will display your current data. If you have cancelled your account or card, using your example, when you log into your account you see no details. Your details will however still exist on the database, but with a flag set showing your details as historic. This means when you pull a page requesting to see your details, it omits any data where this historic flag is set.

Sometimes this data is held in the same table; sometimes archived data is held in separate secure tables. In any case the environment is highly secure, with only select DBAs allowed access, and even then their actions are traced.

Hope this gives you an idea of how your information is being looked after.
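The historic-flag pattern described in this post, as an added illustration that is not code from the post or from any company named in the thread. It assumes a hypothetical SQLite schema with constructed sample rows, and stores only a payment-provider token and the last four digits rather than a full card number or CV2; the customer-facing view omits flagged rows, the audit path still sees them, and every read or change is traced.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows: a provider token plus the last four digits only
# (this example never stores a full card number or the CV2).
SAMPLE_CARDS = [("cust-1001", "tok_a1b2c3", "4242", "12/2009"),
                ("cust-1001", "tok_d4e5f6", "0005", "03/2010"),
                ("cust-2002", "tok_g7h8i9", "1111", "06/2008")]

SCHEMA = """
CREATE TABLE cards (
    id          INTEGER PRIMARY KEY,
    customer_id TEXT NOT NULL,
    token       TEXT NOT NULL,   -- reference from the payment provider
    last4       TEXT NOT NULL,   -- masked; never the PAN, never CV2
    expiry      TEXT NOT NULL,
    historic    INTEGER NOT NULL DEFAULT 0,
    retired_at  TEXT);
-- Every read or change of card data is traced, as the post describes.
CREATE TABLE access_log (
    id INTEGER PRIMARY KEY, actor TEXT NOT NULL, action TEXT NOT NULL,
    customer TEXT NOT NULL, at TEXT NOT NULL);
-- The only thing the website reads: historic rows are omitted here.
CREATE VIEW customer_cards AS
    SELECT id, customer_id, last4, expiry FROM cards WHERE historic = 0;
"""

def _now():
    return datetime.now(timezone.utc).isoformat()

def _trace(db, actor, action, customer):
    db.execute("INSERT INTO access_log (actor, action, customer, at) "
               "VALUES (?, ?, ?, ?)", (actor, action, customer, _now()))

def build_db():
    """In-memory store in which 'deletion' means setting the historic flag."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cards (customer_id, token, last4, expiry) "
                   "VALUES (?, ?, ?, ?)", SAMPLE_CARDS)
    return db

def remove_card(db, customer_id, card_id):
    """The 'remove my card' action: flag the row, do not DELETE it.
    Returns True only if a live card belonging to this customer was retired."""
    cur = db.execute("UPDATE cards SET historic = 1, retired_at = ? "
                     "WHERE id = ? AND customer_id = ? AND historic = 0",
                     (_now(), card_id, customer_id))
    _trace(db, "website", "retire_card", customer_id)
    db.commit()
    return cur.rowcount == 1

def cards_seen_by_customer(db, customer_id):
    """What the account page shows: only rows the view exposes."""
    _trace(db, "website", "list_cards", customer_id)
    rows = db.execute("SELECT last4 FROM customer_cards WHERE customer_id = ? "
                      "ORDER BY id", (customer_id,)).fetchall()
    return [r[0] for r in rows]

def cards_seen_by_auditor(db, customer_id, auditor):
    """The audit path still sees retired rows, and the lookup is logged too."""
    _trace(db, auditor, "audit_cards", customer_id)
    rows = db.execute("SELECT last4, historic FROM cards WHERE customer_id = ? "
                      "ORDER BY id", (customer_id,)).fetchall()
    return [(r[0], bool(r[1])) for r in rows]

def access_trail(db, customer_id):
    """(actor, action) pairs recorded against this customer, oldest first."""
    return db.execute("SELECT actor, action FROM access_log WHERE customer = ? "
                      "ORDER BY id", (customer_id,)).fetchall()
```

Retiring a card that is already historic, or one that belongs to another customer, returns False but is still written to the access log, so the trail records attempts as well as successes.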
Old 06-02-2007, 4:19 PM   #9

Quote:
Originally Posted by BrokenArrow View Post
I've been going through some shopping websites removing my card details from them because I no longer use the sites. I managed to delete my card from a few until I got to a certain one which I won't name. They had no option on the site to remove my details, so I emailed them to which they replied asking why I wanted to take my details off. I explained I was removing my card from some websites. The reply I got was:
If that's the case, how come I can easily remove my details from other sites? I thought it was illegal for anyone to hold card details without my permission.
Sure they keep transaction history. But that does not mean they are incapable of removing the C-C details from its 'on-line part'.
Of course, if they have a poorly designed and managed system (those pesky PFCSKs..) it may be more difficult... Those other sites may have better systems, but bearing in mind the number of off-the-shelf e-commerce solutions out there, it seems likely that the site in question has the same capabilities. (Name 'em; you will not be accusing them of anything, merely stating the facts of your customer experience.)

Sounds like the brush off to me...
Send 'em a data protection subject access request maybe...
Old 06-02-2007, 4:26 PM   #10

Quote:
Originally Posted by Paul_HDLover View Post
Talking generally (as I don't know what company it is you are dealing with): websites talk to databases. In the easiest way possible to explain a typical web application, when you buy something and are already a member, the website will display your current data. If you have cancelled your account or card, using your example, when you log into your account you see no details. Your details will however still exist on the database, but with a flag set showing your details as historic. This means when you pull a page requesting to see your details, it omits any data where this historic flag is set.

Sometimes this data is held in the same table; sometimes archived data is held in separate secure tables. In any case the environment is highly secure, with only select DBAs allowed access, and even then their actions are traced.

Hope this gives you an idea of how your information is being looked after.
You are right in that it should be done along those lines. Often when you look under the covers, though, the reality is not so well delineated (I have looked under a lot of covers...): prod data leaking into test, poor GRANTs, privilege escalation, expediency subverting good practice, etc.
Fact is that unless you look real close there is no way to tell. A surprising number of large (well-known) companies have dodgy practices. Heck, half of them are below average to start with.
Old 06-02-2007, 4:27 PM   #11
Paul_HDLover

A subject access request is essentially an audit, albeit usually from the client, but it can be instructed by other parties such as external auditors. It's due to SARs and the necessity to audit financial records that these details are held in the first place.
Old 06-02-2007, 4:45 PM   #12
pixelpixel

Quote:
Originally Posted by KeithO View Post
My company (Amadeus) is currently undergoing a PCI (Payment Card Industry) audit. This is driven mainly by the large credit card companies such as Visa, Mastercard, Amex etc, but covers all forms of payment cards.

You can check out a bit more about it here if you're interested: https://www.pcisecuritystandards.org/ but basically we have to justify to a team of independent authorised auditors (Deloitte Touche in our case) why we store payment card details, how we protect them, how we control access etc. In many cases we are being forced to change processes because they fall foul of the PCI standards. They are very thorough, and whilst they might not be so vigilant on a smaller company, they have the ability to prevent us accepting payment via card if we fail to satisfy the auditors. This would be disastrous to most businesses today, as you can imagine.

Some of the requirements do conflict with national laws to keep financial data for certain periods of time, but where this is the case, the security of the data is even more paramount.

Whilst I'd prefer no-one kept my credit card details, I think in this day and age that's not really practical, but I do think this initiative will make that data as secure as it can be.
Oh, forgot about this... I remember the fun and games. Good luck.
Old 06-02-2007, 5:02 PM   #13

Thanks for the info, everyone. They say ignorance is bliss, but knowing what I do now I'm not so peeved.
Quote:
Originally Posted by Steve.J.Davies View Post
(name 'em, you will not be accusing them of anything, merely stating the facts of your customer experience).
Nah, I just wanted to know what they were on about, not start a potential slagging off.
Old 06-02-2007, 5:18 PM   #14

As far as I'm aware, they have no right to hold your credit card details... They don't need them for any form of identification or anything, as whoever they submit your details to in order to take payment from your card (the bank) provides them with a unique reference that is used to trace this information if it's ever needed by auditors or the like.

You CAN ask them if they've got your CV2 data stored (the 3-digit number on your signature strip). If they have (which is illegal), or they have marked your card as "verified" (i.e. "they've supplied the CV2 number before, so we know they're legit"), you can ask them to un-mark your card, so no one who gets onto their system can use your card without re-providing the CV2 number.

Not all payment gateways take the CV2 number though, so this might not be of any help!
Old 06-02-2007, 5:45 PM   #15
Moderator
Steven

Interesting, OldAndSenile. Every site I shop on asks me to re-enter my CV2 number, implying to me that they don't store it. Amazon UK is the only site that never asks to double-check the details. I think I've only been asked to do so once in 6 months of purchases. Oh well!
Old 06-02-2007, 6:22 PM   #16

Quote:
Originally Posted by OldAndSenile View Post
As far as I'm aware, they have no right to hold your credit card details... They don't need them for any form of identification or anything, as whoever they submit your details to in order to take payment from your card (the bank) provides them with a unique reference that is used to trace this information if it's ever needed by auditors or the like.
It depends what you're buying. We absolutely need to keep the CC number, because we use it for verification when we issue e-tickets. Also a lot of people actually like vendors holding CC data because it saves them having to enter the data every time they buy off the site if they purchase regularly. I agree you should be able to prevent this if you want though.

But if you're worried about private data, don't ask me about the stuff we send the US Immigration Dept every time you fly to the States.
Old 06-02-2007, 7:35 PM   #17

Quote:
Originally Posted by KeithO View Post
It depends what you're buying. We absolutely need to keep the CC number, because we use it for verification when we issue e-tickets. Also a lot of people actually like vendors holding CC data because it saves them having to enter the data every time they buy off the site if they purchase regularly. I agree you should be able to prevent this if you want though.

But if you're worried about private data, don't ask me about the stuff we send the US Immigration Dept every time you fly to the States.
That's for identification purposes that you presumably clearly outline in your Terms and Conditions, though... If someone asked after their e-tickets were issued to have their details removed, would that be a problem?

I've worked for a few large internet-based retailers and whenever anyone has asked for their details to be removed, we've obliged. Auditors have never seemed to have a problem with it.

Besides, when you update credit card details, I doubt the retailer in question (from the original post) keeps a historical record of ALL your card changes from the past 6 years. If they don't, just change your card details to a load of gibberish.

If they start to play silly buggers with you, use the Data Protection Act to request a copy of all the details they hold about you on their system. That should annoy them enough for them to remove you from their system!
Old 06-02-2007, 7:40 PM   #18

Why not just update your card details on the site and put in any old crap?
Old 06-02-2007, 8:23 PM   #19

Quote:
Originally Posted by OldAndSenile View Post
That's for identification purposes that you presumably clearly outline in your Terms and Conditions, though... If someone asked after their e-tickets were issued to have their details removed, would that be a problem?
Not sure. I think the difficulty for the consumer would be in knowing who to ask. E.g. you might buy a ticket on BA from a travel agent, who issues you with an e-ticket. But it's not the travel agent, or even BA, who holds the CC data, but Amadeus, who the general public have probably never heard of. If you did ask, I guess it could be done, but I'm not aware of anyone ever asking.

Quote:
Originally Posted by OldAndSenile View Post
I've worked for a few large internet-based retailers and whenever anyone has asked for their details to be removed, we've obliged. Auditors have never seemed to have a problem with it.
I doubt our Auditors would either, although it's never been mentioned. The whole focus has been on keeping CC data we hold secure, not on letting the public know what we have and deleting it if asked.

Quote:
Originally Posted by OldAndSenile View Post
Besides, when you update credit card details, I doubt the retailer in question (from the original post) keeps a historical record of ALL your card changes from the past 6 years. If they don't, just change your card details to a load of gibberish.
Yeah, I doubt they do too, but you never know.

Quote:
Originally Posted by OldAndSenile View Post
If they start to play silly buggers with you, use the Data Protection Act to request a copy of all the details they hold about you on their system. That should annoy them enough for them to remove you from their system!
Getting more and more difficult, I'm afraid, as many companies doing business are not UK based. For example, we're based in Germany and not subject to the UK Data Protection Act (although in many respects the UK DP Act is deficient when compared to EU legislation).
Old 06-02-2007, 10:36 PM   #20

Aren't there about 17 pieces of relevant legislation in Germany?
Old 06-02-2007, 10:49 PM   #21
Paul_HDLover

Quote:
Originally Posted by LFC_SL View Post
Interesting, OldAndSenile. Every site I shop on asks me to re-enter my CV2 number, implying to me that they don't store it. Amazon UK is the only site that never asks to double-check the details. I think I've only been asked to do so once in 6 months of purchases. Oh well!
CVC is different. It's meant to be an additional security measure that convinces companies you are who you say you are, i.e. the card holder. So if someone else got into your Ladbrokes account, for instance, they wouldn't be able to do this. Particularly relevant on a shared / public computer. Amazon obviously aren't too worried about this, or have other measures in place to ensure they know who their customers are.
Old 07-02-2007, 10:09 AM   #22

Quote:
Originally Posted by Steve.J.Davies View Post
Aren't there about 17 pieces of relevant legislation in Germany?
I'd be surprised if it wasn't more like 170.