Europe's new data rules go much deeper than PCI — and many U.S. companies must comply
U.S. payments processors, banks and retailers have dealt with the EMV liability shift and various Payment Card Industry security standards in the past, so they know a thing or two about data security — as well as the tightness of compliance deadlines.
But their PCI compliance won't be enough to meet the strict requirements of the General Data Protection Regulation, which takes hold May 25 in Europe. Again, far too many companies are neither aware of nor prepared to comply with the various facets of the GDPR, a consumer privacy measure that essentially moves the ownership of data to European consumers and away from companies that compile, store, move or sell data for various purposes.
The GDPR, announced through the European Union in 2016, is an offshoot of the European Data Protection Act and guards against companies loosely handling data while also allowing EU consumers to "own" the data and know how and where that data gets used.
Being aware of GDPR
Senzing, a California-based software technology company, estimates that just the data-collection search aspects of the regulation could amount to 172 hours a month.
The company spoke to more than 1,000 companies throughout Europe, concluding that more than 60% of companies are not currently GDPR ready.
"There is still a general lack of knowledge around GDPR," said Gareth Lodge, a London-based payments industry analyst with Celent. "I'd be very surprised if we were even at 90% awareness."
There is a need for companies to be clear on what GDPR means and any overlap it might have with other security or privacy measures, Lodge said. "There are many directives, all written by different parts of the EU, with little in terms of common language."
GDPR represents a dramatic and complex change — especially for U.S. companies that handle European consumers' data. They'll have to change a lot of policies, contract and privacy paperwork, and data management records to reach compliance.
Under GDPR, companies have to deal with the fact that European consumers, or "data subjects" as they are called under the regulation, are automatically opted out of any commitment to allow use of their data. The consumer holds the power as to whether a company can do anything with the data, including keeping it stored, and has to give permission to do so.
In the U.S., it is the opposite. American companies can use customer data for other means, which they usually explain in privacy notices and other lengthy disclosures that consumers generally ignore. Basically, U.S. consumers automatically agree to allow other data uses, such as for marketing purposes or risk assessment, unless they choose to opt out.
A change for payment platforms
"In payments, when a processor or issuer is using the data for marketing or promos, or to calculate credit scores, they could be in violation because if you are using European Union citizens' data to monitor and do things, the platforms have to be compliant," said John Doherty, partner and Americas financial services data protection leader for EY (formerly Ernst & Young LLP).
The handling of data under GDPR will be different from complying with PCI standards, Doherty said.
"PCI is basically telling you to protect credit card data, while GDPR is saying we are going to give the consumer the right to manage the data," Doherty added. "They will have the right to get electronic records, or the right to have their data forgotten and not stored."
Currently, a U.S. credit card processor who has locked down and protected a consumer's payment card and personal data would essentially be able to store that data forever. Under GDPR, a European consumer could request that it be stored only for future payment reference for a period of time, or be taken off the database completely. It could not be used for any other purpose without consent.
Along similar lines, Doherty said, European consumers will be able to contact a payment provider, or other data company, and ask where their data is currently stored and what it is being used for. And a company has to immediately respond to that request with accurate information, he added, and many currently may not be able to do so.
Any requests by EU consumers asking where their data is at a given time could create more pressure on payments companies to "understand critical details regarding their handling of sensitive data," said Ryan Stolte, co-founder and chief technology officer at the cybersecurity firm Bay Dynamics. "This includes where it is located, where it moves, who interacts with it, as well as how it is being used, and where in the world it is being accessed."
As it currently stands, many organizations lack a full understanding of their data, Stolte said.
"Some of it may be in the cloud, some on premise, and all of it accessed by third-party vendors and employees," he added. "To comply with GDPR, companies should use a combination of behavior analytics and other technologies to better understand who is interacting with payment card data, and from where."
PCI compliance is not enough
Sometimes, payments companies have found it is better to wait for clarity than to meet a rulemaker's stated deadline.
"This will be similar to the EMV chip migration in that many businesses won't really know what to do or how to comply," said John Barchie of Phoenix, Ariz.-based Arrakis Consulting LLC, which currently specializes in helping companies comply with GDPR.
While not directly connected, GDPR will have some crossover similarities with the PSD2 directives in Europe for payment innovation and technology development, as well as the privacy factors of HIPAA.
"GDPR is better security in the sense that you know what is going on with the data, but it is not specifying a particular security framework, because those already exist," Barchie said. "They are saying you need to do these things to enhance the privacy of the data subject, and it just happens to enhance the security measures."
Because of PCI security standards and various technologies to protect data, U.S. payments companies are better positioned for GDPR than other data processors might be — but it would be a mistake for a payments company or retailer to think that this process is similar to PCI compliance, because it is more complex than that, Barchie noted.
"We are seeing that it is more than 4,000 hours of work to comply because it is very extensive," he added.
Knowing what to do
GDPR calls for the hiring of a data protection officer at companies that handle large amounts of data that fall under GDPR — from addresses and phone numbers to personal information and payments credentials.
"On the payments side, those companies might be surprised to find that someone is going to regulate you and ask to increase your head count by one," Barchie said. "But you can take a current manager and make them the data protection officer, which is a full-time job."
A company also has to show it has a legal right to accept, process and store data, and also show it has upgraded software or legacy equipment as needed to address new technology and current data security needs.
Data protection and privacy impact assessments have to take place as part of doing business, as well as data mapping that would accurately show how data is received, processed, stored or moved and for what purposes.
The data subject, or consumer, has numerous rights — and companies have to comply with their requests. There can be no data access restrictions for consumers, an intentional deletion or denial of data.
There can be no caveats attached to seeking permission to use data in ways other than the original intent. A company cannot hold back or deny a service if an EU consumer won't accept a request to use the data in some other fashion.
If a consumer ignores a company's request for permission, the company must honor that, Barchie said. This is counter to the typical practice in the U.S., where a consumer's silence could imply permission.
Big consequences for noncompliance
Any violation of the handling of GDPR data is subject to fines, the severity measured by the intent of the company. But the fines can be hefty, in the millions of dollars.
Unfortunately, companies in danger of facing fines are likely those not fully aware of their data handling or movement — and who are nowhere near ready to comply with GDPR by late May.
Any company not fully prepared and engaged in making changes at this time will not be compliant by the deadline. That could be as high as 70% to 80% of U.S. businesses and 50% of EU/U.K. businesses, according to Arrakis Consulting.
"You can make it simpler on yourself by reducing the amount of data you are moving around, and just not blast the total customer database to various places," Barchie said. "That makes it complicated if someone asks where their data is, but also could be a problem for companies that want the data in various places to better provide services."