Data Mapping for Payment Processors
For the purpose of data mapping, payment processors should be broken into two categories: traditional card processors and consumer wallet services.
Traditional Card Processors
These are the companies that a business contracts with to process its debit and credit card transactions. They manage the transfer of funds and usually offer some amount of fraud prevention. Square and Stripe are two of the many vendors that offer this service.
Card processors may receive a variety of personal information about a consumer, including:
- Name
- Address
- Email address
- Phone number
- IP address
- Geolocation data
- Card/Account information
- Purchase details
Unlike the consumer wallet services discussed below, the consumer has no direct relationship with this type of payment processor. Because it processes personal information on your business’s behalf, a traditional card processor may be classified as a service provider, as long as the contract contains the necessary privacy assurances.
Consumer Wallet Services
There are a growing number of companies—which we refer to as “consumer wallet services”—that offer a different type of payment processing. Common examples include PayPal, Venmo, Apple Pay, Affirm, and Google Pay. The key difference between these companies and a traditional card processor is that the consumer already has a relationship with the consumer wallet service. From a privacy perspective, this significantly changes your obligations.
Most importantly, your business discloses far less personal information to a consumer wallet service, because that service already has the consumer’s data. All you are sharing with a service such as PayPal are the details of the consumer’s purchase.