PYMNTS-MonitorEdge-May-2024

European Data Protection Supervisor Urges Increased Data Protection in Card Payments 

The European Union’s independent data protection authority has identified how data collected during card-based payment transactions can be used to profile customers and, if not handled adequately, can increase the risks of cyberattacks.  

The European Data Protection Supervisor (EDPS), in a report published on December 20, acknowledged that “different actors in the card payment ecosystem need to process different personal data based on the purposes they must achieve,” but it continued suggesting that “other actors do not have to, and data subjects may face risks of misuse of personal data.”

The regulator emphasized the importance of protecting special categories of data that are created with card-based payments. For instance, when data obtained from the payment process is used by merchants in tailoring their offering, using profiling techniques to understand a payer’s spending capacity or their preferences to increase the effectiveness of certain marketing campaigns, this may be positive for both the merchant and the consumer.  

The problem is when payment data is used for purposes other than those related to the payment transaction. For example, some payment providers may collaborate with private credit scoring companies that tell creditors and service providers about the score of potential customers, EDPS noted. Furthermore, under certain circumstances, data from the transactions may allow companies to infer consumers’ racial or ethnic origin, political and religious beliefs, union membership, health and sexual life and orientation. When this happens, there are risks.  

Additionally, consumers could suffer biased or unfair decisions that have been made based on opaque algorithms or inaccurate data. The report also mentions the case of China, where the government uses payment data to profile their citizens and to influence certain behavior. 

Therefore, understanding who decides what personal data is necessary to collect in a payment transaction is essential to determine who will have to notify a possible data breach or to whom data subjects should refer to in case they would need to exercise their right of access, EDPS wrote.  

The regulator also includes two examples of data breaches and the potential harmful effects for consumers. One of the biggest breaches of all time came in 2009 and involved Heartland Payment Systems, the payment processor. At the time, millions of credit card and debit card transactions were stolen. Among the data exposed was information encoded in the magnetic stripe of cards, enabling criminals to manufacture counterfeit cards.  

More recently, a security flaw in the payment software has been exploited against a supermarket chain in Sweden. It led to the suspension of the business for a weekend. These examples demonstrate that ensuring the confidentiality, integrity and availability of the data processed within the card-based payment ecosystem is key to maintaining the trust of payers in the market and to ensuring business continuity, EDPS said. 

As a result, many security standards have increased in the payment field. Magnetic stripes have been deprecated and new verification methods have been introduced, from PIN numbers to biometric sensors. 

While the General Data Protection Regulation (GDPR) provides a good legal framework to deter malpractices and to detect data breaches, the European Commission decided to propose new regulation to protect the financial sector against cyberattacks and to diminish the risk of personal data leaks. The recently proposed Digital Operational Resilience Act (DORA) aims to create a more resilience financial sector and monitor third-party information and communication technology (ICT) providers. 

Under the proposal, DORA aims to enhance the ICT risk management requirements applicable to financial entities in the EU, streamline ICT-related incident reporting requirements and reduce single market fragmentation. In addition, and most controversially, the proposal suggests a set of rules addressing the sound management of third-party ICT risk by financial entities, including requirements on key contractual provisions in (outsourcing) arrangements with ICT third-party service providers and through the establishment of an oversight framework applicable to critical ICT TPPs.  

The proposal, which is now in the EU parliament, could be approved in 2022 after it receives the opinions of the European Central Bank and other relevant committees.  

 

 

PYMNTS-MonitorEdge-May-2024