Retention Periods for Credit/Debit Card Details

Credit card/debit card details may be retained to comply with an audit. It is not justifiable to retain this data beyond the end of a particular audit period (unless it is required for ongoing direct debit purposes and the donor has consented to this). The Office of the Data Protection Commissioner pre-GDPR issued the following notification:

“personal data obtained from a credit/debit card would only need to be retained for a period of at most 13 months to allow for copy voucher requests only in cases where the customer has had to sign a receipt for their transaction to be processed. In these cases the information should be retained separately and solely for the purpose of previous payment queries and not for use for future transactions/further purposes. In the case of card transactions processed using Chip and PIN (EMV) technology, it is not necessary for vendors (data controllers) to hold on to the receipts at all, as the electronic record is available directly from the cardholder’s card issuer”.