The Impact Of PSD2 And GDPR On Merchant Fraud

A perfect storm of regulatory changes and card brand rule changes has left many merchants wondering to whom, exactly, they are beholden and what, exactly, they must do to comply.

To add complication to complexity, changes that many see as regional, such as the second payment services directive (PSD2) in Europe, will have ripple effects across the global regulatory landscape, impacting business, cross-border commerce and fraud mitigation the world over.

According to Ethoca’s SVP Industry Solutions Julie Fergerson and CMO Keith Briscoe, merchants can’t afford to “wait and see” what happens. There can be serious penalties for any business that touches a payment and fails to comply.

Whether it’s PSD2, Strong Customer Authentication (SCA), the General Data Protection Regulation (GDPR) or new chargeback rules, global and regional regulations and mandates affect every business — so merchants would do well to prepare now rather than later.

Fergerson, Briscoe and a panel of industry experts will address these challenges and field questions in a webinar on April 25 at 1:00 p.m. EST. Register now to participate. Here’s a sneak peek at what to expect.

The Bottom Line

Regulations can feel a bit abstract and overwhelming on paper, especially when so many changes are happening at once.

In the upcoming webinar, Fergerson and the panel will thread the needle between these regulations and the closer-to-home reality of how merchants can authenticate consumers and protect their data, comply with regulations to share certain data, and do it all without giving bad guys the advantage of anonymity by affording too much privacy.

Bracing for Bad Guys

Criminals always seem to be five steps ahead, so there’s no doubt they’re preparing for these shifts in their own way. The good guys are doing their best to anticipate and brace against the nefarious attempts that are sure to come.

For example, Fergerson noted that, under GDPR, data may be held in quarantine as long as necessary, even after a request for erasure. The quarantined data is removed from the merchant’s records and can only be accessed or used if a customer issues a chargeback — which must be done within 180 days — and then the data is removed from quarantine as well.

Fergerson explained that this can help protect merchants and consumers from the possibility of a fraudster calling in and asking for a user’s data to be erased so he can go about his nefarious business pretending to be the customer.

Data Privacy

In light of Facebook’s current woes, data privacy issues are hovering near the top of everyone’s mind. Fergerson said even the biggest merchants in the industry are worried about how to handle this. They’re uncertain how long they should retain customer data and how they’re supposed to track criminals with new limitations on data use and sharing.

These are relatively new concerns for merchants, Fergerson said, not because criminals didn’t exist before, but because prior regulations didn’t place as much emphasis on data security. Now that card-not-present transactions have become more prevalent, card-not-present fraud has grown accordingly and must be regulated, giving merchants a whole lot of new worries to keep them up at night.

It doesn’t help that many merchants may lack confidence in how 3D Secure 2.0 will be rolled out due to how the first 3D Secure protocol was handled. Both security standards aim to prevent fraudsters from using stolen financials online, with the newer protocol adding support for mobile, in-app and digital wallet payments, as well as much less invasive risk-based authentication to address abandonment rate issues.

Merchants, however, may be concerned over the extent of data being shared to get the liability shift under 3DS 2.0, Briscoe said, since the required data elements are much more extensive than those of the original 3DS. The current data privacy landscape could intensify this concern, which will need to be balanced against the potential for increased approval rates from card issuers.

Some are talking about biometrics. Others are saying they’d rather do SCA or something else that works across the globe. About half of merchants haven’t even thought about it — which is a problem all its own, said Briscoe. September 2019 sounds far away, but today is definitely not too soon for merchants to map out their game plan for when the time arrives.

Unintended Consequences

Every major change, good or bad, has a domino effect on the structures around it, and Briscoe said these regulations will be no different. The panel will discuss Ethoca’s insights and predictions around these unintended consequences to help merchants prepare for what’s to come.

For instance, there will likely be chargeback cases where elements are missing in terms of “compelling evidence” due to the GDPR shift in what qualifies as “compelling” and how data may be used or stored under the new rules. That will impact the chargeback and dispute cycle.

There will also be a struggle for consistency across trading markets. Whatever solutions are concocted to meet rising regulatory requirements must be universal, as today’s world is a global one and merchants can’t afford to only be compliant within their own environment.

Register now to hear these insights and more on the April 25 webinar.