GDPR and PSD 2: What do they mean for your business?

Last updated January 2022

No modern business has the luxury of ignoring digital security. In the wake of massive fines levied by government agencies on companies like Facebook, Marriott, and British Airways, businesses of all sizes can’t afford lax practices around keeping their customers’ data private and payment information safe. Strong security builds trust with customers.

GDPR, short for the General Data Protection Regulation, is a European Union digital privacy law that went into effect in 2018. PSD2, the updated version of the EU’s Payment Services Directive, was set to go live in September 2019, but the UK’s Financial Conduct Authority (FCA) is delaying its enforcement until March 2021, and the EU is readying a delay as well. To make sure you don’t make an inadvertent, expensive mistake, make sure you know how GDPR and PSD2 impact your company.

What is GDPR?

Does it affect non-EU businesses? – Yes

The General Data Protection Regulation sets detailed rules on what businesses have to do to keep consumer data private and what control consumers have over their data. This law is applied to any business that has customers in the European Union, even if that business is not located in the EU. The maximum penalty for breaking GDPR is 4% of a business’s annual revenue!

The most important provisions for business managers focus on customer email practices, data collection, and data security. For example, businesses are not allowed to automatically add EU customers to their email lists without each customer’s explicit permission. You have to be able to show customers what data you keep about them and give them the opportunity to download it. You also have to honor customer requests to stop emails and delete their data.

What is PSD2?

Does it affect non-EU businesses? – No

The Payment Services Directive is a regulation focused on payment security. The biggest change is for EU-to-EU payments. If your business has no presence in the EU, it doesn’t have to worry about PSD2. But if you operate within EU borders, you’ll need to be compliant by the pending deadline.

A key component of PSD2 is 3DS2. Is your head spinning from all of these acronyms yet? The basic idea is that all covered online payments will use two-factor authentication. This upgrade to “card not present” payments adds a huge layer of security that thwarts online payment fraud. At the same time, it should improve approval rates for legitimate payments. This leads to an all-around better customer experience and decreased risk.

Every business should be GDPR compliant

Whether you are located in the EU or not, you should definitely make sure your business is compliant with GDPR. Fortunately, most major third-party service providers for email lists, social media tools, and online advertising already offer GDPR compliance options. You just have to enable them, and you will have done most of the work.

If you work with a large number of customers and are not sure if GDPR applies to you, consult with a legal expert who can audit your business for any potential compliance issues. If you get caught, that penalty of up to 4% of your revenue can be a lot to swallow. Marriott and British Airways were recently targeted by nine-figure fines for GDPR violations. That is an example nobody wants to follow.

Bigger businesses will have a bigger hurdle to cross to get compliant, but it is worth the effort. In the current digital and legal climate, every single business with an online presence has to pay attention to GDPR.

EU businesses must follow PSD2

PSD2 is far less daunting for most international companies. Unless you have a physical presence accepting payments inside of the EU, you most likely get a pass on this one. If you are involved in EU-to-EU payments, however, this does apply to you.

Short for 3D Secure, 3DS2 is a major update to a set of security protocols established in 2001. The update adds the same type of two-factor authentication you may already have with a bank account, company-issued laptop, or even your email account. The original 3DS gave rise to checkout tools like Verified by Visa. 3DS2 takes it to the next level.

By adding another data point in the transaction, payment processors are in a better position to identify fraudulent purchases and stop them in their tracks, saving banks, merchants, and ultimately customers money.

Staying one step ahead of regulations

More often than not, the cost of compliance is less than the cost of a fine. Just as important, upgrading your business’s data security and payment security practices benefits both your business and your customers. It does a lot to prevent fraud and breaches of trust with your customers.

Splitit always maintains top levels of compliance, including PCI, to ensure its partners and end users have a safe and secure experience every time they check out and make an installment payment. Furthermore, Splitit supports merchants’ GDPR and PSD2 payment flows in a seamless manner.

If your business is required to act, don’t delay. This is the wake-up call you’ve been waiting for. When you have made sure your business is compliant, you can rest easy knowing you’re on the right side of the rules. Both your business and your customers will come out ahead.