CNIL’s Recommendations to the Card Payment Industry
The French Data Protection Authority (hereafter: “CNIL”) recently released a short guide explaining the
functioning of contactless payments to cardholders. The guide targets the card payment industry in line
with CNIL’s previous Recommendation on the processing of payment card data for online payments.
I. Guide on Contactless Payment Cards
On May 19, 2015, CNIL released a practical guide on contactless payment cards highlighting the privacy
risks contactless cardholders (half of the cardholders’ population in France) are subject to and specifying
some obligations that banks and financial institutions are expected to comply with.
Definition of Contactless Payments: Contactless payments pertain to (i) near field
communication (at a distance of up to 10 centimeters), (ii) amounts below 20 euros, within certain limits in
the case of cumulated transactions, and (iii) payments abroad, subject to the merchant’s own policy.
Notice and Objection Rights: Cardholders must be informed about the contactless
functionality and must be able to object to it. Banks must offer an alternative solution to those
cardholders who object to the processing. More specifically, CNIL recommends that, in case of
opt out, banks (i) issue a new payment card that does not rely on the contactless technology, (ii)
allow cardholders to deactivate the contactless functionality via the bank’s website, or (iii) deliver
payment cards that do not offer the contactless option by default so that cardholders may decide
if they want to activate it. CNIL favors this last solution as it provides cardholders with control
over their data and meets the requirements of a “privacy-by-default” framework. CNIL highlights
that a deactivation or the delivery of a new payment card must be free of charge.
Security Measures: Although banks have complied with CNIL’s previous recommendations not
to disclose the name and the transaction history of a cardholder on the contactless interface of
a payment card, CNIL points out that other payment card data is still widely accessible and
may be collected and used by third parties. Accordingly, CNIL recommends that banks encrypt all
data flows to prevent any unauthorized access.
II. Recommendation on the Processing of Payment Card Data for Online Payments
On November 14, 2013, CNIL issued Recommendation No. 2013-358 regarding the processing of payment card
data in relation to the sale of goods and provision of services by distance payments (hereafter: “Recommendation”). The
Recommendation applies to the online payments industry, and more specifically to financial
establishments specialized in consumer credit, payment services providers, online merchants, anti-fraud
service providers and store cards retailers.
Definition of Payment Card Data: Payment card data includes card number, expiry date and
cryptogram. Because the cryptogram serves as evidence that a cardholder is in possession of
his/her payment card, it should not be retained after a transaction has occurred. Furthermore,
data controllers and processors are not entitled to obtain a copy (including a scan) of both sides
of the payment card as this would be inconsistent with security provisions in the French
Monetary and Financial Code.
Legal Basis for the Processing of Online Payment Data: Payment card data may be
collected for legitimate purposes such as (i) the provision of goods or services, (ii) the
booking/reservation of goods or services, (iii) the provision of payment solutions services by
payment service providers, (iv) the facilitation of further purchases on a website, and (v) fraud
prevention. The payment data may be collected and processed without the consent of the
cardholders except where it is retained to facilitate further purchases. In the latter case, the
explicit (opt-in) consent of the cardholders must be collected, e.g. via a check box (not pre-checked
by default). Consent to general terms and conditions does not amount to valid consent.
Data Retention: Online merchants may retain the payment card data up to 13 to 15 months
after a transaction has occurred, provided the data (i) does not include the cryptogram, (ii) is
retained in separate archiving systems, and (iii) is only used for evidence purposes in disputes
pertaining to a transaction. Where the data is retained longer, cardholders should provide their
express (opt-in) consent. However, this framework does not apply to fraud tracking services
providers, which may retain the data until the cardholder’s account is closed.
Notice and Access Rights: Any collection, use and retention of payment card data are subject
to prior notice. Individuals must be informed about (i) the identity of the data controller, (ii) the
purposes for which the data are used, (iii) whether providing the data is voluntary or mandatory,
(iv) access and correction rights, (v) types of recipients and (vi) whether data is being transferred
outside the EU. Cardholders must be able to exercise their access rights with payment services
providers as much as with online merchants.
Security Measures: Online merchants and payment services providers must (i) develop security
measures that are well known and referenced at an EU or international level (e.g. standard PCI
DSS), (ii) develop a strict policy to ensure that limited personnel may access the data on a strictly
“need to know basis”, (iii) implement measures of obfuscation and tokenization, (iv) not
encourage cardholders to record their data on their terminal devices, (v) apply encryption
technologies when the data is collected via a publicly available service, in particular when in
transit, (vi) develop tracking functions to identify individuals responsible for illegitimate access
or misuse of data, (vii) notify cardholders about any data security breaches, (viii) develop
technical means preventing illegitimate secondary use of data when the data is retained for fraud
prevention purposes (e.g. cryptographic hashing with secret key-code), and (ix) reinforce
authentication measures to ensure that it is the actual cardholder, and not someone else, who is
making the payment.
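As an added illustration of measures (iii) and (viii) above, not part of CNIL’s text: a merchant keeps only a masked card number for dispute evidence, drops the cryptogram entirely, and derives a keyed-hash token that lets a fraud service match repeat use of a card without holding the card number itself. The sample record and the key are constructed for the example; the helper names are assumptions.

```python
import hashlib
import hmac

# Constructed sample of what a checkout form captures (a well-known test PAN, not real card data).
SAMPLE_TRANSACTION = {
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cryptogram": "123",   # CVV/CVC: must never be retained after the transaction
    "amount_eur": 49.90,
}

# Constructed secret; in a real deployment this would come from an HSM or key-management service.
FRAUD_TOKEN_KEY = b"constructed-example-key-do-not-use"


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (BIN and card tail), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def fraud_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN.

    An unkeyed SHA-256 of a 16-digit number is not a pseudonym: the PAN space is
    small enough to enumerate, so a plain hash can be reversed by brute force.
    The secret key is what prevents that secondary use (measure viii).
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def minimise_for_retention(txn: dict, key: bytes) -> dict:
    """Build the record a merchant may keep: no cryptogram, masked PAN, fraud token."""
    pan = txn["pan"]
    if not (pan.isdigit() and 12 <= len(pan) <= 19):
        raise ValueError("PAN must be 12-19 digits")
    return {
        "pan_masked": mask_pan(pan),
        "expiry": txn["expiry"],
        "amount_eur": txn["amount_eur"],
        "fraud_token": fraud_token(pan, key),
    }


if __name__ == "__main__":
    print(minimise_for_retention(SAMPLE_TRANSACTION, FRAUD_TOKEN_KEY))
```

The same PAN under the same key always yields the same token, so a fraud service can link transactions; a different key (or no key at all) yields nothing an outsider can match back to the card.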
The Guide on contactless payment cards is available (in French) at:
http://www.cnil.fr/documentation/fiches-pratiques/fiche/article/carte-de-paiement-sans-contact-mode-demploi/?tx_ttnews%5BbackPid%5D=91&cHash=c2df40d70cec4d4da855a39b28cfb246
The Recommendation No. 2013-358 is available (in French) at:
http://www.cnil.fr/documentation/deliberations/deliberation/delib/13/
Written by:
Jan Dhont, Partner and Lead Data Privacy and Binding Corporate Rules
+32 2 239 20 08
Delphine Charlot, Associate Data Privacy and Binding Corporate Rules
+32 2 239 20 06