Deep Dive: The Costs, Complexities Of Managing Consumer Data

These days, consumers are almost always walking around with at least one, if not more, connected device. Whether they’re smartphones, tablets, wearables or something else, these devices are constantly collecting information about their owners, including their whereabouts, their daily activities and more.

Data on a consumer’s smartphone or tablet is being recorded almost constantly, as devices do everything — from keeping tabs on physical locations while giving users directions, to monitoring financial habits while hosting banking apps. Smartwatches, meanwhile, could also be
recording location data, along with information on a user’s speed, steps, heart rate or other biometric information.

Consumers might be eager to enjoy the conveniences these connected experiences offer, but they are also becoming increasingly concerned
about how their data is being collected and used. A long list of high-profile security breaches — whether it’s last year’s Equifax breach or last month’s cyberattacks on Marriott — have made consumers wary of their data’s security. Now, national and international governments and regulators are stepping in and passing new regulations that force companies handling consumer data to meet heightened requirements.

As new regulations continue to mount, and consumers’ fears are stoked by new breaches, companies in a range of industries are under
more pressure than ever to protect customers and their data from cybercriminals. In the inaugural PSD2 Tracker™ Deep Dive, PYMNTS explores the complications and costs that hinder those efforts.

Growing complexities

One of the challenges for companies that want to protect consumer data is the stronger security requirements involving PII, which is often the key to unlocking consumers’ accounts and allowing cybercriminals to wreak havoc. Companies should offer more stringent security measures by notifying users of suspicious activity in real time and collaborating with customers to protect that data.

Those in the banking and financial services spaces, which are particularly targeted by fraudsters,should use end-to-end encryption to protect
data. Simply encrypting data is often not enough, however. Players in these spaces should also limit and specify the amounts and kinds of data that are available at consumer touch points. By shielding unneeded PII during these interactions, companies can better protect consumers from data breaches.

Merchants should also notify customers in real time when a breach occurs. Most customers that use digital, mobile and other connected devices can instantly communicate with the companies with which they do business, allowing them to strengthen security efforts by implementing a real-time notification system. These systems alert users to everything from repeated attempts to access billing information, to attempts to change usernames or passwords, which can prompt consumers to change their passwords or lock their accounts to reduce the damage they might suffer in an attack. Real-time notifications should only be the beginning of a company’s efforts when it comes to collaborating with customers on cybersecurity.

Companies should also work with their customers to find out what kind of security offerings they expect and demand. Research has shown that consumers often value convenience over security, and they often become discouraged over more complex security processes in favor of easy-to-complete ones.

In other words, if companies expect consumers to accept their data protection initiatives, the authentication measures must be as user-friendly as possible.

Rising costs 

Increasingly complex security needs aren’t the only challenges for modern data protection. As data breaches and other cyberattacks have become more frequent recently, regulators in a range of geographic regions have implemented new security requirements. While these regulations stand to protect consumers and curb cybercrime, they also create expensive new hoops that companies must jump through.

In the EU, for example, companies must comply not only with strict guidelines from GDPR, but also with PSD2. Those that do not comply with these regulations can face fines of up to €20 million ($22,750 million USD), or 4 percent of a firm’s global annual sales, whichever amount is greater.

What’s more, the fines are levied on a tiered system, meaning that breaking more than one regulation could leave companies in a world of financial hurt. Unfortunately, complying with the regulations isn’t much cheaper. According to some estimates, purchasing the technology to adhere to these standards could cost Fortune 500 companies as much as $1 million. Companies will also haveto permanently employ compliance experts and regularly update their technology, meaning that larger companies have a head start when it comes to PSD2 readiness.

While large companies may have the advantage, it will be crucial for businesses large and small to be ready — not only to avoid fines from financial regulators, but also to avoid becoming the latest cyberattack victims.