Fraud Mitigation Privacy Notice
Last Updated Date: September 19, 2024
Fiserv, Inc., on behalf of itself and its affiliates, including First Data Corporation (together, "Fiserv" or “we”) provide the Fraud Mitigation services (formerly branded as the Fraud Detect service) (the Service) to subscribing merchants to help identify and reduce fraud in certain card transactions and, as applicable, in card or account registrations performed through the merchant’s mobile application and/or website. The Service includes various sub-services, products, and functionality, such as “Score” and “Control” (as those services may be rebranded from time-to-time). Merchants are not required to use all aspects of the Service. This “Privacy Notice” explains how we collect, use, disclose, and otherwise process personal information about cardholders and merchants in connection with the Service. This Privacy Notice does not apply to Fiserv’s privacy practices outside of the context of the Service, such as its payment card acceptance services.
Fiserv’s processing of personal information in connection with the Service is governed by this Privacy Notice and our agreement with the merchant for this Service (Service Agreement). In the event of any conflict between this Privacy Notice and a Service Agreement, the Service Agreement will control to the extent permitted by applicable law.
We provide important information here for individuals located within Member States of the European Union, countries in the European Economic Area, the United Kingdom, and Switzerland (collectively, “Europe” or “European”). We also describe European data protection rights, including a right to object to some of the processing which Fiserv carries out. More information about your rights, and how to exercise them, is set out in the “Your rights and choices” section.
This Privacy Notice is not a substitute for any privacy notice that merchants are required to provide to their customers or end-users.
Table of Contents
- Information we collect
- How we use the information we collect
- How we share information
- Cross border data transfers
- Information of relevance for European data subjects
- Updates
- Contact us
Information We Collect
Information about merchants
We collect information about the merchant that subscribes to use the Service upon registration and when consumer transactions are processed. This information may include:
- Name of the merchant
- Merchant ID and category code
- Merchant location where a transaction occurred
- Information about transactions processed by the merchant, including transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios
Information about end-users, consumers, and transactions that are submitted to the Service
Information we collect about individuals
We collect information about the following categories of individuals in connection with the Service (e.g., when an individual places an order for physical or digital goods or services or registers for an account with a merchant). In many instances, these will be the same person:
- Individuals who use a computer or mobile device (end-users)
- Individuals who register for an account or make a purchase with a merchant (consumers)
- The individual whose payment card is used to make a purchase (cardholder)
- The individual whose details are listed as a billing contact in connection with a purchase
- The individual whose details are listed as the shipping contact or recipient in connection with a purchase
Merchants may provide us with a variety of information about individuals, such as:
- Name
- Billing, delivery, or other address
- Email address
- User ID or other unique identifier
- Telephone number
- Hashed payment card number or other payment information
- Information about an individual’s participation in the merchant’s loyalty or rewards program, such as a loyalty account number, status in the program, and points balance
Information about transactions
We may obtain a variety of information about transactions performed via the merchant’s website or mobile application. This information is associated with an individual. This type of information includes:
- Order number or similar identifier
- Details regarding the payment transaction, such as amount, date, and time
- Details regarding the products and/or services purchased in the transaction, such as the precise item(s) purchased and the category of goods the merchant assigns to the item (e.g., books, clothing, prepared food)
- Details regarding chargebacks for the reason of fraud
Any other information the merchant chooses to submit to us
Merchants can choose to submit additional information to us in connection with payment transactions, account registrations, and our performance of the Service. Such information may include, without limitation:
- An individual’s transaction history with the merchant
- Gender
- Birthdate or year of birth
Information about end-users’ computers or mobile devices
We may collect information automatically about end-users’ computers or mobile devices in connection with account registrations or transactions. This information varies depending on whether the relevant transaction or interaction was performed via a web browser or mobile application. We may use service providers to facilitate our collection of computer or device data, including through the use of third-party cookies when the Service is implemented on a website. If we are unable to collect information about an end-user’s computer or mobile device in connection with a transaction or registration, we may be unable to provide the Service for that transaction or registration; and, as a result, a merchant may choose whether to reject or accept that transaction or registration.
Information collected via web browsers
- Information about the device and its configuration, such as device type, the browser and operating system version, screen resolution, fonts installed, and time zone
- Browser settings, such as language settings, browser plugins installed, whether cookies are accepted, and whether the browser sends a “Do Not Track” signal
- IP address and approximate geolocation derived from the IP address
- Information about mouse movements, clicks, and keypresses on the pages where the Service is installed
Information collected via mobile applications
The specific information we collect via mobile applications may vary depending on whether an Android or Apple device is used and the version of the operating system installed on the end-user’s device. In addition, our ability to collect certain information may depend on whether the end-user has granted the merchant’s app certain permissions. Typically, the information we may collect includes:
- Information about the mobile device and its configuration, such as device type, manufacturer, model, operating system and version, language settings, screen resolution, time zone, and whether the device was rooted
- IP address
- Applications installed on the mobile device and whether malware was detected
- Phone numbers and accounts registered on the device
- Unique identifiers associated with the device (such as Google Advertising ID or Apple ID for Advertising, MAC address, and IMEI)
- Information about the network(s) to which the device is connected and nearby
- Battery level
- Precise (GPS) and network-based geolocation data
- Accelerometer data
How We Use The Information We Collect
We use the information we collect about individuals, transactions, and devices for the purposes described in this Privacy Notice and otherwise in our Service Agreement.
To provide and improve the Service and our offerings
We use the information we collect to provide and improve the Service, which includes:
- Scoring transactions and registrations for indicators of fraud and providing recommendations whether to permit, deny or review a transaction or registration
- One way we do this is to look for data points which are not consistent, such as location of purchase and location of device being different
- Investigating suspected fraud
- Maintaining records of unique identifiers (such as email addresses, device IDs, and payment card numbers) associated with fraudulent transactions or account registrations
- Analyzing, refining, and developing new fraud detection models for the Service based in part on transaction data, end-user information, and device data obtained from all merchant users of the Service
- Maintaining a historical record of transactions and chargebacks at merchants that use the Service for purposes of identifying indicators of fraud
- Providing support and maintenance for the Service
- Uses as requested by the merchant or as otherwise provided in our Service Agreement with the merchant and for purposes which are compatible with those listed above
To market our products and services to merchants
We may send merchants who have subscribed to the Service marketing communications as permitted by law. Our marketing communications may be targeted based on aggregated information about a merchant’s use of the Service – such as transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios. Merchants will have the ability to opt out of such communications. We do not use the data that we collect in connection with the Service to send marketing emails to the end-users or consumers of merchants that use the Service.
For product development, analytics, and other legitimate business purposes
We use the information we collect for our own legitimate business purposes, which include:
- Developing or improving our products and services (which may include other fraud and risk mitigation tools, services, and models)
- To develop and create analytics and related reporting, such as regarding industry and fraud trends
With the consent of the data subject
In some circumstances, we may need consent of the data subject in the performance of our Service. Merchants are responsible for ensuring data subject consent is obtained for the performance of our Service.
To create anonymous or deidentified data
We may create anonymous or deidentified data from the personal information we collect. We make personal information into anonymous or deidentified data by excluding information that makes the data personally identifiable, and use that anonymous or deidentified data for our lawful business purposes.
For compliance, fraud prevention, and safety
In addition, we may also use personal information as we believe necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
How We Share Information
We may share the information we collect:
- With merchants, regarding information that pertains to the merchant’s customers and end-users
- With third party service providers that help us manage and improve the Service
- With Fiserv subsidiaries and corporate affiliates
- With our professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us. With our professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us. We may also share personal information with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We may sell, transfer or otherwise share some or all of Fiserv’s business or assets, including personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy.
Cross Border Data Transfer
In connection with the Service, Fiserv may transfer personal information to countries outside of the country where the data was initially collected, including to the United States. Please see the Service Agreement for additional information regarding how Fiserv safeguards the personal information it transfers across borders. Additional information is provided in the section titled “Information of Relevance to European Data Subjects.”
Controller and Data Protection Officer
Fiserv is made up of different legal entities. The controller is the member of the Fiserv group that signs the Service Agreement, or which is otherwise identified as the controller in the Service Agreement. If you would like more information about which Fiserv entity is the controller in respect of your information, you can contact us for this.
The contact information for Fiserv’s Data Protection Officer is:
Data Protection Officer, Fiserv
Email address: dpo@fiserv.com
Postal address: Janus House
Endeavour Drive
Basildon
Essex
SS14 3WF
United Kingdom
Information of Relevance to European or British Data Subjects
Legal Bases for Processing
Our legal bases for the processing of personal information are as follows:
Processing purpose (click link for details) | Legal basis |
Providing our products and services | If you are a subscribing merchant, processing is necessary to perform the contract governing our provision of the products or services or to take steps that you request prior to signing up for the Services. Otherwise, the processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). |
· Marketing · Research, development and analytics · Creating anonymous data · Compliance, fraud prevention, and safety | These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). |
Compliance, fraud prevention, and safety (where we have a legal obligation) | Processing is necessary to comply with our legal obligations |
Direct marketing (where consent is required) | Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated at the time we collect your information or by contacting us at dpo@fiserv.com. |
Cross Border Data Transfer
When we transfer personal data outside of Europe or the UK to countries not deemed to provide an adequate level of protection for personal data, we make the transfer as follows:
- When transferring personal data within the Fiserv group, the transfer is made based on our Binding Corporate Rules, a copy of which can be found here.
- When transferring personal data to third parties, the transfer will be made pursuant to:
- A contract approved by the European Commission (sometimes called “Model Clauses” or “Standard Contractual Clauses”);
- The recipient’s Binding Corporate Rules;
- The consent of the individual to whom the personal data relates; or
- Other mechanisms or legal grounds as may be permitted under applicable European law.
- A contract approved by the European Commission (sometimes called “Model Clauses” or “Standard Contractual Clauses”);
Data subjects may contact us with questions about our transfer mechanism.
Automated Decision-Making
The Service may involve automated decision-making subject to Article 22 of the GDPR or other privacy and consumer protection laws. Decisions are made by matching the data provided to us by merchants such as consumers buying habits (for instance the number of transactions with a particular card in a 24-hour period) with patterns indicative of fraud. This data is used to inform the automated decision making tool and the rules that a merchant can set to ascertain if a purchase is fraudulent or not. The automated decision making is validated based on multiple data elements which are assessed against an analysis of historical transaction data. Depending on the Service selected by the merchant, where the Service identifies a suspected fraudulent account registration or purchase that is consistent with the merchant’s pre-established thresholds for blocking registrations or transactions, Fiserv will block the registration or transaction in an automated manner. Where a registration or transaction is blocked, certain unique identifiers associated with the registration or purchase will subsequently be blocked with that merchant.
To the extent that decisions are made based solely on automated processing that produce legal or similarly significant effects, such decisions will be made where (a) they are necessary for entering into, or performing, a contract between the data subject and a data controller; (b) as authorized by applicable law; or (c) based on the data subject’s explicit consent. The merchant's privacy notice will set out more information about your rights relating to automated individual decisions – in particular, your right to obtain human intervention, to express your point of view and to contest the decision.
Data Retention
Fiserv retains personal information for as long as necessary to (a) provide the Service; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of the Service Agreement. Merchants may contact us for additional information about our data retention practices in connection with the Service.
Data Subject Rights
Merchants are data controllers of the personal information that they provide to Fiserv or enable Fiserv to collect via the Service about their consumers or end-users. Fiserv is a data controller for personal information that it processes in order to offer its services to merchants in general and to develop and improve these services. Because merchants have a direct relationship with consumers or end-users, we ask merchants which use our services to provide all necessary privacy notices to data subjects, including information about Fiserv's processing of personal data for the Service. Merchants will also be responsible for dealing with data subject requests to exercise any rights afforded to them under applicable data protection law which relate to the transaction with the merchant. If the data subject request relates to personal data which Fiserv processes to provide services to merchants in general, then Fiserv will be responsible for dealing with the request. Fiserv and the merchants who receive services from us will assist each other in responding to such requests.
Under certain circumstances and where provided for by law, data subjects have certain rights relating to their personal data, which include the rights to request from the controller (a) access to the data subject’s personal data; (b) correction of incomplete or inaccurate personal data; (c) erasure of personal data; (d) restriction of processing concerning the data subject; and (e) that the controller provide a copy of the data subject’s personal data that the data subject provided to the controller in a structured, commonly used and machine-readable format. Data subjects may also object to a controller’s processing of personal data under certain circumstances. Where processing is based on a data subject’s consent, the data subject has the right to withdraw consent at any time; however, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. More information about how to submit a request can be found on Fiserv’s Privacy Notice. You can submit requests to exercise these rights by contacting the Fiserv Privacy Office using the following link here. We may need to request specific information from you to help us confirm your identity and ensure you are entitled to exercise a right in respect of your personal data, for example, a merchant identification number or account number. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Data subjects in the EU or UK may also file a complaint with a supervisory authority that is located where you live, work or where you believe the breach has occurred.
Information for California Residents
The information provided in this “Information for California Residents” section only applies to California residents. This notice describes how we collect, use and disclose your Personal Information (as defined in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, or “CCPA”), and your rights with respect to that Personal Information.
Your California privacy rights
If you are a California resident, you may have the rights listed in the section above titled Accessing, correcting or deleting your information. However, these rights are not absolute, and we may decline your request as permitted by the CCPA.
You are entitled to exercise these rights free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as by denying you goods or services, increasing the price/rate of goods or services, decreasing the service quality, or suggesting that we may penalize you as described above for exercising your rights.
How to exercise your rights
If you are a California resident, you may exercise your access, correction, and deletion rights as follows:
· Visiting www.fiserv.com/PrivacyRequests
· Calling 1-888-999-1114
-
- Identify verification. The CCPA requires us to verify the identity of the individual submitting the request before providing a substantive response to the request. A request must be provided with sufficient detail to allow us to understand, evaluate and respond. The requester must provide sufficient information to allow us to reasonably verify that the individual is the person about whom we collected information. A request may also be made on behalf of your child under 13.
- Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming that authority.
Sale or Sharing of Personal Information
We do not sell your Personal Information to third parties as defined in the CCPA.
Personal information that we collect, use and disclose
The chart below summarizes our collection, use and disclosure of Personal Information during the last 12 months. We describe the sources through which we collect Personal Information in the section above titled The Personal Data We Collect, and describe the purposes for which we collect, use, and disclose this information and the third parties to whom we disclose information in the sections above titled How We Use Your Personal Data and How We Share Your Personal Data. We will retain your Personal Information as set forth above in the section titled How long will you use my personal data?
Categories of Information We Collect | Do we collect this information? | Do we disclose this information for business purposes? |
Identifiers | Yes | Yes |
Online Identifiers | Yes | Yes |
Protected Classification Characteristics | No | No |
Commercial Information | Yes | Yes |
Biometric Information | No | Yes |
Internet or Network Information | Yes | Yes |
Geolocation Data | Yes - We may collect geolocation data | Yes |
Professional or Employment Information | No | No |
Education Information | No | No |
Inferences | Yes | Yes |
Financial Information | Yes | No |
Medical Information | No | No |
Glossary
Categories of Personal Information | Examples of Elements Within the Category |
Biometric Information | An individual’s physiological, biological or behavioral characteristics, including information pertaining to an individual’s DNA, that is used or is intended to be used, singly or in combination with each other or with other identifying data, to establish an individual’s identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a face print, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. |
Commercial Information | Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. |
Financial Information | Bank account number, debit or credit card numbers, insurance policy number, and other financial information. |
Geolocation Data | Precise location, e.g., derived from GPS coordinates or telemetry data. |
Identifiers | Real name, alias, postal address, unique personal identifier, customer number, email address, account name other similar identifiers. |
Inferences | Inferences drawn from any personal information collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
Government-issued ID | Social security number, driver’s license, passport, or other government-issued ID, including an ID number or image. |
Medical Information | Personal information about an individual’s health or healthcare, including health insurance information. |
Internet or Network Information | Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement. |
Online Identifiers | An online identifier or other persistent identifier that can be used to recognize a person, family or device, over time and across different services, including but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers (i.e., the identification of a person or a device to a degree of certainty of more probable than not) that can be used to identify a particular person or device. |
|
Professional or Employment Information
| Information relating to a person's current, past or prospective employment or professional experience (e.g., job history, performance evaluations), and educational background. |
|
Protected Classification Characteristics
| Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). Racial or ethnic origin, religious or philosophical beliefs, genetic data, and personal information collected and analysed concerning a consumer’s sex life or sexual orientation are considered to be Sensitive Personal Information under the CCPA. |
|
Sensory Information | Audio, electronic, visual, thermal, olfactory, or similar information.
|
|
Sensitive Personal Information
We do not use or disclose Sensitive Personal Information except for purposes for which you do not have a right to limit the use and disclosure of Sensitive Personal Information under the CCPA. For example, we may use Sensitive Personal Information to provide you products or services you have requested.
How long will you use my Personal Information?
We will use your personal data for as long as necessary based on why we collected it and what we use it for. This may include our need to satisfy a legal, regulatory, accounting, or reporting requirement.
In general terms, we will retain your personal data for as long as is necessary for the purposes identified in this Privacy Notice, including to provide our Services, to comply with legal obligations, to enforce and prevent violations of our Terms, to protect against fraudulent activity, and to defend our legal rights, property and users.
Updates
We reserve the right to modify this Privacy Notice at any time. We will notify our merchants of updates by updating the date of this Privacy Notice and posting the updated Privacy Notice to our website and through such other manner as may be stated in our Service Agreement.
Contact Us
Merchants with questions about this Privacy Notice may contact the Fraud Mitigation support team at FraudMitigationSupport@fiserv.com. Both merchants and data subjects may contact our Data Protection Officer at dpo@fiserv.com.