Is it illegal to keep credit card details

eggheadriding1

Hi

Is it illegal for a hotel to keep guests credit card details written in a diary??

RuthnJasper

I would have thought so - if the diary is kept in a general area, like on the reception desk. If the diary was kept in a safe, to which only a few staff had access, it might be OK.

I expect someone more knowledgeable than me will be along to offer proper advice in a bit! x

suicidebob

I don't think there's much difference between storing it on a computer or in a manual diary. The general rule is that they should not hold onto your details for longer than is necessary.

MichaelCR

eggheadriding1 wrote: »

Hi

Is it illegal for a hotel to keep guests credit card details written in a diary??

I'm sure i wouldn't want my details being held in a diary !

It may not be illegal if the cardholder has given the details to you, And you have made them aware that they will be stored. But its certainly unethical and provides quite a high security risk if it where to get into the wrong hands.

Most places use computers with secure systems where the card details are kept on file, However you only can see the last 4 digits of the card number.

jd87

If you give them your card details then they can store the information in any way they want. As long as they don't deliberately pass it on to someone who may use it for illegal purposes then they have committed no crime. If they were burgled and someone stole it, then you may have a civil case against them for not protecting your data more, but still there would be no criminal case for them to answer.

If the card data also includes your name and address then this counts as personal data and the Data Protection Act applies. In this case they do have legal obligations to protect your data and keeping it in a diary is probably not very appropriate, but I still wouldn't say it is illegal.

briankelleher

At my work, if our computer system goes down we do everything on paper, if it's down for a few days like it was recently, that can be over 1000 credit card details (along with name, address, DOB etc) all written on paper, scanned once a day and sent to india to be keyed into the system.

dunstonh

It's not illegal. As long as the data is secure then they are complying with the DPA.

chanz4

Its as safe as sonys ps3 network

thenudeone

jd87 wrote: »

If you give them your card details then they can store the information in any way they want.

This is completely untrue. You should do more research before posting your opinions as if they were fact.

The DPA (which you quote later in your post so you are aware of it) requires the following:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx

So an organisation CANNOT "store the information in any way they want"

A credit card number taken for the purpose of processing a payment through an automated system is clearly data; even if it is later stored manually in written form.

Whether their controls and procedures are adequate to comply with the DPA is difficult to say, but given the large number of staff in a hotel who may have access to such a book (whether they should have or not), I would suggest not.

jd87

thenudeone wrote: »

This is completely untrue. You should do more research before posting your opinions as if they were fact.

You obviously didn't read my post properly as you have just agreed with everything I said...

My point was "card details" on their own (card number, expiry, CVV, etc) are not personal data and the DPA does not apply.

As I said, if the data is personal data, then appropriate measures must be taken. I said that and you also said it.

HappyMJ

jd87 wrote: »

You obviously didn't read my post properly as you have just agreed with everything I said...

My point was "card details" on their own (card number, expiry, CVV, etc) are not personal data and the DPA does not apply.

As I said, if the data is personal data, then appropriate measures must be taken. I said that and you also said it.

I bet the details also have been stored with the customers name and address and with that a transaction can be made so it makes it subject to the DPA. I consider my credit card number to be personal details and expect it to be stored appropriately and certainly not in a handwritten diary. I would expect it to be stored securely. Is the diary locked in a safe each night to which only staff have access and whenever front desk staff leave their work station?