How are merchants responding to the GDPR and PSD2 regulations?

DJ: This is an interesting question. On one hand GDPR is already business-as-usual for many large corporates. If it’s not, then that opens them up to considerable financial penalties if they aren’t compliant or they suffer a data breach.

A number of other merchants are still working through it and what will really drive implementation of GDPR will be the first data breaches and first penalties that are handed down. That will make businesses realise that this is a threat and penalties are being dished out accordingly.

Businesses still need to think about GDPR in their daily processes and make sure it’s embedded from the ground up. It has to be baked into the core of their processes, product and services, rather than retrofitted on the back. That’s where we’ll see the real step change.

DJ: PSD2 is a really hot topic right now. It has been brought in to counter the growing problem of ecommerce fraud, and it’s been a priority for us at Barclaycard because as an acquirer we need to be able to facilitate PSD2.

Strong Customer Authentication (SCA) is a big focus for us, and more and more merchants are starting to focus on it too. PSD2 brings in new standards for multi-factor authentication as of September 2019 and in support of this Visa/MasterCard have also released the new standards for their authentication service ‘3DS 2.0’. This will require merchants to ask for two forms of ID when a customer buys something online for more than €30.

All parties involved in authorising a transaction will need to be involved in facilitating 3DS 2.0 and SCA. The card issuer will need to decide which ID factors they want their cardholders to use, and the acquirer (e.g. Barclaycard) will need to facilitate that as well.

The merchant will be responsible for making sure the card holders are able to submit those forms of ID as part of the checkout experience. There’s a lot of work involved.

PSD2 does also give acquirers the ability to apply exemptions from the €30 limit for SCA. In order to apply this exemption, the acquirer needs to have a certain level of fraud-to-sales performance.

For example, if Barclaycard has a fraud-to-sales level of under 13 basis points, we can offer exemptions for low risk transactions up to €100 therefore avoiding the need to go through two-factor authentication. That facilitates a more frictionless customer experience and it’s the first time that acquirers have been so heavily invested in this. As the acquirer basis point performance improves further, these exemptions can be applied to higher value transactions.

However, the final decision over whether a transaction is authorised and needs to be fully authenticated or not always sits with the issuer. So even if the acquirer applies the exemption flag, the issuer can still require the customer to use two-factor authentication.

DJ: No, I don’t think it is. GDPR is a multi-layered approach, so with large corporations there’s an expectation they will have more resources to comply with it and arguably they collect more data. Businesses over a certain size will need a data privacy officer in place, for example, whereas smaller businesses don’t have to comply with that requirement.

For PSD2 all the necessary payment rails are there and merchants can access them by working with the right intermediaries. It’s about working with the right experts who can take on a lot of the heavy lifting, so merchants can focus on what’s important for them rather than worrying about authentication, data security, etc.

DJ: Unequivocally, yes. Going back a number of years, we were almost having to beat down merchant’s doors to get them to talk to us about security and fraud. It used to be perceived as one of those necessary evils, but now businesses come to us to have those conversations as they see the potential costs involved in not having the proper fraud protection in place.

Another change is that our conversations with merchants are now about increasing conversion rates as well as reducing fraud. Merchants want to filter out fraudulent transactions without blocking real customers, so conversations are much more centred around that.