On February 25, 2014, the French Data Protection Authority (“CNIL”) issued a press release regarding new guidelines adopted last November on the processing of bank card details relating to the sale of goods and the provision of services at a distance (the “Guidelines”). Due to the increase in online transactions and the higher number of complaints received by the CNIL from customers in recent years, the CNIL decided to update and repeal its previous guidelines, which dated from 2003. The new Guidelines apply to all types of bank cards, including private payment cards and credit cards.
Purposes of processing
The CNIL defines the main purpose of using a bank card number as processing a transaction with a view to delivering goods or providing a service in return for payment. In addition, bank card details may be processed for the following purposes:
- to reserve a good or service;
- to create a payment account to facilitate future payments on a merchant’s website;
- to enable payment service providers to offer dedicated payment solutions at a distance (e.g., virtual cards or wallets, rechargeable accounts, etc.); and
- to combat fraud.
Types of data collected
As a general rule, the types of data that are strictly necessary to process online payments should be limited to:
- the bank card number;
- the expiry date; and
- the 3-digit cryptogram on the back of the card.
The cardholder’s identity must not be collected, unless it is necessary for a specific and legitimate purpose, such as to combat fraud.
Period of retention
Bank card details may only be stored for the duration that is necessary to process the transaction, and must be deleted once the payment has taken place (or, where applicable, at the end of the period corresponding to the right of withdrawal). Following this period, the bank card details may be archived and kept for 13 months (or 15 months in the case of a deferred debit card) for evidence purposes (e.g., in case of a dispute over a transaction).
Beyond this period, the bank card details may be kept only if the cardholder’s prior consent is obtained or to prevent fraudulent use of the card. In particular, the merchant must obtain the customer’s prior consent in order to create a payment account that remembers the customer’s bank card details for future payments.
However, the CNIL considers that the 3-digit cryptogram on the card is meant to verify that the cardholder is in possession of his/her card, and thus, it is prohibited to store this number after the end of the transaction, including for future payments.
Due to the risk of fraud, controllers must implement appropriate security measures, including measures preventing unauthorized access to, or use of, the data. These security measures must comply with applicable industry standards and requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), which must be adopted by all organizations handling payment card data.
The CNIL recommends that the customer’s bank card details not be stored on his/her terminal equipment (e.g., computer, smartphone), since such equipment lacks appropriate security measures. Furthermore, bank card numbers cannot be used as a means of customer identification.
For security reasons (including those that are imposed on the cardholder), the controller (or processor) cannot request a copy of the bank card to process a payment.
Finally, the CNIL recommends notifying the cardholder if his/her bank card details are breached in order to limit the risk of fraudulent use of the bank card details (e.g., to ask the bank to block the card if there is a risk of fraud).
In light of the anticipated adoption of the Data Protection Regulation, organizations will face more stringent obligations, including privacy-by-design, privacy impact assessments and more transparent privacy policies.