No Pain, No Gain? GDPR, PSD2 And The New Payments Reality


Last year brought the General Data Protection Regulation (GDPR) deadline, Europe’s attempt to boost online privacy and security for consumers — a law that just resulted in a $57 million fine against Google, which was accused of not doing enough to gain the consent of users when collecting data meant for targeted advertising.

This year brings the Second Payment Services Directive (PSD2) deadline, also in Europe, a directive designed to encourage more security and innovation in the payments and FinTech spaces. Parts of PSD2, including its strong customer authentication requirements, are set to take effect in September 2019.

Those two regulations — already having an impact on the planning and operations of players in the payments, commerce and digital spaces — promise to significantly shape those worlds in the coming years, no doubt in ways that can barely be predicted now, as is the case with many laws and regulations.

In the latest PYMNTS Data Drivers podcast, Karen Webster and Whitepages Pro CEO Rob Eleveld discussed GDPR and PSD2 (how they differ and how they might intersect), and dug into the harsh truths that businesses will have to know as those regulations become more settled.

70 percent

Seventy percent of businesses failed to address personal data requests following GDPR, a signpost for how compliance with the European Union's (EU's) privacy regulation might play out in the coming months. GDPR gives users the right to know what information a company holds about them, where that data came from and who is receiving it, and a company that fails to answer such a request can face fines and lawsuits.

So, is that 70 percent figure a simple matter of businesses basically flouting GDPR? Not really, Eleveld told Webster during their discussion. “It’s not trivial, from a complexity standpoint, to be able to process personal requests,” something Whitepages Pro has experienced, he said.

That’s because consumer data resides in different places and databases — and retrieving that data brings technical and logistical challenges, even for a business bent on following both the spirit and letter of GDPR. In addition, the various business units, where all that data resides, “don’t always talk to each other,” he said. “To remove someone from all those places [via a GDPR request] is not a trivial requirement.”

3D Secure 2.0 and SCA

When it comes to these payment and security trends, from one angle, it's a matter of acronyms. Under PSD2, strong customer authentication (SCA) requires that a payer be authenticated with at least two independent factors drawn from three categories: knowledge (something only the consumer knows, such as a password or PIN), possession (something only the consumer has, such as a device registered as belonging to that consumer) and inherence (a consumer-specific trait, such as a fingerprint verified through biometrics). The factors must be independent, so that the compromise of one does not compromise the others; two passwords, for instance, are two knowledge factors and do not satisfy SCA.

That’s the goal.
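The factor rules above, as an added example that is not code from the article or from Whitepages Pro. It checks that the verified factors span at least two independent categories, and goes one step beyond the text by also showing PSD2's dynamic-linking rule, under which the authentication code must be bound to the transaction's amount and payee. The HMAC construction, the byte layout, the device-held key standing in for the possession factor and the sample data are this example's own assumptions, not any card network's scheme.

```python
"""Added example (not from the PYMNTS article or Whitepages Pro): a toy SCA
check.  Factor categories follow PSD2; the HMAC-based authentication code,
its byte layout and the device key are this example's own assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

# The three SCA categories named in PSD2.
KNOWLEDGE = "knowledge"    # something only the payer knows (password, PIN)
POSSESSION = "possession"  # something only the payer has (registered device)
INHERENCE = "inherence"    # something the payer is (fingerprint)


@dataclass(frozen=True)
class Evidence:
    """One authentication factor presented during a payment."""
    category: str   # KNOWLEDGE, POSSESSION or INHERENCE
    method: str     # descriptive label, e.g. "password"
    verified: bool  # whether the verifier accepted this factor


def sca_satisfied(evidence):
    """SCA needs at least two verified factors from *different* categories.

    Two passwords are two knowledge factors, so they count as one category
    and do not satisfy SCA; a password plus a registered device does.
    """
    categories = {e.category for e in evidence if e.verified}
    unknown = categories - {KNOWLEDGE, POSSESSION, INHERENCE}
    if unknown:
        raise ValueError(f"unknown SCA category: {unknown}")
    return len(categories) >= 2


def _link_message(amount_minor, payee, nonce):
    """Canonical, unambiguous encoding of the details the code is bound to
    (length-prefixed payee, so a '|' in a payee name cannot shift fields)."""
    payee_bytes = payee.encode("utf-8")
    return (amount_minor.to_bytes(8, "big")
            + len(payee_bytes).to_bytes(2, "big") + payee_bytes
            + nonce)


def authentication_code(device_key, amount_minor, payee, nonce):
    """Code produced by the possession factor (assumed: a device-held key).

    Binding the code to amount and payee is PSD2's 'dynamic linking' rule,
    which the article does not discuss: a code issued for one transaction
    must not verify for a different amount or payee.
    """
    mac = hmac.new(device_key, _link_message(amount_minor, payee, nonce),
                   hashlib.sha256)
    return mac.hexdigest()[:16]


def verify_dynamic_link(device_key, amount_minor, payee, nonce, code):
    """Constant-time comparison of the presented code against the expected one."""
    expected = authentication_code(device_key, amount_minor, payee, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    key = bytes(range(32))
    nonce = b"\x00" * 8
    pw = Evidence(KNOWLEDGE, "password", True)
    pin = Evidence(KNOWLEDGE, "pin", True)
    dev = Evidence(POSSESSION, "registered_device", True)
    print("password + PIN:", sca_satisfied([pw, pin]))       # False
    print("password + device:", sca_satisfied([pw, dev]))    # True
    code = authentication_code(key, 4999, "Merchant A", nonce)
    print("same amount/payee:",
          verify_dynamic_link(key, 4999, "Merchant A", nonce, code))  # True
    print("changed amount:",
          verify_dynamic_link(key, 9999, "Merchant A", nonce, code))  # False
```

The category check is deliberately strict about independence: a second factor of the same category adds nothing, and an unverified factor is ignored rather than counted. The dynamic-link check shows why the authentication code has to cover amount and payee; a code that only proved "this device is present" could be replayed against a different transaction.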

However, many banks and merchants are busy, for the time being, trying to adopt the latest generation of the 3D Secure (3DS) protocol, 3DS 2.0, designed to protect both consumers and the companies serving them. Visa introduced the original 3DS protocol in 2001, and the card networks offered it under the brand names Verified by Visa and Mastercard SecureCode; the current version, 3DS 2.0 (EMV 3-D Secure), is specified by EMVCo. Both versions provide increased fraud protection for online transactions made via debit or credit cards, and the protocol has continued to evolve over the past 17 years.

“The market will target [3DS 2.0] in the first step” toward more robust security, encouraged and/or mandated by PSD2, Eleveld said, given that protocol’s long history and relative familiarity. “The market will eventually get to some of the more cutting-edge PSD2 regulations, but it will not go there first because it’s just such a sea change.”

PSD2 Versus GDPR

Meeting the requirements of GDPR is hard enough, especially given that regulators are still figuring out (or testing) how exactly they will enforce the privacy regulation and related laws (see France's fine against Google, for starters). Regulators will no doubt make examples of some companies in hopes of sending messages to others (as happens often with new or revised regulations).

Yet, that will be child’s play compared with PSD2, Eleveld told Webster. Over the long term, he said PSD2 will bring “at least as much change, if not more, to the payments industry. There are all sorts of hoops to jump through. It’s hard to imagine a wholesale cutover to meet all of those requirements by September 2019.”

Of course, one prediction is relatively easy to make when it comes to PSD2: “The winners in that shift will be the largest and best-known brands at some level,” he said.

52 percent

Between October 2017 and September 2018, 52 percent of reported cyberattacks targeted businesses subject to PSD2.

The war against online criminals will never end; any person or organization that proves otherwise will have earned a place in future history books, business classes and computer science celebrations. That brings challenges, and the opportunities that all challenges provide, to the PSD2 and payments space.

In Eleveld’s view, that means education. Consumers “are almost numb about data breaches,” he said. However, that doesn’t necessitate surrender. “With some education and patience” on the part of consumers and companies, the goal of increasingly secured payments — that can also have less friction — can eventually be achieved.

A Reckoning Approaches

Both GDPR and PSD2 are, obviously, in their early stages. Yet, the choice that companies face is pretty clear, according to Eleveld. Sure, consumer data might reside in different units, and various people in a business might have multiple uses for all that data, but companies will not be able to have it all.

As Eleveld put it, companies need to address this: “Are we storing data to protect consumers or market to them? The marketing department wants it for one thing. The risk department wants it for another. But you cannot have it both ways. Hard decisions have to be made. There will not be a lot of grey areas.”