On 15 November 2017 the CNIL created a special page on its website with a view to highlighting its 2013 guidelines on processing of payment card data for online transactions (The 2013 guidelines were modified in July 2017).

The guidelines highlight the following:

  • The permitted purposes some of which have to be presented as separate to the data subject (e.g. retaining data for card fraud detection) or require a separate consent (e.g. retaining data or for future transaction),
  • The necessary data (identity of the cardholder is not one of them, except for fraud prevention),
  • The retention periods (in any event, the cryptogram cannot be retained after the transaction)
  • Information of the data subjects
  • Security measures