B&B keeping credit card details


chocccie

not sure where to put this on the forum ... let's try it here..

I have made enquiries at a UK b&b where I have stayed a couple of times recently.  I was told that they'd want a deposit and could put it on the same credit card as last time ..... I was a little surprised to hear that they still had it!

Is this common practice, or is the credit card logged on his own records and quite normal?

(Having seen his office - a PC on a landing, accessible by anybody with half a mind to snoop - I'm a little off-put by the idea that he has retained my card details.)

Or am I being fussy?


No, you're not being fussy.

I thought this was an interesting question and I didn't know the answer (I don't keep anyone's CC details, by the way, far too risky for me). I have tried a few different searches on Google and can't find much (if anything really), but then I might be asking the wrong questions. I have a sneaky feeling that there is some law about this but I can't find it. I have a feeling that it's covered by the Data Protection Act and that he/she has to comply and be audited. Might be worth you investigating that route. There's something about it being 'sensitive data'. Be interested to know how you get on.


[quote user="chocccie"] I have made enquiries at a UK b&b where I have stayed a couple of times recently.  I was told that they'd want a deposit and could put it on the same credit card as last time ..... I was a little surprised to hear that they still had it!

Is this common practice, or is the credit card logged on his own records and quite normal?[/quote]

When I buy something from Amazon and I get to the 'pay by' screen I am offered a choice of cards I have previously used to pay them. So, obviously, this card detail retention is possible; but IMHO Amazon is a huge - hopefully secure - company who follow the rules and don't do something they shouldn't.

Personally I would be worried to learn what you have learnt and would question the B&B owner re his methods and his security.

Sue


Thinking about this perhaps it would be better if the OP could remember and inform us as to how they gave him their credit card details in the past. Was it over the phone, via a third party company like PayPal or a booking agent like Last Minute.

With large Internet trading companies like Amazon it's a totally different ball game to that of a small B&B.

As far as I can ascertain, based on the theory that the OP gave their credit card details over the phone to the owner, they are covered by the European Commission's Directive on Data Protection, which is signed by all 27 members; thus a breach of any one or more of the following is a breach in law and the owner of the B&B is at fault.

  1. Notice—data subjects should be given notice when their data is being collected;

  2. Purpose—data should only be used for the purpose stated and not for any other purposes;

  3. Consent—data should not be disclosed without the data subject’s consent;

  4. Security—collected data should be kept secure from any potential abuses;

  5. Disclosure—data subjects should be informed as to who is collecting their data;

  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and

  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

You can read more about it HERE


It was given to the B&B owner over the phone - to pay a £25 deposit for my stay... the rest was paid in cash.

It's not even my card (as he is aware) - it's my husband's mother's card!  She would not be best pleased to know it had been retained!!!


Firstly try the nice approach and ask him to destroy all information related to the card and to send you confirmation in writing that he has done so. With the current postal situation in the UK and France I would suggest you mention 21 days in which to do this.

In the event that he fails to do this then write to him (recorded delivery) stating that he has breached the Data Protection Act and in particular parts 1, 4 and 7 of the list I gave before. Tell him that on failure to purge your (or your mother-in-law's) information, including the credit card details, from his system and give you proof in writing, you will have no other course than to complain under the Data Protection Act.

How you complain can be found HERE. He can be fined up to £5,000 and there is legislation currently before parliament to impose a custodial sentence, more information HERE.


I know it's an old thread but I thought I would add a few details, as I have a background in credit card trading in the UK.

The DPA info provided earlier is correct.

The way that CC data is retained by reputable companies in the UK is that, yes, the card number, exp date, and start date are held on file, but this is hidden from view as soon as it has been recorded. Encryption ensures that no one can ever see the details, only the system can read it.

The 3 digit security code on the back of the card, or the 4 digit number on the front of American Express cards is never held on file.

If existing card details are used for a repeat transaction then the 3 digit security number must be provided again by the card holder.

In the case of auto-renewal (eg insurance) then the card holder has to expressly agree to this during the original transaction. They always have an opt-out. Opting in is not a security issue and in the case of any known company is a perfectly acceptable way to avoid manually renewing etc.

If a business does not say 'we will retain your card details on file..is this ok?' then they are breaking DPA rules.

The employee that uses the system can only ever see the last 4 digits of the original card number, they see no other details at all. So, if someone calls to place an order and wants to use the existing card details, then they will be asked to confirm the last 4 digits on their card. The employee will never provide those numbers, the caller has to do this. If the caller cannot remember them, or a new card has been issued, then new card details must be provided.

In any event, the security number must always be provided by the caller to validate the transaction.

During online data verification with the card issuer, if the data does not match then the transaction will be rejected.

These basic rules, which are built into any IT system, ensure that the company cannot fraudulently use customer CC data to process transactions without the card holder's permission. No reputable company would ever deploy a system that had any measure of risk that allowed a miscreant employee to misuse data.

That said, the only risk would be when the original details are supplied, as someone could simply write the details down and take them home. It is one of the reasons why you get the 'all calls are recorded' message, as at least in the event of fraud there is a trace to the employee, on top of which all systems will log the user ID at the company every time anybody's records are accessed. If your CC data was misused, then CC companies will refund your loss, as long as you have taken basic precautions to protect things like the password. Never provide a PIN number for remote transactions; it is only ever required on point of sale terminals.

If you ever lose a card, cancel it and get another one immediately, even if you recover it you have no idea who has had it during the period of loss.

The comment that a small business has recorded CC data is a little disturbing. Unless they have a bona fide booking system running that incorporates security measures, then there is a very real risk that anyone can access the CC data in unencrypted format. Simply storing it in an Excel spreadsheet is simply not good enough.

Other information:

If the data was used to purchase products online, then the seller should only ever send goods to the card holder's registered address.

If someone attempted to change the registered address with the card issuing company then various ID checks would be required before they would do that (hence always keep passwords, DOB, addresses etc. secure).

If a refund is due on a CC transaction then the refund will always be returned to the original card number, even if it has expired. In this event the card issuer will contact the card holder and tell them that they have funds for them. The same is true of refunds to bank accounts.

Fraudsters:

Just as an example:

Caller purchases product over the phone using fraudulently obtained CC data.

Transaction is processed.

After a short while caller cancels transaction over the phone.

Caller is told that a refund is due, but then caller requests that the refund is made to a bank account, or a cheque is sent.

In reality the card details were stolen, and they would get 'clean money' via a refund and disappear.

I could give loads of examples, but it is a constant war zone, and the crooks use some incredibly elaborate schemes to hijack the system. If people follow the rules then the system is safe and secure, but it is always down to the card holder to ensure that they are dealing with honest people.

I hope that this helps.

Rob G

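As an added illustration, not code from this thread or from any real booking or payment system, here is a small Python sketch of the card-on-file rules Rob G describes: the full card number lives only in a separate vault, staff see an opaque token plus the last four digits, a repeat charge needs the caller to quote the last four and supply the security code again (which is never stored), and refunds go only to the original card. The vault, the function names and the test card number are all constructed for the example.

```python
import secrets

# Constructed toy "card vault": the only place a full card number (PAN) lives.
# A real system would use an encrypted store or a payment-processor token
# service; the point here is the boundary, not the storage mechanism.
_vault = {}


def store_card(pan: str, expiry: str) -> dict:
    """Record a card once, at the time the customer first supplies it.
    Returns the employee-facing record: an opaque token, the last four
    digits and the expiry. No security code is accepted or stored here."""
    token = secrets.token_hex(16)
    _vault[token] = {"pan": pan, "expiry": expiry}
    return {"token": token, "last4": pan[-4:], "expiry": expiry}


def repeat_charge(record: dict, caller_last4: str, caller_cvv: str) -> dict:
    """Card-on-file charge. The caller must quote the last four digits
    (the employee never reads them out) and supply the security code
    again; a mismatch means fresh card details must be taken."""
    if caller_last4 != record["last4"]:
        return {"ok": False, "reason": "last4 mismatch; take new card details"}
    if not (caller_cvv.isdigit() and len(caller_cvv) in (3, 4)):
        return {"ok": False, "reason": "security code must be supplied"}
    pan = _vault[record["token"]]["pan"]  # used only inside the vault boundary
    # Constructed stand-in for the issuer's online verification: a real
    # system sends PAN, expiry and CVV to the acquirer and never logs the CVV.
    return {"ok": True, "charged_to": "**** " + pan[-4:]}


def refund(record: dict, requested_destination: str) -> dict:
    """Refunds always return to the original card, whatever destination the
    caller asks for. Refusing 'send it to my bank account' closes the
    stolen-card refund pattern described in the post above."""
    if requested_destination != "original_card":
        return {"ok": False, "reason": "refunds go only to the original card"}
    return {"ok": True, "refunded_to": record["token"]}
```

The employee-facing record returned by `store_card` carries no full card number at all, so a snooper at the front-desk PC in the original post's scenario would see only a token and four digits.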
