How are merchants responding to the GDPR and PSD2 regulations?
To find out more about PSD2 and other new data regulations, we spoke to David Jeffrey, Barclaycard's director of fraud and security products. To find out how we can help your business, call our payment experts on 0800 096 8237*
Fraud is big business in the UK, with some £731.8m lost in 2017 due to unauthorised financial fraud on payment cards, remote banking and cheques. However, the EU's new PSD2 regulation seeks to stem the losses by bringing in more robust security checks for some card payments.
In this interview, Barclaycard director David Jeffrey gives his views on how PSD2 and GDPR are impacting merchants.
Why do we need new security and fraud regulations, such as GDPR and PSD2?
David Jeffrey: The simple answer is that fraud, security threats, and data breaches are increasing at an alarming rate. It’s providing a lucrative marketplace for criminals, and the value of both personal data and card and payments data is increasing.
In fact, some of the latest insights we have from the dark web show that personal data is actually more valuable than card data. It’s not often you change your address and it’s impossible to change your date of birth, but a new credit card can be issued very quickly. The commercial value of personal data is therefore high and it’s probably set to increase.
So it’s important to have new regulations such as GDPR and PSD2 in place to protect our data. It’s the same reason PCI DSS was implemented in 2004 – credit card data was hot among criminals and was being stolen at an increasing rate, so the payments industry came up with new standards to better protect it.
Regulation is a good thing, and though it can be hard work it’s there for a reason and nobody can deny the degree of threat going on in the marketplace at this time.
The deadline for compliance with GDPR was last year for businesses in Europe. What changes have you seen in their approach to data collection since?
DJ: This is an interesting question. On the one hand, GDPR is already business-as-usual for many large corporates. If it’s not, then that opens them up to considerable financial penalties if they aren’t compliant or they suffer a data breach.
A number of other merchants are still working through it and what will really drive implementation of GDPR will be the first data breaches and first penalties that are handed down. That will make businesses realise that this is a threat and penalties are being dished out accordingly.
Businesses still need to think about GDPR in their daily processes and make sure it’s embedded from the ground up. It has to be baked into the core of their processes, product and services, rather than retrofitted on the back. That’s where we’ll see the real step change.
What work have businesses done to comply with the new PSD2 regulations?
DJ: PSD2 is a really hot topic right now. It has been brought in to counter the growing problem of ecommerce fraud, and it’s been a priority for us at Barclaycard because as an acquirer we need to be able to facilitate PSD2.
Strong Customer Authentication (SCA) is a big focus for us, and more and more merchants are starting to focus on it too. PSD2 brings in new standards for multi-factor authentication as of September 2019 and in support of this Visa/MasterCard have also released the new standards for their authentication service ‘3DS 2.0’. This will require merchants to ask for two forms of ID when a customer buys something online for more than €30.
All parties involved in authorising a transaction will need to be involved in facilitating 3DS 2.0 and SCA. The card issuer will need to decide which ID factors they want their cardholders to use, and the acquirer (e.g. Barclaycard) will need to facilitate that as well.
The merchant will be responsible for making sure the card holders are able to submit those forms of ID as part of the checkout experience. There’s a lot of work involved.
PSD2 does also give acquirers the ability to apply exemptions from the €30 limit for SCA. In order to apply this exemption, the acquirer needs to have a certain level of fraud-to-sales performance.
For example, if Barclaycard has a fraud-to-sales level of under 13 basis points, we can offer exemptions for low-risk transactions up to €100, therefore avoiding the need to go through two-factor authentication. That facilitates a more frictionless customer experience, and it’s the first time that acquirers have been so heavily invested in this. As the acquirer’s basis-point performance improves further, these exemptions can be applied to higher-value transactions.
However, the final decision over whether a transaction is authorised and needs to be fully authenticated or not always sits with the issuer. So even if the acquirer applies the exemption flag, the issuer can still require the customer to use two-factor authentication.
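The exemption flow described in the three preceding answers, written out as an added example. This is not Barclaycard's code or a reproduction of any scheme's authorisation API; it models the decision as a function of the amount, the acquirer's fraud rate and an issuer-side risk result. The interview quotes only the 13 basis point / €100 tier; the 6 bp / €250 and 1 bp / €500 tiers added here are the other reference fraud rates from the Annex to the RTS on SCA (Commission Delegated Regulation (EU) 2018/389, Article 18), and the issuer's own risk verdict is an assumed boolean input, since the page says only that the issuer has the final word.

```python
"""Model of the PSD2 SCA exemption decision described in the interview.

Added example, not Barclaycard's code. The 6 bp and 1 bp tiers are taken
from the RTS Annex and go beyond what the interview quotes; the issuer's
risk verdict is an assumed input.
"""
from dataclasses import dataclass
from typing import Optional

# Remote payments at or below this amount can use the low-value exemption
# (RTS Art. 16). The cumulative-amount and consecutive-count counters that
# also apply to that exemption are omitted here.
LOW_VALUE_LIMIT_EUR = 30.00

# Transaction risk analysis (TRA) tiers as (max acquirer fraud rate in
# basis points, max transaction amount in EUR). The first tier is the one
# the interview quotes; the others are added from the RTS Annex. Ordered
# from the strictest fraud rate so the first match is the largest limit.
TRA_TIERS = [
    (1, 500.00),
    (6, 250.00),
    (13, 100.00),
]


def tra_exemption_limit(fraud_rate_bps: float) -> float:
    """Highest amount the acquirer may flag under TRA given its reference
    fraud rate; 0.0 when it qualifies for no tier. The RTS wording is
    'equivalent to or below' the reference rate, hence <=."""
    for max_rate, limit in TRA_TIERS:
        if fraud_rate_bps <= max_rate:
            return limit
    return 0.0


@dataclass
class Transaction:
    amount_eur: float
    acquirer_fraud_rate_bps: float
    acquirer_low_risk: bool  # outcome of the acquirer's real-time risk analysis
    issuer_low_risk: bool    # assumed: outcome of the issuer's own risk analysis


def acquirer_flags_exemption(tx: Transaction) -> Optional[str]:
    """Which exemption, if any, the acquirer can request on this payment."""
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low-value"
    if tx.acquirer_low_risk and tx.amount_eur <= tra_exemption_limit(
        tx.acquirer_fraud_rate_bps
    ):
        return "tra"
    return None


def issuer_decision(tx: Transaction, requested: Optional[str]) -> str:
    """The issuer always decides: it may honour the acquirer's flag or step
    the cardholder up to full SCA regardless of the flag."""
    if requested is None:
        return "sca-required"
    if requested == "tra" and not tx.issuer_low_risk:
        return "sca-required"  # issuer override, as the interview describes
    return "frictionless"


def route(tx: Transaction) -> str:
    """End-to-end outcome for one transaction: acquirer flag, then issuer."""
    return issuer_decision(tx, acquirer_flags_exemption(tx))


if __name__ == "__main__":
    # Constructed sample transactions, not real payment data.
    samples = {
        "EUR 25 basket, any fraud rate": Transaction(25.00, 20, False, False),
        "EUR 80, acquirer at 12 bps, issuer agrees": Transaction(80.00, 12, True, True),
        "EUR 80, acquirer at 12 bps, issuer overrides": Transaction(80.00, 12, True, False),
        "EUR 150, acquirer at 12 bps": Transaction(150.00, 12, True, True),
        "EUR 150, acquirer at 5 bps": Transaction(150.00, 5, True, True),
    }
    for label, tx in samples.items():
        print(f"{label}: {route(tx)}")
```

The two things a merchant integrator should take from the model: the acquirer's flag is only a request, so checkout must still be able to present the issuer's challenge even on flagged transactions, and the reachable TRA limit moves with the acquirer's measured fraud rate rather than being a fixed property of the merchant.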
Is the resource needed to comply with GDPR and PSD2 a barrier to growth?
DJ: No, I don’t think it is. GDPR is a multi-layered approach, so with large corporations there’s an expectation they will have more resources to comply with it and arguably they collect more data. Businesses over a certain size will need a data privacy officer in place, for example, whereas smaller businesses don’t have to comply with that requirement.
For PSD2 all the necessary payment rails are there and merchants can access them by working with the right intermediaries. It’s about working with the right experts who can take on a lot of the heavy lifting, so merchants can focus on what’s important for them rather than worrying about authentication, data security, etc.
Have your conversations with merchants about fraud changed in recent years?
DJ: Unequivocally, yes. Going back a number of years, we were almost having to beat down merchants’ doors to get them to talk to us about security and fraud. It used to be perceived as one of those necessary evils, but now businesses come to us to have those conversations, as they see the potential costs involved in not having the proper fraud protection in place.
Another change is that our conversations with merchants are now about increasing conversion rates as well as reducing fraud. Merchants want to filter out fraudulent transactions without blocking real customers, so conversations are much more centred around that.
What’s your Strong Customer Authentication strategy?
Like all regulation, Strong Customer Authentication (SCA) brings new challenges. But with the right strategies in place, merchants can be compliant, help reduce fraud and offer secure payments. For more information, see our whitepaper: Demystifying the payment landscape: PSD2, SCA and the security challenge.