Author: Government recordkeeping

Government organisations manage a range of payment applications for the general public. What’s the best way to manage the data created via these financial transactions?

Public Record Office Victoria (PROV) advises agencies not to retain credit card details on any records once the transaction has been completed. [1]

Credit card details should be located on the form in such a way that they can be easily removed without undermining the integrity of the record. Well-established business processes and policies would ensure that transactions and any redaction of specific credit card references are well documented.

Keeping credit card details can have serious and long-term negative consequences, including compromising the agency’s reputation and its ability to conduct business effectively.

Where credit card details are retained for legitimate business, legal, and/or regulatory purposes, sufficient protection and security measures should be in place. The Payment Card Industry’s Data Security Standard provides an actionable framework for developing a payment card data security process and measures for storing and recording credit card data, such as truncation or masking of credit card details.

Retrospective actions to remove credit card details are recommended, in particular where:

  • the associated risks are high

  • the protection and security measures are not in place

  • retaining these credit card details would contravene Victorian legislation and/or contractual agreements you may have with third parties.

The State Records Authority of New South Wales and the Queensland State Archives have also released guidance relating to the management of credit card data.

[1] Please refer to PROS 07/01 General Retention and Disposal Authority for Records of Common Administrative Functions for more information.