Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Verifone 2Checkout is a US/Romanian merchant of record payment platform, operated by Avangate S.A. in Bucharest as part of Verifone Systems Inc. after the 2020 acquisition. It handles global checkout, subscriptions, dunning and EU VAT collection for software, SaaS and digital goods. The hosted checkout on secure.2checkout.com sets only strictly necessary first party cookies. EU customer data is largely processed in EU data centres, with onward US access covered by SCCs and the EU US Data Privacy Framework.
Verifone 2Checkout, formerly Avangate / 2Checkout, is a global merchant of record (MoR) payment platform acquired by Verifone Systems Inc. in 2020. The product line is still operated by Avangate S.A. in Bucharest, Romania, with engineering and US operations under the Verifone group. It targets software, SaaS, digital media and online learning companies that need a single MoR partner for global checkout, recurring billing, dunning, tax compliance, fraud prevention and multi currency, multi method payments.
Sellers integrate Verifone 2Checkout either via hosted checkout links, the ConvertPlus inline form or the InLine.js library, which tokenises card data inside an iframe served from secure.2checkout.com.
On the hosted 2Checkout checkout (secure.2checkout.com / secure.avangate.com) only strictly necessary first party cookies are set: a session cookie keeping the cart, a CSRF protection token and a risk cookie used for fraud scoring. When ConvertPlus or InLine.js is used on the seller''s page, the iframe still loads on the Verifone domain and the cookies stay first party to that domain. Card data is tokenised within the PCI scope of Verifone and never reaches the seller''s servers.
Because Verifone 2Checkout acts as merchant of record, it is a controller for the invoicing and tax remittance data and a processor for the seller''s customer data. Strictly necessary cookies on the hosted checkout are exempt from prior consent under Art. 5(3) ePrivacy. The customer''s active decision to start a purchase is the legal basis for processing the payment data under Art. 6(1)(b) GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For EU and UK customers, processing happens predominantly in EU data centres (Bucharest, Frankfurt, Dublin). Some operational access from the United States is required for Verifone operations and risk monitoring. The 2Checkout / Verifone DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and the UK International Data Transfer Addendum. Verifone Systems Inc. is self certified under the EU US Data Privacy Framework.
Sign the Verifone 2Checkout DPA from your seller dashboard. Mention 2Checkout (Avangate S.A., Romania, part of Verifone Systems Inc., United States) as merchant of record and processor in your privacy notice and Article 30 record. Document the US transfer with SCCs and DPF and the EU based processing. No cookie banner update is needed for the hosted checkout itself, but optional analytics on the same page must stay in the consent gated tag manager.
Websites using Verifone 2Checkout must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for standard SaaS subscription billing through Verifone 2Checkout. It may become relevant when the integration is combined with extensive customer profiling, regulated industries or special category data tied to subscription tiers.
Sample consent text
Payments and invoicing on this site are handled by Verifone 2Checkout (Avangate S.A., Romania, part of Verifone Systems Inc., United States), our merchant of record. 2Checkout processes your payment data and EU VAT under contract and legal obligations, predominantly in EU data centres. International transfers to the United States are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
2checkout.comsecure.2checkout.comsecure.avangate.comavangate.netwww.verifone.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| twocheckout_session | first_party | Session | Strictly necessary session cookie on the Verifone 2Checkout hosted checkout used to maintain the customer cart and the in progress order. |
| twocheckout_csrf | first_party | Session | CSRF protection token used to validate the payment form submission on the Verifone 2Checkout hosted checkout. |
| twocheckout_risk | first_party | 30 minutes | Strictly necessary fraud risk cookie used by Verifone 2Checkout for transaction risk scoring during the checkout. |
| twocheckout_locale | first_party | 1 year | Functional cookie used by the Verifone 2Checkout hosted checkout to remember the customer's language and currency preference between sessions. |
Verifone 2Checkout uses cookies for user preferences — inform visitors with a consent banner.
On the hosted 2Checkout checkout (secure.2checkout.com / secure.avangate.com) only strictly necessary first party cookies are set: a session cookie keeping the cart (twocheckout_session), a CSRF protection token (twocheckout_csrf) and a fraud risk cookie (twocheckout_risk). Card data is tokenised in the PCI scope of Verifone and never reaches the seller.
No, the cookies on the hosted 2Checkout checkout are strictly necessary under Art. 5(3) ePrivacy and are exempt from prior consent. The customer's active decision to start a purchase is the legal basis under Art. 6(1)(b) GDPR.
Contract performance (Art. 6(1)(b) GDPR) for processing payment data necessary to complete the transaction. Legal obligation (Art. 6(1)(c)) for EU VAT, AML and tax record keeping, since 2Checkout is the merchant of record. Strictly necessary cookies are exempt under Art. 5(3) ePrivacy.
Yes, with limited scope. EU and UK customer data is processed predominantly in EU data centres (Bucharest, Frankfurt, Dublin). Some operational access from the United States is required for Verifone operations and risk monitoring. Transfers are covered by the EU SCCs, the UK IDTA and the EU US Data Privacy Framework.
Standard SaaS billing through Verifone 2Checkout does not normally require a DPIA. It may become relevant when the integration is combined with extensive customer profiling, regulated industries or special category data tied to subscription tiers.
Sign the Verifone 2Checkout DPA from your seller dashboard. Mention 2Checkout (Avangate S.A., Romania, part of Verifone, US) as merchant of record and processor in your privacy notice and Article 30 record. Document the US transfer with SCCs and DPF and the predominantly EU processing. Use the hosted checkout to keep card data out of your servers.
Other merchant of record platforms include Paddle (UK), Lemon Squeezy (US with DPF), FastSpring (US with DPF), Gumroad (US with DPF). Non MoR EU options include Stripe Billing (Ireland), Mollie (Netherlands), Adyen (Netherlands), Chargebee Billing and Recurly. EU based MoR offerings are still limited; Avangate / 2Checkout remains one of the few with a strong EU footprint.
For most setups no banner update is needed because the hosted 2Checkout checkout sets only strictly necessary cookies under Art. 5(3) ePrivacy. Update your privacy notice to mention 2Checkout as merchant of record, the predominantly EU processing, the US transfer with SCCs and DPF and the customer's rights as data subject.