March 5, 2021

Volume XI, Number 64


Is a Company that Accepts Credit Cards a Service Provider Under the CCPA with Respect to Credit Card Related Information?

Potentially.

Some consumers may assume that a company owns the payment card-related information it collects when it accepts payment cards (e.g., credit or debit cards). In order to process payment cards, however, a company typically must enter into a written contract with a payment processor or merchant bank. Those contracts often specify that payment card-related data is "owned" by the payment brands (i.e., Visa, Mastercard, American Express, and Discover) and require the company that accepts the payment card to agree to the payment brands' published rules and procedures (collectively referred to as the "payment brand rules").[1] The payment brand rules contractually govern how a company may use payment card-related information.

The CCPA requires that a service provider agree to three substantive restrictions on its use, disclosure, and retention of personal information. The CPRA amended the CCPA to require that, beginning on Jan. 1, 2023, a written contract with a service provider include additional clarifications and provisions regarding the use, disclosure, and retention of personal information.

The following chart compares the substantive requirements within the CCPA's definition of a service provider with those requirements that would be contractually imposed upon a company that has agreed to comply with the payment brand rules (the notes cited in each column identify the provision that imposes the requirement):

Requirement | CCPA | Payment Brand Rules
1. Use Restrictions. A service provider can only process personal data consistent with a controller's documented instructions. | See note 2 | See note 3
2. Disclosure Restrictions. Confidentiality provision that ensures that persons authorized to process personal data have committed themselves to confidentiality. | See note 4 | See note 5
3. Delete or Return Data. Service provider will delete or return data at the end of the engagement. | See note 6 | See note 7


[1] See, e.g., American Express Merchant Operating Guide § 3.5 (stating that all Cardmember information is the "sole property" of American Express).

[2] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[3] For example, American Express's Merchant Operating Guide states that a merchant must not "use" Cardmember information for any purpose not specified in the Merchant Operating Guide. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5).

[4] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[5] For example, Mastercard's rules prohibit a merchant from "in any manner disclos[ing] Account or Transaction data, including but not limited to the Account PAN [Primary Account Number] . . . or personal information of or about a Cardholder to anyone other than its Acquirer, to the Corporation, or in response to a valid government demand." Mastercard Rules dated Aug. 4, 2020, at 110 (Rule 5.13). The American Express Merchant Operating Guide also provides that a merchant may not "disclose Cardmember Information" other than as permitted by American Express. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5).

[6] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[7] For example, American Express's Merchant Operating Guide states that a merchant must not "store" Cardmember information for any purpose not specified in the Merchant Operating Guide. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5). It further states that after the termination of the agreement, such information may only be retained as permitted by the PCI DSS. Id.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 15
About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Jena M. Valdetero Cybersecurity Lawyer Greenberg Traurig Law Firm
Shareholder

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...

312.456.1025