The French Data Protection Authority, CNIL, issues guidance on credit card data in remote transactions:

  • Merchants who collect credit card details to complete a transaction need their customers' consent to keep those bank details beyond that transaction in order to facilitate subsequent purchases.
  • This consent is not presumed and must take the form of an unambiguous act of will, for example a checkbox (not pre-checked by default).
  • Acceptance of the general conditions of use or sale is not considered a sufficient mechanism for collecting the consent of the persons concerned.
  • The e-merchant should integrate directly into the merchant site a simple, free-of-charge way to withdraw the consent given.
  • The credit card data can also be used in the fight against payment card fraud.
  • Merchants can rely on their legitimate interest to keep the credit card data of those customers who take out a subscription in order to benefit, free or paid, from additional services that facilitate their purchases.
  • When doing so, merchants must (1) disclose that they retain this data, (2) allow an opt-out, (3) allow deletion and (4) implement appropriate security measures.

Details from CNIL.