1. The Financial Backbone: PCI DSS 4.0.1
The transition to PCI DSS 4.0.1 is now complete; the standard emphasizes "Customized Approaches" to meeting its requirements. For e-commerce, the focus has shifted heavily toward client-side security to prevent "skimming" attacks on payment pages.
Merchant Level & Validation Requirements
| PCI Level | Transaction Volume | Validation Needed |
|---|---|---|
| Level 1 | >6 Million / year | Annual On-site QSA Audit; RoC |
| Level 2 | 1 – 6 Million / year | Annual SAQ; Quarterly Network Scan |
| Level 3 | 20,000 – 1 Million / year | Annual SAQ; Quarterly Network Scan |
| Level 4 | <20,000 / year | Annual SAQ; Recommended Scans |
Note: In 2026, merchants using iframes or redirects must now technically demonstrate that their site is not "susceptible to script attacks" to remain eligible for the simpler SAQ A; otherwise, they are elevated to the more rigorous SAQ A-EP or SAQ D.
________________________________________
2. Data Retention: The "Why" Dictates the "How Long"
Under GDPR and national laws, you cannot store personal data "just in case". Storage is strictly limited by the purpose of the data.
The Retention Timeline (Swedish Context)
- 14 Days: Right of withdrawal window for most online purchases.
- 1 Year: Subscriber data following account termination.
- 3 Years: Consumer complaint records under the Consumer Sales Act.
- 7 Years: Mandatory archiving for all accounting material (invoices, receipts) per the Swedish Accounting Act.
________________________________________
3. Global Comparison: Europe vs. Asia
While the GDPR provides a baseline in Europe, national tax laws often extend retention periods. In Asia, newer e-commerce laws focus more on transaction transparency and user inactivity.
| Region | Country | Retention (Transaction Data) | Legal Basis |
|---|---|---|---|
| Europe | Sweden | 7 Years | Accounting Act (Bokföringslagen) |
| Europe | Germany | 8 Years | Bureaucracy Relief Act (BEG IV) |
| Europe | France | 10 Years | French Commercial Code |
| Asia | China | 3 Years | E-Commerce Law (2019) |
| Asia | Singapore | 5 Years | Income Tax Act |
| Asia | India | 3 Years (Inactivity) | DPDP Rules 2025 |
________________________________________
4. NGOs & The "90-Account" Standard
For non-profits in Sweden, the 90-account (90-konto) is the ultimate seal of quality. Regulated by Svensk Insamlingskontroll, it assures donors that their money is handled ethically.
The 75/25 Rule for 90-Accounts
- Mission First: At least 75% of total revenue must go directly to the charitable purpose.
- Lean Admin: No more than 25% can be spent on administration and fundraising.
- Trust Indicators: These accounts always start with "90" (e.g., Bankgiro 900-xxxx) and allow for dedicated "90" Swish numbers.
NGO vs. E-Commerce: Key Differences
- Sensitive Data: NGOs often handle "Special Category" data (religious/political affiliation), requiring explicit consent.
- Vetting: NGOs face stricter Anti-Money Laundering (AML) checks. Individual donations over €1,000 often trigger mandatory "Know Your Donor" (KYD) identity verification.
- Withdrawal Rights: While e-commerce must offer a "Withdrawal Button" by 2026, pure monetary donations are generally exempt from these consumer return rights.
________________________________________
5. 2026 Swedish Compliance Checklist
If you operate in Sweden, ensure your systems are updated for these three major pillars:
• BankID "Secure Start": Mandatory animated QR code scanning for all cross-device logins to prevent phishing.
• The Withdrawal Button: Mandatory from June 19, 2026. A clearly labeled button must exist for consumers to terminate contracts easily.
• EPR & Packaging (NPA): All "producers" (including online shops) must register with a PRO like NPA to manage the lifecycle of their shipping boxes and mailers.
The Bottom Line: In 2026, compliance is your most valuable asset for building consumer and donor trust. Start your audits early to avoid the steep penalties of the DSA (up to 6% of turnover) or GDPR.
