I want to make sure I understood.
Certain obligations are imposed on you. If you do business with the credit card company, whether Visa or Mastercard or another company, the data on clients' credit card transactions are kept on the servers of the credit card company. Does this create a problem with respect to the legal protection offered in countries where the data are kept? Do the same obligations apply? If Visa, for instance, knows about a leak on American servers, is it the Canadian bank that is responsible for that leak?