On 14 November 2013, the CNIL (in decision n° 2013-358) replaced its previous decision of June 2003 on data processing in relation to card payments for online traders engaged in distance selling of goods and services.  The intent of this decision was to provide “concrete answers to the various stakeholders, taking into account the evolution of the legal and technical framework.”

The key elements as to how online traders may use payment data are as follows:


Essential data that may be collected includes only the card number, the expiry date and the security code. The identity of the card holder is not necessary, and may only be collected if it is justified for a specific and legitimate purpose, such as the fight against fraud. Making a copy of the payment card is prohibited.

Duration of data retention

In principle, data should only be held for the “time required to complete the transaction”.  However, online traders may retain part, but not all, of the data for the management of any claims in intermediate archives for a certain period of time.  In cases where the number of the card would be used for other purposes, the retention period must be strictly limited to what is necessary for this current purpose.

Consent for future transactions

The CNIL requires a “free, specific and informed,” and moreover express, consent on all data retention that is merely for the simplification of future transactions.  In addition, there has to be a straightforward way of revoking that consent, without charge.

Security measures

The CNIL has emphasized the critical need to implement security measures adapted to this type of sensitive information.

It provides a number of recommendations in that respect including, amongst other things :

  • The use of on line security payments in accordance with state of the art and recognizable regulations. “In this respect, only devices that conform to recognized standards at an international or European level (for example the PCI DSS standard) should be used”. Furthermore, data controllers should put in place steps for the management of risks.
  • In relation to data collection by telephone, security measures must be implemented, such as the traceability of access to card numbers. Secure alternatives should be provided at no extra cost for customers who do not wish to have their personal card information transmitted in this manner.
  • Breach notification.

The CNIL considers that it is necessary to notify persons whose personal information has been the subject of a data breach, so that they may take the appropriate steps to limit the risk that such information is reused fraudulently (challenge fraudulent payments, card misuse etc).

Contact Stéphanie Faber in our Paris office for more information.