The deadlines for compliance with new European data regulations are right around the corner, and the impact of these changes won’t be limited to the European Union. According to Ethoca, neither should preparations for the shift.
The General Data Protection Regulation (GDPR) goes into effect on May 25 of this year. Additionally, the strong customer authentication (SCA) mandated by the second Payment Services Directive (PSD2) goes into effect in September of 2019 — and yes, that too counts as “right around the corner.”
GDPR’s regulatory ripple effect will touch organizations conducting business or having employees in the European Union. With only one month to go before GDPR goes into effect, affected businesses are down to the wire to make their plans and implement changes to become compliant.
It may be crunch time for GDPR prep, but the year and a half until SCA goes into effect likely won’t prove as luxurious a timeframe as some seem to believe.
Many merchants are reporting that they have yet to even think about how they will respond to the new rules. Some are playing the wait-and-see game, keeping an eye on others in the space for ideas; others are gambling with which rules to follow and which to ignore until the consequences of non-compliance become more clear. A few are lucky enough that their current practices will keep them compliant, so they won’t need to change a thing.
So what should merchants, issuers, data controllers and processors be doing in the days and months before the new regulations go live? Furthermore, what are some of the new challenges and vulnerabilities that may develop as a result of these well-intentioned changes?
Ethoca’s Keith Briscoe, chief marketing and product officer; Julie Fergerson, SVP industry solutions; and Corey Levin, general counsel, touched on the salient points in a recent webinar with Karen Webster.
What Every Org Should Know About GDPR
The regulations can get a little technical, Levin acknowledged, but every impacted business should understand the basics of both GDPR and PSD2.
GDPR relates to personal data, or information related to an identified or identifiable natural person – meaning human beings. Its goal is to create a common set of data protection practices across the EU.
This new regulation provides increased privacy rights for consumers and impacts any organization they may deal with. It provides the right to be informed about the data controller who is processing their information and how to contact that entity; the right to “erasure,” or the removal of data; and the right to prevent automated decision-making, which is used to profile individuals and use their data to target ads.
An organization should only process personal data for the lawful reasons set out in the GDPR; they can’t collect it “just because.”
The consequences for not complying with GDPR can be significant, with fines of up to the greater of €20 million or 4 percent of annual worldwide turnover. As Levin noted, there are ways to try to minimize the fines, such as by instituting technical safeguards like data encryption.
It remains to be seen how regulators will respond to issues and dole out fines, said Levin, but it’s definitely in an organization’s best interest to avoid becoming the example of what not to do.
What Every Org Should Know About PSD2
Generally speaking, the second Payment Services Directive is all about giving consumers ownership and choice about who they share their data with, who gets to hold onto that data and how the information may be used.
PSD2 sets out the requirements for SCA, an identity verification procedure that leverages multifactor authentication. SCA pulls in factors such as ownership (i.e., the transaction is coming from a device that is recognized as belonging to the consumer) and inherent traits (biometric identifiers like fingerprints and retinas).
However, Levin noted, there are significant industry concerns with PSD2 and SCA. Multifactor authentication does introduce new frictions that could make purchasing goods online less desirable.
Fergerson noted that many are turning to biometrics in an attempt to satisfy multiple regulations without overly inconveniencing consumers, who have largely embraced the use of digital fingerprinting as a security feature. For those whose devices don’t read fingerprints, however, another method will be needed. Some merchants are considering redirecting those customers to call in and pay over the phone.
These challenges, paired with a lack of clear consequences for not implementing SCA, have led some merchants to ignore the requirements and hope the penalties won’t cost more than the implementations they avoided.
The new regulatory era aims to offer protection for cardholders, but Briscoe said it may also be creating opportunities for thieves.
Limiting the data that merchants collect, keep and share could cripple third-party fraud-scoring systems that leverage those data elements, he said, which can over time harm the merchant’s brand, generate a greater volume of false declines and prevent fine-tuning of fraud models.
The right to erasure could prove especially problematic. If a criminal requests the removal of identifying data points, such as an IP address, then it leaves merchants at a distinct disadvantage, as they are unable to add those data points to their negative list.
“It will significantly impact their ability to dispute a chargeback and win,” Briscoe said. “There will have to be a balance between protecting the ecosystem and protecting the cardholder. Otherwise, the merchant will not be able to protect itself from fraud or the cardholder from being exposed to fraud in the future.”
It’s not just about criminal fraudsters, though. Some valid cardholders are already exploiting the dispute system for their own gain, Briscoe said. Friendly fraudsters are legitimate customers who, after performing a transaction, claim that the transaction was fraudulent so they can enjoy a full refund and their “purchase” for free.
Briscoe expects that cardholders who abuse the system will find similar ways to abuse GDPR. For instance, they could call the merchant and ask to exercise their right to data erasure, then call the bank to issue a dispute that the merchant no longer has enough compelling evidence to refute.
What’s a Merchant to Do?
Fergerson said merchants are considering a few options to confront these scenarios.
When chargebacks hit, merchants may choose to fight the claim by presenting compelling evidence that demonstrates the transaction was not, in fact, fraudulent. GDPR allows organizations to retain information for the purpose for which it was collected for a finite period of time, she said, so some merchants may opt to keep data until the 180-day chargeback window closes.
Others, said Fergerson, are going a step further and planning to quarantine data so that only fraud investigation and chargeback teams can access it if a chargeback is issued.
Still others are planning to take the path of strict compliance. These organizations simply absorb the losses as a cost of doing business, Fergerson said, and have adjusted their compelling evidence packages to suffice even without some information that traditionally would have been included.
Fergerson said the decision will be different for every organization. Across the board, complying with these new regulations is going to present a difficult balancing act, and merchants will need to decide for themselves: What is the risk of sharing personal data compared to the risk of not stopping fraud?
Fergerson said merchants should start by asking themselves what data they will need to leverage for compelling evidence, then looking at the data they collect and figuring out which pieces have a legitimate purpose to store even when a consumer asks for the right to erasure.
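The retention and quarantine approaches Fergerson describes above can be written down as data-handling logic. What follows is an added example prepared for this page, not code from Ethoca or from any merchant system: an erasure-request handler that immediately deletes data elements with no remaining lawful purpose, keeps compelling-evidence elements only in a role-gated quarantine store until the 180-day chargeback window closes, and purges them afterward. The 180-day figure comes from the article; the purpose labels, role names, store layout and the sample customer values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy constants. The 180-day chargeback window is the figure quoted in the
# article; the purpose labels and role names are constructed for this example
# and do not describe any real system.
CHARGEBACK_WINDOW = timedelta(days=180)
EVIDENCE_PURPOSES = frozenset({"fraud_evidence"})
QUARANTINE_ROLES = frozenset({"fraud_investigation", "chargeback"})


@dataclass
class DataElement:
    value: str
    purposes: frozenset  # lawful purposes this element was collected for


@dataclass
class CustomerRecord:
    customer_id: str
    last_transaction: date
    elements: dict = field(default_factory=dict)


class DataStore:
    """Two stores: 'active' is generally readable, 'quarantine' is role-gated."""

    def __init__(self):
        self.active = {}       # customer_id -> CustomerRecord
        self.quarantine = {}   # customer_id -> (CustomerRecord, retain_until)

    def chargeback_deadline(self, record):
        return record.last_transaction + CHARGEBACK_WINDOW

    def handle_erasure(self, customer_id, today):
        """Erase what has no remaining lawful purpose; quarantine the rest.

        Compelling-evidence elements are kept only while the chargeback window
        is still open, and only in the quarantine store.
        """
        record = self.active.pop(customer_id)
        deadline = self.chargeback_deadline(record)
        kept = {name: el for name, el in record.elements.items()
                if el.purposes & EVIDENCE_PURPOSES and today <= deadline}
        erased = sorted(set(record.elements) - set(kept))
        if kept:
            self.quarantine[customer_id] = (
                CustomerRecord(customer_id, record.last_transaction, kept), deadline)
        return {"erased": erased, "quarantined": sorted(kept), "retain_until": deadline}

    def read_quarantined(self, customer_id, role):
        """Only fraud investigation and chargeback staff may read quarantined data."""
        if role not in QUARANTINE_ROLES:
            raise PermissionError(f"role {role!r} may not read quarantined data")
        record, _ = self.quarantine[customer_id]
        return {name: el.value for name, el in record.elements.items()}

    def purge_expired(self, today):
        """Drop quarantined records whose chargeback window has closed."""
        expired = [cid for cid, (_, until) in self.quarantine.items() if today > until]
        for cid in expired:
            del self.quarantine[cid]
        return expired


def build_sample_store():
    # Constructed sample customer; every value here is a placeholder.
    record = CustomerRecord("cust-001", date(2018, 3, 1), {
        "ip_address": DataElement("203.0.113.7", frozenset({"fraud_evidence"})),
        "device_id": DataElement("dev-placeholder", frozenset({"fraud_evidence", "analytics"})),
        "email": DataElement("user@example.com", frozenset({"order_updates"})),
        "marketing_segment": DataElement("segment-A", frozenset({"marketing"})),
    })
    store = DataStore()
    store.active[record.customer_id] = record
    return store


def run_demo():
    # Erasure request arrives while the chargeback window is still open.
    store = build_sample_store()
    outcome = store.handle_erasure("cust-001", today=date(2018, 4, 25))
    evidence = store.read_quarantined("cust-001", role="chargeback")
    try:
        store.read_quarantined("cust-001", role="marketing")
        blocked = False
    except PermissionError:
        blocked = True
    purged = store.purge_expired(today=date(2018, 9, 1))
    # Same request after the window has closed: nothing is worth quarantining.
    late = build_sample_store().handle_erasure("cust-001", today=date(2018, 10, 1))
    return {"outcome": outcome, "evidence": evidence, "marketing_blocked": blocked,
            "purged": purged, "quarantine_empty": not store.quarantine,
            "late_quarantined": late["quarantined"]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The design point is that the retention question is decided per data element by its recorded purpose, not per customer: elements collected only for marketing or order updates go at once, while the fraud-evidence elements survive an erasure request only inside a store that a marketing role cannot read and that empties itself once the dispute window has passed.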