Payment data and GDPR: How can your customers be protected?


Post Image

In this age of ubiquitous online commerce, electronic transactions have become common currency.

This phenomenon has become so widespread that most consumers make electronic payments on an almost daily basis, whether by bank card, electronic wallet or different types of direct debit. 

However, this ease of access to goods and services is accompanied by growing concern about the security of personal data, particularly payment data

In this context, the General Data Protection Regulation (GDPR), with its interpretation of the basic concepts published in 2016 by the European Data Protection Board (EDPB), plays a crucial role in guaranteeing the confidentiality and integrity of sensitive customer information. 

In this article, we explore the importance of protecting payment data, the implications of GDPR for merchants and best practice for ensuring compliance for merchants and consumers alike. 

Payment data and its sensitivity

Payment data covers a wide range of information, from credit card numbers through to full bank details. 

The French Data Protection Authority (CNIL) defines payment data as “all personal data used to provide a payment service to a natural person”.

According to the CNIL, payment data falls into three main categories: 

  • Actual payment data: this means the identifiers of the payment method used, the amount of the transaction, the date and time of the payment, the identity of the merchant, the identity of the beneficiary, the IBAN, the user’s anti-fraud score, etc. This data is traditionally recorded by banks.
  • Purchase or checkout data: this includes the characteristics of the products or services purchased, the date and place of purchase, loyalty card identifiers where applicable, etc. This data can be observed during the act of purchase and is conventionally collected and recorded by merchants (traditional or online service providers).
  • Contextual or behavioural data: this includes customer knowledge data, geolocation, characteristics of the terminal used for an online purchase, characteristics of products searched prior to purchase, time spent searching, etc. This data is easier to collect during an online purchase, and is easily accessible to the major players in digital services.

This data is extremely sensitive, exposing individuals to the risk of fraud, identity theft and invasion of privacy. 

Protecting this information is thus imperative to guarantee customer confidence and maintain the integrity of online commerce.

In the 4th quarter of 2020, the quarterly barometer of the e-commerce audience in France published by FEVAD-Médiamétrie highlighted that 68% of online shoppers believe that security in terms of data protection and transactions on an e-commerce site remains a selection criterion

Legal framework: GDPR in detail

So what does GCPR actually involve? 

The General Data Protection Regulation, which came into force on 25 May 2018, represents a major step in the regulation of data privacy in the European Union. 

It establishes strict and clear standards for professionals concerning the collection, storage and processing of personal data, including payment data, with a particular emphasis on protecting the rights and privacy of individuals.

→ One of the key principles of GDPR is the right to transparency

It requires companies to clearly inform users how their data will be used. 

This means that when customers make an online purchase, they must be made fully aware of how their payment data will be collected, stored and used. 

The right to transparent information is fundamental to the contractual relationship. 

→ Consent, another pillar of GDPR, means that no company may collect or process personal data from individuals without their explicit agreement

In other words, customers must give their clear and voluntary consent before their payment details are used for specific purposes. 

This consent must be freely given, informed, specific and unambiguous, thus putting an end to implicit or ambiguous data collection practices.

→ Another crucial requirement of GDPR is the limit to data collection

A company is only authorised to collect the data that is strictly necessary to achieve the purpose specified at the time of collection. 

According to Article 5 1(b) of GDPR, personal data may only be obtained for “specified, explicit and legitimate purposes”. 

For example, when a customer makes an online payment, only the information required to process the transaction, such as the bank card number and expiry date, may be collected. 

The aim of this limit is to minimise the amount of personal data in circulation, thus limiting the potential risks associated with its manipulation. 

→ Finally, GDPR places great emphasis on data security

Each company is required to put in place appropriate measures to protect customer data against any unauthorised use or disclosure. 

This includes security practices such as data encryption, two-factor authentication, and incident management procedures in the event of a data breach. 

These measures are designed to guarantee the integrity of customer data, thus strengthening confidence in the use of online services and electronic transactions.

For a full account of the principles of personal data protection in France, we recommend the article by Emmanuel Pernot-Leplay, data protection & privacy consultant.

How is customers’ personal data protected?

To ensure rigorous compliance with GDPR, merchants are required to put in place practices for collecting and storing customer payment data that scrupulously respect the confidentiality and security requirements set out in the regulation. 

Above all, this means using advanced encryption technologies

In addition, robust authentication procedures are crucial to ensure that only authorised users can access payment data. 

Two-factor authentication, which requires two different forms of identification before granting access to sensitive information, is increasingly being adopted as a security standard.

Another central aspect of RGPD compliance is obtaining explicit consent from customers for the use of their payment data. 

This consent must be freely given, informed and voluntary. 

Finally, merchants must guarantee that customer payment data is not used for unauthorised purposes

→ This means not only putting in place security measures to prevent unauthorised access, but also implementing strict controls to ensure that only authorised people within the company can access this data. 

By adopting these practices and incorporating these principles into their day-to-day operations, merchants can not only ensure compliance with GDPR, but also strengthen customer trust. 
By demonstrating that they attach great importance to the protection of personal data, merchants can build a solid relationship of trust with their customers, which is essential in today’s online commercial landscape.

To learn more about SlimPay and how we can help make your payment processes GDPR compliant, contact us for a personalized quote based on your needs.

A lire aussi :

Using SEPA Direct Debit for your subscriptions and recurring payments – 2024 Guide

SEPA area: Europe, single economic area, history and regulations.

Eurozone countries: How can transaction costs be optimised in Europe?

Cancellation of a SEPA Direct Debit: how it works and the impact for merchants.

Banking mobility: Good or bad for your recurring payments?