Data protection: New guidelines on payment card fraud prevention databases
European Commission - IP/05/246 02/03/2005
Brussels, 2 March 2005
The EU Committee of Data Protection Authorities (“Article 29 Working Party”) has endorsed guidelines on the collection and processing of data on merchants whose contracts to accept payment cards have been terminated. The guidelines will help banks prevent fraud and ensure that merchants’ privacy is better protected. Databases on “terminated” merchants are very important for the banking industry. In the UK, one of the EU countries where the operation of these databases does not pose any legal problems, substantial fraud savings have been made. Their use across Europe could potentially generate savings of € 200 million.
Single Market Commissioner Charlie McCreevy said: “This is a positive step towards clarifying how data protection principles apply to financial services and an excellent example of cooperation between businesses and data protection authorities. I am pleased that the banks have shown a serious commitment to complying with data protection rules.”
The Commission and data protection experts negotiated these guidelines with VISA Europe and MasterCard Europe. The results were drawn up under the guidance of Irish Data Protection Commissioner Joe Meade.
The guidelines set out the conditions under which payment systems, banks and other payment service providers may operate national or cross-border databases on merchants whose contracts to participate in their systems have been terminated. Merchants’ contracts must be terminated and their names listed based on objective criteria related to specified irregularities or risks, mostly linked to fraud. Banks consult the databases before signing contracts with new merchants and can take an informed decision. The databases do not contain data on individual cardholders.
The guidelines are a comprehensive catalogue of data protection rules that VISA and MasterCard are committed to respecting: for example, on who can use the database, for what purposes, how long data can be kept, how and when merchants should be informed and how and when they can obtain the correction or deletion of incorrect information.
The transfer of data to non-EU countries is not covered by the guidelines. The card schemes will carry out these transfers in compliance with the rules in the Data Protection Directive, including by using standard contractual clauses (model contracts, see IP/05/12).
The payment card sector’s national and cross-border fraud prevention databases rely on input from banks. As the EU Data Protection Directive is not applied in the same way in all national legislation, banks in certain Member States have been reluctant to report fraudulent merchants to these databases, as they were concerned about possible breaches of national data protection laws.
The banks asked the Commission to re-establish legal certainty. Clarification of the application of EU data protection legislation to fraud prevention is one of the main objectives of the Commission Action Plan 2004-2007 to prevent payment fraud (see IP/04/1291).
The guidelines will be implemented by Visa and MasterCard in 2005, and that implementation will be reviewed by the Article 29 Working Party in early 2006. They are available at:
For more information on EU policy on data protection, see:
 From 16 March 2005 Vice-President Frattini has responsibility for data protection.