Why Mastercard wants others to opt in to its data privacy project


There's no shortage of corporate and political efforts to protect the mountains of data generated by e-commerce, but a universal solution remains elusive.

Last week Mastercard announced an initiative to encourage data protection and responsible stewardship. Mastercard is positioning its effort as a call to action, instead of a mandate, to bring stakeholders together to produce best practices to protect data.

“Data innovation has brought us this far, it has been helpful and will continue,” said JoAnn Stonier, chief data officer at Mastercard. “At the same time it can be hard for people to engage with their data.”

The card brand's efforts join regulations such as GDPR and PSD2 in Europe and a law in California designed to provide consumers with control over how their data is used. And there are other corporate efforts to protect data by digitizing ID and making it more portable.

But many of the existing measures are struggling. Banks and merchants have struggled to comply with GDPR and PSD2, and competitive pressures act as a barrier to universal ID projects. Decentralized blockchain-powered payment systems have similarly stalled.

“You need laws around transparency, we won’t get there without laws or association rules,” said Avivah Litan, a vice president at Gartner, who says it’s good that Mastercard has brought attention to the issue, but enforcement is needed to push data protection forward.

“Data privacy has become a serious issue,” Litan said. “Data has become very profitable and there are lots of companies making money, and consumers aren’t getting any of that. Either the companies are making the money or the bad guys are stealing it.”

Payment companies have worked together, though often after a period of struggle. The card brands' "click to pay" button debuted last week, a collaborative move that should give international e-commerce payments a major boost. However, it came years after each card brand tried to market its own buy button or secure checkout, with mixed success.

The global shift to EMV was also a function of at least some coordination among payment companies. Click to pay and EMV both represented a response to a common threat: payment card fraud.

Mastercard hopes the same type of common goal can drive data protection. Mastercard’s initiative is meant to spark a dialogue, according to Stonier, suggesting a collaborative effort that includes sources from inside and outside the financial services industry.

In the case of click to pay, Mastercard, Visa, American Express and Discover jointly pushed a singular experience in an effort to make online payments ubiquitous, similar to plastic card payments. But that effort did not include PayPal, and there are bound to be competitive issues that would hamstring an effort to build a set of best practices for privacy and data management. PayPal, Visa, Discover and Amex did not return requests for comment for this story.

During an interview, Stonier proposed about a half-dozen pillars of data responsibility. Mastercard did not propose detailed granular policy, nor did Stonier say this project would create rules for companies to do business with Mastercard. The hope is the dialogue will produce collaborative best practices.

Stonier did say companies need to do more to communicate with each other and the public about what they do with data.

“They have to go further than privacy notices,” Stonier said. “None of us can read privacy notices. There has to be a better method of being clear about what’s going on with data.”

Other data issues to consider include the use of AI and machine learning, which have come under criticism for bias that drives outcomes that are not fair or universal, according to Stonier.

“When we talk about bias and machine learning, we have to be careful about the integrity of the process and understand a drift in the models,” Stonier said. “If we’re not careful we could do some harm to society. If we don’t start the conversation now it will become harder to fix later.”

While there are laws governing data protection in most nations, Stonier envisions the collaborative effort with Mastercard adding a dose of self-regulation.

“If organizations like Mastercard take these principles to a global level, that would certainly be valuable to consumers. It would also help organizations to manage their data better,” said Ron van Wezel, a senior analyst at Aite. “I like the intent of Mastercard's initiative, to take data stewardship and privacy beyond mere compliance. Consumer trust is critical to make open banking a success and create new experiences for the market.”

In addition to data risk management, Stonier is advocating a product design model that recognizes the public benefit of data usage.

If a project promotes financial inclusion, for example, the “best practices” as envisioned by Stonier would provide a road map built by disparate stakeholders to guide data usage.

“Even B2B companies have to keep individuals at the center of product design,” Stonier said. “Sensitive and personal data must be in the middle of the design process.”

Data security is always in the news, but there has lately been more visibility into the issue due to the struggles of Facebook's Libra cryptocurrency project, which are partly based on concerns about how user data will be managed in an international payment system tied to a social network.

Mastercard did not comment on Facebook's Libra project, which Mastercard recently withdrew from along with PayPal, eBay, Visa, Stripe and others. Mastercard has also entered into large deals such as an agreement with Microsoft to work on digital ID technology.

A Mastercard representative said its policy prohibits the sale or sharing of personal data, adding it provides business insights using information that has been scrubbed and aggregated to remove information that could be linked to an individual. The card brand also said Mastercard is not sharing data or insights for ad measurement purposes with any of the technology giants.

The Mastercard initiative could boost self-sovereign identity, said Tim Sloane, vice president of payments innovation at Mercator. There are existing collaborative efforts that are pushing interoperable ID, such as the Sovrin Foundation, a decentralized model and standards that allow proof of ID to be shared among different parties. Mastercard also did not answer questions about specific ventures such as the Sovrin Foundation.

But the overall push for interoperable ID does have significant weight behind it, Sloane said, adding large parties such as IBM, Microsoft and the Linux Foundation are all supporting self-sovereign identity.
