Despite the encroaching September deadline for strong customer authentication (SCA) under the second Payment Services Directive (PSD2), merchants and payments market participants are equally concerned about the ramifications of the already-mandated General Data Protection Regulation (GDPR), according to Chris Kronenthal, chief technology officer (CTO) at FreedomPay.
“They’re equally important to merchants from what we see. And those are the primary two, especially when you look at the penalties for firms like British Airways and others, those fines are starting to get very real now that the legislation has been in place.”
In early July the Information Commissioner’s Office (ICO) announced that it would be fining UK airline British Airways £183m for infringements of GDPR. The airline had allowed traffic from its website to be diverted to a third-party fraudulent page.
Other firms to have been penalised under the legislation include Google, which was fined €50m by the French data regulator CNIL in January; an unnamed Polish data brokerage firm, which was censured in March for failing to inform 6m people that their data was being misused; and Marriott International, fined £99m for a cybersecurity incident exposing 339m data records.
Data from the European Commission, published in May, revealed that 89,271 complaints were lodged with data protection authorities regarding GDPR in 2018. It also showed that only 20% of Europeans were aware of which public authority in their country is responsible for the regulation.
“Sometimes when a big deadline hits, like Y2K, nothing happens. GDPR went into place and there wasn’t some huge fireworks show, it’s just a bogeyman out there. Now that enough time has passed, there has been a second wave of awareness, people are realizing ‘holy smokes, this thing has got some teeth in it.’ The last two presentations I participated in at a merchant level, with global hotel operators, the first two things they asked for was guidance on GDPR and PSD2. A lot of people are still struggling to operationalize GDPR and are confused about what PSD2 and SCA means for them.”
Kronenthal does believe that things will get better with time, because providers will eventually become more familiar with their regulatory requirements. “I do think there will be a year’s worth of pain and baking in, but probably after 18-24 months you’re going to start seeing [the regulation] becoming a comfortable concept for people.”
The FreedomPay CTO points to PCI Data Security Standard (PCI DSS) compliance as an example. “PCI was ridiculous for some people. The first time you see a standard which says that as a merchant you must solve for 300 or 400 controls it just blows your mind. Once you put all that in place, you start operationalizing it and you have your first audit, you get a little bit better at it. By your third audit, you’re mostly checking the boxes.
“But it’s going to take a longer tail than most people think to fully bake in, whether or not additional legislation comes up that does create it as a repetitive process. As with anything the reality is at some point there will be a breaking point, because with so much regulation it does require levels of overhead that ultimately increase costs. There’s going to have to be this balance point between how much legislation and regulation can be done within reasonable limits of a merchant’s ability to cost efficiently put them in place.”
On whether technology providers can help furnish firms with the right technology to comply with new regulations, Kronenthal believes that there is a “huge” solution gap in the market. “A lot of the providers, especially on the incumbent side, are still solving the same problems with the same tools. Legacy players are doubling down on other legacy players by forming partnerships with each other, and that’s not enabling new functionality in the market. It’s emblematic of the industry, with a lot of the same entrenched players trying to wrap the same toolkits and offerings into one another.
“There is a lot of technical overhead when using a legacy solution, whether or not because they’re using semi-integrated devices, or integration endpoints require the merchant on an enterprise level to do a lot of work themselves. For a lot of merchants, a lot of companies fail at that problem, and so they end up using only the baseline features and functionality that work, check those boxes and do the minimum.”