Light speed patterns in road

GDPR and PSD2: The Balancing Act of Data Sharing and Privacy



GDPR and PSD2: The Balancing Act of Data Sharing and Privacy

Fresh from last year’s scramble to understand and meet GDPR requirements, companies are starting to turn their attention to the EU’s new Payment Services Directive (PSD2) and its September 2019 compliance deadline.

There’s a lot of overlap between GDPR and PSD2, but at first glance there are also some discrepancies. With GDPR, companies have been locking down their data in order to maximize their chances of being compliant. But the open banking and strong customer authentication aspects PSD2 actually encourage company to share data more broadly.

At Ekata, we believe that GDPR and PSD2 will both work with each other to make data more secure while decreasing friction for customers. I recently spoke with Karen Webster, CEO of, about how companies can prepare.

More data points means better authentication

Right now, the 3D Secure protocol adds a layer of protection to online debit and credit card transactions and helps prevent unauthorized card not present (CNP) transactions. The 3D Secure 2.0 protocol, which is being rolled out in support of PSD2, will make that protection even stronger.

One way it will do that is by going from transferring 11 data points to over 100 element as part of its authorization message. All the supplemental data being passed through as part of the authorization message will allow for a greater overall risk assessment on the part of the card issuer. That means better protections for the cardholder and better authorization rates, as well as allowing merchants to be comfortable with the idea of challenging consumers less, therefore increasing conversion rates.

More data points means greater trust

Individual companies are already using data to identify known and trusted customers in order to reduce friction in later transactions. With 3D Secure 2.0 and the data sharing directives in PSD2, good customers can be identified throughout the payment ecosystem and be given less friction even when shopping at new merchants.
At Ekata, we’re already using identity data across our network of customers—in an aggregated and anonymized way that is compliant with GDPR—to help merchants feel confident that a customer is who they say they are. The insights that data aggregators like Ekata and payment services providers can get through responsible, GDPR-compliant data sharing can have incredible benefits to merchants and consumers alike.

Are you ready for PSD2?

With that in mind, it’s important that merchants start preparing for PSD2’s regulatory changes to go into effect. Here are our recommendations:

Take your cues from companies who are actively working with regulators.

Within the payments ecosystem, the big players such as Visa and MasterCard are on the forefront of interpretation when it comes to understanding the regulations. We encourage small and medium-size firms to look to their payment services providers to figure out how to best implement data sharing measures.

Make sure all payment methods protect customers.

More companies are looking at alternative payment methods—such as Alipay for Chinese consumers—in order to stay competitive. However, before adopting a new payment method, be very aware of the protections it gives to consumers. For example, the ability to do a chargeback with a credit card, as opposed to much less protected cryptocurrency methods like Bitcoin.

Take a realistic look at your data strategy.

In an ideal world, every company has already overhauled their data strategy in order to comply with GDPR’s requirements for data storage and access requests. As we at the Ekata know from experience, however, it’s a much bigger job than it may at first appear. If you haven’t already, take time to figure out where data is stored, how to modify it, and what your overall data strategy is.

Mastercard Identity Avatar

About the Author

Related content