What to consider when my business is accepting online payments?

When accepting payments at either your physical retail store or online, it is important for businesses to be aware of the regulations they need to follow, to ensure compliance with the law. With the rise of contactless payments and the increasing risk of cyberattacks, here is what you need to know when accepting payments. 

For accepting online payments, most online businesses use Retail Payment Systems and Stored Value Facilities. 

Retail Payment System vs Stored Value Facilities 

A retail payment system (RPS) handles transfers and/or settlements for retail purchases, such as those made with credit cards like UnionPay, American Express and Mastercard. A stored value facility (SVF), by contrast, holds a prepaid amount of value that is used to purchase goods or services. 

There are 3 types of Stored Value Facilities that are subject to regulatory requirements: 

  1. Single-purpose, where the facility can be used to make purchases from one merchant only, such as gift cards; or multi-purpose, where it can be used with many merchants, such as an Octopus card. 
  2. Device-based, where the value is stored on a physical device, as opposed to non-device-based, where no physical device holds the value. Examples of device-based SVFs include electronic chips on cards and watches. 
  3. Network-based, where value is stored using a communication system or network facility. This includes internet payment systems, mobile payment systems and prepaid cards. 

Regulatory Requirements 

  • If your business accepts multi-purpose, device-based or non-device-based stored value facilities, then you should ensure that the operator holds a licence from the Hong Kong Monetary Authority (HKMA). The licensing requirement does not apply to operators of single-purpose SVFs. 
  • In relation to RPS operators, the HKMA has the power to designate an RPS, bringing it under HKMA oversight, if the RPS is operated in Hong Kong or processes Hong Kong dollars or any other currency prescribed by the HKMA. 

Protection of Data 

The Personal Data (Privacy) Ordinance (PDPO) applies when accepting payment. SVFs and RPSs should only collect data that is necessary to conduct their services. It is best if you rely on the SVF and RPS operators to collect payment information rather than collecting it yourself. If your business collects additional personal data, there is a greater risk of breaching the PDPO, and your business is in a worse position when it comes to cyberattacks, because there is more data to lose. 

The operators should state clearly what personal data they collect, how it will be used and to whom it will be transferred. This should be presented in a clear and understandable manner. 

If the business intends to use the collected personal data for any purpose other than receiving payment, such as for identification purposes, this should be explicitly stated and consent is required from the paying consumer. 

SVF operators need to conduct formal risk assessments regularly to maintain a high level of security and safeguard personal data. The thoroughness of the assessment depends on how sensitive the data is: the more sensitive the data, the stronger the security measures that need to be taken. 

Where operators engage third-party agents to process the collected personal data on their behalf, they need to use a contract or other means to make sure the data transferred to those agents is not kept for longer than necessary. This prevents accidental access or unauthorised processing, which minimises the chance of loss or misuse of the data. 

Card Payments 

Most payment card scheme operators need to comply with the Code of Practice for Payment Card Scheme Operators, which is monitored by the HKMA. Thus, if your business accepts card payments, your systems should comply with the accepted industry standards on data security. 

Electronic Payment Records 

Electronic payments include card payments such as Visa, Mastercard and UnionPay. As the records of these payments are stored electronically, they are subject to the Electronic Transactions Ordinance (ETO). If your operator requires an electronic signature, the ETO allows you to legally keep the records in electronic form.

Key Takeaways 

  • Due diligence is needed to ensure the SVF and RPS operators you use are properly licensed, are following the PDPO guidelines and have sufficient security measures in place. 
  • If your business collects any other personal data, this should be explicitly stated and consent is required from customers. 