Effective Date: 1st October 2025
At Mastercard, we offer a market-leading program that helps to provide you with a secure and seamless payment experience (“Automatic Billing Updater” or “ABU Program”). In particular, our ABU Program provides a secure and simple way for acquirers and merchants to receive updated payment account credentials when a payment card has expired or has been renewed. For example, if you saved your payment card details in a merchant’s application and the card subsequently expires, Mastercard can provide the merchant with your updated payment details, without the need for you to take further action.
We recommend that you read this notice together with Mastercard's Global Privacy Notice.
1. SCOPE OF THIS NOTICE
This privacy notice (“Notice”) describes how Mastercard International Incorporated and its affiliates (collectively “Mastercard”, “us” or “we”) processes Personal Information when it operates the ABU Program globally, including in in the European Economic Area, the United Kingdom and Switzerland through Mastercard Europe SA. “Personal Information” means any information relating to an identified or identifiable individual (“you”).
This Notice does not cover the processing where we act on behalf of and under the instructions of financial institutions (e.g., the bank that issued your Mastercard card), merchants and other partners which act as data controllers, including for processing payment transactions. Please refer to their privacy notices for information about the processing of your Personal Information in such cases.
2. WHAT PERSONAL INFORMATION WE PROCESS FOR THE ABU PROGRAM
We collect the following types of Personal Information relating to you:
- Information about your expired payment card: old account number and old expiration date.
- Information about your new payment card: new account number and new expiration date.
We obtain the above categories of Personal Information from the financial institutions that issued your payment card or merchants or their acquirers through ABU merchant’s inquiries.
3. HOW WE USE YOUR PERSONAL INFORMATION
We may use your Personal Information for the purposes set out below. Depending on the country in which you are located, we will only process your Personal Information in accordance with applicable law and with transparency and fairness when we have a legal basis for processing, as identified in the table below :
|
|
Legal Basis for Processing (where required under applicable law)
|
Provide, support, and enable the ABU Program, including making updated payment card information available to other Mastercard products and services.
|
- You consented to the use of your Personal Information; or
- The processing is necessary for entering into, or performance of a contract to which you are party to; or
- We, or a third party, have a legitimate interest in using your Personal Information to reduce payment failure and increase the security of the payment network by operating the ABU Program.
|
Detect, investigate, and prevent fraud.
For more information on our fraud and security activities, please see our Fraud and Security Notice.
|
- You consented to the use of your Personal Information; or
- The processing is necessary for entering into, or performance of a contract to which you are party to; or
- We, or a third party, have a legitimate interest in using your Personal Information to protect against fraud, securing our ABU Program, our network, and the payment transactions that we process.
|
Evaluate, improve, and develop our products, services and applications (including the ABU Program), such as tokenization, virtual card generation, and/or optimizing payment transaction processing.
|
- You consented to the use of your Personal Information; or
- The processing is necessary for entering into, or performance of a contract to which you are party to; or
- We, or a third party, have a legitimate interest in using your Personal Information to evaluate, improve, and develop our products and services.
|
De-identify or anonymize Personal Information and prepare aggregated reports for internal analysis and benchmarking.
|
- We, or a third party, have a legitimate interest in de-identifying or anonymizing Personal Information and preparing aggregated data reports for internal business purposes.
|
|
|
- The processing is necessary for compliance with a legal or regulatory obligation.
|
Establish, exercise and defend legal rights.
|
- You consented to the use of your Personal Information; or
- The processing is necessary for entering into, or performance of a contract to which you are party to; or
- We, or a third party, have a legitimate interest in using your Personal Information to establish, exercise, and defend legal rights.
|
|
|
- You consented to the use of your Personal Information; or
- The processing is necessary for entering into, or performance of a contract to which you are party to; or
- We, or a third party, have a legitimate interest in using your Personal Information to comply with industry standards and our policies.
|
4. HOW WE SHARE YOUR PERSONAL INFORMATION
We may share your Personal Information:
- With Mastercard’s headquarters in the U.S., our affiliates, and other entities within Mastercard’s group of companies.
- With participants to the ABU Program, such as financial institution(s) (i.e., banks that issued the card(s) enrolled in the ABU Program and acquirers) and participating merchants.
- With service providers who perform services on our behalf and in connection with the purposes described in this Notice. We subject them to strict contractual data protection and security obligations.
- When we believe disclosure is necessary to protect individuals’ vital interests, to protect Mastercard against harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
- As required under applicable law or legal process, or to respond to requests from law enforcement or governmental agencies. When receiving such requests, we will follow the process set out in our Binding Corporate Rules, where applicable.
- In the event of the sale or transfer of our business or assets, in whole or in part. In such event, we will use reasonable efforts to direct the transferee to use the Personal Information you provided to us in a manner consistent with this Notice.
5. DATA TRANSFERS
Mastercard is a global business. We may transfer your Personal Information to the United States and other countries which may not have the same data protection laws as the country in which you initially provided the information, but we will protect your Personal Information in accordance with this Privacy Notice, as disclosed to you at the time of data collection.
In case of such transfer, if you are located in the EEA, we will process your Personal Information in accordance with our Binding Corporate Rules (“BCRs”) and other appropriate data transfer mechanisms such as the European Commission’s Standard Contractual Clauses to ensure an adequate level of protection of your Personal Information.
Mastercard’s privacy practices, described in this Global Privacy Notice, comply with the APEC Cross Border Privacy Rules (“CBPR”) System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found.
6. YOUR RIGHTS AND CHOICES, HOW TO CONTACT US, AND ADDITIONAL INFORMATION ABOUT OUR PRACTICES
For more information about your rights, how to contact us, or to learn more about how we share, transfer, retain and protect your Personal Information, please read our Global Privacy Notice.
You have certain rights and choices, as detailed in the Global Privacy Notice, regarding the Personal Information we maintain about you. You, or a party authorized to act on your behalf, can exercise these rights on Mastercard’s My Data Centre portal or by submitting a request as described in the Global Privacy Notice.
For enquiries about your Mastercard card and your purchases, please contact your financial institution or merchant. More information about how to contact them can be found on their websites.
