D: Payment by online direct debit by signing a receipt
Category: News
By: F. Fiesel, 2B Advice – the privacy benchmark
Paying by EC card is very convenient and, when a PIN is used, relatively safe, provided you stick to a few well-known basic rules for handling your PIN.
But some German retailers also offer payment by "online direct debit". Here, instead of entering your PIN, you sign a receipt authorising the amount to be debited from your account. The process is inherently less safe than entering a PIN, because a signature is easier to forge than a PIN is to guess.
However, on top of this risk, a well-known retail chain from North Rhine-Westphalia for some time printed additional clauses on the receipts that customers signed for these debits, designed to permit the processing and storage of their data. The receipt was worded in such a way that, by signing it, customers also consented to their data being passed on to a certain number of third parties.
A data protection expert from NRW failed to spot this abuse during an audit, as she assumed that customers received an identical copy of the receipt. In fact, however, the crucial additional clauses were not printed on the customer copy of the receipt.
When this abuse became public, the retail chain reacted immediately by switching to EC card payments by PIN. A detailed review is now being carried out to establish whether payment by online direct debit is to be phased out entirely within the company or not.
This example shows that the permissibility of collecting data should always be verified before the data is collected, because such lapses not only cause legal problems but also severely damage customer trust in the company, resulting in long-term financial loss.
