Sogecommerce is the e-commerce payment gateway operated by Société Générale, the major French banking group. It enables merchants to accept online payments through a hosted secure page, supporting major card networks, Apple Pay, Google Pay, and SEPA. Sogecommerce handles PCI DSS compliance, 3D Secure authentication, and fraud detection on the bank side, removing card data from merchant systems. Processing takes place exclusively in France, making it a strong choice for European businesses that require strict data residency and a recognised banking partner.
Sogecommerce is the e-commerce acquiring service operated by Société Générale, one of the largest French retail and corporate banks. It allows merchants to collect card-not-present payments from customers across Europe and beyond, with the bank acting as the acquirer and technical processor.
When a customer reaches checkout, the merchant redirects them to a Société Générale hosted payment page (or embeds it in an iframe). The customer enters card details on the bank infrastructure, never on the merchant server. The bank handles 3D Secure authentication, fraud scoring, and authorisation with the card scheme, then returns a success or failure status to the merchant via a server-to-server callback.
Because the cardholder interaction happens on a Société Générale domain (typically payment.sogecommerce.com or payment.systempay.fr depending on the technical stack), the bank sets its own session cookies on its own domain. These cookies are essential to maintain the secure transaction session, prevent CSRF attacks, and complete the 3D Secure challenge.
Data collected during the transaction includes the card number (tokenised and never returned to the merchant in clear form), expiry date, CVV, cardholder name, transaction amount, currency, and IP address for fraud scoring. The merchant only receives a transaction identifier and a payment token, not the raw card data.
Société Générale acts as an independent controller under GDPR for the bank-side processing tied to its banking obligations (anti-money-laundering, financial reporting, fraud prevention). The merchant remains controller for the commercial relationship with the customer.
Under the ePrivacy Directive, the cookies set during a payment transaction qualify as strictly necessary: they are required to deliver a service explicitly requested by the user, which is the immediate fulfilment of payment. They therefore fall outside the consent requirement of Article 5(3) ePrivacy.
Sogecommerce processing takes place in Société Générale data centres located in France, under the supervision of the French banking authority ACPR. There are no transfers to third countries in the standard configuration of the service, which makes it well suited for merchants who explicitly need a French or EU acquiring partner.
Indirect transfers can occur via card schemes (Visa, Mastercard) and issuing banks, but these flows are inherent to the international card payment infrastructure and are governed by separate legal frameworks negotiated by the schemes themselves.
Reference Sogecommerce in your privacy notice as a payment processor and joint controller for the payment-specific processing. Make clear that no consent is needed for the payment cookies set during checkout, since they are strictly necessary under Article 5(3) ePrivacy and Article 6(1)(b) GDPR.
If you reuse transaction tokens for recurring billing or one-click checkout, document the appropriate legal basis (typically the underlying contract for subscriptions, or explicit opt-in for tokenisation of cards for later use), and update your record of processing activities accordingly.
If you are evaluating Sogecommerce, common alternatives in the same EU-resident category include Systempay by BPCE (Banque Populaire and Caisse d'Epargne group), Monext, Worldline (formerly Atos), Adyen (Netherlands), and Stripe Europe (Ireland). Each has a different posture on data residency, cookie usage, and reporting capabilities.
Choose based on geographic footprint of your customers, language and currency support, recurring billing needs, and whether you require deep integration with French banking reconciliation (in which case the French banks remain the most natural fit).
DPIA considerations
A DPIA is generally not required because Sogecommerce processes a limited set of payment data on a strictly necessary legal basis. However, controllers handling high-volume online transactions or sensitive sectors (subscriptions, donations to political or health causes) should document a risk assessment covering fraud scoring, retention of transaction logs, and the chain of subprocessors involved in card scheme settlement.
Sample consent text
We use Sogecommerce, operated by Société Générale, to securely process your card payment. No consent is required: the bank cookies set during checkout are strictly necessary to complete your transaction and to comply with anti-fraud legal obligations.
Third-party domains contacted
sogecommerce.societegenerale.eu
payment-webinit.sogecommerce.societegenerale.eu
securepayments.societegenerale.eu
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| JSESSIONID | http | session | Manages the payer session on the hosted payment page during checkout. |
| SG_PAYMENT_TOKEN | http | session | Carries the one-time payment token between the bank and the merchant return URL. |
| XSRF-TOKEN | http | session | Prevents cross-site request forgery on bank forms. |
| 3DS_SESSION | http | session | Maintains state during 3D Secure strong customer authentication. |
Sogecommerce only sets strictly necessary cookies on the bank domain during checkout, including a session identifier, a CSRF protection token, a payment token and a 3D Secure state cookie. No marketing or analytics cookies are placed by the gateway itself.
Is user consent required for Sogecommerce cookies?
No. Because the cookies set by Sogecommerce are strictly necessary to process the payment, Article 5(3) of the ePrivacy Directive exempts them from prior consent. You should still mention Sogecommerce in your privacy notice as a separate controller for payment data.
Société Générale relies on Article 6(1)(b) GDPR (performance of a contract) for processing the transaction itself, and Article 6(1)(c) (legal obligation) for anti-fraud controls and banking record retention. The merchant invokes the same legal bases for its own order data.
No systematic transfer takes place: processing and storage happen in Société Générale data centres in France. Some Visa or Mastercard settlement steps may involve occasional cross-border flows when the cardholder bank is located outside the EU, but these are governed by card scheme contracts.
A DPIA is generally not mandatory because Sogecommerce processes a limited set of payment data on strictly necessary and legal-obligation bases. Controllers handling high transaction volumes, recurring billing or sensitive sectors should still document a focused risk assessment.
Reference Sogecommerce in your privacy notice as an autonomous controller, link to the Société Générale privacy policy, describe the 3D Secure step in your checkout UX, and configure your consent banner to treat the payment flow as strictly necessary rather than optional tracking.
Comparable European bank-led gateways include Adyen (Netherlands), Worldline (France/Belgium), BNP Mercanet (France), Crédit Agricole CAEPS and Banque Populaire Sherlock's. Pure fintech alternatives such as Stripe and Adyen offer broader feature sets but may add subprocessors in the US or other third countries.
List Sogecommerce as a payment service provider rather than a tracker, indicate that its cookies are strictly necessary and not subject to consent, link to the Société Générale privacy notice, mention the legal basis and retention period, and refresh the entry whenever the bank publishes new processing information.