The European Data Protection Board (EDPB) has adopted Recommendations 02/2021 on the legal basis for the storage of credit card data by e-commerce merchants for the purpose of one-click payment of further online transactions (the “Recommendation”). The Recommendation does not cover recurring payments or payment institutions operating in online stores; it applies only to e-merchants that keep credit-card data after a payment has been completed, for the sole purpose of facilitating further online transactions.
The Recommendation is a response to the rapid growth of e-commerce during the pandemic, which also increased the share of online bank-card payments. Multi-factor authentication rules and the need to re-enter credit card data for every new purchase with the same merchant have made customers less comfortable with online payments. In order to make online payments easier, faster and more user friendly, many merchants turned to 'one-click payments', where the user stores credit card data with the merchant and uses it via a one-click process for future transactions. In this case the merchant stores the credit card data (e.g. the cardholder’s name, card number and expiration date) in its own IT environment, which raises several data protection issues.
Because the rules applied to this processing activity vary from jurisdiction to jurisdiction within the EU despite the common provisions of the GDPR, the EDPB adopted the Recommendation to set out an EU-wide position on the legal basis for the storage of credit card data by e-commerce merchants for one-click payments.
Bank cards hold highly personal, sensitive financial data
The EDPB emphasises in the Recommendation that credit cards hold financial data that are highly personal in nature, and that a breach of such data can seriously impact a data subject’s daily life. It also notes that a merchant's storage of credit card information for further payment transactions increases the risk of credit-card security breaches.
Who is the data subject?
In e-commerce transactions the customer and the cardholder are not always the same person. A customer ordering a product online may use a relative’s bank card for payment, which means that, while the customer is the data subject of the personal data processed for performance of the order (e.g. name, address, etc.), the third-party cardholder is the data subject of the credit-card data processed for the payment. Merchants must therefore be careful when preparing privacy notices and when requesting consent for the processing of credit-card data.
Legal basis of data storage
Of the legal bases in Article 6 GDPR, performance of the contract does not apply, because the contract for the current purchase is fulfilled once it has been paid for, and no legal obligation requires the storage either. The remaining candidates are the legitimate interest of the data controller or a third party, or consent. According to the Recommendation, this type of data processing would most likely not pass the legitimate interest balancing test, and the fundamental rights and freedoms of the data subjects would likely take precedence over the controller’s legitimate interest, because:
it is not evident that the storage of credit card data for further payments is necessary to pursue the legitimate interest of the controller;
credit card data are highly personal and sensitive, and a breach of them can seriously impact the data subject’s daily life;
data subjects do not reasonably expect credit-card data to be stored for the purpose of other further payments (i.e. longer than what is necessary to pay the fee of the products/services they are currently buying).
Therefore, the EDPB concludes that consent is the sole appropriate legal basis for this data processing. Merchants must nevertheless be cautious when requesting consent and when determining the data subject (i.e. the customer or the cardholder) whose consent needs to be obtained.
Higher level of data security for credit card data
Under the risk-based approach of the GDPR, merchants determining the appropriate level of data security must take into account that credit card data are highly personal and vulnerable to fraud. Merchants must therefore store such data in a highly secure IT environment. In practice the card-scheme rules require a PCI-DSS compliant (or equivalent) card-storage environment: the primary account number must be rendered unreadable wherever it is stored (strong encryption with managed keys, truncation, keyed hashing or tokenisation), and sensitive authentication data, i.e. the CVV/CVC code, full track data, PIN and PIN block, must never be stored after authorisation, not even in encrypted form.
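The storage rules above are easy to state and easy to get wrong in a checkout back-end, where the same JSON payload that authorised the payment is often written straight to the "saved cards" table. The following is an added example, not code from the EDPB or from any card scheme, of the gate a merchant would put in front of its card store: it rejects any payload carrying sensitive authentication data, checks the card number with the Luhn algorithm, keeps only a truncated PAN (first six and last four digits, which PCI DSS permits in the clear) plus a keyed hash for matching a returning card, and records the consent reference that the Recommendation makes the legal basis of the storage. Field names, the consent reference and the sample payloads are constructed for illustration; encrypting the full PAN for later charging, if the merchant keeps it at all, would sit behind this gate under a key-management system and is not shown here.

```python
import hashlib
import hmac
import re
import secrets

# Sensitive authentication data (SAD) under PCI DSS: must never be stored after
# authorisation, even encrypted. Field names are assumed; extend for your payload.
FORBIDDEN_FIELDS = {
    "cvv", "cvc", "cvv2", "cvc2", "cid", "security_code",
    "track1", "track2", "track_data", "pin", "pin_block",
}

# Key for the keyed PAN hash (HMAC-SHA256). In production this comes from a
# key-management system, never from the code base; generated here for the demo.
INDEX_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the form PCI DSS allows in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index_token(pan: str, key: bytes) -> str:
    """Keyed hash of the full PAN, usable to recognise a returning card but not to charge it."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storage_errors(payload: dict) -> list:
    """List every reason a payment payload may NOT be written to the saved-card store."""
    errors = []
    for field in payload:
        if field.lower() in FORBIDDEN_FIELDS:
            errors.append(f"forbidden field stored: {field}")
    pan = re.sub(r"[ -]", "", str(payload.get("pan", "")))
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        errors.append("pan is not 12-19 digits")
    elif not luhn_valid(pan):
        errors.append("pan fails Luhn check")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", str(payload.get("expiry", ""))):
        errors.append("expiry must be MM/YY")
    if not payload.get("consent_ref"):
        # The Recommendation makes consent the legal basis: no consent record, no storage.
        errors.append("missing consent reference for storage")
    return errors


def build_stored_card(payload: dict, index_key: bytes = INDEX_KEY) -> dict:
    """Produce the only record that may persist for one-click payments, or raise."""
    errors = storage_errors(payload)
    if errors:
        raise ValueError("; ".join(errors))
    pan = re.sub(r"[ -]", "", str(payload["pan"]))
    return {
        "cardholder_name": payload.get("cardholder_name", ""),
        "pan_masked": mask_pan(pan),
        "pan_index": pan_index_token(pan, index_key),
        "expiry": payload["expiry"],
        "consent_ref": payload["consent_ref"],   # who consented, and when
    }


if __name__ == "__main__":
    # Constructed sample payloads: the second one still carries the CVV from authorisation.
    good = {"cardholder_name": "A. Cardholder", "pan": "4111 1111 1111 1111",
            "expiry": "12/29", "consent_ref": "consent-2021-0001"}
    bad = dict(good, cvv="123")
    print(build_stored_card(good))
    print(storage_errors(bad))   # ['forbidden field stored: cvv']
```

Note that the gate keys on the payload reaching the store, not on the database schema: a column for CVV is only one way sensitive authentication data leaks into storage, and application logs or object caches written from the same payload need the same filter.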
Practical steps to take
Merchants storing credit-card data for one-click payments must verify that consent is the legal basis of their processing, identify from whom they need to obtain that consent (the customer or the cardholder), add an appropriate consent checkbox to the payment process, and review the security measures of the IT systems in which the card data are stored.