The Regulatory Ripple Effect – GDPR & Beyond


The Regulatory Ripple Effect – GDPR & Beyond. Your source for payments education.

Today’s Speakers: Steve Durney (Ethoca); Scott Williams (Digital River)

How do these regulations impact you? General Data Protection Regulation (GDPR); Payment Services Directive (PSD2); California Automatic Renewal Law (ARL)

GDPR: General Data Protection Regulation. Implemented May 25, 2018. Applies to all organizations processing the personal data of EU subjects – wherever the organization is geographically based.

By the Numbers: A Look at GDPR

Recent Fines: £183 Million and £99 Million (GDPR); $5 Billion (FTC)

GDPR in the US: By the end of 2018, 74% of US companies expected to be compliant (Source: TrustArc). 93% project full compliance by the end of 2019 (Source: TrustArc). The main motivator for compliance isn’t the avoidance of fines, but to meet customer expectations.

GDPR and You: A Quick Guide

U.S. firms that have employees or customers in Europe are affected by the GDPR. You must comply with a complex series of rules that include: allow customers to see and delete the data that concerns them; provide notice of data breaches in 72 hours; make data policies transparent to an average person; hire a Chief Data Officer (in some cases); follow “privacy by design” principles.

Note that the rules are different depending on the data in question. Companies that touch special categories of sensitive data should be especially careful.

What happens if a U.S. company doesn’t follow the rules? A fine amounting to the higher of 4% of worldwide revenue or 20 million euros is the maximum punishment.

Merchant Experience: GDPR

[Diagram: Privacy Tracking Tool. Labels: Client, Rectification, Privacy Tracker, Vendor, Erasure, Portability, Compliance Team, Email Summary Dashboard, Inquiry, Interested Party]

How Does GDPR Impact You? NEGATIVE: Possible abuse of the right to erasure; potential loss of fraud insights; merchant representment effectiveness could be impacted. NOTE: It’s still too early to ascertain the true ‘ripple effects’ GDPR will have on fraud.

How Does GDPR Impact You? POSITIVE: Data used for prevention of fraud protected from consent; organizations have improved their incident response strategies; Internet of things security being taken more seriously; businesses are better prepared for U.S. data privacy regulations.

PSD2: Payment Services Directive 2. Effective date: September 2019. Aims to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.

STRONG CUSTOMER AUTHENTICATION (SCA)

Knowledge: something only the user knows (password, code, personal identification number).
Ownership (or possession): something only the user possesses (token, smart card, mobile device).
Inherence: something the user is (biometric characteristic, such as a fingerprint).

PSD2 RTS – SCA Exceptions

A PSP can be exempted from SCA in cases where the PSP’s overall fraud rate is below the EBA reference thresholds.

Exemption Threshold Value, with reference fraud rates for Remote Card-Based Payment and Credit Transfers:
€500: 0.01% (Remote Card-Based Payment), 0.005% (Credit Transfers)
€250: 0.06%
€100: 0.13% (Remote Card-Based Payment), 0.015% (Credit Transfers)

Note: EBA’s fraud requirements are significantly lower than current European CNP fraud rates (approx. 0.3-0.4%). At present both the payees’ and payers’ PSPs could trigger such an exemption, but with the payer’s PSP having the final say.

No SCA required below €30.

PSD2 AND 3DS: In order to comply with PSD2 and SCA requirements, the standard protocol for merchants is to rely on 3DS for affected transactions. 3DS2 has been designed to be less intrusive for customers than its predecessor. But it will introduce friction and will be required for every transaction, not just the riskiest.

Merchant Experience: PSD2

How Does PSD2 Impact You? NEGATIVE: Private consumer data will now be available to more players than ever before; increased payment friction; tighter issuer acceptance rates; banks and overall fraud rate; phone and mail order fraud may increase; fraud shift from EU to US and other regions; shift from transaction to account fraud.

How Does PSD2 Impact You? POSITIVE: Strong customer authentication and 3DS; easier to distinguish between genuine and friendly fraud.

ARL: California revised Automatic Renewal Law. Came into force on July 1, 2018. The updated law requires e-commerce sellers doing business in California to allow online cancellation of auto-renewing memberships or recurring purchases that were initiated online.

The Basics: California Automatic Renewal Law. Online Cancellation; Pricing After a Trial Period; Cancellation After a Trial Period.

Merchant Experience: ARL

How Does ARL Impact You? NEGATIVE: Penalties for failing to comply; need to revise sales/renewal practices.

How Does ARL Impact You? POSITIVE: Better long-term customer experience.

Questions?

Thank you. Don’t forget to submit your session evaluation! Steve Durney, SVP Market Strategy (Ethoca); Scott Williams, Principal Product Manager (Digital River)