1
The Regulatory Ripple Effect – GDPR & Beyond
Your source for payments education The Regulatory Ripple Effect – GDPR & Beyond
2
Today’s Speakers
Steve Durney – Ethoca
Scott Williams – Digital River
3
How do these regulations impact you?
General Data Protection Regulation (GDPR)
Payment Services Directive (PSD2)
California Automatic Renewal Law (ARL)
4
GDPR: General Data Protection Regulation
Implemented May 25, 2018
Applies to all organizations processing the personal data of EU subjects – wherever the organization is geographically based.
5
By the Numbers: A Look at GDPR
6
Recent Fines
GDPR: £183 Million, £99 Million
FTC: $5 Billion
7
GDPR in the US
By the end of 2018, 74% of US companies expected to be compliant (Source: TrustArc)
93% project full compliance by the end of 2019 (Source: TrustArc)
The main motivator for compliance isn’t the avoidance of fines, but to meet customer expectations.
8
GDPR and You: A Quick Guide
U.S. firms that have employees or customers in Europe are affected by the GDPR. You must comply with a complex series of rules that include:
Allow customers to see and delete the data that concerns them
Provide notice of data breaches in 72 hours
Make data policies transparent to an average person
Hire a Chief Data Officer (in some cases)
Follow “privacy by design” principles
Note that the rules are different depending on the data in question. Companies that touch special categories of sensitive data should be especially careful.
What happens if a U.S. company doesn’t follow the rules? A fine amounting to the higher of 4% of worldwide revenue or 20 million euros is the maximum punishment.
9
Merchant Experience GDPR
10
[Diagram: Privacy Tracking Tool. Labels shown: Client, Rectification, Privacy Tracker, Vendor, Erasure, Portability, Compliance Team, Summary Dashboard, Inquiry, Interested Party]
11
How Does GDPR Impact You?
NEGATIVE
Possible abuse of the right to erasure
Potential loss of fraud insights
Merchant representment effectiveness could be impacted
NOTE: It’s still too early to ascertain the true ‘ripple effects’ GDPR will have on fraud.
12
How Does GDPR Impact You?
POSITIVE
Data used for prevention of fraud protected from consent
Organizations have improved their incident response strategies
Internet of things security being taken more seriously
Businesses are better prepared for U.S. data privacy regulations
13
PSD2: Payment Services Directive 2
Effective date: September 2019
Aims to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.
14
STRONG CUSTOMER AUTHENTICATION (SCA)
Knowledge: something only the user knows (password, code, personal identification number)
Ownership (or possession): something only the user possesses (token, smart card, mobile device)
Inherence: something the user is (biometric characteristic, such as a fingerprint)
15
PSD2 RTS – SCA Exceptions
A PSP can be exempted from SCA in cases where the PSP’s overall fraud rate is below the EBA reference thresholds:

| Exemption Threshold Value | Remote Card-Based Payment | Credit Transfers |
| --- | --- | --- |
| €500 | 0.01% | 0.005% |
| €250 | 0.06% | |
| €100 | 0.13% | 0.015% |

Note: EBA’s fraud requirements are significantly lower than current European CNP fraud rates (approx %).
At present both the payee’s and payer’s PSPs could trigger such an exemption, but with the payer’s PSP having the final say.
No SCA required below €30
16
PSD2 AND 3DS
In order to comply with PSD2 and SCA requirements, the standard protocol for merchants is to rely on 3DS for affected transactions.
3DS2 has been designed to be less intrusive for customers than its predecessor. But it will introduce friction and will be required for every transaction, not just the riskiest.
17
Merchant Experience PSD2
18
How Does PSD2 Impact You? NEGATIVE
Private consumer data will now be available to more players than ever before
Increased payment friction
Tighter issuer acceptance rates
Banks and overall fraud rate
Phone and mail order fraud may increase
Fraud shift from EU to US and other regions
Shift from transaction to account fraud
19
How Does PSD2 Impact You? POSITIVE
Strong customer authentication and 3DS
Easier to distinguish between genuine and friendly fraud
20
ARL: California revised Automatic Renewal Law
Came into force on July 1, 2018
The updated law requires e-commerce sellers doing business in California to allow online cancellation of auto-renewing memberships or recurring purchases that were initiated online.
21
The Basics: California Automatic Renewal Law
Online Cancellation
Pricing After a Trial Period
Cancellation After a Trial Period
22
Merchant Experience ARL
23
How Does ARL Impact You? NEGATIVE
Penalties for failing to comply
Need to revise sales/renewal practices
24
How Does ARL Impact You? POSITIVE
Better long-term customer experience
25
Questions?
26
Thank you Don’t forget to submit your session evaluation!
Steve Durney, SVP Market Strategy (Ethoca) Scott Williams, Principal Product Manager (Digital River)