Posted October 31, 2019 by Bernard Clary

GDPR – Why It’s Important And Why You Can’t Ignore It

It’s been well over a year since GDPR was introduced, and France, Greece, Romania, Sweden and the UK have all seen the first casualties of non-compliance.  As EU organizations struggle to come to grips with the new legislation, we take a closer look at GDPR, what it is and why merchants can’t afford to ignore it.

What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that came into effect on May 25, 2018. GDPR applies to the handling of any personal data processed within the European Union and the European Economic Area. It was designed to protect consumers’ personal data in the modern digital world. It gives them more say in what information companies keep on them and how it is used and shared – especially online.

GDPR requires businesses to get consent from the consumer before they store their details. The introduction of GDPR was marked by a flurry of activity as organizations mailed customer contacts for permission to retain their existing data, while also allowing customers to opt out.

Secondly, GDPR protects consumers against data misuse. It stops organizations from collecting data for one activity and then using it for another, e.g. saving an email address to send a receipt and then using it to issue a newsletter or promotional offer.

Lastly, it sets out notification procedures that have to be followed in the event of a data breach, including informing customers and safeguarding their data from further harm. This includes a 72-hour breach notification requirement and process.

Why GDPR cannot be ignored
GDPR has the power to fine organizations that fail to comply. Fines can be up to 4% of a company’s ‘global’ annual turnover. If you are hit with a data breach, or other incident, how your organization responds can determine how severe the costs are, in terms of both public backlash and regulatory penalties.

It is best to always follow best practice in terms of consent, user and document management, security and response, to ensure you meet compliance guidelines and make sure you have a solid audit trail in place. That includes making sure any third parties you outsource to are GDPR compliant too. If process and due diligence are not followed, then hefty fines are waiting. For example, the first big ‘headline’ fine was Google in France, which was fined €50 million ($56.8 million USD) for data misuse. Other smaller fines have been issued across Europe, in many cases connected to data misuse. Interestingly, if the Cambridge Analytica scandal had occurred after GDPR was introduced, the fine they received would have been far more severe.

Why GDPR matters for businesses in the US
Although part of EU legislation, GDPR impacts businesses all over the world because it also covers the ‘transfer’ of personal data to countries outside the EU and EEA. This means GDPR doesn’t just affect European companies but any organization selling to, or holding information on EU consumers.

As momentum for similar consumer privacy regulations grows, other countries including Japan, Canada and Korea are looking to tighten data security. It’s likely that new standards will closely resemble GDPR. For example, we have already seen signs of this here in the US, with the California Consumer Privacy Act, which will come into effect next year.

At the end of the day, merchants should never put their brand at risk by ignoring regulations like the GDPR. Make sure you review your data protection strategy regularly and, if there is no formal process, don’t delay in putting one in place.

Posted October 31, 2019 by FreedomPay

Turn Your POS Into A Revenue Boosting Content Platform

More than two decades ago, Microsoft’s Bill Gates declared of the internet, “content is king”. That statement still resonates today, even more so with the prevalence of smart devices, social media and ‘anywhere’ connectivity.

For those who own, or can provide access to, a consumer-facing ‘content channel’, there’s now a massive opportunity to generate revenue from organizations looking to push content that persuades consumers to buy.

Whether you operate a retail outlet, stadium, hotel, theme park or even a university campus, chances are you already have a physical POS estate, with terminals that are packed with sales processing power, full color displays and even multi-media capability. You may not realize it, but these integrated online and mobile checkouts represent a rich new channel of opportunity and revenue.

Having spent your hard-earned profit building a great customer UX at the sales point, it makes sense to try to generate as much return on your investment as you can. That means finding new ways to drive extra revenue and, with FreedomPay’s DecisionPoint Network™ (DPN), it may be easier than you think.

Get your POS working harder

DPN lets you reimagine the role of the POS. It goes beyond simple acceptance and transforms the checkout into an end-to-end marketing platform, one that can enhance the customer experience with targeted advertising and special event notifications. DPN enables the POS to deliver persuasive branding and advertising in real time at the exact moment customers are ready to buy.

With little effort, you can turn your sales point into a highly targeted digital advertising channel that generates revenue for you and your partners. It won’t impact your compliance or security as DPN is offered as a component of FreedomPay’s fully PCI Validated Point-to-Point Encryption (P2PE) solution, which facilitates secure and fast onsite payments.

You can leverage DPN to improve your own experience – with sample ad messaging, to launch newly accepted methods of payment, new product/merchandise offerings and live discounts/offers, and to let customers redeem reward points at checkout. DPN also allows third-party advertisers to purchase space on your POS.

Real-time ads and content at the POS

The POS provides a dedicated content network that spans many retailers, reaching hundreds of millions of consumers every day. Not when they are watching TV, browsing the internet or on the street (when they are distracted, and their concentration is low) but when they are 100% focused and in buying mode, right at the decision point.

Unlike other digital channels, advertising on the POS gives brands 100% share of voice and 100% viewability with ad-exposure times of 10-15 seconds, all in a brand safe environment with no risk of ad fraud and ad blocking.

DPN makes it easy for advertisers to target ads, exploiting your POS estate to effectively influence conversion/upsell opportunity. At the same time, it enhances your customer experience and provides you with a lucrative revenue stream. What’s not to love?

By delivering content at the checkout, it’s clear that you can deepen your customer relationships, drive loyalty and increase average order value (AOV) by communicating targeted discounts, and offers in real-time. It really is true, content is king, and thanks to DPN you can now use it to reap royal rewards!

Cedric Lourie, Director of Digital Development for FreedomPay, follows how digital media continues to develop creative methods of advertising and unpacks what is worrying marketers in today’s content-driven climate in this podcast.

Posted October 10, 2019 by FreedomPay

It’s Time To Tap Into EMV’s Benefits

As a consumer, it’s still surprising to go into a store, and be asked to ‘swipe’ rather than ‘dip or tap’. While in Europe EMV has been the norm for almost a decade, here in the US the reality is there is still a long way to go, even though the market has been transitioning from traditional mag-stripe cards to EMV since 2015.

Today, more than half of credit and debit cards worldwide are now EMV and nearly two-thirds of all card-present transactions involve EMV. Despite this, many mom-and-pop stores and home-grown retailers have yet to make the switch.

It appears that, even as adoption rates increase, there’s still resistance from some merchants to enable EMV acceptance. In many cases, they’re simply reluctant to replace their outdated mag-stripe infrastructure with point of sale devices that can read chip card data.

So why should retailers switch to EMV? 

While there are many reasons, the most obvious is that it is much more secure than traditional mag-stripe cards, which have several vulnerabilities – cards can be stolen before they are signed, signatures can be erased and forged, and magnetic stripes can be cloned without the owner’s knowledge.

On the other hand, with its integrated chip (IC), EMV is very hard to copy or counterfeit. EMV cards offer two types of authorization – signature or PIN containing up to six digits. When the card is PIN enabled, it’s even more secure, and if the card is stolen, the thief needs the PIN to use it. In markets where EMV is established, payment card fraud rates have fallen significantly, by up to 76% according to Visa.

But if you are still unconvinced, there are other reasons, beyond security, why EMV is a great investment:

  • Reduced liability and fewer chargebacks
    EMV stands for Europay, MasterCard and Visa, the major card issuers who developed it to solve their collective card security issues. In many countries, including here in the US, these card issuers and their processors are now implementing liability shifts for non-EMV transactions – transferring the onus from the issuer to the merchant if a fraudulent transaction takes place. This means that if you don’t support EMV you are more likely than your EMV-accepting competitor to see your hard-earned profit get eaten up by fines, fees and chargebacks.
  • Convenient for consumers and staff
    EMV offers faster, more convenient payments, including enabling contactless ‘tap and go’ payments. If you can accept contactless, you can transact faster than with cash, meaning shorter lines, less hassle than reconciling/banking dollars and less temptation of theft at the point of sale too.
  • EMV paves the way for e-loyalty and more
    Its ‘smart chip’ can hold more than payment data, creating opportunity for added value services and features such as supporting complex loyalty schemes. It can also be used to implement everything from mobile wallet applications to charity donations. Increasingly, EMV is also being used to support transportation, ticketing and secure site access.
  • Use EMV POS devices for more than cards
    With contactless enabled EMV readers, retailers can also accept NFC and mobile payments. With more people carrying smartphones than cash or cards – especially millennials and Gen Z – it means you’re much less likely to miss a sale, and more likely to see AOV increase.

Combined with smart acceptance devices, commerce-enriched payment gateways and POS service apps, there’s no question that EMV gives sales businesses lots to get excited about.

High value retailers more susceptible to fraud can minimize their risk, while low value, high volume outlets can speed throughput and convenience, and those where service drives repeat business can deliver a raft of new customer-facing loyalty services connected to the consumer’s EMV card.

So, if you are looking to gain greater security, reduce lines, and drive revenue, why wait?

Learn more about EMV benefits here.

Posted October 03, 2019 by FreedomPay

How A Seamless Customer Payment Experience Is The Key To Sales Success

Customers are becoming more demanding, and the retailers who keep up with the latest payments solutions, payments platform and point of sale (POS) systems will be the ones who are the most successful.

Think back just 10 years and no-one was using a smartphone to pay for goods and services. There were no wearable devices like Apple watches or mobile wallets that you could use for payment processing, and when you went to a concert or a coffee shop, you could not order and pay for refreshments in advance and avoid the crowds.

Jump forward a decade, and this is now the norm. Consumer-centric payment technology has advanced to a point where you can even use your face to authorize a payment. As technology continues to progress, the number of ways people want to pay increases, and retailers must keep up to compete.

Seamless customer payment experiences are the key

The importance of a seamless customer payment experience cannot be overstated, and enticing your existing customers back is the key to sales success and customer retention. Assessing data that helps you understand customer behaviour can be strenuous, but there are systems which allow you to undertake a deep, granular analysis of the way different customers interact with retailers: what they buy, how often and, importantly, how they pay for their purchases.

Using this data, you can create a unique loyalty offering, giving your best customers access to discounts, or exclusive events that will give them a great customer experience. Loyalty schemes come in all shapes and sizes, and using the latest technology provides not just a safe, secure and simple payment environment, but one that makes the customer/retailer interaction as beneficial as possible for both parties.

Future payment services could become even more integrated with the advent of open banking across Europe. The possibilities going forward could include the complete removal of transaction fees, direct settlement and even low-cost credit for customers at the checkout.

As a retailer, you want a system that is future-proof, so choose a payment provider that applies new technology to meet the latest data protection regulations, payment systems and the widest possible range of loyalty options.

Posted October 03, 2019 by FreedomPay

Don’t Take Risks! 5 Steps to Understanding PCI Compliance

No matter how big or small your organization, whether you sell products or services or both, if you process, store or transmit credit card or payment data then it’s important to be PCI DSS (Payment Card Industry Data Security Standard) compliant. If you don’t, your business could be at risk from fraud, fines, and a wrecked reputation.

  • Risk from fraud
    Retail fraud surged 30% last year, with merchants now paying nearly $3 for every dollar lost. As more retailers invest in anti-fraud solutions, criminals are targeting retailers with vulnerabilities they can exploit with minimal effort. If you’re not PCI compliant you become easy pickings for them.
  • Risk from fines
    PCI compliance is not legally mandated, so there are no criminal charges if you aren’t compliant. However, if you suffer a data breach while not in full compliance, you could be liable to a steep fine from the PCI Security Standards Council (PCI SSC), and possibly under GDPR (in Europe), which holds you accountable for how you safeguard your customers’ data.
  • Risk from lost reputation
    While your business may find it easy to bounce back financially from any criminal losses or fines, the same is not true for your reputation. Once word gets out that your systems aren’t secure, it can impact even the most loyal customers.

PCI safeguards the payment chain

Being PCI compliant means that your business is either meeting the standards and best practices as outlined within PCI DSS or outsourcing to others who are. In particular, the PCI DSS is designed to protect your key transaction systems and processes including:

  • Card readers and point of sale (POS) systems (hardware and software)
  • Store-based networks and wireless access routers
  • Payment card data storage and transmission (e.g. payment gateways)
  • Payment card data stored in paper-based records
  • Online payment applications and shopping carts

The Standard specifies 12 requirements, which are organized into six control objectives relating to the storage, transmission and processing of cardholder data.

In effect this means that merchants are responsible for compliance wherever they come into contact with customers’ ‘sensitive’ data. That means keeping well documented records and ensuring staff are trained and systems and processes are maintained to PCI standards.

Five Steps to PCI Compliance

No surprise that many sales organizations, already struggling to get to grips with data security, are failing to meet their initial PCI compliance assessments.

So, what’s the best way to make PCI compliance plain sailing? Here are five key steps you can take to keep you on track:

  1. Understand your scope and PCI requirements
    Before you start, it’s important to establish where you currently stand in terms of the PCI criteria. The applicable requirements are different for different businesses (currently 9 categories). These are determined by transaction pathway and exposure to cardholder data. Identifying all the systems and components that are located within, or connected to, your cardholder data environment will give you a good indication of your ‘scope’.
  2. Consider how to aid compliance and reduce scope
    Payment strategy and solutions can have a huge impact on your PCI scope. For example, many online merchants outsource all their payment data handling to third-party service providers. As they never touch or view customer credit cards or raw payment data, their scope is significantly reduced, leaving minimal criteria for them to follow. The risk is carried by their partner, who will be responsible for all applicable PCI requirements. Where you are responsible for customer payment data in card-present scenarios, you can minimize scope using PCI point-to-point encryption (P2PE) in conjunction with tokenization to reduce handling of sensitive data.
  3. Follow the PCI assessment process and use the guides to stay on track
    Completing a PCI self-assessment questionnaire (SAQ) will help you assess your current compliance level. There are different versions of this depending on your type of business (see point 1). The relevant guidebook will take you through the process of identifying your current practice and what you have to do to bring your payment security into line with PCI. There are lots of merchant resources to help on the PCI Security Standards Council website.
  4. Ensure your systems make the grade – and change them if they don’t
    Any gaps flagged in step 3 should be rectified. Fixes may be easy (e.g. tweaking an audit process) or more complex (e.g. changing outdated devices, non-compliant payment platforms and even your payment service provider). You can use the SAQ to re-assess your improvements and make sure you’re ready to proceed to the next stage.
  5. Complete your AOC and inform relevant parties
    Once you’re happy with your SAQ, you can complete a formal attestation of compliance (AOC). This claims your business is fully compliant with all relevant PCI standards (according to your business category). If required, now is the time to have a QSA (qualified security assessor) audit and report on your compliance to validate your own findings. Once approved, you must notify relevant credit card companies and/or banks who may request an additional external vulnerability scan to finalize the process.
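Steps 1 and 2 above hinge on knowing where raw card numbers actually sit in your environment, and on verifying that after moving to P2PE plus tokenization only tokens and masked numbers remain. The following Python scanner is an added example written for this page (not FreedomPay’s code): it flags Luhn-valid card-number-like strings in log lines or records, ignores gateway tokens, masked numbers and unrelated digit runs, and shows the truncated form suitable for display. The sample log lines are constructed; the PAN in them is a public test number.

```python
import re

# Candidate: 13-19 digits, optionally separated by spaces or hyphens,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Truncated form for receipts and screens: only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines) -> dict:
    """Map 1-based line number -> raw PANs found; an empty dict means clean."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            findings[n] = pans
    return findings


# Constructed sample: line 2 leaks a raw (public test) PAN via a debug
# message; the other lines hold only a gateway token, a masked PAN and an
# unrelated 16-digit order id that fails the Luhn check.
SAMPLE_LOG = [
    "2019-10-03 12:01:07 auth ok token=tok_9f3c2a last4=1111 amount=42.10",
    "2019-10-03 12:01:09 DEBUG request pan=4111 1111 1111 1111 exp=1222",
    "2019-10-03 12:01:10 receipt card=************1111 order=1234567890123456",
]

if __name__ == "__main__":
    for n, pans in scan_lines(SAMPLE_LOG).items():
        masked = ", ".join(mask_pan(p) for p in pans)
        print(f"line {n}: raw PAN present ({masked}) - this log is in PCI scope")
```

Any hit means the system writing that line is handling cardholder data and belongs in your scope; the fix is to stop it logging the PAN, not to mask it after the fact.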

The key message is “Don’t leave PCI to chance”. If you’re not certain, it makes sense to get help finding out rather than ignoring the issues and letting your security lag. Most solution providers will be happy to talk through any sticking points. Or you can contact the PCI SSC for a list of approved experts to guide you along the way.

And remember, the PCI DSS is not a tick-in-the-box standard. It is an ongoing process, and checks need to be carried out regularly, which may include an annual audit, to ensure you remain compliant and your customers protected.