Out-Law News

How banks should handle data on 'terminated merchants'


The EU Working Party on Data Protection has endorsed guidelines for banks and others on the collection and processing of data on merchants whose contracts to accept payment cards have been terminated.

Databases on "terminated" merchants help banks and other financial institutions fight payment card fraud, allowing them to check whether they should be signing a contract with a particular new merchant. If used across Europe the databases could result in fraud savings of €200 million, says the Commission.

However, the databases must also comply with the EU Data Protection Directive, and as this has not been implemented in exactly the same way in all national legislation, banks in some Member States have been reluctant to report fraudulent merchants to the databases, fearing possible breaches of national laws.

The Commission, responding to requests to re-establish legal certainty in the area, has negotiated guidelines with VISA Europe and MasterCard Europe setting out best practice for financial institutions to follow. These have now been approved by the Data Protection Working Party.

The guidelines set out the conditions under which payment systems, banks and other payment service providers may operate national or cross-border databases on merchants whose contracts to participate in their systems have been terminated.

According to the guidelines, merchants' contracts must be terminated and their names listed based on objective criteria related to specified irregularities or risks, mostly linked to fraud. The databases do not contain data on individual cardholders.

The guidelines are a comprehensive catalogue of data protection rules that VISA and MasterCard have committed to respecting – for example, on who can use the database, for what purposes, how long data can be kept, how and when merchants should be informed and how and when they can obtain the correction or deletion of incorrect information.

The transfer of data to non-EU countries is not covered by the guidelines. The card schemes will carry out these transfers in compliance with the rules in the Data Protection Directive, including by using standard contractual clauses.

"This is a positive step towards clarifying how data protection principles apply to financial services and an excellent example of cooperation between businesses and data protection authorities," said Single Market Commissioner Charlie McCreevy. "I am pleased that the banks have shown a serious commitment to complying with data protection rules."

The guidelines will be implemented by Visa and MasterCard this year, and that implementation will be reviewed by the Article 29 Working Party in early 2006.
