Many online businesses are feeling as though they’re caught up in a compliance whirlwind. Companies invested time, thought and effort into ensuring compliance with the European GDPR legislation. However, rather than being able to take a step back and review the new situation, they now must immediately prepare for the revised Payment Services Directive: PSD2.
The fact that both of these compliance burdens have fallen on businesses in such a short time is not coincidental. It reflects the increasing focus on the importance of consumer privacy and data protection. The internet has changed how we store and share data in ways that would have been unimaginable even ten years ago, and legislation is now trying to catch up.
Finding the Balance: Convenience Versus Security
The delicate balancing act that all companies perform in today’s world is finding the right compromise between rigid security and a smooth customer experience. Too strict, and users experience frustration or even abandon shopping carts in favor of competitors. Too lax, and valuable data is left vulnerable to exploitation and misuse.
It can be hard to remember the benefits when you’re caught up in what feels like an endless checklist of compliance requirements, but ultimately, both GDPR and PSD2 were designed to help EU consumers — and companies — find the right balance.
GDPR aimed to ensure that consumers are aware of where and how their data is shared, and that companies become more careful about their policies, procedures and reactions relating to data. This, in turn, should lead to customers feeling more comfortable about how their data is used and therefore more confident in sharing it. This confidence boost is important, given that 72% of those surveyed in a recent Forter report were concerned about their private details being stolen via a retailer’s website.
PSD2 was created to open up access to account data, breaking the monopoly on that access previously enjoyed by a very limited number of payments organizations, notably banks. The hope is that this will usher in a new era of “open banking” in which customers have unprecedented freedom in how they access financial services. Because that same access can be exploited, the directive also includes a Strong Customer Authentication (SCA) requirement: the payer must be verified with at least two independent factors (something they know, something they have, or something they are) at the point of transaction, so that opening the data does not mean opening it to fraud.
Not Just a European Phenomenon
GDPR and PSD2 are European initiatives, but it is important to appreciate that the impact of the shift towards data protection and privacy is not purely a European concern. For one thing, many businesses which operate within the EU are global rather than EU-specific, and EU legislation is something that international businesses need to account for.
Beyond GDPR and PSD2, public concern about how data is handled is not confined to the EU. In June 2018 California passed its own Consumer Privacy Act, which bears resemblance to GDPR. The act does not come into effect until January 2020, leaving time for legislators to make changes and companies to prepare, but it is a significant sign of the way that these themes are becoming a global discussion.
More broadly, consumers themselves have begun to voice concerns about privacy and data control and management. A report from the International Data Corporation found that 84% of U.S. consumers are concerned about the security of their personally identifiable information. Businesses that are not sensitive to this concern may risk losing business as customers turn to other companies that value security and privacy.
Future-Proof Your Business
Compliance is vital to any global business, but merchants must also prepare for the future of compliance. Companies should start structuring their systems and processes with an eye to data security and privacy concerns as a natural and fundamental part of their framework. Additionally, it is time for all departments to become aware of compliance considerations and how they affect their business, rather than leaving it solely to the infosec or legal professionals.
In this way merchants can begin to ensure that their business, tools and solutions are not only compliant today, but also future-proofed against the changes and demands that evolving attitudes towards data protection will bring with them.