How are merchants responding to the GDPR and PSD2 regulations?

The quickest way to frustrate a customer

Thursday 30 August 2018

Fraud is big business in the UK, with some £731.8m lost in 2017 to unauthorised financial fraud on payment cards, remote banking and cheques.

However, the EU's revised Payment Services Directive (PSD2) seeks to stem those losses by requiring Strong Customer Authentication (SCA) for online card payments unless an exemption applies. To find out more about PSD2 and other new data regulations, we spoke to David Jeffrey, Barclaycard’s director of fraud and security products.

David heads up the fraud and risk space, dealing with everything from PCI DSS compliance and the governance around it, to PSD2, strong authentication, machine learning and data science.


1. David, why do we need new security and fraud regulations, such as GDPR and PSD2?

David Jeffrey: The simple answer is that fraud, security threats, and data breaches are increasing at an alarming rate. It’s providing a lucrative marketplace for criminals, and the value of both personal data and card and payments data is increasing.

In fact, some of the latest insights we have from the dark web show that personal data is actually more valuable than card data. It’s not often you change your address and it’s impossible to change your date of birth, but a new credit card can be issued very quickly. The commercial value of personal data is therefore high and it’s probably set to increase.

So it’s important to have new regulations such as GDPR and PSD2 in place to protect our data. It’s the same reason PCI DSS was implemented in 2004 – credit card data was hot among criminals and was being stolen at an increasing rate, so the payments industry came up with new standards to better protect it.

Regulation is a good thing, and though it can be hard work it’s there for a reason and nobody can deny the degree of threat going on in the marketplace at this time.


2. The deadline for compliance with GDPR was 25th May 2018 for businesses in Europe. What changes have you seen in businesses' approach to data collection since the deadline?

DJ: The way businesses approach data collection changed a lot in the lead up to the GDPR deadline in May. In my personal experience as a consumer, lots of businesses have contacted me asking me to give them permission to store my data. We’re seeing lots more opt-in requests and businesses are being more specific and upfront about why they need consumer data.

At Barclaycard we’re having a lot of conversations with businesses around housekeeping. As a merchant, if you don’t know what data you have how can you make sure you comply with the rules? So the first part of GDPR is understanding what data you have and how it’s being stored.

There’s also an increasing interest in hosted solutions, such as pay pages hosted by the merchant’s payment gateway supplier. That can take a lot of the hard work out of GDPR compliance – the data never touches your environment, so you’re not directly responsible for making it secure.

David Jeffrey, Barclaycard director of fraud and security products:
"PSD2 is a really important topic at the moment and it's a big priority for us at Barclaycard. It brings in new standards for multi-factor authentication as of September 2019, so merchants and the payments industry are working hard to ensure we implement the new security criteria without harming the customer experience."


3. How much work is still to be done until businesses see GDPR as just business as usual?

DJ: This is an interesting question. On one hand GDPR is already business-as-usual for many large corporates. If it’s not, then that opens them up to considerable financial penalties if they aren’t compliant or they suffer a data breach.

A number of other merchants are still working through it and what will really drive implementation of GDPR will be the first data breaches and first penalties that are handed down. That will make businesses realise that this is a threat and penalties are being dished out accordingly.

Businesses still need to think about GDPR in their daily processes and make sure it’s embedded from the ground up. It has to be baked into the core of their processes, product and services, rather than retrofitted on the back. That’s where we’ll see the real step change.


4. Similarly, what work have businesses done to comply with the new PSD2 regulations?

DJ: PSD2 is a really hot topic right now. It has been brought in to counter the growing problem of ecommerce fraud, and it’s been a priority for us at Barclaycard because as an acquirer we need to be able to facilitate PSD2.

Strong Customer Authentication (SCA) is a big focus for us, and more and more merchants are starting to focus on it too. PSD2 brings in new standards for multi-factor authentication as of September 2019 and in support of this Visa/MasterCard have also released the new standards for their authentication service ‘3DS 2.0’. This will require merchants to ask for two forms of ID when a customer buys something online for more than €30.

All parties involved in authorising a transaction will need to be involved in facilitating 3DS 2.0 and SCA. The card issuer will need to decide which ID factors they want their cardholders to use, and the acquirer (e.g. Barclaycard) will need to facilitate that as well. The merchant will be responsible for making sure the cardholders are able to submit those forms of ID as part of the checkout experience. There’s a lot of work involved.

PSD2 does also give acquirers the ability to apply exemptions from the €30 limit for SCA. In order to apply this exemption, the acquirer needs to have a certain level of fraud-to-sales performance.

For example, if Barclaycard has a fraud-to-sales level of under 13 basis points, we can offer exemptions for low risk transactions up to €100 therefore avoiding the need to go through two-factor authentication. That facilitates a more frictionless customer experience and it’s the first time that acquirers have been so heavily invested in this. As the acquirer basis point performance improves further, these exemptions can be applied to higher value transactions.

However, the final decision over whether a transaction is authorised and needs to be fully authenticated or not always sits with the issuer. So even if the acquirer applies the exemption flag, the issuer can still require the customer to use two-factor authentication.
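The exemption flow David describes has three moving parts: the acquirer's fraud-to-sales ratio (in basis points) sets a ceiling on the transaction value it may flag as exempt, the acquirer flags a low-risk transaction under that ceiling, and the issuer keeps the final say and may still demand two-factor authentication. The following Python is an added illustration of that decision flow, not Barclaycard's code or the 3DS 2.0 protocol. The €30 cutoff and the 13 basis points / €100 tier are the figures given in the interview; the two stricter tiers (6 bp / €250 and 1 bp / €500) go beyond the page and are taken from Article 18 of the PSD2 RTS (Delegated Regulation (EU) 2018/389). The `low_risk` flag stands in for the acquirer's real-time transaction risk scoring, which is assumed rather than implemented, and the quarterly fraud and sales figures are constructed.

```python
# Added illustration (not Barclaycard code) of the PSD2 SCA / TRA exemption
# decision described in the interview.
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")  # interview: SCA needed above EUR 30

# Transaction Risk Analysis (TRA) tiers as (max acquirer fraud rate in basis
# points, max transaction value in EUR). The 13 bp / EUR 100 tier is from the
# interview; the two stricter tiers come from Article 18 of the PSD2 RTS
# (Delegated Regulation (EU) 2018/389). Ordered strictest to loosest.
TRA_TIERS = (
    (Decimal("1"), Decimal("500")),
    (Decimal("6"), Decimal("250")),
    (Decimal("13"), Decimal("100")),
)


def fraud_rate_bp(fraud_value, total_value):
    """Fraud-to-sales ratio in basis points (1 bp = 0.01%).

    The RTS computes this per quarter as the total value of unauthorised or
    fraudulent remote card transactions over the total value of all remote
    card transactions. Both inputs must be in the same currency unit.
    """
    fraud_value, total_value = Decimal(fraud_value), Decimal(total_value)
    if total_value <= 0:
        raise ValueError("total transaction value must be positive")
    return fraud_value / total_value * Decimal(10_000)


def tra_ceiling(acquirer_rate_bp):
    """Highest transaction value the acquirer may flag as TRA-exempt.

    Returns EUR 0 when the acquirer's fraud rate is above 13 bp: no TRA
    exemption may then be claimed for any amount.
    """
    rate = Decimal(acquirer_rate_bp)
    for max_rate, ceiling in TRA_TIERS:
        if rate <= max_rate:
            return ceiling
    return Decimal("0")


def acquirer_decision(amount, acquirer_rate_bp, low_risk):
    """What the acquirer sends towards the issuer for one card-not-present payment.

    ``low_risk`` stands in for the acquirer's real-time risk scoring of this
    transaction (assumed, not implemented here). Returns one of:
      "low_value"  - at or under EUR 30, no SCA requested
      "tra_exempt" - acquirer claims the TRA exemption
      "challenge"  - acquirer asks for full two-factor authentication
    """
    amount = Decimal(amount)
    if amount <= LOW_VALUE_LIMIT:
        # The RTS also caps the low-value exemption with cumulative counters
        # (EUR 100 or five consecutive uses since the last SCA); those are
        # tracked on the issuer side and are omitted here.
        return "low_value"
    if low_risk and amount <= tra_ceiling(acquirer_rate_bp):
        return "tra_exempt"
    return "challenge"


def issuer_decision(acquirer_flag, issuer_requires_sca):
    """The issuer has the final say: it may honour or override any exemption flag."""
    if acquirer_flag != "challenge" and issuer_requires_sca:
        return "challenge"
    return acquirer_flag


def authenticate(amount, fraud_value, total_value, low_risk, issuer_requires_sca):
    """End-to-end outcome for one payment, given the acquirer's quarterly figures."""
    rate = fraud_rate_bp(fraud_value, total_value)
    return issuer_decision(acquirer_decision(amount, rate, low_risk), issuer_requires_sca)


if __name__ == "__main__":
    # Constructed quarter: EUR 120,000 of fraud on EUR 100,000,000 of remote
    # card sales, i.e. 12 bp, inside the 13 bp / EUR 100 tier.
    print(authenticate(80, 120_000, 100_000_000, True, False))   # tra_exempt
    print(authenticate(80, 120_000, 100_000_000, True, True))    # challenge (issuer overrides)
    print(authenticate(150, 120_000, 100_000_000, True, False))  # challenge (above EUR 100 ceiling)
    print(authenticate(150, 50_000, 100_000_000, True, False))   # tra_exempt (5 bp gives EUR 250 ceiling)
```

The point to take from the last two calls is the one David makes: the same €150 transaction is exempt or not depending purely on the acquirer's quarterly fraud rate, and even a valid exemption flag is only a request until the issuer accepts it.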


5. Is the resource needed to comply with GDPR and PSD2 a barrier to growth, particularly for SMEs rather than corporates who might have departments dedicated to security and fraud?

DJ: No, I don’t think it is. GDPR is a multi-layered approach, so with large corporations there’s an expectation they will have more resources to comply with it and arguably they collect more data. Businesses over a certain size will need a data privacy officer in place, for example, whereas smaller businesses don’t have to comply with that requirement.

For PSD2 all the necessary payment rails are there and merchants can access them by working with the right intermediaries. It’s about working with the right experts who can take on a lot of the heavy lifting, so merchants can focus on what’s important for them rather than worrying about authentication, data security, etc.


6. Has the nature of the conversations you have with merchants about fraud changed in recent years?

DJ: Unequivocally, yes. Going back a number of years, we were almost having to beat down merchants’ doors to get them to talk to us about security and fraud. It used to be perceived as one of those necessary evils, but now businesses come to us to have those conversations as they see the potential costs involved in not having the proper fraud protection in place.

Another change is that our conversations with merchants are now about increasing conversion rates as well as reducing fraud. Merchants want to filter out fraudulent transactions without blocking real customers, so conversations are much more centred around that.

More information

For more on PSD2, read our overview of the new regulation and its impact on payments.
