Fraud Mitigation Privacy Notice

 

Last Updated Date: June 22, 2023

 

Fiserv, Inc., on behalf of itself and its affiliates, including First Data Corporation (together, “Fiserv” or “we”) provide the Fraud Mitigation services (formerly branded as the Fraud Detect service) (the “Service”) to subscribing merchants to help identify and reduce fraud in certain card transactions and, as applicable, in card or account registrations performed through the merchant’s mobile application and/or website. The Service includes various sub-services, products, and functionality, such as “Score” and “Control” (as those services may be rebranded from time to time). Merchants are not required to use all aspects of the Service. This “Privacy Notice” explains how we collect, use, disclose, and otherwise process personal information about cardholders and merchants in connection with the Service. This Privacy Notice does not apply to Fiserv’s privacy practices outside of the context of the Service, such as its payment card acceptance services.

 

Fiserv’s processing of personal information in connection with the Service is governed by this Privacy Notice and our agreement with the merchant for this Service (Service Agreement). In the event of any conflict between this Privacy Notice and a Service Agreement, the Service Agreement will control to the extent permitted by applicable law.

 

We provide important information here for individuals located within Member States of the European Union, countries in the European Economic Area, the United Kingdom, and Switzerland (collectively, “Europe” or “European”). We also describe European data protection rights, including a right to object to some of the processing which Fiserv carries out. More information about your rights, and how to exercise them, is set out in the “Your rights and choices” section.

 

This Privacy Notice is not a substitute for any privacy notice that merchants are required to provide to their customers or end-users.

Table of Contents

  1. Information we collect
  2. How we use the information we collect
  3. How we share information
  4. Cross border data transfers
  5. Information of relevance for European data subjects 
  6. Updates
  7. Contact us

Information We Collect

 
Information about merchants
 

We collect information about the merchant that subscribes to use the Service upon registration and when consumer transactions are processed. This information may include:

  • Name of the merchant 
  • Merchant ID and category code
  • Merchant location where a transaction occurred
  • Information about transactions processed by the merchant, including transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios

Information about end-users, consumers, and transactions that are submitted to the Service
 
Information we collect about individuals

 

We collect information about the following categories of individuals in connection with the Service (e.g., when an individual places an order for physical or digital goods or services or registers for an account with a merchant). In many instances, these will be the same person:

  • Individuals who use a computer or mobile device (end-users)
  • Individuals who register for an account or make a purchase with a merchant (consumers)
  • The individual whose payment card is used to make a purchase (cardholder)
  • The individual whose details are listed as a billing contact in connection with a purchase
  • The individual whose details are listed as the shipping contact or recipient in connection with a purchase

Merchants may provide us with a variety of information about individuals, such as:

  • Name
  • Billing, delivery, or other address
  • Email address
  • User ID or other unique identifier
  • Telephone number
  • Hashed payment card number or other payment information
  • Information about an individual’s participation in the merchant’s loyalty or rewards program, such as a loyalty account number, status in the program, and points balance

 

Information about transactions
 

We may obtain a variety of information about transactions performed via the merchant’s website or mobile application. This information is associated with an individual. This type of information includes:

  • Order number or similar identifier
  • Details regarding the payment transaction, such as amount, date, and time
  • Details regarding the products and/or services purchased in the transaction, such as the precise item(s) purchased and the category of goods the merchant assigns to the item (e.g., books, clothing, prepared food)
  • Details regarding chargebacks for the reason of fraud

 

Any other information the merchant chooses to submit to us
 

Merchants can choose to submit additional information to us in connection with payment transactions, account registrations, and our performance of the Service. Such information may include, without limitation:

  • An individual’s transaction history with the merchant
  • Gender
  • Birthdate or year of birth
     
Information about end-users’ computers or mobile devices
 

We may collect information automatically about end-users’ computers or mobile devices in connection with account registrations or transactions. This information varies depending on whether the relevant transaction or interaction was performed via a web browser or mobile application. We may use service providers to facilitate our collection of computer or device data, including through the use of third-party cookies when the Service is implemented on a website. If we are unable to collect information about an end-user’s computer or mobile device in connection with a transaction or registration, we may be unable to provide the Service for that transaction or registration; and, as a result, a merchant may choose whether to reject or accept that transaction or registration.

 

Information collected via web browsers
 
  • Information about the device and its configuration, such as device type, the browser and operating system version, screen resolution, fonts installed, and time zone
  • Browser settings, such as language settings, browser plugins installed, whether cookies are accepted, and whether the browser sends a “Do Not Track” signal
  • IP address and approximate geolocation derived from the IP address
  • Information about mouse movements, clicks, and keypresses on the pages where the Service is installed

 

Information collected via mobile applications
 

The specific information we collect via mobile applications may vary depending on whether an Android or Apple device is used and the version of the operating system installed on the end-user’s device. In addition, our ability to collect certain information may depend on whether the end-user has granted the merchant’s app certain permissions. Typically, the information we may collect includes:

 

  • Information about the mobile device and its configuration, such as device type, manufacturer, model, operating system and version, language settings, screen resolution, time zone, and whether the device was rooted
  • IP address
  • Applications installed on the mobile device and whether malware was detected
  • Phone numbers and accounts registered on the device
  • Unique identifiers associated with the device (such as Google Advertising ID or Apple ID for Advertising, MAC address, and IMEI)
  • Information about the network(s) to which the device is connected and nearby
  • Battery level
  • Precise (GPS) and network-based geolocation data
  • Accelerometer data

 

How We Use The Information We Collect

 

We use the information we collect about individuals, transactions, and devices for the purposes described in this Privacy Notice and otherwise in our Service Agreement.

 

To provide and improve the Service and our offerings


We use the information we collect to provide and improve the Service, which includes:

 

  • Scoring transactions and registrations for indicators of fraud and providing recommendations whether to permit, deny or review a transaction or registration
      • One way we do this is to look for data points which are not consistent, such as location of purchase and location of device being different
  • Investigating suspected fraud
  • Maintaining records of unique identifiers (such as email addresses, device IDs, and payment card numbers) associated with fraudulent transactions or account registrations
  • Analyzing, refining, and developing new fraud detection models for the Service based in part on transaction data, end-user information, and device data obtained from all merchant users of the Service
  • Maintaining a historical record of transactions and chargebacks at merchants that use the Service for purposes of identifying indicators of fraud
  • Providing support and maintenance for the Service
  • Uses as requested by the merchant or as otherwise provided in our Service Agreement with the merchant and for purposes which are compatible with those listed above

 

To market our products and services to merchants

 

We may send merchants who have subscribed to the Service marketing communications as permitted by law. Our marketing communications may be targeted based on aggregated information about a merchant’s use of the Service – such as transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios. Merchants will have the ability to opt out of such communications. We do not use the data that we collect in connection with the Service to send marketing emails to the end-users or consumers of merchants that use the Service.


For product development, analytics, and other legitimate business purposes


We use the information we collect for our own legitimate business purposes, which include:

  • Developing or improving our products and services (which may include other fraud and risk mitigation tools, services, and models)
  • Developing and creating analytics and related reporting, such as regarding industry and fraud trends

With the consent of the data subject

 

In some circumstances, we may need consent of the data subject in the performance of our Service. Merchants are responsible for ensuring data subject consent is obtained for the performance of our Service.

 

To create anonymous or deidentified data

 

We may create anonymous or deidentified data from the personal information we collect. We make personal information into anonymous or deidentified data by excluding information that makes the data personally identifiable, and use that anonymous or deidentified data for our lawful business purposes.

 

For compliance, fraud prevention, and safety

 

In addition, we may also use personal information as we believe necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

 

How We Share Information

 

We may share the information we collect:

  • With merchants, regarding information that pertains to the merchant’s customers and end-users
  • With third party service providers that help us manage and improve the Service
  • With Fiserv subsidiaries and corporate affiliates
  • With our professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us

We may also share personal information with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

 

We may sell, transfer or otherwise share some or all of Fiserv’s business or assets, including personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy.

 

Cross Border Data Transfer

 

In connection with the Service, Fiserv may transfer personal information to countries outside of the country where the data was initially collected, including to the United States. Please see the Service Agreement for additional information regarding how Fiserv safeguards the personal information it transfers across borders. Additional information is provided in the section titled “Information of Relevance to European Data Subjects.”

 

 

Controller and Data Protection Officer

 

Fiserv is made up of different legal entities. The controller is the member of the Fiserv group that signs the Service Agreement, or which is otherwise identified as the controller in the Service Agreement. If you would like more information about which Fiserv entity is the controller in respect of your information, you can contact us for this.

 

The contact information for Fiserv’s Data Protection Officer is:

Data Protection Officer, Fiserv

Email address: dpo@fiserv.com

Postal address: Janus House

Endeavour Drive

Basildon

Essex

SS14 3WF

United Kingdom

 

Information of Relevance to European or British Data Subjects
 

Legal Bases for Processing

 

Our legal bases for the processing of personal information are as follows:

 

Details regarding each processing purpose listed below are provided in the section above titled “How we use your personal data”.

Processing purpose: Providing our products and services

Legal basis: If you are a subscribing merchant, processing is necessary to perform the contract governing our provision of the products or services or to take steps that you request prior to signing up for the Services.

Otherwise, the processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Processing purpose:

  • Marketing
  • Research, development and analytics
  • Creating anonymous data
  • Compliance, fraud prevention, and safety

Legal basis: These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Processing purpose: Compliance, fraud prevention, and safety (where we have a legal obligation)

Legal basis: Processing is necessary to comply with our legal obligations.

Processing purpose: Direct marketing (where consent is required)

Legal basis: Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated at the time we collect your information or by contacting us at dpo@fiserv.com.

 

 

 

Cross Border Data Transfer

 

When we transfer personal data outside of Europe or the UK to countries not deemed to provide an adequate level of protection for personal data, we make the transfer as follows:

  • When transferring personal data within the Fiserv group, the transfer is made based on our Binding Corporate Rules, a copy of which can be found here.
  • When transferring personal data to third parties, the transfer will be made pursuant to:
      • A contract approved by the European Commission (sometimes called “Model Clauses” or “Standard Contractual Clauses”);
      • The recipient’s Binding Corporate Rules;
      • The consent of the individual to whom the personal data relates; or
      • Other mechanisms or legal grounds as may be permitted under applicable European law.

 

Data subjects may contact us with questions about our transfer mechanism.

 

Automated Decision-Making

 

The Service may involve automated decision-making subject to Article 22 of the GDPR or other privacy and consumer protection laws. Decisions are made by matching the data provided to us by merchants, such as consumers’ buying habits (for instance the number of transactions with a particular card in a 24-hour period), with patterns indicative of fraud. This data is used to inform the automated decision-making tool and the rules that a merchant can set to ascertain if a purchase is fraudulent or not. The automated decision-making is validated based on multiple data elements which are assessed against an analysis of historical transaction data. Depending on the Service selected by the merchant, where the Service identifies a suspected fraudulent account registration or purchase that is consistent with the merchant’s pre-established thresholds for blocking registrations or transactions, Fiserv will block the registration or transaction in an automated manner. Where a registration or transaction is blocked, certain unique identifiers associated with the registration or purchase will subsequently be blocked with that merchant.

 

To the extent that decisions are made based solely on automated processing that produce legal or similarly significant effects, such decisions will be made where (a) they are necessary for entering into, or performing, a contract between the data subject and a data controller; (b) as authorized by applicable law; or (c) based on the data subject’s explicit consent. The merchant's privacy notice will set out more information about your rights relating to automated individual decisions – in particular, your right to obtain human intervention, to express your point of view and to contest the decision.

 

Data Retention

 

Fiserv retains personal information for as long as necessary to (a) provide the Service; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of the Service Agreement. Merchants may contact us for additional information about our data retention practices in connection with the Service.

 

Data Subject Rights

 

Merchants are data controllers of the personal information that they provide to Fiserv or enable Fiserv to collect via the Service about their consumers or end-users. Fiserv is a data controller for personal information that it processes in order to offer its services to merchants in general and to develop and improve these services. Because merchants have a direct relationship with consumers or end-users, we ask merchants which use our services to provide all necessary privacy notices to data subjects, including information about Fiserv's processing of personal data for the Service. Merchants will also be responsible for dealing with data subject requests to exercise any rights afforded to them under applicable data protection law which relate to the transaction with the merchant. If the data subject request relates to personal data which Fiserv processes to provide services to merchants in general, then Fiserv will be responsible for dealing with the request. Fiserv and the merchants who receive services from us will assist each other in responding to such requests.

 

Under certain circumstances and where provided for by law, data subjects have certain rights relating to their personal data, which include the rights to request from the controller (a) access to the data subject’s personal data; (b) correction of incomplete or inaccurate personal data; (c) erasure of personal data; (d) restriction of processing concerning the data subject; and (e) that the controller provide a copy of the data subject’s personal data that the data subject provided to the controller in a structured, commonly used and machine-readable format. Data subjects may also object to a controller’s processing of personal data under certain circumstances. Where processing is based on a data subject’s consent, the data subject has the right to withdraw consent at any time; however, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. More information about how to submit a request can be found on Fiserv’s Privacy Notice. You can submit requests to exercise these rights by contacting the Fiserv Privacy Office using the following link here. We may need to request specific information from you to help us confirm your identity and ensure you are entitled to exercise a right in respect of your personal data, for example, a merchant identification number or account number. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

 

Data subjects in the EU or UK may also file a complaint with a supervisory authority that is located where you live, work or where you believe the breach has occurred.

 

Updates

 

We reserve the right to modify this Privacy Notice at any time. We will notify our merchants of updates by updating the date of this Privacy Notice and posting the updated Privacy Notice to our website and through such other manner as may be stated in our Service Agreement.

 

Contact Us

 

Merchants with questions about this Privacy Notice may contact the Fraud Mitigation support team at FraudMitigationSupport@fiserv.com. Both merchants and data subjects may contact our Data Protection Officer at dpo@fiserv.com.

© 2023 Fiserv, Inc. Fiserv is a registered trademark of Fiserv, Inc. All trademarks referenced here are the property of the respective owners. Merchant services provided by First Data Merchant Services LLC, a registered Independent Sales Organization of Wells Fargo Bank, N.A., Concord, CA; Deutsche Bank AG, New York, NY; PNC Bank N.A., Pittsburgh, PA; MVB Bank, Fairmont, WV; and Pathward, N.A., Sioux Falls, SD.
