FOI Request - Credit Card and Debit Card Security
We are investigating the security issues surrounding the way public sector organisations keep customer credit card and debit card data secure. Please can you answer as many of these questions as possible. If you do not have precise details please provide an approximate figure.
1. How many times has your organisation been fined for losing confidential customer data during the past three years (from June 1, 2010 to present day)?
2. How many of these instances involved the loss or theft of credit card or debit card details?
3. How much were these fines for in total - feel free to list them separately if you prefer?
4. Approximately, how many credit card or debit card transactions did your organisation process over the phone over the past 12 months (from June 1, 2012 to present day)?
5. What was the approximate total value of these transactions?
6. As a percentage, what proportion of these phone transactions are handled internally by your staff, and what proportion is handled by a third-party call centre organisation?
7. Assuming a record of these phone transactions is kept for training purposes, for how many years do you typically keep them?
8. Do you store recordings of these phone transactions on your own IT/storage systems, or do you pass them to a third-party supplier to manage?
9. In either case, are these recordings stored in a Level 1 PCI-DSS compliant data centre?
4. We processed approximately 20,745 card payment transactions by telephone in this period.
5. These transactions had a value of £2,024,132.
6. No transactions are dealt with by a third-party call centre organisation.
7. Records of these phone transactions are typically kept for three years. Call recordings (without payment information) are stored for four months.
8. Phone transactions at the council's Contact Centre are generally recorded and held by the council, but recording is automatically switched off when payment information is obtained.