Paying by credit card is very common nowadays. That is why merchants need a credit card processing merchant account to serve as the payment gateway for receiving card payments. A set of data is required to process each and every credit card transaction, and that data comes in different levels.
- A Level 1 transaction requires only basic data such as the merchant's Doing Business As name, the billing zip code and the transaction amount. Additional information, such as the date and time of the transaction and other cardholder details, is recorded automatically by the bank but is not reported to the merchant processing the transaction.
- A Level 2 transaction includes the same data as a Level 1 transaction, with the addition of the sales tax amount, a customer reference number or code, the merchant zip/postal code, tax ID, merchant minority code, and state code.
- A Level 3 transaction is the highest data level and includes the maximum amount of information gathered and processed. In addition to the data included in Level 1 and Level 2 transactions, it carries the ship-from postal code, ship-to or destination zip code, invoice number, order number, item product code, item commodity code, item description, quantity, item unit of measure, item extended amount, and freight and duties amount.
Major credit card companies require Level 2 or Level 3 data to approve a transaction, even for merchant accounts held by small businesses.
The General Data Protection Regulation (GDPR), adopted in 2016, took effect on May 25, 2018, and is certain to have worldwide implications. GDPR is a regulation established by the European Parliament and Council to protect how the personal information of data subjects (EU customers) is gathered and processed. It gives EU customers control over their personal data, including the right to have that data erased.
So who will be affected by the implementation of GDPR?
- All businesses worldwide that market to EU customers.
- All third parties that analyze data from EU customers.
- All merchants that sell or have sold products to EU customers.
The personal data covered includes the person's name, the credit card number used, location data, IP addresses, user-generated content from social media, and any other online identifier of the person.
GDPR replaces the EU Data Directive, which can now be considered inadequate for current challenges because it was established in 1995, in the early days of the internet. The new legislation sets out guidelines on how companies must handle customer privacy, store data securely, and respond properly to security breaches. It offers a unified standard across Europe so that companies need not worry about dealing with differing country regulations. GDPR also covers the processing of EU citizens' data by organizations that are not based in the EU.
Certainly, GDPR affects online credit card processing. Merchants must strictly follow its rules and policies.
1. Data subjects can request full transparency and full access to the data generated about them. They may ask how long that data will be processed. When a request is made, merchants must comply within one month or coordinate with the EU customer and explain why the request cannot be fulfilled.
2. An EU customer can request that his or her personal data be erased from data processing. This can be done provided that the following conditions are met.
- The personal data requested to be erased is no longer necessary in relation to the purpose for which it was collected.
- The data subject withdraws the consent initially given and there is no legal ground to continue processing the personal data.
- The personal data collected has been unlawfully processed.
- The EU or an EU country has directed that the personal data be erased.
- The data subject has objected to how his or her personal data is used in automated processing and profiling, unless such processing is covered by the contract between the merchant and the customer.
3. There will be restrictions on how personal data is processed; consent must be given by the data subject.
4. All processed data must be provided on request in a machine-readable format and must be transferable.
5. Personal data must be secured during processing and must meet the following criteria to be considered secure.
- The personal data must be encrypted to protect against a data breach.
- A standard must be followed and checked regularly to ensure that all procedures meet the necessary confidentiality, integrity, availability, and resilience requirements.
- In case of a technical incident, availability of and access to personal data must be restored in a timely manner.
- All processes must be tested, assessed and evaluated regularly to ensure the effectiveness of the technical measures securing the personal data.
The purpose of each data processing activity must be specified, and consent must be provided for each one. Chargeback processing is not significantly affected and can still be considered lawful provided that it meets at least one of the following conditions.
- The data subject has agreed to their data being processed for one or more purposes.
- The person or company that will process the data has a legal right to do so.
- Processing the data is part of the contract entered into with the data subject and is necessary in order to fulfill that contract.
- Processing the data benefits the data subject as part of chargeback management, which helps protect both the customer and the merchant's business from fraudulent activity and possible disputes.
EU countries are still in the process of introducing more specific provisions related to GDPR, and it is advisable to wait for these provisions and review them together with each country's own data regulation. GDPR is essentially an evolution of the regulations put in place to protect consumer privacy and a standardization of existing best practices across multiple countries. It provides more consistent, clearer guidance and less cross-border confusion for merchants among EU countries, and it also helps non-EU businesses identify how EU law lines up with their own country's law.
To find out about iPayTotal's merchant services for a credit card processing merchant account, speak with a live representative directly at +44 800 776 5988 or get in touch with us through our website.