If you take peoples credit cards details over the phone to be used on a pdq machine (customer not present) What do you do with the details after?

I mean, what if you have customers that order every week. Are you allowed to store the details or is it illegal??

My understanding of the Data Protection Act is that you are allowed to hold customer data, but you must inform them of what data you are holding, name, address, credit card etc.

Also, you are only allowed to hold data for a "reasonable" amount of time, say 2 years, after which you must get the customers permission to continue to hold the data (not really practical) or you must destroy it.

Undoubtedly, there are alot of companies who hold the data of every customer they have every had, but, AFAIK this is technically illegal.

Other than the DPA, there is of course the security implications of holding customers credit card details.

You can hold it electronically if you have the customer's permission.