We need someone with legal training here to look at this sentence: "Contravening the terms of any agreement between the merchant and the hotel does not automatically render the processing unlawful." If breaking a contract is unlawful, which I feel is likely, but am not certain about, then that does make the processing unlawful, because the DPA says that data may only be used for lawful purposes, and may only be processed fairly and lawfully.

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lee Gardiner
Sent: 20 October 2006 08:41
To: [log in to unmask]
Subject: Re: [data-protection] Hotel keeping card details...

The slight flaw being, as I understand it, that most merchants will now no longer process 'cardholder not present' transactions without the security code as an anti-fraud measure! Some merchants may not do this, but my wife runs a local box office as part of her day-to-day role and their merchant asks for the security code in order to process the payment. Assuming the hotel's merchant does the same, then the hotel would be unable to process any payment once the individual has done a runner. That said, it is entirely possible there may be some mechanism to get around this in circumstances where a customer has left without paying, but it would depend on the specific merchant/hotel agreement. Contravening the terms of any agreement between the merchant and the hotel does not automatically render the processing unlawful. I'm not saying that this isn't a problem (which it is) and that I condone the hotel's practices, but to arbitrarily say that there has been a breach of the DPA doesn't consider the broader circumstances of the situation.

As I said in my previous email, before Roland's judicious editing which clearly ignored the best practice issues, it would be better practice for the hotel to partially process a charge against the card for the cost of the room, which is then either fully processed when the guest checks out or does a runner. Something done in several hotels I have stayed in. I don't disagree with the security issues, as my previous email clearly states, so I'm not sure why this has been highlighted.

-----Original Message-----
From: Roland Perry [mailto:[log in to unmask]]
Sent: Fri 20 October 2006 07:53
To: [log in to unmask]
Subject: Re: [data-protection] Hotel keeping card details...

In message <[log in to unmask]>, at 13:44:39 on Thu, 19 Oct 2006, Lee Gardiner <[log in to unmask]> writes

>Not sure I agree that it is a breach, poor practice definitely but a breach?

Merchants are not allowed to keep a record of the 3-digit number on the back. To do so would dilute its fraud-prevention potential.

>Given that the hotel has a degree of legitimacy in collecting the
>information in case the guest does a runner without paying (and having
>worked in the hospitality industry it is a common and growing
>occurrence) I would argue that there are grounds for processing.

Hotels routinely keep card numbers and accountholder names (so they have information in the event of a moonlight flit). That's not the problem. What's being objected to here is:

1) Keeping the 3-digit number also (that's a specific issue with the card company's T&C)
2) Keeping the data in an insecure place like a box on the reception desk (that's a more general DPA issue).

>I do accept that there are security concerns but they are no different
>to buying concert tickets over the phone and giving the same
>information to a ticket agency. What is to say that the ticket agent
>isn't going to retain that info and then authorise a payment of £X to
>buy themselves tickets?

If the ticket agent refrains from keeping a record of the 3-digit number, then it (the three-digit number) cannot *later* be used to commit a fraud (either because the entire database is stolen, or a dishonest person within the organisation misuses some of the data).

--
Roland Perry

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command leave data-protection to [log in to unmask]
All user commands can be found at: http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^