Data processing in Payments: transparent and secure.
You can pay by card with peace of mind: As a regulated payment institution under the supervision of BaFin and Bundesbank, InterCard stores sensitive cardholder payment data with due care and for specific purposes. And it also complies with the very highest technical security standards, as well as all statutory provisions.
As a service provider to the trade sector, InterCard primarily processes cardholder payment data within the framework of what is known as controller for the legitimate interest and legal obligations . However, InterCard also operates in some segments as a contract data processor for the trade sector and its service providers. The data are in part personal data pursuant to the General Data Protection Regulation (GDPR) and are used strictly for their intended purpose. In particular, they are not used for sales or marketing purposes. The data are protected by the very highest applicable security standards (including PCI DSS).
When using the data, where possible, InterCard first consults with the competent Bavarian Data Protection Authority (BayLDA), as well as with other national organisations.
InterCard is regulated by the Federal Financial Supervisory Authority (BaFin) and Deutsche Bundesbank and must comply with the Anti Money Laundering Act, the Payment Services Supervision Act and the Banking Act, among others. InterCard must also store and assess its customers’ transaction data suitably. These are used transparently and for their intended purpose - while ensuring the highest possible level of data protection and data minimisation.
The extensive information for card holders according to Art. 13 and 14 GDPR and the recommendation of the Federal Association of electronic cash networks operators e.V. (BecN) can be found here:
Data protection for cardholders (PDF, 155.65 KB)
The regulations as recommended to the merchants in the following appendix apply to ec direct debit payments made via InterCard (ec debit card payments and signature-based payments).
Receipt text for ec direct debit (ELV) via InterCard (PDF, 83.86 KB)
Notice text for ec direct debit (ELV) via InterCard (PDF, 92.24 KB)
With online direct debit payments, InterCard assumes the merchant’s bad debt risk in some cases. In these cases, in order to limit the payment default risk, the name and address of the invoice recipient is communicated to InterCard and, using these data, InterCard performs an address check and a credit rating with the following service providers:
a) To check the postal deliverability and correct spelling of the name and the address of the invoice recipient: Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf, Germany
b) To limit the credit risk, based on the name and address, we request information about the previous payment behaviour and credit rating information based on a mathematical/statistical method using address data (Rating to calculate the likelihood of payment) from infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden, Germany
These data are stored and used by InterCard solely for the purpose of preventing fraud and limiting the risk of payment defaults.
The merchant has a contractual obligation towards us to forewarn its customers of these checks.
The data stored by us will, as already said, only be used to process payments, perform risk checks and, where applicable, process returned direct debits, and shall be forwarded to the relevant banks for further processing. The data are used strictly for the intended purpose only and are not used for marketing purposes or sold on to call centres.
We are happy to provide information about personal data stored by us subject to an appropriate postal request and will explain to you how we process transactions. To this end, we must nonetheless consult the competent data protection supervisor and follow the requisite verification channels, as we do not usually know your address. On data protection grounds, we may not release specific transaction data to ‘unknown parties’, i.e., potentially to an ‘imposter’. When providing information, we must comply with the security provisions agreed with the data protection supervisor.
As a cardholder, do you wish to get information about your transaction data maintained in our database?
As a cardholder, you can request information about your transaction data maintained in our database according to the procedure agreed with the relevant Data Protection Authority only by mail. You will promptly receive our written reply outlining the requirements for the relevant request.
We will need specific details of your data. There are two options: the standard procedure, where a number of ec cardholders use a single account, and the simplified procedure, where the ec cardholder is the sole account holder. We will need, among other things, a copy of your ec card, as well as a redacted bank account statement.
We are willing to provide information; however, we must not disclose any transaction data to unauthorised parties. We ask for your understanding for these security measures, which protect your data.
All ec card payments are typically processed using a “hybrid” procedure:
First, an attempt is made to execute an ec direct debit (ELV, ec card with signature) via InterCard. This includes an attempt to check whether InterCard will buy the receivables on the ec card in the event of a chargeback. To prevent card abuse and to mitigate the risk of default, InterCard checks the black list and performs a number of card limit checks. These are agreed in detail with the competent Bavarian data protection authority, which supervises InterCard; an overview is provided in the ec notice available from the merchant.
If InterCard refuses to take over the risk from the merchant, this typically triggers the electronic cash (girocard) procedure (ec card with PIN) guaranteed by a bank. The procedure is also processed by InterCard. Alternatively, the merchant may suggest a different form of payment, for instance cash.
With successful ec payments, InterCard gets no information about the ec cardholder’s name and address.
Personal payment data maintained by InterCard are not used for marketing or sales purposes.
In the case of a chargeback with the ec direct debit procedure, InterCard as a rule purchases the receivables in respect of the chargeback from the merchant and collects the receivables in its own name. The faster the outstanding receivables are paid to InterCard, the lower the cost to the cardholder. For more information, see the section Chargeback/Tips.
We are happy to address your questions about data protection. Please understand that we can only reply to questions and comments about the process that are sent by post.
Data Protection Officer
F: +49 89 61445 - 888