How Europe's GDPR data-splitting rules will change the global payments market
If U.S. payments and financial services companies are able to show that an individual's data is not held all in one place at one time — thus removing a major target for hackers — it would go a long way toward making them compliant with strict new regulations from the European Union.
The General Data Protection Regulation calls for "pseudonymization" of data — storing an individual's information in separate files — and assesses hefty fines for non-compliance. It takes effect May 25 and also gives consumers the power to dictate who can use that data and when.
"The overriding idea behind this is the old adage of 'don't put all of your eggs in one basket,'" said Kory Willis, senior director of IT at Impartner, a South Jordan, Utah-based partner relationship management software provider, under which it adheres to GDPR data policies.
When hackers gain access to a network, they usually do so one system at a time, Willis said.
"It takes time to gain access to the next system and then the next," he added. "The longer they are in a system, the greater chance that something is going to detect their presence and cut them off."
In many ways, the goal of the GDPR is to increase difficulty for a hacker, while also flipping the rights of data ownership back to the European consumer. U.S. companies that serve European consumers are obligated to follow the regulations.
To ensure compliance, a payments company might keep a consumer's name separate from his address or payments credentials. For those companies that hold Social Security numbers, those would never appear in the same database as a consumer's other information under GDPR guidelines.
"If payment processors, merchants or others who hold financial information or consumer databases have followed just the standard security of having firewalls in place and segmentation and various layers of security, there is still a good chance they might have all of that personal information in one place," Willis said. "Once the hacker reaches the database, they are in and have everything they need."
The pseudonymization of data also protects a company against "the office database administrator who feels he is not getting paid enough, and he downloads the database and walks off with it," Willis added.
Key requirements within the GDPR that complement pseudonymization call for companies to store master records and the identification key or token in separate systems — and divide access to those among different people. In practice, no one person should be able to get to all of the identifiable information without someone else being involved.
It's the accountability and transparency requirements of GDPR that make it stand out as having more teeth than other existing data protection regulations in Europe, said Ron van Wezel, an Amsterdam-based senior analyst with Aite Group.
"Anonymization, pseudonymization and encryption are important techniques to reduce the risk of disclosure and breach of personal data," van Wezel said. "Companies should implement such techniques to reduce risks as much as possible and protect themselves in case of a data breach."
The Payment Card Industry data security standards address the use of third-party vendors, helping acquirers and merchants know how to determine the vendors' PCI compliance, while also recommending the names of those who are compliant.
In the same vein, the GDPR puts the onus on companies to make sure that their third-party vendors are compliant with the new European rules.
"In past years, when a third party got hacked, the company that originally gave them the data could throw their hands up and blame them," Impartner's Willis said. "With GDPR, it becomes the company's problem in making sure they have vetted third-party providers properly."
Overall, GDPR is forcing European and American companies to rethink how they handle data and how their organizations are structured to do so.
"What GDPR does, more than anything, is it takes security and confidentiality from something that just IT worries about to something the entire company worries about," Willis said. "It's a mindshift for most companies to say that security extends beyond what just your IT department is working on."