Payment and Financial Information Collection Not Disclosed in Privacy Policy
Description
The application collects payment or financial information, such as credit card details or bank account numbers, but its privacy policy does not disclose this data collection. Payment and financial data is highly sensitive. Omitting it from the privacy policy misleads users about how their data is handled and may violate the transparency requirements of privacy regulations such as GDPR and CCPA, as well as industry standards such as PCI DSS where cardholder data is involved.
Recommendation
Update your application's privacy policy to explicitly state that payment and financial information is collected. Clearly describe the types of financial data gathered, the specific purposes for its collection, how it is securely processed and stored (including security measures like encryption and access controls), any sharing practices (e.g., with payment processors), and data retention periods. Ensure full transparency and compliance with all relevant data protection laws and standards.
Links
- PCI Security Standards Council
- GDPR Article 32 - Security of Processing
- GDPR Article 35 - Data Protection Impact Assessment
- CWE-311: Missing Encryption of Sensitive Data
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
  - ART_5
  - ART_6
  - ART_7
  - ART_12
  - ART_13
  - ART_25
  - ART_32
  - ART_35
- CCPA:
  - CCPA_1798_100
  - CCPA_1798_110
  - CCPA_1798_150
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
- SOC2_CONTROLS:
  - CC_2_3
  - CC_5_3
  - CC_6_1
  - CC_6_7
- CNIL_FOR_EDITORS:
  - EDITORS_3_1_1
  - EDITORS_3_1_2
  - EDITORS_4_1_1