

The distinction between data controllers and data processors can have significant consequences in the real world of online card payments, from many points of view. Some organisations may be confused as to their respective roles and therefore as to their data protection responsibilities under GDPR. Determining whether an organisation is a data controller or a data processor can prove difficult, especially in the card acquiring industry.

The lifecycle of a card purchase is quite complex. When a customer makes a purchase using a payment card, the data travels through many different entities (acquirers, merchants, card issuers, card scheme associations, payment facilitators, other scheme members' or merchants' agents, etc.). There are also specific industry rules (card scheme rules) and specific payment security standards (the Payment Card Industry Data Security Standard, PCI DSS) to be observed.

* In terms of personal data, I am referring here to the cardholder's personal data (e.g., cardholder name, Primary Account Number, expiration date, amount, address, e-mail, shipment address) and not merchant data (i.e., personal data relating to the merchant or its employees, officers or contractors).

** In terms of the configuration of the merchant website to accept card payments, I am referring here to the situation where the entire payment page is served by the acquirer (a hosted payment page reached by redirect or embedded frame) and the merchant website does not store, process or transmit cardholder data and does not control how the data is collected.

General Data Protection Regulation (GDPR)

Under GDPR, the Controller is defined as the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data, whilst the Processor is defined as the entity which processes personal data on behalf of the Controller. In other words, the data Controller (on its own or jointly with other organisations) determines the purpose for which, and the manner in which, personal data is processed. This means that the data controller(s) exercises overall control over the 'why' and the 'how' of a data processing activity, but the definition is flexible.

Acquiring Services - Parties' relationship

Merchant acquiring services are payment services provided by an acquiring bank that is a member of the card schemes (e.g., VISA, MasterCard), enabling merchants to accept credit or debit card payments for their business. Whether for accepting payments in a physical store or online, acquiring services can be provided by the banks themselves or by payment institutions or e-money institutions duly licensed for this type of payment service (the "Acquirer"). PSD2 defines the 'acquiring of payment transactions' as a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee. The IFR defines the 'acquirer' as a payment service provider contracting with a payee to accept and process card-based payment transactions, which result in a transfer of funds to the payee.

What is the role of the Acquirer under GDPR? In its acquiring activity, is it acting as a data Processor on behalf of the merchant, as a data Controller (with respect to the processing of the cardholder's personal data), or is there a joint relationship depending on the type of data being processed? Who is considered to determine the purpose and the means of processing the cardholder data? The purpose of processing cardholder data is to provide acquiring services to the merchant and to its customers paying for products or services on the merchant's website. The Acquirer (in practice, the card schemes and the other financial organisations involved) decides which information it needs from the merchant's customers (cardholders) in order to process their payments correctly and the manner of that processing, and it has legal and industry contractual requirements of its own to meet (for example, relating to the use and retention of payment card data). Certain data may also be required in case of chargebacks.
