We plan to implement ApplePay in our credit card business. Until now we have not processed any full credit card numbers, but only a partially anonymized number (123 123 **** 123). From the moment we implement ApplePay we will have a PCI-compliant process and we will handle full credit card numbers.
Question: should I consider credit card numbers to be noted as a personal data category in the module Data Subject Categories and be covered by the purpose and legality assessment etc?
Hi. It would be reasonable and correct to do so. In some countries financial data are considered particularly sensitive, and with the additional requirements of the PCI DSS, it's easy to understand that elevation of both risk and protection of these data. As you know, what constitutes personal data is a broad list of attributes, and a recent case in Germany established that vehicle chassis numbers (VIN) may also be regarded as personal data, so be cautious and treat all financial data as special category and you can't go too far wrong. The ICO will applaud the additional risk measures you will implement and customers will appreciate the additional protections you give to their data.