[Closed] Online retailers storing credit/debit card details

Posts: 17843
Topic starter
 

Anyone know what the rules are?

Thanks. 🙂


 
Posted : 18/03/2015 6:59 pm
 beej
Posts: 4159
Full Member
 

It's quite complicated. You could start here:

https://www.pcisecuritystandards.org/


 
Posted : 18/03/2015 7:03 pm
Posts: 17843
Topic starter
 

That should sort out my insomnia! Thanks. 😉


 
Posted : 18/03/2015 7:14 pm
 beej
Posts: 4159
Full Member
 

If it's a particular site you are concerned/interested in, you could check they are PCI certified. Most/all big ones will be, as there were big fines promised for ones that didn't comply with the standard.

e.g. for Wiggle:
http://www.wiggle.co.uk/h/option/ISIS_IDIS

PCI mentioned towards the bottom.


 
Posted : 18/03/2015 7:20 pm
Posts: 7121
Free Member
 

It's better if you don't store clients' details. There are all sorts of questionnaires and security scans performed on your website, and you have to be PCI compliant.


 
Posted : 18/03/2015 7:20 pm
Posts: 43615
Full Member
 

Retailers in Scotland aren't allowed to store customers card details.


 
Posted : 18/03/2015 7:28 pm
Posts: 17843
Topic starter
 

Thanks for the replies. It's the consent angle that I'm particularly interested in so, for example, if I use a card to pay for something does that give them the right to keep my details for ever more?


 
Posted : 18/03/2015 7:32 pm
Posts: 33603
Full Member
 

Oddly enough, I spent two and a half hours today going through all the security issues involved with working in a GC/PCI Level 1 compliant employer. (Gambling Commission/Payment Card Industry)
Along with the Data Protection Act, it's very daunting, the level of responsibility each employee has, especially those who work in the three secure areas, like me.
I'm not allowed any personal possessions within my workspace, not even my keyring which has a little Fenix torch and a brass pen, or a music player, like an iPod Classic or Nano.
Nor any money, or my wallet.
Outdoor clothing is verboten, too, and as for mobile phones...
Certainly, the retaining of credit card details along with security codes is an absolute no-no!
An infringement of the Data Protection Act can get a fine of up to £500,000 per infringement, loss of the right to work in that line of business, and other penalties.
Yikes!


 
Posted : 18/03/2015 7:32 pm
Posts: 5764
Full Member
 

Online retailers are required to store the card details for 18 months so they can connect a transaction to a charge back as far as I know. After that PCI requires tier 1/2 to remove the details. While stored they should also be encrypted securely and access to them tightly controlled. If you are concerned about the retailer, aim for PayPal if they are integrated. Or better still, use a trusted retailer 🙂


 
Posted : 18/03/2015 8:06 pm
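Two posts above touch on what a retailer is actually allowed to keep: the "card details along with security codes is an absolute no-no" post and the one about storing details "encrypted securely and access to them tightly controlled". The example below is added here and is not code from anyone in the thread. It sketches a storage-layer sanitiser built on the PCI DSS rules that sensitive authentication data (CVV/CVC, PIN, full track data) is never stored after authorisation, that a displayed PAN shows at most the first six and last four digits, and that a retained PAN must be rendered unreadable (here, replaced by a random token plus a keyed hash so a returning card can still be matched to an earlier transaction). The field names, the sample payload and the demo key are constructed for illustration; a real vault key would live in an HSM or KMS.

```python
"""Card-on-file record that keeps only what PCI DSS lets a merchant keep.

Added example, not from the forum thread. Assumed rules (PCI DSS): sensitive
authentication data is never stored after authorisation; a stored PAN must be
rendered unreadable; a displayed PAN shows at most first six / last four digits.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Sensitive authentication data: the storage layer refuses these unconditionally.
SENSITIVE_AUTH_FIELDS = frozenset(
    {"cvv", "cvc", "cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2", "track_data"}
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by card numbers; catches typos before anything is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits visible, the PCI DSS display maximum."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class CardOnFile:
    token: str            # random reference used in place of the PAN
    masked_pan: str       # e.g. 411111******1111, safe to show to staff or customer
    pan_fingerprint: str  # keyed hash: lets a returning card be matched without the PAN
    expiry: str           # MM/YY; not sensitive authentication data


def sanitise_for_storage(payload: dict, vault_key: bytes) -> tuple[CardOnFile, list[str]]:
    """Turn a post-authorisation card payload into a storable record.

    Returns the record and the list of refused (sensitive) field names. The full
    PAN is used only inside the HMAC; no stored field retains it.
    """
    pan = "".join(ch for ch in str(payload.get("pan", "")) if ch.isdigit())
    if not luhn_valid(pan):
        raise ValueError("PAN failed format/Luhn check; refusing to store")
    refused = sorted(k for k in payload if k.lower() in SENSITIVE_AUTH_FIELDS)
    fingerprint = hmac.new(vault_key, pan.encode(), hashlib.sha256).hexdigest()
    record = CardOnFile(
        token=secrets.token_urlsafe(24),
        masked_pan=mask_pan(pan),
        pan_fingerprint=fingerprint,
        expiry=str(payload["expiry"]),
    )
    return record, refused


def record_leaks_pan(record: CardOnFile, pan: str) -> bool:
    """Defensive check before writing: does any stored field contain the full PAN?"""
    return any(pan in str(v) for v in vars(record).values())


# Constructed sample input; 4111 1111 1111 1111 is a standard test PAN, not a real card.
SAMPLE_PAYLOAD = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123", "name": "A Customer"}
SAMPLE_KEY = b"demo-only key; a real vault key lives in an HSM or KMS"

if __name__ == "__main__":
    rec, dropped = sanitise_for_storage(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print(rec)
    print("refused fields:", dropped)
```

The point of the fingerprint is the chargeback case raised in the last post: an HMAC of the PAN under a key the retailer controls lets a later transaction be linked to an earlier one without the retailer holding the PAN at all, and the random token is what gets written next to the order. The CVV is refused rather than encrypted, because PCI DSS does not permit storing it in any form after authorisation.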