Skip to Content

Effective Date: 4 February 2025

Mastercard takes individuals’ privacy and data protection rights very seriously. Mastercard is a global payments network committed to making payments safe, simple, and secure. To ensure the integrity of our payments network across all network participants, including customer banks, merchants, and cardholders, Mastercard has put in place robust safeguards to protect cardholders against fraud.

In particular, merchant-based fraud significantly harms individuals, financial institutions, the financial ecosystem, and society as a whole. It is one of the most common causes of financial loss and can take many forms. For example, a fraudster can pose as a legitimate merchant or take over its account to process payment transactions and steal funds.

To limit and prevent such fraud, Mastercard operates the Mastercard Alert To Control High-Risk (Merchants) system (“MATCH”). Financial Institutions that acquire card payments for merchants and third party processors acting on such acquirers’ behalf (collectively “Financial Institutions”) can upload information about merchants that were terminated for fraud into the MATCH database. When a Financial Institution considers onboarding a new merchant, it can consult the information in MATCH to help it assess the risk related to onboarding that merchant.

SCOPE OF THIS PRIVACY NOTICE

This privacy notice (“Notice”) describes how Mastercard International Incorporated and its affiliates (collectively “Mastercard”, “us”, “we”) process Personal Information in the context of MATCH. “Personal Information” means any information relating to an identified or identifiable individual.

MATCH services are intended for and provided to Financial Institutions and not individual consumers or end-users. Additionally, when Financial Institutions process Personal Information relating to California-based merchants within MATCH, Mastercard does so as a service provider to Financial Institutions. If you are a California-based merchant, you should review the privacy statement for the Financial Institution with whom you are engaged and direct any privacy inquiries, including requests to exercise your privacy rights, to that Financial Institution.

ROLE OF MASTERCARD AND FINANCIAL INSTITUTIONS

Mastercard is responsible for storing the merchant information, including any Personal Information added by Financial Institutions into MATCH and for making it available to other Financial Institutions.

Financial Institutions are responsible for adding and maintaining merchant information, including any Personal Information, to MATCH, ensuring the accuracy of merchant Personal Information, and for any processing resulting from their consultation of Personal Information in MATCH. This Notice does not cover the processing by Financial Institutions. To understand how your Financial institution processes your Personal Information in the context of MATCH, please read their privacy notice.

THE TYPES OF PERSONAL INFORMATION WE PROCESS

We may process the following types of Personal Information in MATCH:

  • Principal owner first and last name and middle initial, business and personal address, business and personal phone number(s), email, and date and place of birth, when permitted under the applicable law;
  • To the extent that principal owner data relates to a sole trader: VAT/tax identification number when permitted under the applicable law, unique reference number assigned by the Financial Institution, merchant category code, date of signature and termination of the merchant contract, confirmation of whether the merchant uses a CAT terminal, website URL, and a code indicating the reason for which the merchant was added to MATCH.
  • Principal owner government identification information, such as driver’s license information, or social security number, when permitted under the applicable law,
  • Unique reference number assigned by the Financial Institution, merchant category code, date of signature and termination of the merchant contract, confirmation of whether the merchant uses a CAT terminal, website URL, and a code indicating the reason for which the merchant was added to MATCH;
  • Login information of individuals working for Financial Institutions, their professional contact details, function and search logs.

HOW WE USE YOUR PERSONAL INFORMATION

We process your Personal Information for the purposes described below, including to operate, maintain, improve, and secure MATCH. MATCH helps Financial Institutions in their onboarding due diligence of merchants. When a Financial Institution wants to onboard a new merchant, it can query MATCH using various text fields (such as name, address, and phone number). In case of a match, the Financial Institution is presented with the information related to its query. It can use this information as an element in its assessment of the risks associated with onboarding that merchant. For example, it can determine whether additional due diligence is required for that merchant, whether the merchant should implement additional technical and organizational measures, or to not contract with the merchant.

In providing MATCH to Financial Institutions, we may use your Personal Information for the purposes set out below. Depending on data protection requirements for the country in which you are located (e.g., the EEA, the UK or Switzerland), we will only process your Personal Information, when we have a legal basis for the processing as identified in the table below. However, please note that even though the chart below does not list consent as a legal basis for each processing activity, where required under applicable law, we will only process your Personal Information with your consent.

Processing Purpose

Legal Basis for Processing (where required under applicable law)

Operate and improve MATCH
  • We, or the Financial Institutions, have a legitimate interest in using your Personal Information to prevent and protect against merchant-based fraud, and to secure our network and the payment transactions we process. This legitimate interest is strengthened by the various legal frameworks that require Mastercard and Financial Institutions to protect cardholders against fraud, including merchant-based fraud; or
  • The processing is necessary for entering into, or performance of, a contract to which you are a party.

 

Prepare aggregated reports for internal reporting, accounting, billing and reconciliation
  • We, or a third party, have a legitimate interest in using your Personal Information to prepare aggregated reports for internal reporting, accounting, billing, and reconciliation activities; or
  • The processing is undertaken for statistical or research purposes (in jurisdictions where this legal ground is available).

 

Protect the security and integrity of MATCH
  • We have a legitimate interest in using your Personal Information to log access to and use of our systems and network to protect their security and integrity.

 

 

HOW WE DISCLOSE YOUR PERSONAL INFORMATION

We disclose your Personal Information:

  • With Mastercard’s headquarters in the U.S., our affiliates, and other entities within Mastercard’s group of companies.
  • With Financial Institutions that consult MATCH to assess the level of risk related to onboarding a specific merchant.
  • With service providers that help us to maintain, improve, and protect MATCH. We subject them to strict contractual data protection and security obligations, including requiring them to ensure that your Personal Information is only used for the purposes described in this notice.
  • When we believe disclosure is necessary to protect individuals’ vital interests, to prevent Mastercard against harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
  • As required under applicable law or legal process, or to respond to requests from law enforcement or governmental agencies. When receiving such requests, we will follow the process set out in our Binding Corporate Rules (see “Data Transfers” below), where applicable.

YOUR RIGHTS AND CHOICES

Subject to applicable law, you have certain rights and choices regarding the Personal Information processed in the context of MATCH. In particular, you have the right to:

  • Access your Personal Information, rectify it, restrict, or object to its processing, or request its deletion.
  • Where applicable, lodge a complaint with your supervisory authority.

If you are located in California, to exercise your rights under the CCPA, you must contact the relevant Financial Institution responsible for maintaining the merchant record in MATCH.

If you’re not located in California, but also depending on the country in which you are located, you can exercise your rights by emailing privacyanddataprotection@mastercard.com. We will redirect the request to the relevant Financial Institution, where appropriate.

DATA TRANSFERS

Mastercard is a global business. We may transfer or disclose Personal Information to recipients in countries other than your country, including to the United States, where our global headquarters are located. These countries may not have the same data protection laws as the country where you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this notice.

We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA and UK supervisory authorities as providing an adequate level of protection to the Personal Information we process globally. Our EEA and UK BCRs cover MATCH. A copy of our BCRs is available here. We may also transfer Personal Information to Financial Institutions located in countries for which adequacy decisions have been issued, and use contractual protections to transfer Personal Information to third parties, such as the European Commission’s or UK’s Standard Contractual Clauses.

Depending on your country, you may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of your jurisdiction.

Mastercard’s privacy practices, described in this MATCH Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.

If you are located in mainland China, you understand that we may transfer the Personal Information we collect about you to recipients in countries or regions other than mainland China, including Mastercard International Incorporated in the United States, Mastercard Asia/Pacific Pte. Limited in Singapore and to other affiliates as listed here. When we conduct international transfers of Personal Information, we will always ensure to comply with requirements stipulated under applicable laws.

HOW WE PROTECT YOUR PERSONAL INFORMATION

We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession.

We take measures to delete, destroy or de-identify your Personal Information when it is no longer necessary for the purposes for which we process it or when you request its deletion, unless we are required by law to keep it longer. For example, MATCH listings are automatically deleted after five years.

HOW TO CONTACT US

You can exercise your rights by emailing privacyanddataprotection@mastercard.com. We will redirect the request to the relevant Financial Institution, where appropriate.

If you are located in the EEA, the UK, or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information (or data controller). You can write to us at:

Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium

If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may write to us at:

Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000

If you are located in in the Caribbean and Latin America, you may contact our LAC Data Protection Officer at privacyanddataprotection@mastercard.com.

If you are located in Asia Pacific (excluding mainland China), Middle East or Africa, Mastercard Asia Pacific Pte. Ltd. is the entity responsible for the processing of your Personal Information. You may write to us at:

Asia Pacific, Middle East and Africa Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower, Level 17
Singapore 189352

If you are located in mainland China, Mastercard Shanghai Business Consulting Ltd. is the entity responsible for the processing of your Personal Information. You may write to us at:

China Data Protection Officer
Room 2907-14, Part of 29/F Tower 2
Shanghai IFC, 8 Century Avenue
China (Shanghai) Pilot Free Trade Zone

If you are located in Canada, you may contact our Data Protection Officer at privacyanddataprotection@mastercard.com.

Mastercard will investigate your query or complaint as required by applicable law and will respond to you in writing within one month of receiving the written complaint unless a different time frame is provided by applicable law. If we fail to respond to your complaint or are dissatisfied with the response you receive from us, you may have the right to make a complaint to the applicable competent supervisory authority.

ADDITIONAL INFORMATION ABOUT OUR PRACTICES

This Notice may be updated periodically to reflect changes in our practices. We will notify you of any significant changes to this Notice by posting the new version on the MATCH Product page and indicating when it was most recently updated at the top of the Notice. If we update this Notice, we may seek your consent in certain circumstances. This Notice complements our Global Privacy Notice, which provides more information about how we share, transfer or protect your Personal Information in other contexts.