Can Payments Companies Monetize Data and Still Comply with GDPR?
A growing trend among payment service providers is identifying opportunities to monetize customer data.
While some organizations sell their data directly to third parties, or indirectly through cross-selling or up-selling based on payment-history analysis, much customer data is anonymized because it contains highly sensitive personally identifiable information (PII).
The European Commission’s new E-Commerce Directive security laws aim to improve the security of online e-commerce payments and to further regulate the payments industry so as to open the market to new competitors. Between this and the implementation of Privacy Shield and GDPR, payments firms may be wondering how they can continue to leverage customer data while remaining compliant.
Peer-to-peer and sharing-economy companies like Uber, Venmo, and Airbnb have permanently changed the payments landscape, and payments businesses must do what they can to avoid alienating current customers; that includes adopting more consent-driven data management.
Payments firms would benefit from providing customers with tools to view and manage their own data, which would not only keep them compliant with GDPR, but would also build loyalty and enhance the customers’ experience with the brand.
Taking these steps would mean that payments companies could continue to monetize their customer data, so long as they continue the practice of informed consent.
One of the E-Commerce Directive’s key security recommendations for payment service providers is that they implement strong authentication for registering cards, making credit transfers, and making card payments.
The suggested “two-factor authentication” combines something the user knows (a PIN or password) with something the user has (a token, card, or mobile phone); because these are independent factors, a compromise of one does not compromise the other.
Payment service providers then need to capture and manage the authenticated consent in an auditable workflow. This requires a centralized, sophisticated platform that enables an automated and secure digital communication link with the customer.
Bottom line: simply asking for a customer’s consent is not enough, but this approach will help organizations meet the GDPR stipulations of Data Portability and the Right to be Forgotten.