The slight flaw being as I understand it that most merchants will now no
longer process 'cardholder not present' transactions without the security
code as an anti fraud measure! Some merchants may not do this but my wife
runs a local box office as part of her day to day role and their merchant
asks for the security code in order to process the payment.

Assuming the hotel's merchant does the same then the hotel would be unable
to process any payment once the individual has done a runner. That said it
is entirely possible there may be some mechanism to get around this in
circumstances where a customer has left without paying but it would depend
on the specific merchant/hotel agreement.

Contravening the terms of any agreement between the merchant and the hotel
does not automatically render the processing unlawful.

I'm not saying that this isn't a problem (which it is) and that I condone
the hotel's practices but to arbitrarily say that there has been a breach of
the DPA doesn't consider the broader circumstances of the situation. 

As I said in my previous email, before Roland's judicious editing which
clearly ignored the best practice issues, it would be better practice for
the hotel to partially process a charge against the card for the cost of the
room which is then either fully processed when the guest checks out or does
a runner. Something done in several hotels I have stayed in.

I don't disagree with the security issues as my previous email clearly
states so I'm not sure why this has been highlighted.

-----Original Message-----
From: Roland Perry [mailto:[log in to unmask]] 
Sent: Fri 20 October 2006 07:53
To: [log in to unmask]
Subject: Re: [data-protection] Hotel keeping card details...

In message
<[log in to unmask]>, at
13:44:39 on Thu, 19 Oct 2006, Lee Gardiner <[log in to unmask]>
writes
>Not sure I agree that it is a breach, poor practice definitely but a
breach?

Merchants are not allowed to keep a record of the 3-digit number on the
back. To do so would dilute its fraud-prevention potential.

>Given that the hotel has a degree of legitimacy in collecting the 
>information in case the guest does a runner without paying (and having 
>worked in the hospitality industry it is a common and growing 
>occurrence) I would argue that there are grounds for processing.

Hotels routinely keep card numbers and accountholder names (so they have
information in the event of a moonlight flit). That's not the problem. 
What's being objected to here is:

1) Keeping the 3-digit number also (that's a specific issue with the
     card company's T&C)
2) Keeping the data in an insecure place like a box on the reception
      desk (that's a more general DPA issue).

>I do accept that there are security concerns but they are no different 
>to buying concert tickets over the phone and giving the same 
>information to a ticket agency. What is to say that the ticket agent 
>isn't going to retain that info and then authorise a payment of £X to buy
themselves tickets?

If the ticket agent refrains from keeping a record of the 3-digit number,
then it (the three-digit number) cannot *later* be used to commit a fraud
(either because the entire database is stolen, or a dishonest person within
the organisation misuses some of the data).

--
Roland Perry

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses using Sophos 
anti-virus software.

www.mimesweeper.com
www.sophos.com
**********************************************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^