The CNIL, France’s data protection authority, published on 25 February 2014 a new recommendation relating to the collection of credit card information (in French), replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information.
Under the CNIL’s analysis, the principal purpose for which consumers provide payment information to a merchant is to complete a given online transaction, for example buying a book. In theory, the card information should be used only for that specific transaction. If a merchant or service provider wants to retain card information to provide additional services, such as the ability to make subsequent purchases without having to enter credit card information a second time, the CNIL considers this a separate “purpose” for which the online merchant must seek separate consent. Consistent with the CNIL’s recent sanction decision against Google, the CNIL said that a user’s consent to the terms and conditions is not sufficient. There must be a separate check-the-box consent pursuant to which the consumer explicitly agrees that the online merchant may keep payment details in order to facilitate future transactions. (The box cannot be pre-checked, by the way.) The online merchant must then give users a visible and easy-to-use opt-out to later revoke their consent.
The CNIL’s new recommendation also specifies that merchants cannot keep the visual cryptogram (for example, the additional three-digit number on the back of the card) that card holders provide in order to prove that they possess the physical card; storage of the cryptogram by the merchant is not necessary for the transaction and creates an undue security risk. Likewise, merchants may not ask for a photocopy of the card.
In terms of security measures, the CNIL encourages the use of privacy impact assessments and privacy by design. Recommended security measures include limiting access to card data only to employees who absolutely need access, using obfuscation or tokenisation techniques, and keeping logs to show who had access to card information. The CNIL says that merchants and application providers cannot store card data on the user’s terminal. The recommendation also states that merchants or service providers that are victims of security breaches should be obligated to inform card holders of the loss of their data. (Data breach notifications are not yet obligatory under French or European law outside the telecommunications industry, although this is likely to change under pending EU legislation.)
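The retention-consent, cryptogram and access-control rules described above, combined into one added Python example that is not part of the CNIL text or any real merchant's code; `CardVault`, `PAN_ROLES` and the role names are assumptions, and the store is in-memory for illustration only.

```python
import secrets
from datetime import datetime, timezone

# Roles that "absolutely need" the full card number (assumed); everyone else
# only ever sees a masked form.
PAN_ROLES = {"payment-processor"}


class CardVault:
    """Tokenising store for retained card data (hypothetical, in-memory)."""

    def __init__(self):
        self._cards = {}       # token -> {"pan", "expiry", "customer"}
        self.access_log = []   # (utc timestamp, actor, token, action)

    def _log(self, actor, token, action):
        self.access_log.append(
            (datetime.now(timezone.utc).isoformat(), actor, token, action))

    def store(self, actor, customer, pan, expiry, consent_checked=False, **extra):
        """Retain a card for later purchases: a separate purpose that needs an
        explicit, non-pre-checked opt-in; the visual cryptogram is never kept."""
        if consent_checked is not True:
            raise PermissionError("explicit retention consent not given")
        if extra.keys() & {"cvv", "cvc", "cryptogram"}:
            raise ValueError("the visual cryptogram must not be stored")
        token = "tok_" + secrets.token_hex(8)   # opaque; reveals nothing about the PAN
        self._cards[token] = {"pan": pan, "expiry": expiry, "customer": customer}
        self._log(actor, token, "store")
        return token

    def masked(self, actor, token):
        """What a support agent or the checkout page may see: last four digits."""
        card = self._cards[token]
        self._log(actor, token, "read-masked")
        return "**** **** **** " + card["pan"][-4:]

    def detokenise(self, actor, role, token):
        """Return the full PAN only to a role that needs it; every attempt is logged."""
        if role not in PAN_ROLES:
            self._log(actor, token, "read-pan-denied")
            raise PermissionError(f"role {role!r} may not access card numbers")
        self._log(actor, token, "read-pan")
        return self._cards[token]["pan"]

    def revoke(self, customer, token):
        """The easy-to-use opt-out: the holder withdraws consent and the record is deleted."""
        if self._cards.get(token, {}).get("customer") != customer:
            raise PermissionError("token does not belong to this customer")
        del self._cards[token]
        self._log(customer, token, "revoke")
        return True
```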
The new recommendation covers online merchants but also service providers who offer alternative payment services. The CNIL points out that merchants who use a service provider to facilitate online payments must enter into a data processing agreement with the service provider to ensure that the service provider applies adequate security as “data processor.”
For the recommendations adopted by CNIL, click here (in French).