In message
<[log in to unmask]>, at
13:44:39 on Thu, 19 Oct 2006, Lee Gardiner <[log in to unmask]>
writes
>Not sure I agree that it is a breach, poor practice definitely but a breach?
Merchants are not allowed to keep a record of the 3-digit number on the
back. To do so would dilute its fraud-prevention potential.
>Given that the hotel has a degree of legitimacy in collecting the
>information in case the guest does a runner without paying (and having
>worked in the hospitality industry it is a common and growing occurrence) I
>would argue that there are grounds for processing.
Hotels routinely keep card numbers and accountholder names (so they have
information in the event of a moonlight flit). That's not the problem.
What's being objected to here is:
1) Keeping the 3-digit number also (that's a specific issue with the
card company's T&C)
2) Keeping the data in an insecure place like a box on the reception
desk (that's a more general DPA issue).
>I do accept that there are security concerns but they are no different to
>buying concert tickets over the phone and giving the same information to a
>ticket agency. What is to say that the ticket agent isn't going to retain
>that info and then authorise a payment of £X to buy themselves tickets?
If the ticket agent refrains from keeping a record of the 3-digit
number, then it (the three-digit number) cannot *later* be used to
commit a fraud (either because the entire database is stolen, or a
dishonest person within the organisation misuses some of the data).
--
Roland Perry
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|