Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · TC260 FRT PAYMENT GUIDE

Cybersecurity Standards Practice Guide — Personal Information Security Protection Requirements for Facial-Recognition Payment Scenarios.

网络安全标准实践指南 — 人脸识别支付场景个人信息安全保护要求

FILED UNDER · Personal Information

DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying regime; specific clauses should be checked against the published guide.

Scope

This practice guide provides personal-information security protection requirements for facial-recognition payment scenarios — the use of facial recognition to verify identity and authorize a payment. It applies to the parties operating such payment services (and their technology providers), and addresses the handling of facial (biometric) information across collection, verification, transmission, storage and deletion in this specific context.

It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard.

Key contents

At a structural level the guide is expected to cover:

  • Consent and notice — obtaining the user’s separate consent for facial-recognition payment, with clear notice of purpose and scope.
  • Non-facial alternatives — ensuring users retain a convenient alternative payment/verification method and are not compelled to use facial recognition.
  • Minimization and purpose limitation — collecting only the face data necessary for payment verification and not repurposing it.
  • Security of face data — anti-spoofing/liveness detection, encrypted transmission, protected (often tokenized) storage, strict access control, and secure deletion.
  • Risk management and accountability — impact assessment, logging, and allocation of responsibility among the parties.

Editor: verify specific clauses against the published guide.

How it fits the regime

Facial information is sensitive personal information under PIPL Article 28, and facial-recognition payment is one of the highest-stakes consumer uses of it. The guide operationalizes the heightened sensitive-PI duties — separate consent (Article 29), strict necessity and protection (Article 28), and impact assessment (Article 55) — in the payment setting.

It complements the Measures for the Administration of the Application of Facial Recognition Technology, which require necessity, alternatives to facial recognition, and filing for large-scale use, and aligns with the facial-recognition judicial interpretation and the sensitive-PI identification and protection standards. For overseas compliance teams operating payment or identity-verification services in China that rely on face data, it is the scenario-specific reference for designing a compliant facial-recognition payment flow.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →