GDPR: Controller – Processor relationship in Card Acquiring business

The distinction between data controllers and data processors can have significant consequences in the real world of online card payments from many points of view. It could be confusing on the part of some organisations as to their respective roles and therefore their data protection responsibilities under GDPR.

To determine weather an organisation is a data controller or data processor it might prove difficult, especially in the card acquiring industry. The lifecycle of a card purchase is quite complex. When a customer makes a purchase using a payment card, the data travels through many different entities (acquirers, merchants, card issuers, card scheme associations, payment facilitators, other scheme member’s or merchant’s agents, etc). Also there are specific industry rules (card schemes rules) and specific payment security standards (Payment Card Industry Data Security Standard – PCI DSS) to be observed.

* in terms of personal data, I am referring here to the cardholder personal data (e.g., Cardholder name, Primary Account Number, Expiration date, amount, address, e-mail, shipment address) and not merchant data (i.e., personal data relating to merchant or its employees, officers or contractors).
** in terms of configuration of the merchant website to accept card payments, I am referring here to the situation when the entire payment page is received from the acquirer and the merchant website does not store, process or transmit cardholder data and does not control how the data is collected.

I. General Data Protection Regulation (GDPR)
Under GDPR, the Controller is defined as the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data, whilst the Processor has been defined as the entity which processes personal data on behalf of the Controller.

In other words, the data Controller (on its own or jointly or in common with other organisations) determines the purpose for which and the manner in which personal data is processed. This means that the data controller(s) exercises overall control over the ‘why’ and the ‘how’ of a data processing activity, but the definition is flexible.

II. Acquiring Services – Parties’ relationship
Merchant acquiring services are payment services provided by an acquiring bank member of the card schemes (e.g., VISA, MasterCard), enabling merchants to accept credit or debit card payments for their business. Whether for accepting payments in a physical store or online, acquiring services can be provided by the banks themselves, by payment institutions or e-money institutions dully licensed for this type of payment service (the „Acquirer”).

PSD2 defines the ‘acquiring of payment transactions’ as a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee.

IFR defines the ‘acquirer’ as a payment service provider contracting with a payee to accept and process card-based payment transactions, which result in a transfer of funds to the payee.

What is the role of the Acquirer under GDPR? In its acquiring activity, is acting as a data Processor on behalf of the merchant or is acting as a data Controller (with respect to the processing of cardholder’s personal data) or there is a joint relationship depending of the type of data to be processed?

The purpose of processing cardholder data is to provide acquiring services to the merchant and its customers paying for products/services on the merchant’s website. But whom is considered to determine the purpose and the means of processing the cardholder data?

The Acquirer (together with the card schemes or other organizations involved) decides which information it needs from merchant’s customers (cardholders) in order to process their payments correctly, the manner of processing and it has legal and industry contractual requirements of its own to meet (for example relating to the use and retention of payment card data). Also, certain data could be required in case of chargebacks.

Is there a joint Controller relationship with the Merchant or just a Controller (Acquirer) – Processor (Merchant) one or vice-versa?
As mentioned above, the GDPR definition of the „Controller” provides a degree of flexibility. For example it can allow one data controller to mainly, but not exclusively, control the purpose of the processing with another data controller. It can also allow another data controller to have some say in determining the purpose whilst being mainly responsible for controlling the manner of the processing.

In the online card payments market it seems that the acquiring organizations opted for a Processor (Acquirer) – Controller (Merchant) relationship with respect to the processing of the cardholder data. Is that correct? It reflects the reality? Yes and no.
The Acquirer (together with the card scheme organizations) determines what cardholder data is to be processed and provides detailed processing instructions which the merchant must follow. The merchant following the instructions is tightly constrained in what it can do with the card data (if it can) and has no say over its content or how it is processed.

III. What the Card Schemes say?
Wile MasterCard Rules are not that clear (at least for me) and straight in this respect, Visa Rules state that a Member (including an Acquirer) must understand and accept that it is either:
. A data controller, as specified by European Data Protection legislation, with regard to all personal data that the Member and/or Visa collects from Cardholders and Merchants with Visa and its subcontractors being the data processor.
. Primarily responsible for fulfilling all data protection responsibilities toward cardholders and merchants with whom it has a direct relationship.
or that the Acquirer is:
. A joint data controller together with Visa, as specified by European Data Protection legislation, with regard to all personal data that the Memeber and/or Visa collects from Cardholders and Merchants with Visa and its subcontractors being the joint data controller.
. Jointly responsible with Visa for fulfilling all data protection responsibilities toward cardholders and merchants.

Also the rules (which are „very” binding for the members) are imposing specific data protection responsibilities on the Acquirer for both scenarios (when acting as a sole Controller or as a joint Controller with Visa).
While is not possible to be in the same time Controller and Processor when collecting the same personal data (cardholder data) and for the same purpose (acquiring services), one can say that an Acquirer is a Controller not only in its relationship with Visa but also in its relationship with the Merchant.

IV. An important aspect
In accordance with GDPR, where a data Processor, in breach of the GDPR, determines the purposes and means of any processing activity, that Processor is treated as a Controller in respect of that processing activity.
Organizations should be cautious of this provision. In principal, any time they processes personal data in their acquiring activity, it may be qualified as a Controller, and thus subject to the full compliance obligations of a Controller in relation to that processing during the acquiring activity.

Source: Tudor Nistor – Payments | FinTech Lawyer