Thursday, November 21, 2024

Europe’s All-Embracing Data Regulations

Payments companies that handle consumer data in Europe are becoming quite familiar with the General Data Protection Regulation and the Strong Customer Authentication rules. Think you’re immune because you’re a U.S. company? Think again.

If you’re one of the 500-million-plus consumers in the European Union, you might be proud that authorities last year implemented the General Data Protection Regulation, or GDPR, considered by many to be the world’s strongest set of privacy protections.

You also might find further evidence that authorities are on the side of consumers regarding data-security matters now that the Strong Customer Authentication rules for online electronic payments officially took effect Sept. 14.

Never mind that so many merchants and other affected firms could not meet that deadline that pan-European authorities in effect declared an enforcement holiday and kicked the compliance can down to national governments.

SCA takes cues from private-industry security practices and rules already in force in the U.S. and elsewhere, including the newly updated 3-D Secure technology used for protecting online payment card transactions. Technically, SCA is part of an updated, broader regulation called the second Payment Services Directive, or PSD2.

Why should Americans care about these European regulations? In this online era of instant worldwide communications and global social networks and payment systems, what starts in Europe seems unlikely to stay in Europe. Here’s what a spokesperson for fraud-prevention technology provider Riskified Ltd., which has offices in Tel Aviv, Israel, and New York City, says about PSD2/SCA in an email:

“The rollout of the regulation in Europe is being watched closely by the U.S. payments industry amid increasing fear that CNP [card-not-present] fraud will increase in America and other regions that don’t have similarly strong protections. The U.S. is also widely predicted to adopt similarly strong protections, with adoption in the EU from companies like Amazon expected to speed the deployment here.”

The GDPR, meanwhile, already has had a minor direct effect on Americans—credit, or blame, the regulation for those Internet popups telling you a site uses cookies. The GDPR, which succeeded an older regulation called Data Protection Directive, sets up a whole troupe of actors on the privacy stage who are entrusted with protecting data, and that includes payments companies and social networks.

Its proscriptions could serve as models for lawmakers and regulators in the U.S. and elsewhere trying to address growing fears about eroding consumer privacy. “Regulators are certainly watching it with interest,” says Zilvinas Bareisis, a London-based senior analyst who follows payments issues for the U.S. research and consulting firm Celent, a unit of New York City-based Oliver Wyman.

Adds Eric Grover, a payments consultant with Minden, Nev.-based Intrepid Ventures who has worked on international projects: “The short answer is anybody that transacts, wants to do business, is going to be affected.”

‘The Industry Is Struggling’

What follows is a high-level summary of the PSD2/SCA and GDPR, with a promise to keep the bureaucratese to a minimum.

The basic tenets of SCA, whose scope includes bank withdrawals and card payments, are familiar to just about any U.S. merchant or payment executive concerned with online security. SCA requires authentication to use at least two of three elements, according to a backgrounder from Stripe Inc., a San Francisco-based merchant processor with international operations.

These are: something the customer knows, such as a password or PIN; something the customer has, such as a smartphone, dongle, or other hardware token; and something the customer is, which may include a biometric such as a fingerprint or facial-recognition image.

These requirements apply to customer-initiated online payments within the 31 countries of the European Economic Area, a single market that includes the European Union’s 28 members and three others. Stripe expects SCA to be enforced in the United Kingdom even if that country finally goes through with its long-planned but politically excruciating exit from the EU.

So what counts as strong customer authentication? The payment card networks’ 3-D Secure version 2 does. EMVCo, the card-network-owned standards body, recently updated 3-D Secure, with one major goal: to make the customer checkout experience smoother as well as more secure. That had been a sore point for online merchants who complained buyers had to leave their Web sites during the checkout process under 3-D Secure’s earlier iteration, leading to lost sales.

Also passing the test, according to Stripe, are the built-in biometric or password-based authentication flows in some mobile-payment systems, including Apple Pay and Google Pay. Stripe also said it expects several local European payment services will follow the SCA rules without major changes to the user experience.

But some authentication protocols fail the SCA test. One of the most prominent is the one-time passcode delivered to devices by SMS, the technology behind text messages.

Not every online payment requires SCA. Depending on the size of the transaction, exemptions are possible if the payment provider or bank’s overall fraud rates are below set thresholds. Exemptions also are available in other scenarios, including certain merchant-initiated transactions using card-on-file data.
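The two-of-three factor rule, the SMS-passcode exclusion, and the fraud-rate exemptions described above, combined into one small issuer-side policy check. This is an added illustration, not code from Stripe, EMVCo, or any processor named in the article; the evidence-type names and the exemption tiers are constructed placeholders, not the regulation’s actual figures.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Hypothetical evidence labels mapped to SCA factor categories.
# An SMS one-time passcode maps to None: the article notes it does not pass the SCA test.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "registered_phone_app": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "sms_otp": None,
}

# Constructed placeholder tiers: (amount ceiling, maximum provider fraud rate).
# The real thresholds are not given in the article and are not reproduced here.
EXEMPTION_TIERS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]


def sca_satisfied(evidence):
    """True if the presented evidence spans at least two distinct factor categories."""
    categories = {EVIDENCE_CATEGORY.get(item) for item in evidence}
    categories.discard(None)  # unknown or non-qualifying evidence (e.g. SMS OTP) never counts
    return len(categories) >= 2


def exempt(amount, provider_fraud_rate, merchant_initiated=False):
    """True if no SCA challenge is required for this transaction."""
    if merchant_initiated:
        return True  # article: certain card-on-file, merchant-initiated transactions are exempt
    # Low-value transactions are exempt only while the provider's fraud rate stays under the tier's cap.
    return any(amount <= ceiling and provider_fraud_rate <= max_rate
               for ceiling, max_rate in EXEMPTION_TIERS)


def authorize(amount, provider_fraud_rate, evidence, merchant_initiated=False):
    """Issuer decision: an authorization request that needs SCA but lacks it is declined."""
    if exempt(amount, provider_fraud_rate, merchant_initiated):
        return "approve"
    return "approve" if sca_satisfied(evidence) else "decline"
```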

What happens if a merchant, or by extension its processor, doesn’t follow the SCA requirements? The bank or other card issuer is supposed to reject the authorization request.

But this summer, with the Sept. 14 deadline looming, the card industry was a long way from being ready, according to a July Celent report written by Bareisis.

“According to research by (British bank and finance-company association) UK Finance, 25-30% of e-commerce card transactions would become impossible to complete as things stand,” the report says.

Bareisis says that although the SCA’s requirements officially took effect Sept. 14, European Union regulators “acknowledged the industry is struggling, so they allowed national regulators to put in their own plans on how to become compliant.”

UK Finance is devising such a compliance plan for Britain, and authorities in other major European countries are doing so for their jurisdictions, according to Bareisis.

GDPR’s Vast Scope

Similarly, the GDPR contains a vast amount of details. But a critical reason why U.S. payments firms need to become acquainted with it is that its scope applies not just to European companies, but to companies anywhere in the world that in some way process European consumers’ data.

A number of leading U.S. merchant processors have sizable European operations. They include: Fiserv Inc., which recently acquired First Data Corp.; Fidelity National Information Services Inc. (FIS), the new owner of Worldpay Inc.; and Global Payments Inc., which recently acquired Total System Services Inc. (TSYS). A smaller one is Atlanta-based acquirer EVO Payments Inc., which generates the majority of its transactions in Europe.

The GDPR defines personal data broadly, according to a separate Stripe analysis. “Personal data is not just a person’s name or email address. It can also encompass information such as financial information or even, in some cases, an IP [Internet Protocol] address,” the analysis says.

The 119-page regulation defines and spells out the duties of “data controllers” and “data processors.” We’ll spare you the details here. Suffice it to say processing entities must meet a host of conditions, including that the subject of the data has given consent for its use, that the data processing is necessary for the performance of a contract, and several others.

The GDPR also is famous for its provision expanding its predecessor regulation’s right for consumers to demand erasure of their data—the so-called right to be forgotten.

Violations of GDPR rules can carry severe fines—up to 4% of global revenues or €20 million ($22.1 million), whichever is higher. A British agency enforcing the GDPR in the United Kingdom this summer hit British Airways and the Marriott hotel chain with proposed fines of $230 million and $123 million, respectively, after the companies experienced big data breaches. Both firms indicated they would appeal, according to CNBC.

Some of the U.S. processors with European operations did not respond to Digital Transactions’ requests for comment for this story. But a spokesperson for EVO Payments says the company has rolled GDPR compliance into its operations.

“We implemented a lot of those changes a couple of years ago … we’re fully compliant with that,” the spokesperson says in an email.

Some of the data-protection issues the GDPR tries to address actually originated with incidents not in Europe but in the United States, according to Celent’s Bareisis, including the massive 2017 data breach at credit-reporting agency Equifax Inc. that compromised 148 million files.

“A lot of these issues bubbled to the top,” he says. “I think GDPR is seen as a solution to curb these issues.”

Clearly, non-European processors will need to familiarize themselves fully with the GDPR and PSD2/SCA if they want to pursue Europe’s electronic-payments market. Processors also should get ready for what’s next, says consultant Grover.

“This is no surprise, they’re going to have PSD3,” he says. “It’s already percolating. You can take that to the bank.”
