06-02-2007, 2:45 PM
#1
Member, Berkshire
What's the law on websites holding card details?
I've been going through some shopping websites removing my card details from them because I no longer use the sites. I managed to delete my card from a few until I got to a certain one which I won't name. They had no option on the site to remove my details, so I emailed them, to which they replied asking why I wanted to take my details off. I explained I was removing my card from some websites. The reply I got was:
Quote:
Hi,
Your card is secure with us.
By law we have to keep all transaction details for 6 years, therefore we can't really cancel your details.
Sorry I can't help you at this time.
Regards
If that's the case, how come I can easily remove my details from other sites? I thought it was illegal for anyone to hold card details without my permission.

06-02-2007, 2:47 PM
#2
Conspicuous Member, Earth
Re: What's the law on websites holding card details?
Tell them to link you to the law that requires this.
| |
06-02-2007, 2:52 PM
|
#3 (permalink)
| | Member
Join Date: Jan 2007 Location: Edinburgh
Posts: 323
Thanks: Gave 171, Got 77 | Re: What's the law on websites holding card details?
My understanding is that all information a company holds on you, including your original application for services, which would subsequently include your bank details, must be held for a period of 6 years before being securely destroyed.
This is for audit purposes and must be satisfied by law.
The other companies may have allowed you to delete your details, but they are still held historically, I reckon, and will remain in this state for 6 years.
The thing with systems is that just because you can't see it anymore by no means confirms it isn't there, as more often than not it's all recorded and archived.

06-02-2007, 3:28 PM
#4
Senior Member, Essex
Re: What's the law on websites holding card details?
Quote:
Originally Posted by Paul_HDLover
The thing with systems is that just because you can't see it anymore by no means confirms it isn't there, as more often than not it's all recorded and archived.

This is my understanding also.
I don't store card details, but the banks I use do; I, however, cannot see them.
| |
06-02-2007, 3:33 PM
|
#5 (permalink)
| | Veteran Member
Join Date: Jul 2005 Location: mickey marley's roundabout
Posts: 6,320
Thanks: Gave 811, Got 704 | Re: What's the law on websites holding card details? Quote:
Originally Posted by Paul_HDLover My understanding is that all information a company holds on you, including your original application for services, which would subsequently include your bank details must be held for a period of 6 years before being securely destroyed.
This is for audit purposes and must be satisfied by law.
The other companies may have allowed you to delete your details, but they are still held historically I reckon, and will remain in this state for 6 years.
The thing with systems is that just because you cant see it anymore, by no means confirms they arent there as more often than not its all recorded and archived. | Yes correct, the details are removed from public view but for audit reasons your another number they need to store.
Have a look at http://www.out-law.com/page-431
| |
06-02-2007, 3:57 PM
|
#6 (permalink)
| | Member
Join Date: May 2003 Location: Munich
Posts: 574
Thanks: Gave 19, Got 48 | Re: What's the law on websites holding card details?
My company (Amadeus) is currently undergoing a PCI (Payment Card Industry) audit. This is driven mainly by the large credit card companies such as Visa, Mastercard, Amex etc, but covers all forms of payment cards.
You can check out a bit more about it here if you're interested https://www.pcisecuritystandards.org/ but basically we have to justify to a team of independent authorised auditors (Deloitte Touche in our case) why we store payment card details, how we protect them, how we control access etc. In many cases we are being forced to change processes because they fall foul of the PCI standards. They are very thorough, and whilst they might not be so vigilant on a smaller company, they have the ability to prevent us accepting payment via card if we fail to satisfy the auditors. This would be disastrous to most businesses today, as you can imagine.
Some of the requirements do conflict with national laws to keep financial data for certain periods of time, but where this is the case, the security of the data is even more paramount.
Whilst I'd prefer no-one kept my credit card details, I think in this day and age that's not really practical, but I do think this initiative will make that data as secure as it can be.

06-02-2007, 3:59 PM
#7
Member, Berkshire
Re: What's the law on websites holding card details?
Thanks for clearing things up.
I don't mind them keeping details for audits. But it's the "removed from public view" bit that I've got problems with. Are audit details kept online?
I was sent another email saying "Will be easy and simple cancel the card and will be more secure for you". I don't want to cancel my card. They then said if I was worried I shouldn't bother to ever buy anything online.
Last edited by BrokenArrow; 06-02-2007 at 4:02 PM.

06-02-2007, 4:03 PM
#8
Member, Edinburgh
Re: What's the law on websites holding card details?
Quote:
Originally Posted by BrokenArrow
I don't mind them keeping details for audits. But it's the "removed from public view" bit that I've got problems with. Are audit details kept online?
I was sent another email saying "Will be easy and simple cancel the card and will be more secure for you". I don't want to cancel my card. They then said if I was worried I shouldn't bother to ever buy anything online.

Talking generally (as I don't know which company you are dealing with): websites talk to databases. In the easiest way possible to explain a typical web application, when you buy something and are already a member, the website will display your current data. If you have cancelled your account or card, using your example, when you log into your account you see no details. Your details will however still exist in the database, but with a flag set showing your details as historic. This means when you pull a page requesting to see your details, it omits any data where this historic flag is set.
Sometimes this data is held in the same table, sometimes archived data is held in separate secure tables. In any case the environment is highly secure, with only select DBAs allowed to access it, and even then their actions are traced.
Hope this gives you an idea of how your information is being looked after.

06-02-2007, 4:19 PM
#9
Senior Member
Re: What's the law on websites holding card details?
Quote:
Originally Posted by BrokenArrow
I've been going through some shopping websites removing my card details from them because I no longer use the sites. I managed to delete my card from a few until I got to a certain one which I won't name. They had no option on the site to remove my details, so I emailed them, to which they replied asking why I wanted to take my details off. I explained I was removing my card from some websites. The reply I got was:
If that's the case, how come I can easily remove my details from other sites? I thought it was illegal for anyone to hold card details without my permission.

Sure they keep transaction history. But that does not mean they are incapable of removing the C-C details from its 'on-line part'.
Of course if they have a poorly designed and managed system (those pesky PFCSKs..) it may be more difficult... Those other sites maybe have better systems, but bearing in mind the number of off-the-shelf e-commerce solutions out there it seems likely that the site in question probably has the same capabilities. (Name 'em; you will not be accusing them of anything, merely stating the facts of your customer experience.)
Sounds like the brush off to me...
Send 'em a data protection subject access request maybe...

06-02-2007, 4:26 PM
#10
Senior Member
Re: What's the law on websites holding card details?
Quote:
Originally Posted by Paul_HDLover
Talking generally (as I don't know which company you are dealing with): websites talk to databases. In the easiest way possible to explain a typical web application, when you buy something and are already a member, the website will display your current data. If you have cancelled your account or card, using your example, when you log into your account you see no details. Your details will however still exist in the database, but with a flag set showing your details as historic. This means when you pull a page requesting to see your details, it omits any data where this historic flag is set.
Sometimes this data is held in the same table, sometimes archived data is held in separate secure tables. In any case the environment is highly secure, with only select DBAs allowed to access it, and even then their actions are traced.
Hope this gives you an idea of how your information is being looked after.

You are right in that it should be done along those lines. Often when you look under the covers, though, the reality is not so well delineated (have looked under a lot of covers...): prod data leaking into test, poor GRANTs, privilege escalation, expediency subverting good practice, etc.
Fact is that unless you look real close there is no way to tell. A surprising number of large (well known) companies have dodgy practices. Heck, half of them are below average to start with.
| |
06-02-2007, 4:27 PM
|
#11 (permalink)
| | Member
Join Date: Jan 2007 Location: Edinburgh
Posts: 323
Thanks: Gave 171, Got 77 | Re: What's the law on websites holding card details?
A Subject access request is essentially an audit albeit usually from the client, but can be instructed by other parties such as external auditors. Its due to SAR's and the necessity to audit financial records, that these details are held in the first place.

06-02-2007, 4:45 PM
#12
Veteran Member, mickey marley's roundabout
Re: What's the law on websites holding card details?
Quote:
Originally Posted by KeithO
My company (Amadeus) is currently undergoing a PCI (Payment Card Industry) audit. This is driven mainly by the large credit card companies such as Visa, Mastercard, Amex etc, but covers all forms of payment cards.
You can check out a bit more about it here if you're interested https://www.pcisecuritystandards.org/ but basically we have to justify to a team of independent authorised auditors (Deloitte Touche in our case) why we store payment card details, how we protect them, how we control access etc. In many cases we are being forced to change processes because they fall foul of the PCI standards. They are very thorough, and whilst they might not be so vigilant on a smaller company, they have the ability to prevent us accepting payment via card if we fail to satisfy the auditors. This would be disastrous to most businesses today, as you can imagine.
Some of the requirements do conflict with national laws to keep financial data for certain periods of time, but where this is the case, the security of the data is even more paramount.
Whilst I'd prefer no-one kept my credit card details, I think in this day and age that's not really practical, but I do think this initiative will make that data as secure as it can be.

Oh, forgot about this... I remember the fun and games. Good luck.
| |
06-02-2007, 5:02 PM
|
#13 (permalink)
| | Member
Join Date: Sep 2006 Location: Berkshire
Posts: 666
Thanks: Gave 74, Got 64 | Re: What's the law on websites holding card details?
Thanks for the info, everyone. They say ignorance is bliss, but knowing what I do now I'm not so peeved. Quote:
Originally Posted by Steve.J.Davies (name 'em, you will not be accusing them of anything, merely stating the facts of your customer experience). | Nah, I just wanted to know what they were on about, not start a potential slagging off.

06-02-2007, 5:18 PM
#14
Member
Re: What's the law on websites holding card details?
As far as I'm aware, they have no right to hold your credit card details... They don't need them for any form of identification or anything, as whoever they submit your details to to take payment from your card (the bank) provides them with a unique reference that is used to trace this information if it's ever needed by auditors or the like.
You CAN ask them if they've got your CV2 data stored (the 3-digit number on your signature strip). If they have (which is illegal), or they have marked your card as "verified" (i.e. "they've supplied the CV2 number before, so we know they're legit"), you can ask them to un-mark your card, so no-one who gets onto their system can use your card without re-providing the CV2 number.
Not all payment gateways take the CV2 number though, so this might not be of any help!
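Added example, not posted by anyone in this thread: the two storage designs discussed above, side by side, in Python with SQLite. Scheme A is the "historic flag" design post #8 describes: the full card number stays in the table and the account page just filters flagged rows out, so anyone who can run SELECT against the table (the DBAs post #8 mentions, or the prod-data-in-test and poor GRANTs post #10 mentions) still sees it. Scheme B is the design post #14 points at: the shop keeps only the payment gateway's reference and the last four digits, so "remove my card" really removes everything worth stealing while the transaction references an audit trail needs are kept. The scan_for_pans function is the check an auditor would run to find out which design a database actually uses: every column of every table is read and any 13-19 digit run that passes the Luhn check is reported, whatever the application's flags say. Table layouts, the gateway reference strings and the sample rows are constructed for this example; the card number is the well-known 4111 1111 1111 1111 test number.

```python
import re
import sqlite3

# Constructed sample values for the example. 4111111111111111 is the
# well-known Visa test number, not anyone's real card.
SAMPLE_PAN = "4111111111111111"
CUSTOMER = 42


def luhn_ok(digits):
    """Luhn checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_for_pans(conn):
    """PAN discovery: read every column of every table and report each
    13-19 digit run that passes Luhn as (table, column, number)."""
    pattern = re.compile(r"\d{13,19}")
    found = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info('{table}')")]
        for col in cols:
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                for run in pattern.findall(str(value)):
                    if luhn_ok(run):
                        found.append((table, col, run))
    return found


# Scheme A: soft delete with a 'historic' flag (the design post #8 describes).

def soft_delete_shop():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer_id INTEGER, pan TEXT, "
                 "expiry TEXT, historic INTEGER NOT NULL DEFAULT 0)")
    conn.execute("INSERT INTO cards (customer_id, pan, expiry) VALUES (?, ?, ?)",
                 (CUSTOMER, SAMPLE_PAN, "12/09"))
    return conn


def account_page_cards(conn, customer_id):
    """What the customer's account page shows: flagged rows are filtered out."""
    return [r[0] for r in conn.execute(
        "SELECT pan FROM cards WHERE customer_id = ? AND historic = 0",
        (customer_id,))]


def remove_card_soft(conn, customer_id):
    """'Remove my card' in scheme A only flips the flag; the PAN stays put."""
    conn.execute("UPDATE cards SET historic = 1 WHERE customer_id = ?",
                 (customer_id,))


# Scheme B: keep the gateway's reference, not the card (the design post #14
# points at). The gateway_ref / gateway_txn string formats are made up.

def tokenised_shop():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer_id INTEGER, gateway_ref TEXT, "
                 "last4 TEXT, expiry TEXT)")
    conn.execute("CREATE TABLE orders (customer_id INTEGER, gateway_txn TEXT, "
                 "amount_pence INTEGER)")
    return conn


def store_card_tokenised(conn, customer_id, pan, expiry, gateway_ref):
    """The full PAN went to the gateway; only its reference and the last
    four digits (for display) are written to the shop's own database."""
    conn.execute("INSERT INTO cards VALUES (?, ?, ?, ?)",
                 (customer_id, gateway_ref, pan[-4:], expiry))


def record_order(conn, customer_id, gateway_txn, amount_pence):
    """The transaction reference is all a multi-year audit trail needs."""
    conn.execute("INSERT INTO orders VALUES (?, ?, ?)",
                 (customer_id, gateway_txn, amount_pence))


def remove_card_hard(conn, customer_id):
    """'Remove my card' in scheme B deletes the row; orders are untouched."""
    conn.execute("DELETE FROM cards WHERE customer_id = ?", (customer_id,))


def demo():
    """Put both schemes through 'remove my card' and report what is left."""
    a = soft_delete_shop()
    remove_card_soft(a, CUSTOMER)
    b = tokenised_shop()
    store_card_tokenised(b, CUSTOMER, SAMPLE_PAN, "12/09", "tok_8f3a9c")
    record_order(b, CUSTOMER, "txn_20070206_0001", 1999)
    remove_card_hard(b, CUSTOMER)
    return {
        "soft_delete_customer_sees": account_page_cards(a, CUSTOMER),
        "soft_delete_pans_in_db": scan_for_pans(a),
        "tokenised_pans_in_db": scan_for_pans(b),
        "tokenised_orders_kept": b.execute(
            "SELECT COUNT(*) FROM orders").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints what each scheme leaves behind once the card is "removed": in scheme A the account page shows nothing while the scan still finds a Luhn-valid card number in the table, in scheme B the scan finds nothing and the order history survives. The same scan is worth running against test and backup copies of a real database, since that is where post #10's "prod data leaking into test" turns up.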

06-02-2007, 5:45 PM
#15
Moderator
Re: What's the law on websites holding card details?
Interesting OldAndSenile. Every site I shop on asks me to re-enter my CV2 number, implying to me that they don't store it. Amazon UK are the only site that never asks to double check the details. I think I've only been asked to do so once in 6 months of purchases. Oh well!