GDPR for Payments

Jul 25, 2018

GDPR is an important EU-wide regulatory mandate. It provides increased protection of individual privacy and gives individuals more control over the information they share.

 

In our view GDPR is an important element of building a scalable data centric service infrastructure. When individuals are confident about privacy and control then they are more likely to interact and share. This ultimately results in vendors being able to offer better data centric products and services to consumers.

 

A lot has been said and written about GDPR, its purpose, its impact and the myths surrounding it. The penalties for non-compliance are severe and the regulatory language is not always clear, which has resulted in a number of misconceptions and over-reactions.

 

The purpose of this article is to look at the online payments value chain and the impact of GDPR for data collected on the payment page of a website.

 

Data on payment page

While the consumer may share personal data at other interaction points with the merchant, our focus is the information exchanged on the checkout or payment page.

 

Typically this information collected on the payment page consists of three categories:

 

Personal details of the individual such as name

 

Payment instrument details such as card number, expiry date and security code

 

Address details for delivery of physical goods, for fraud monitoring or for the creation of the appropriate VAT invoice

 

Capture only essential information

Merchants should take care to collect only information that is actually going to be used to process and authorise the payment, to prevent fraud, or to meet a legal obligation such as issuing a VAT invoice. Data that is never collected cannot be leaked, does not have to be protected, and does not have to be produced in response to a subject access request, so each field on the payment page should have a stated purpose.

 

For example, is it necessary to collect the individual’s date of birth to process the particular payment instrument chosen by the individual or to perform risk and fraud checks on the transaction?

 

Consent not needed

As the information is being captured to carry out the transaction the individual has asked for, the lawful basis is performance of a contract (and, for fraud checks, the merchant's legitimate interest). The merchant therefore does not need to obtain consent from the individual for this processing, and should not ask for it: consent can be withdrawn at any time, which is not a workable basis for data that must be processed to complete and settle a payment.

 

Take adequate measures for protection of the information

If the merchant relies on their payment partner for the capture of payment information (e.g. redirects or hosted payment pages) then the operational responsibility for the safe capture and storage of the information rests with the payment partner, acting as the merchant's processor. The merchant remains the data controller, so it must still have a data processing agreement with the partner and must make sure its own checkout page delivers the redirect or hosted page intact, since a tampered merchant page can still expose the data the partner is meant to protect.

 

If the merchant captures the information but does not store it then adequate measures should be taken to ensure the safety of the information in transit to the payment partner: at a minimum, TLS on every hop with certificate validation turned on, no payment fields written to web server or application logs, and no payment data in URLs or query strings.

 

If the merchant stores payment information then adequate measures should be taken for the protection of the information while stored at the merchant: encryption at rest, strict access control, and audit logging of who reads it. For card data this also brings the merchant into the scope of PCI DSS, so tokenisation through the payment partner is usually preferable to holding card numbers at all. Before any payment data is saved for future use, be sure to check local laws to determine whether this requires opt-in consent from the consumer (this varies based on the applicable national laws).

 

Only store information for as long as necessary

If the refund or chargeback periods for the payment method chosen by the individual have expired and the individual has not opted in for information storage for subsequent one click checkout functionality then personal information should be deleted unless it needs to be retained for another permissible legal reason (e.g., in the event of a pending legal dispute).
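
The retention rule above turns into a small decision routine once the three conditions (refund or chargeback window expired, no opt-in for stored credentials, no other legal reason to keep the data) are written down. The following is an added example, not code from the original article or from Gropay; the retention windows per payment method, the record fields and the sample records are assumed placeholders constructed for the example, and the real windows must be taken from the merchant's acquirer and payment partner contracts.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention windows in days per payment method. These are placeholders
# for the example, not real scheme rules; take the real values from your
# acquirer/PSP contracts and your own refund policy.
RETENTION_DAYS = {
    "card": 180,
    "sepa_dd": 400,
    "paypal": 180,
}


@dataclass
class PaymentRecord:
    """Minimal stand-in for a stored payment record (assumed fields)."""
    record_id: str
    payment_method: str
    completed_at: date
    saved_for_one_click: bool = False   # explicit opt-in to stored credentials
    legal_hold: bool = False            # e.g. pending chargeback or legal dispute


def retention_decision(rec: PaymentRecord, today: date) -> tuple[bool, str]:
    """Return (keep, reason) for one record on the given date.

    Order matters: a legal hold or an opt-in wins over an expired window,
    so a record is never deleted while a dispute is open or while the
    customer still wants one-click checkout.
    """
    if rec.legal_hold:
        return True, "legal hold"
    if rec.saved_for_one_click:
        return True, "customer opted in to stored credentials"
    window = RETENTION_DAYS.get(rec.payment_method)
    if window is None:
        # Unknown method: fail safe by keeping and flagging for review rather
        # than silently keeping forever or deleting evidence of a payment.
        return True, "unknown payment method, needs review"
    expiry = rec.completed_at + timedelta(days=window)
    if today > expiry:
        return False, f"retention window ended {expiry.isoformat()}"
    return True, f"within window until {expiry.isoformat()}"


def records_to_purge(records: list[PaymentRecord], today: date) -> list[str]:
    """IDs of records whose personal data should now be deleted."""
    return [r.record_id for r in records if not retention_decision(r, today)[0]]


# Constructed sample data for the example, evaluated on the article's date.
TODAY = date(2018, 7, 25)
SAMPLE_RECORDS = [
    PaymentRecord("p1", "card", date(2018, 1, 1)),                       # window ended 2018-06-30
    PaymentRecord("p2", "card", date(2018, 6, 1)),                       # still within window
    PaymentRecord("p3", "card", date(2018, 1, 1), saved_for_one_click=True),
    PaymentRecord("p4", "sepa_dd", date(2017, 1, 1), legal_hold=True),
    PaymentRecord("p5", "sepa_dd", date(2017, 1, 1)),                    # window ended 2018-02-05
    PaymentRecord("p6", "giftcard", date(2018, 1, 1)),                   # unknown method
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        keep, reason = retention_decision(rec, TODAY)
        print(f"{rec.record_id}: {'keep' if keep else 'delete'} ({reason})")
    print("purge:", records_to_purge(SAMPLE_RECORDS, TODAY))
```

Run as a scheduled job, the purge list is what the deletion step consumes; keeping the decision and its reason separate from the deletion itself makes the job easy to dry-run and leaves a record of why each item was kept or removed.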

 

Data requests from individuals

Under GDPR an individual has the right to ask what personal data is held about them and to receive a copy of it (the right of access), to receive certain data in a portable format, and to have data deleted. Since payment information must be captured and processed in order for a payment to be made in exchange for products or services, merchants do not need the consent of individuals to process it and can rely on other lawful grounds (performance of a contract, legitimate interest for fraud prevention, and legal obligations such as tax record-keeping). The choice of lawful basis shapes these rights but does not remove them: the right of access applies whatever the lawful basis, so a subject access request must still be answered with the payment data held; the right to portability covers data processed by automated means on the basis of a contract or consent, so transaction data the customer supplied under the purchase contract can fall within it; and a deletion request can be refused only to the extent the data must still be kept, for example for tax records or a pending chargeback or legal dispute, after which it should be deleted.

 

Contracts with payment suppliers

Be sure you have data processing agreements/addendums (DPAs) in place with all of your third party suppliers who process your customers' personal data, covering what they may do with the data, their security measures, any sub-processors and what happens at the end of the contract, and be sure to conduct due diligence to confirm that they are meeting their contractual obligations to you as the data controller.

 

Updates to privacy policies and terms and conditions in relation to GDPR

GDPR requires the specific disclosure of how personal data is collected and used. In the past, many privacy policies included broad statements of how personal data might be used in order to give businesses greater flexibility to modify or expand their processing activities without having to provide updates to consumers. This is no longer possible under GDPR – businesses must provide concise, specific descriptions of how personal data is collected and used.

 

Other items to watch out for

Consent is necessary in order to store payment information for subsequent purchases or other transactions but the requirements for such consent to be valid are different across Europe as it can be impacted by national laws. To avoid non-compliance, many businesses have decided to rely on opt-in consent to store and reuse this data in order to have one uniform approach to storing and reusing payment data.

 

If information is being collected on the payment page that is not necessary for processing the payment or preventing fraud but is to be used for subsequent marketing to the individual, then consent should be obtained for the capture, use and storage of this information, by a separate, unticked opt-in rather than a pre-ticked box or a clause buried in the terms. It is also recommended good practice to separate the capture of information needed for the transaction from information collected for marketing purposes, so that the marketing data can be refused, withdrawn or deleted without affecting the payment.

 

Merchants and payment providers also need to be mindful of data protection impact assessments (DPIAs, previously known as privacy impact assessments), broader notification duties for data breaches (notification to the supervisory authority within 72 hours of becoming aware of a breach, and to the affected individuals where the risk to them is high), the requirement to appoint a Data Protection Officer (exceptions apply) and the partially new, partially stricter requirements for 'privacy by design' and 'privacy by default', i.e. the obligation to implement appropriate technical and organisational measures to protect the personal data of clients.

 

Conclusion

GDPR is an important regulatory development. Entities in the online payments sector must stay vigilant and compliant in order to avoid related fines and penalties. Where possible our advice is to seek out experts who have experience with payments and GDPR to receive tailored advice. For a list of Gropay's GDPR related services see here – http://bit.ly/2HwN1ni

About

Gropay provides management consulting and interim management services globally in the areas of online payments, mobile payments and point of sale POS payments. Our clients span the entire payments value chain from schemes to merchants and also include private equity investors, technology and mobile companies. The Gropay team consists of proven industry leaders with extensive experience both on the demand (merchant) and supply (Payment Service Provider, acquirer, scheme) sides with a focus on sales and business development, operations, risk, compliance, valuation and due diligence.
