Skip to Content

Effective Date: 26 April 2022

Mastercard takes individuals’ privacy and data protection rights very seriously. Mastercard is a global payments network committed to making payments safe, simple, and secure. To ensure the integrity of our payments network across all network participants, including customer banks, merchants, and cardholders, Mastercard has put in place robust safeguards to protect cardholders against fraud.

In particular, merchant-based fraud significantly harms individuals, financial institutions, the financial ecosystem, and society as a whole. It is one of the most common causes of financial loss and can take many forms. For example, a fraudster can pose as a legitimate merchant or take over its account to process payment transactions and steal funds.

To limit and prevent such fraud, Mastercard operates the Mastercard Alert To Control High-Risk (Merchants) system (“MATCH”). Banks that acquire card payments for merchants and third party processors acting on such acquirers’ behalf (collectively “Financial Institutions”) can upload information about merchants that were terminated for fraud into the MATCH database. When a Financial Institution considers onboarding a new merchant, it can consult the information in MATCH to help it assess the risk related to onboarding that merchant.

SCOPE OF THIS PRIVACY NOTICE

This privacy notice (“Notice”) describes how Mastercard International Incorporated and its affiliates (collectively “Mastercard”, “us”, “we”) process Personal Information in the context of MATCH. “Personal Information” means any information relating to an identified or identifiable individual (“you”).

This Notice does not cover the processing of information relating to a legal entity. It further describes the rights and choices available to you concerning your Personal Information and how you can contact us if you have any questions or concerns.

ROLE OF MASTERCARD AND FINANCIAL INSTITUTIONS

Mastercard is responsible for storing the merchant information, including any Personal Information, added by Financial Institutions into MATCH and for making it available to other Financial Institutions. In exceptional circumstances, Mastercard may also add Personal Information to MATCH.

Financial Institutions are responsible for adding merchant information, including any Personal Information, to MATCH as well as any processing resulting from their consultation of Personal Information in MATCH. This Notice does not cover the processing by Financial Institutions. To understand how your Financial institution processes your Personal Information in the context of MATCH, please read their privacy notice.

THE TYPES OF PERSONAL INFORMATION WE PROCESS

We may process the following types of Personal Information in MATCH:

  • Principal owner first and last name and middle initial, business and personal address, business and personal phone number(s);
  • To the extent that it relates to a sole trader: VAT/tax identification number, unique reference number assigned by the Financial Institution, merchant category code, date of signature and termination of the merchant contract, confirmation of whether the merchant uses a CAT terminal, website URL, and a code indicating the reason for which the merchant was added to MATCH;
  • Login information of individuals working for Financial Institutions, their professional contact details, function and search logs.

HOW WE USE YOUR PERSONAL INFORMATION

We process your Personal Information to operate MATCH. MATCH helps Financial Institutions in their onboarding due diligence of merchants. When a Financial Institution wants to onboard a new merchant, it can query MATCH using various text fields (such as name, address, and phone number). In case of a match, the Financial Institution is presented with the information related to its query. It can use this information as an element in its assessment of the risks associated with onboarding that merchant. For example, it can determine whether additional due diligence is required for that merchant, whether the merchant should implement additional technical and organizational measures, or to not contract with the merchant.

We may use your Personal Information you for the purposes set out below. Depending on the country in which you are located (e.g., the EEA, the UK or Switzerland), we will only process your Personal Information, when we have a legal basis for the processing as identified in the table below. However, please note that even though the chart below does not list consent as a legal basis for each processing activity, where required under applicable law, we will only process your Personal Information with your consent.

Processing Purpose

Legal Basis for Processing (where required under applicable law)

Operate and improve MATCH
  • We, or the Financial Institutions, have a legitimate interest in using your Personal Information to prevent and protect against merchant-based fraud, and to secure our network and the payment transactions we process. This legitimate interest is strengthened by the various legal frameworks that require Mastercard and Financial Institutions to protect cardholders against fraud, including merchant-based fraud; or
  • The processing is necessary for entering into, or performance of, a contract to which you are a party.

 

Prepare aggregated reports for internal reporting, accounting, billing and reconciliation
  • We, or a third party, have a legitimate interest in using your Personal Information to prepare aggregated reports for internal reporting, accounting, billing, and reconciliation activities; or
  • The processing is undertaken for statistical or research purposes (in jurisdictions where this legal ground is available).

 

Protect the security and integrity of MATCH
  • We have a legitimate interest in using your Personal Information to log access to our systems and network to protect their security and integrity.

 

 

HOW WE SHARE YOUR PERSONAL INFORMATION

We share your Personal Information:

  • With Mastercard’s headquarters in the U.S., our affiliates, and other entities within Mastercard’s group of companies.
  • With Financial Institutions that consult MATCH to assess the level of risk related to onboarding a specific merchant.
  • With service providers that help us to maintain and improve MATCH. We subject them to strict contractual data protection and security obligations, including requiring them to ensure that your Personal Information is only used for the purposes described in this notice.
  • When we believe disclosure is necessary to protect individuals’ vital interests, to prevent Mastercard against harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
  • As required under applicable law or legal process, or to respond to requests from law enforcement or governmental agencies. When receiving such requests, we will follow the process set out in our Binding Corporate Rules (see “Data Transfers” below), where applicable.

We do not sell Personal Information we collect about you, as defined by the California Consumer Privacy Act.

YOUR RIGHTS AND CHOICES

Subject to applicable law, you have certain rights and choices regarding the Personal Information processed in the context of MATCH. In particular, you have the right to:

  • Access your Personal Information, rectify it, restrict, or object to its processing, or request its deletion.
  • Where applicable, lodge a complaint with your supervisory authority.

You can exercise your rights by emailing privacyanddataprotection@mastercard.com. We will redirect the request to the relevant Financial Institution, where appropriate.

If you are located in California, to exercise your rights under the CCPA, you may also call our toll-free number: 1-833-244-4084. For information on the number of privacy requests Mastercard processed pursuant to the California Consumer Privacy Act and other privacy laws globally, please review the “MyData Report” section of the “My Data Center” portal.

DATA TRANSFERS

Mastercard is a global business. We may transfer or disclose Personal Information to recipients in countries other than your country, including to the United States, where our global headquarters are located. These countries may not have the same data protection laws as the country where you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this notice.

We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA and UK supervisory authorities as providing an adequate level of protection to the Personal Information we process globally. Our EEA and UK BCRs cover MATCH. A copy of our BCRs is available here. We may also transfer Personal Information to Financial Institutions located in countries for which adequacy decisions have been issued, and use contractual protections to transfer Personal Information to third parties, such as the European Commission’s or UK’s Standard Contractual Clauses.

You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside the EEA and the UK.

HOW WE PROTECT YOUR PERSONAL INFORMATION

We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession.

We take measures to delete, destroy or de-identify your Personal Information when it is no longer necessary for the purposes for which we process it or when you request its deletion, unless we are required by law to keep it longer. For example, MATCH listings are automatically deleted after five years.

HOW TO CONTACT US

You can exercise your rights by emailing privacyanddataprotection@mastercard.com. We will redirect the request to the relevant Financial Institution, where appropriate.

If you are located in the EEA, the UK, or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information (or data controller). You can write to us at:

Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium

If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may write to us at:

Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000

If you are located in Asia Pacific (excluding mainland China), Middle East or Africa, Mastercard Asia Pacific Pte. Ltd. is the entity responsible for the processing of your Personal Information. You may write to us at:

Asia Pacific, Middle East and Africa Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower, Level 17
Singapore 189352

If you are located in mainland China, Mastercard Shanghai Business Consulting Ltd. is the entity responsible for the processing of your Personal Information. You may write to us at:

China Data Protection Officer
Room 2907-14, Part of 29/F Tower 2
Shanghai IFC, 8 Century Avenue
China (Shanghai) Pilot Free Trade Zone

Mastercard will investigate your query or complaint as required by applicable law and will respond to you in writing within one month of receiving the written complaint unless a different time frame is provided by applicable law. If we fail to respond to your complaint or are dissatisfied with the response you receive from us, you may have the right to make a complaint to the applicable competent supervisory authority.

ADDITIONAL INFORMATION ABOUT OUR PRACTICES

This Notice may be updated periodically to reflect changes in our practices. We will notify you of any significant changes to this Notice by posting the new version on the MATCH Product page and indicating when it was most recently updated at the top of the Notice. If we update this Notice, we may seek your consent in certain circumstances. This Notice complements our Global Privacy Notice, which provides more information about how we share, transfer or protect your Personal Information in other contexts.