CNIL - Recommendations for Banks and Financial Institutions



CNIL’s Recommendations to the Card Payment Industry

The French Data Protection Authority (hereafter: “CNIL”) recently released a short guide explaining the functioning of contactless payments to cardholders. The guide targets the card payment industry in line with CNIL’s previous Recommendation on the processing of payment card data for online payments.

I. Guide on Contactless Payment Cards

On May 19, 2015, CNIL released a practical guide on contactless payment cards highlighting the privacy risks contactless cardholders (half of the cardholders’ population in France) are subject to and specifying some obligations that banks and financial institutions are expected to comply with.

Definition of Contactless Payments: Contactless payments pertain to (i) near field communication (a range of 10 centimeters), (ii) amounts below 20 euro, within certain limits in case of cumulated transactions, and (iii) payments abroad subject to the merchant’s own policy.

Notice and Objection Rights: Cardholders must be informed about the contactless functionality and must be able to object to it. Banks must offer an alternative solution to those cardholders who object to the processing. More specifically, CNIL recommends that, in case of opt-out, banks (i) issue a new payment card that does not rely on the contactless technology, (ii) allow cardholders to deactivate the contactless functionality via the bank’s website, or (iii) deliver payment cards that do not offer the contactless option by default so that cardholders may decide if they want to activate it. CNIL favors this last solution as it provides cardholders with control over their data and meets the requirements of a “privacy-by-default” framework. CNIL highlights that a deactivation or the delivery of a new payment card must be free of charge.

Security Measures: Although banks have complied with CNIL’s previous recommendations not to disclose the name and the transaction history of a cardholder on the contactless interface of a payment card, CNIL points out that other payment card data is still widely accessible and may be collected and used by third parties. Accordingly, CNIL recommends that banks encrypt all data flows to prevent any unauthorized access.

II. Recommendation on the Processing of Payment Card Data for Online Payments

On November 14, 2013, CNIL issued Recommendation No. 2013-358 regarding the processing of payment card data in relation to the sale of goods and provision of services by distance payments (hereafter: “Recommendation”). The Recommendation applies to the online payments industry, and more specifically to financial establishments specialized in consumer credit, payment service providers, online merchants, anti-fraud service providers and store card retailers.

Definition of Payment Card Data: Payment card data includes the card number, expiry date and cryptogram. Because the cryptogram serves as evidence that a cardholder is in possession of his/her payment card, it should not be retained after a transaction has occurred. Furthermore, data controllers and processors are not entitled to obtain a copy (including a scan) of both sides of the payment card as this would be inconsistent with security provisions in the French Monetary and Financial Code.

Legal Basis for the Processing of Online Payment Data: Payment card data may be collected for legitimate purposes such as (i) the provision of goods or services, (ii) the booking/reservation of goods or services, (iii) the provision of payment solution services by payment service providers, (iv) the facilitation of further purchases on a website, and (v) fraud prevention. The payment data may be collected and processed without the consent of the cardholders except where it is retained to facilitate further purchases. In the latter case, the explicit (opt-in) consent of the cardholders must be collected, e.g. via a check box (not pre-checked by default). Consent to general terms and conditions does not amount to valid consent.

Data Retention: Online merchants may retain the payment card data up to 13 to 15 months after a transaction has occurred, provided the data (i) does not include the cryptogram, (ii) is retained in separate archiving systems, and (iii) is only used for evidence purposes in disputes pertaining to a transaction. Where the data is retained longer, cardholders should provide their express (opt-in) consent. However, this framework does not apply to fraud tracking service providers, which may retain the data until the cardholder’s account is closed.

Notice and Access Rights: Any collection, use and retention of payment card data is subject to prior notice. Individuals must be informed about (i) the identity of the data controller, (ii) the purposes for which the data are used, (iii) whether providing the data is voluntary or mandatory, (iv) access and correction rights, (v) types of recipients and (vi) whether data is being transferred outside the EU. Cardholders must be able to exercise their access rights with payment service providers as much as with online merchants.

Security Measures: Online merchants and payment service providers must (i) develop security measures that are well known and referenced at an EU or international level (e.g. the PCI DSS standard), (ii) develop a strict policy to ensure that only limited personnel may access the data, on a strict “need to know” basis, (iii) implement measures of obfuscation and tokenization, (iv) not encourage cardholders to record their data on their terminal devices, (v) apply encryption technologies when the data is collected via a publicly available service, in particular when in transit, (vi) develop tracking functions to identify individuals responsible for illegitimate access or misuse of data, (vii) notify cardholders about any data security breaches, (viii) develop technical means preventing illegitimate secondary use of data when the data is retained for fraud prevention purposes (e.g. cryptographic hashing with a secret key), and (ix) reinforce authentication measures to ensure that it is the actual cardholder, and not someone else, who is making the payment.
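As an added illustration (not part of the CNIL memo or of any bank's or merchant's code), the Python sketch below shows how an online merchant could keep the two copies that the Data Retention and Security Measures sections describe: a dispute-evidence record with the cryptogram dropped, the card number masked and a purge date at the end of the 15-month window, and a fraud-prevention record that identifies the card only through a keyed hash. The sample transaction, the placeholder key, the function names, and the choice of HMAC-SHA256 and first-six/last-four masking are assumptions of this example.

```python
import calendar
import datetime as dt
import hashlib
import hmac

RETENTION_MONTHS = 15  # upper bound of the 13-15 month evidence-retention window

# Constructed sample: a well-known test PAN, not a real card; the key is a placeholder.
SAMPLE_TXN = {"txn_id": "T-0001", "pan": "4111111111111111", "expiry": "12/27",
              "cryptogram": "123", "amount": "42.50", "date": dt.date(2015, 5, 19)}
SAMPLE_KEY = b"placeholder-key-load-from-hsm-or-kms"

def luhn_ok(pan: str) -> bool:
    # Luhn checksum: reject mistyped PANs before anything is stored.
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Obfuscation (item iii): keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def fraud_pseudonym(pan: str, key: bytes) -> str:
    """Keyed hash (item viii): without the key the value is neither reversible nor matchable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def add_months(d: dt.date, months: int) -> dt.date:
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return dt.date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def evidence_record(txn: dict) -> dict:
    """Dispute-evidence copy for the separate archive: no cryptogram, masked PAN, purge date."""
    return {"txn_id": txn["txn_id"], "date": txn["date"].isoformat(), "amount": txn["amount"],
            "pan_masked": mask_pan(txn["pan"]), "expiry": txn["expiry"],
            "purge_after": add_months(txn["date"], RETENTION_MONTHS).isoformat()}

def fraud_record(txn: dict, key: bytes) -> dict:
    """Fraud-prevention copy: only the keyed pseudonym identifies the card."""
    return {"txn_id": txn["txn_id"], "date": txn["date"].isoformat(),
            "amount": txn["amount"], "card_ref": fraud_pseudonym(txn["pan"], key)}

def split_records(txn: dict, key: bytes) -> tuple:
    if not luhn_ok(txn["pan"]):  # validate before storing anything
        raise ValueError("PAN failed Luhn check")
    return evidence_record(txn), fraud_record(txn, key)  # cryptogram never leaves the authorisation step
```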

The Guide on contactless payment cards is available (in French) at:

http://www.cnil.fr/documentation/fiches-pratiques/fiche/article/carte-de-paiement-sans-contact-mode-demploi/?tx_ttnews%5BbackPid%5D=91&cHash=c2df40d70cec4d4da855a39b28cfb246

The Recommendation No. 2013-358 is available (in French) at:

http://www.cnil.fr/documentation/deliberations/deliberation/delib/13/

Written by:

Jan Dhont, Partner and Lead Data Privacy and Binding Corporate Rules
[email protected]
+32 2 239 20 08

Delphine Charlot, Associate Data Privacy and Binding Corporate Rules
[email protected]
+32 2 239 20 06