With the development of online commerce, Internet users must communicate information concerning their bank card (card number, cryptogram, etc.). How long is this bank data kept, under what security conditions? The CNIL informs you.
How Long Can Bank Data Be Kept?
Bank details must be deleted once the transaction has been completed. This requirement is intended to limit cases of fraudulent use of bank card numbers.
Under What Conditions Can A Merchant Site Nevertheless Keep My Bank Data?
Yes, the merchant sites can keep this data provided that they have received your express agreement and that they inform you of the objective pursued. This agreement requires an active approach on your part. To materialize it on an online store, it is advisable to use for example a check box. By default, this box must be unchecked. The conservation of the bank card number should not constitute a condition of use of the service. The fact for a customer to refuse that a merchant site keeps his bank details should not prevent him from accessing the services offered by the site to protect high risk merchant processing.
In addition to the bank card number, you must often provide the three digits of the visual cryptogram located on the back of the card. Is this practice allowed? In order to protect against fraud, a merchant site may ask you for the visual cryptogram of your bank card. The goal is to verify that you are the card holder. This visual cryptogram must in no case be kept.
What are the obligations of publishers of merchant sites in terms of security and confidentiality regarding bank data? The CNIL requires that bank data be encrypted using a so-called “strong” encryption algorithm. This means that the bank details are rendered incomprehensible except for the publisher of the website. Access to the file containing this data must also be restricted to website staff. Access and links to the merchant site must also be secure. This means that the address of the pages of the payment forms must be in https for example, which you can check by looking at the address of the site.
During a purchase, some sites also ask for the date of birth to verify that it is indeed the holder of the bank card. Is this not an attempted scam on the part of malicious people? No, it is a recent device called ” 3D Secure “. It serves to strengthen the security of your purchases made on the internet and to verify that you are indeed the holder of the bank card.
The CNIL recommends, however, the use of a non-repayable authentication mechanism, that is to say a single-use code. This can for example be sent to you by SMS. In this case, this SMS will be sent to you on the mobile phone number you gave to your bank.
How Will The Cooperation Between The CNIL And The DGCCRF Be Organized?
This new system allows the exchange of information between the two authorities in order to strengthen their control actions. Thus, the CNIL will be notified of breaches of the “Data Protection” law observed by investigators from the National Investigation Service (SNE) of the DGCCRF. On the basis of this information, the CNIL will then be able to control, or even sanction, merchant sites that do not comply with the law. The measures for informing Internet users and securing transactions constitute are particularly likely to be verified during these controls.