+1 for canta!
It should definitely no longer be in a system that could attempt a transaction or other checks, it should be archived.
So definitely some sort of case here for sure
This is just from memory and I haven’t double checked it but.
There’s exemptions in GDPR, and some of them are related to financial, tax and safety stuff.
A company has to be able to prove legitimacy of transactions for 10 years in most of Europe, so keeping your card details and transaction history etc for 10 years is within GDPR exemptions for sure.
The real issue here is why the card of someone who has otherwise completely ended their customer relationship with the business was accessed in any way.
Make a cheater pool and put anyone you detect using cheats in a separate matchmaking system that only matches cheaters with cheaters.
And never ban anyone, ofc.