GDPR for Payments
GDPR is an important EU wide regulatory mandate. It provides increased protection of individual privacy and gives individuals more control over the information they share.
In our view GDPR is an important element of building a scalable data centric service infrastructure. When individuals are confident about privacy and control then they are more likely to interact and share. This ultimately results in vendors being able to offer better data centric products and services to consumers.
There is a lot that has been said and written about GDPR, its purpose, impact and the myths surrounding it. The penalties for non-compliance are severe and the regulatory language is not always clear, which has resulted in a number of misconceptions and over-reactions.
The purpose of this article is to look at the online payments value chain and the impact of GDPR for data collected on the payment page of a website.
Data on payment page
While the consumer may share personal data at other interaction points with the merchant our focus is the information exchanged on the check out or payments page.
Typically this information collected on the payment page consists of three categories:
Personal details of the individual such as name
Payment instrument details such as card number, expiry date, etc.
Address details for delivery of physical goods, for fraud monitoring or for the creation of the appropriate VAT invoice
Capture only essential information
Merchants should take care to only collect information that is actually going to be used to process/authorise the payment and prevent fraud.
For example, is it necessary to collect the individual’s date of birth to process the particular payment instrument chosen by the individual or to perform risk and fraud checks on the transaction?
Consent not needed
As the information is being captured for legitimate business purposes (processing of the transaction) the merchant does not need to obtain explicit consent from the individual.
Take adequate measures for protection of the information
If the merchant relies on their payment partner for the capture of payment information (e.g. re-directs or hosted payment pages) then responsibility for the safe capture and storage of the information rests with the payment partner.
If the merchant captures the information but does not store it then adequate measures should be taken to ensure the safety of the information in transit to the payment partner.
If the merchant stores payment information then adequate measures should be taken for the protection of information while stored at the merchant. Before any payment data is saved for future use, be sure to check local laws to determine whether this requires opt-in consent from the consumer (this varies based on the applicable national laws).
Only store information for as long as necessary
If the refund or chargeback periods for the payment method chosen by the individual have expired and the individual has not opted in for information storage for subsequent one click checkout functionality then personal information should be deleted unless it needs to be retained for another permissible legal reason (e.g., in the event of a pending legal dispute).
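The retention rule above is easy to state and easy to get wrong in practice, because three conditions have to be checked in the right order: a legal hold, an opt-in for stored payment details, and the refund/chargeback window. The following Python is an added illustration written for this article, not code from Gropay or any payment provider. The chargeback windows in CHARGEBACK_WINDOW_DAYS are placeholder values chosen for the example; the actual windows come from each payment scheme's rules, and the article gives no figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed refund/chargeback windows in days per payment method. These are
# illustrative placeholders for this example, not scheme figures.
CHARGEBACK_WINDOW_DAYS = {
    "card": 120,
    "direct_debit": 56,
}

EXAMPLE_TODAY = date(2024, 6, 1)  # constructed "current date" for the sample run


@dataclass
class StoredPaymentRecord:
    record_id: str
    method: str                         # key into CHARGEBACK_WINDOW_DAYS
    transaction_date: date
    opted_in_to_storage: bool = False   # consumer consented to one-click reuse
    legal_hold: bool = False            # e.g. pending dispute: another lawful reason to keep


def retention_deadline(record: StoredPaymentRecord) -> date:
    """Last day on which the record may still be needed for refunds or chargebacks."""
    try:
        window = CHARGEBACK_WINDOW_DAYS[record.method]
    except KeyError:
        # Unknown method: fail closed and refuse to decide rather than guess a window.
        raise ValueError(f"no retention window configured for method {record.method!r}")
    return record.transaction_date + timedelta(days=window)


def deletion_decision(record: StoredPaymentRecord, today: date) -> tuple[bool, str]:
    """Return (should_delete, reason).

    Order matters: a legal hold or an opt-in overrides the expired window,
    so those are checked before the date arithmetic.
    """
    if record.legal_hold:
        return False, "retained: other permissible legal reason (e.g. pending dispute)"
    if record.opted_in_to_storage:
        return False, "retained: consumer opted in to stored payment details"
    if today <= retention_deadline(record):
        return False, "retained: refund/chargeback window still open"
    return True, "delete: retention period expired and no other basis to keep"


def records_to_delete(records, today: date) -> list[str]:
    """IDs of the records eligible for deletion on the given day, in input order."""
    return [r.record_id for r in records if deletion_decision(r, today)[0]]


def sample_records() -> list[StoredPaymentRecord]:
    """Constructed sample data covering each branch of the rule."""
    jan1 = date(2024, 1, 1)
    return [
        StoredPaymentRecord("r1", "card", jan1),                            # window expired
        StoredPaymentRecord("r2", "card", jan1, opted_in_to_storage=True),  # keep: opt-in
        StoredPaymentRecord("r3", "card", jan1, legal_hold=True),           # keep: legal hold
        StoredPaymentRecord("r4", "direct_debit", date(2024, 5, 1)),        # keep: window open
    ]


def example_deletions() -> list[str]:
    """Run the sample through the rule on EXAMPLE_TODAY."""
    return records_to_delete(sample_records(), EXAMPLE_TODAY)


if __name__ == "__main__":
    for rec in sample_records():
        _, reason = deletion_decision(rec, EXAMPLE_TODAY)
        print(rec.record_id, reason)
    print("to delete:", example_deletions())
```

Running it prints one line of reasoning per record and reports that only r1 is due for deletion. Returning the reason alongside the decision is deliberate: a deletion job should log why each record was kept or removed, which is what you will need to show if a data subject or a supervisory authority later asks.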
Data requests from individuals
Under GDPR an individual has the right to request access to the personal data collected about them, enquire what information is being stored about them, to receive a copy of this information and to have this information deleted only if the lawful basis of processing is based on obtaining the individual’s consent. However since payment information must be captured and processed in order for a payment to be made in exchange for products or services, merchants do not need the consent of individuals to process their data. Instead, they can rely on other lawful grounds for processing (e.g., legitimate interest or pursuant to a contract) and are not required to provide access to or a copy of the data in a portable format, or delete such information in response to a data subject access request.
Contracts with payment suppliers
Be sure you have data processing agreements/addendums (DPAs) in place with all of your third party suppliers who process your customer’s personal data and be sure to conduct due diligence to confirm that they are meeting their contractual obligations to you as a data controller.
Updates to privacy policies and terms and conditions in relation to GDPR
GDPR requires the specific disclosure of how personal data is collected and used. In the past, many privacy policies included broad statements of how personal data might be used in order to give businesses greater flexibility to modify or expand their processing activities without having to provide updates to consumers. This is no longer possible under GDPR – businesses must provide concise, specific descriptions of how personal data is collected and used.
Other items to watch out for
Consent is necessary in order to store payment information for subsequent purchases or other transactions but the requirements for such consent to be valid are different across Europe as it can be impacted by national laws. To avoid non-compliance, many businesses have decided to rely on opt-in consent to store and reuse this data in order to have one uniform approach to storing and reusing payment data.
If information is being collected on the payment page that is not necessary for processing the payment (legitimate interest) but is to be used for subsequent marketing to the individual then explicit consent should be obtained for the capture, use and storage of this information. It is also recommended good practice to separate the capture of legitimate business interest information and information for marketing purposes.
Merchants and payment providers also need to be mindful of so-called privacy impact assessments (PIAs), broader notification duties for data breaches, the requirement to appoint a Data Protection Officer (exceptions apply) and the partially new, partially stricter requirements for ‘privacy by design’ and ‘privacy by default’, i.e. the obligation to implement appropriate technical and organisational measures to aptly protect the personal data of clients.
GDPR is an important regulatory development. Entities in the online payments sector must stay vigilant and compliant in order to avoid related fines and penalties. Where possible our advice is to seek out experts who have experience with payments and GDPR to receive tailored advice. For a list of Gropay’s GDPR related services see here – http://bit.ly/2HwN1ni