What legal measures are being taken in Russia in accordance with Federal Law No. 152-FZ to combat card data theft?

Federal Law No. 152-FZ "On Personal Data" of July 27, 2006, is the primary regulatory act in Russia governing the protection of personal data, including bank card data. This law aims to ensure the confidentiality and security of information and prevent its unauthorized use, including theft. For educational purposes, we will examine in detail the legal measures applied in Russia under Federal Law No. 152 and related legislation to combat bank card data theft, including protection mechanisms, liability, and practical application.

1. The main provisions of Federal Law No. 152 and their connection with the protection of card data

Federal Law No. 152 regulates the processing of personal data (PD), which is defined as any information relating to an individual that allows for their identification. Bank card data (card number, CVV code, cardholder name, expiration date) is considered personal data, and in some cases, it is considered a special category (for example, if related to financial transactions). The law establishes the following key principles and measures:
  • Principles of data processing (Article 5):
    • The processing of personal data must be lawful and carried out with the consent of the subject, except in cases provided by law (for example, for the performance of a contract).
    • Data should be collected only for specific, pre-defined purposes.
    • The volume and content of data should be limited to the necessary minimum.
  • Consent of the subject (Article 9):
    • Processing card data requires the cardholder's explicit consent, which must be voluntary, specific, and informed. For example, when paying online, the user must be informed about what data is being collected and how it will be used.
    • Unauthorized use of card data (for example, as a result of a leak) is considered a violation of the law.
  • Responsibilities of personal data operators (Articles 18, 19):
    • Operators (banks, payment systems, online stores and other organizations that process card data) are obliged to:
      • Ensure data confidentiality.
      • Take measures to protect against unauthorized access, including theft.
      • Appoint persons responsible for organizing the processing of personal data.
      • Notify Roskomnadzor about the processing of personal data (before the start of processing, unless exempted by law).

2. Measures to protect card data in accordance with Federal Law No. 152

To prevent theft of card data, the law requires operators to implement a range of technical and organizational measures. These measures include:
  • Technical measures (Article 19):
    • Data encryption: Using cryptographic methods to protect data during transmission and storage (e.g. SSL/TLS protocols for online transactions).
    • Access control: Restrict access to data to only authorized employees using passwords, biometrics, or other authentication methods.
    • Monitoring and auditing: Continuous monitoring of data processing systems to detect unauthorized access attempts.
    • Antivirus protection and firewalls: To prevent attacks using malware (e.g. Trojans, phishing programs).
  • Organizational measures:
    • Development of internal policies and regulations for the processing of personal data.
    • Training employees working with data in security rules.
    • Conducting regular checks for compliance with legal requirements.
  • Incident Notification:
    • In the event of a data leak, the operator is obliged to notify Roskomnadzor within 24 hours of detecting the incident and provide a detailed report on the causes and consequences within 72 hours (clause 3.3 of Article 19, amended in 2022).

These measures must comply not only with Federal Law No. 152 but also with international standards such as PCI DSS (Payment Card Industry Data Security Standard), which is mandatory for organizations processing bank card data. PCI DSS requires, for example, data tokenization (replacing actual card data with unique identifiers) and the implementation of two-factor authentication.

3. Liability for theft of card data

The theft of bank card data may entail various types of liability, as provided for by Federal Law No. 152 and other regulations:
  • Administrative liability (Code of Administrative Offences of the Russian Federation, Article 13.11):
    • Violation of the procedure for processing personal data (for example, lack of data protection or processing without consent) entails fines:
      • For officials: from 10,000 to 100,000 rubles.
      • For legal entities: from 30,000 to 500,000 rubles (depending on the severity of the violation).
      • For repeated violations, fines increase, and in some cases, the organization's activities may be suspended.
    • Example: In 2023, Roskomnadzor fined several companies, including online stores, up to 300,000 rubles for data leaks and failure to comply with security requirements.
  • Criminal liability:
    • Article 159.6 of the Criminal Code of the Russian Federation ("Fraud in the field of computer information"): Theft of card data for the purpose of embezzlement may result in imprisonment for up to 7 years.
    • Article 272 of the Criminal Code of the Russian Federation ("Unauthorized access to computer information"): Hacking a system to obtain card data is punishable by imprisonment for up to 7 years.
    • Article 273 of the Criminal Code of the Russian Federation ("Creation, use, and distribution of malicious programs"): Using phishing sites or malware to steal card data may result in imprisonment for up to 7 years.
    • Example: In 2022, a hacker in Russia who stole card data through a phishing website was sentenced to 5 years in prison under Article 159.6 of the Russian Criminal Code.
  • Civil liability:
    • In the event of a data leak, the cardholder has the right to demand compensation for material and moral damages (Article 24 of Federal Law No. 152). Courts may award the operator amounts depending on the extent of the damage.
    • Example: In 2021, a bank client received 100,000 rubles in compensation for moral damages due to a data leak that led to unauthorized charges.

4. The role of related legislation and regulators

In addition to Federal Law No. 152, the protection of bank card data is regulated by other regulations and bodies:
  • Federal Law No. 161-FZ "On the National Payment System":
    • Obligates banks and payment systems to ensure the security of transactions.
    • In the event of data theft and unauthorized debits, the bank is obligated to compensate the client for damages unless it can prove the client's fault (for example, disclosure of the PIN code).
    • Banks should implement technologies such as 3D-Secure to further protect online payments.
  • The role of the Central Bank of the Russian Federation:
    • The Bank of Russia sets security standards for financial institutions (for example, Regulation No. 382-P on information security requirements).
    • Requires banks to implement transaction monitoring systems to identify suspicious transactions.
  • Roskomnadzor:
    • Monitors compliance with Federal Law No. 152 and conducts inspections of personal data operators.
    • Maintains a register of personal data operators and accepts citizen complaints about violations.
    • In 2024, Roskomnadzor tightened controls over data leaks, leading to increased inspections and fines.
  • International standards (PCI DSS):
    • Although PCI DSS is not a Russian law, it is mandatory for all organizations working with international payment systems (Visa, Mastercard). Violation of the standard may result in fines from payment systems and transaction restrictions.

5. Practical application and examples

  • Real cases:
    • In 2020, a major Russian bank experienced a data breach involving thousands of clients, including card numbers. Roskomnadzor conducted an investigation, and the bank was fined 200,000 rubles for failing to comply with security requirements. The bank also paid compensation to affected clients.
    • In 2023, a hacker group used phishing websites to steal Russian citizens' card data. Law enforcement detained the organizers, using Articles 159.6 and 273 of the Russian Criminal Code.
  • Prevention:
    • Banks are actively implementing two-factor authentication (for example, SMS codes or push notifications) and tokenization (replacing card data with temporary tokens, like in Apple Pay or Google Pay).
    • Online stores are required to be PCI DSS certified and use secure payment processing protocols.
  • Citizens' rights:
    • If card data has been stolen, a citizen can:
      • Contact their bank to block the card and dispute the transactions.
      • File a complaint with Roskomnadzor against the operator that allowed the leak.
      • Apply to a court for compensation for damages.

6. Prospects and tightening of measures

In recent years, Russia has seen increased control over the protection of personal data:
  • In 2022–2024, amendments were made to Federal Law No. 152, tightening requirements for operators, including mandatory notification of incidents and increased fines.
  • There is discussion about increasing criminal penalties for data theft, especially in the context of the rise in cybercrime.
  • The Bank of Russia is developing additional standards for data protection within the national payment system, including the mandatory use of domestic cryptographic algorithms.

7. Recommendations for citizens

To protect card data, citizens are advised to:
  • Use two-factor authentication and do not disclose PIN codes or CVV.
  • Check the security of websites before entering card details (availability of HTTPS, certificates).
  • Monitor transactions through banking apps regularly.
  • If your data is stolen, immediately block your card and contact your bank, as well as file a complaint with Roskomnadzor.

If you need specific case law examples, data breach statistics, or clarification on specific aspects (such as technical security measures), please let me know and I can research relevant information or provide more detailed data.