What to do with credit card data?
Government organisations manage a range of payment applications for the general public.
Public Record Office Victoria (PROV) advises agencies not to retain credit card details on any records once the transaction has been completed.
See Classes 5.1.9 and 5.1.10 in PROS 07/01 Common Administrative Functions Retention and Disposal Authority (RDA) for more information.
Credit card details should be located on the form in such a way that they can be easily removed without undermining the integrity of the record. Well-established business processes and policies should ensure that transactions, and any redaction of specific credit card references, are well documented.
Keeping credit card details can have serious and long-term negative consequences, some of which include compromising the agency’s reputation and the ability to conduct business effectively.
Security requirements when keeping credit card data
Sufficient protection and security measures should be in place in circumstances where credit card details are retained for legitimate business, legal and/or regulatory purposes. The Payment Card Industry Data Security Standard (PCI DSS) provides an actionable framework for developing a payment card data security process, and measures for storing and recording credit card data, such as truncation or masking of credit card details.
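As an added illustration of the two points above (removing card details from a completed-transaction record without undermining the record, and documenting the redaction), the following example is not PROV's or any agency's code. It assumes hypothetical field names (card_number, card_expiry, card_cvv) and a PCI DSS-style truncation that keeps only the last four digits; the free-text check uses the Luhn checksum to avoid flagging ordinary reference numbers.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Assumed field names for this example; real payment forms will differ.
CARD_FIELDS = ("card_number", "card_expiry", "card_cvv")
# 13-19 digits with optional space/dash separators (may also match longer digit runs).
PAN_PATTERN = re.compile(r"(?:\d[ -]?){12,18}\d")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(value: str) -> list:
    """Return full card numbers (digits only) found in a text value."""
    found = []
    for m in PAN_PATTERN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def truncate_pan(pan: str) -> str:
    """Mask all but the last four digits (PCI DSS-style truncation)."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def redact_card_details(record: dict, actor: str, reason: str) -> tuple:
    """Strip card fields from a completed-transaction record and document the redaction.
    Returns (redacted_record, log_entry); the log entry never contains card data."""
    redacted = {k: v for k, v in record.items() if k not in CARD_FIELDS}
    if "card_number" in record:
        redacted["card_number_truncated"] = truncate_pan(record["card_number"])
    # Refuse to finish if a full card number survives in a free-text field such as notes.
    leaked = [k for k, v in redacted.items() if isinstance(v, str) and find_pans(v)]
    if leaked:
        raise ValueError(f"full card number still present in fields: {leaked}")
    log_entry = {
        "transaction_id": record.get("transaction_id"),
        "redacted_fields": [f for f in CARD_FIELDS if f in record],
        "actor": actor,
        "reason": reason,
        "redacted_at": datetime.now(timezone.utc).isoformat(),
        # Hash of the redacted record lets a later audit detect undocumented changes.
        "record_sha256": hashlib.sha256(json.dumps(redacted, sort_keys=True).encode()).hexdigest(),
    }
    return redacted, log_entry
```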
Retrospective actions to remove credit card details are recommended, in particular where:
- the associated risks are high;
- the protection and security measures are not in place; and
- retaining these credit card details would contravene Victorian legislation and/or contractual agreements you may have with third parties.