As e-commerce continues to enable global expansion for merchants, companies that want to leverage European markets are subject to several recent regulatory changes. A panel of experts at this year’s CNP Expo in San Francisco discussed compliance in Europe with the second Payment Services Directive (PSD2), the most recent evolution of 3-D Secure authentication (3DS 2.0) and the General Data Protection Regulation (GDPR).
One component of PSD2 is strong customer authentication. However, the idea that changes need to be in place for every transaction that happens in the EU can be overwhelming. Tedd Huff, vice president for CNP product at Nuvei, assuaged some of those fears by clarifying that, “The acquiring platform and the issuing platform both have to be located in the EU to be impacted by PSD2.”
3DS 2.0, the mechanism for a merchant and a card issuer to exchange information prior to authorization, is increasingly important, according to Kevin Crockett, senior director of GCS at Cardinal. “When we look across the global payments ecosystem, we are seeing 23 percent growth in global sales, 25 percent growth in global declines and 16 percent growth in card-not-present fraud.”
Although GDPR will soon celebrate its one-year anniversary, some companies have done a cost-benefit analysis and determined that they can “roll the dice” on the risk of being fined for non-compliance. Huff said that is not recommended.
One impact of GDPR and other privacy regulations involves the individual’s right to be forgotten, as this can potentially open an avenue for fraud. “From a fraudster’s perspective, they can abuse the right to be forgotten. If I’m using stolen credit cards, I know merchants are putting together technologies. A fraudster can call in as an EU customer and say, ‘I don’t want you to use my data,’” said Ajay Guru, founder at Savant Intuition.