SEPA, PSD2, GDPR, Oh My! How Do They Interconnect, and How does TokenEx Facilitate? Part 1 of 3

The European Union (EU) and partnering countries are leading the way in payments innovation with the Single Euro Payments Area (SEPA) and the revised Payment Services Directive (PSD2). Why was SEPA created, and how does PSD2 support the SEPA framework? With the goals of changing how currency is transferred within EU borders and of unifying a very federated financial network into a single, more efficient one, how will these regulations support secure, cashless payments across the EU and partnering countries, and what do they require of financial organizations and consumers? Financial organizations and third-party vendors will be handling a treasure trove of payment card data as well as Personally Identifiable Information (PII). How does this interact with the upcoming General Data Protection Regulation (GDPR)? Part 1 of this blog series covers the basics of the three regulations; part 2 will focus on how they interconnect and on monetizing sensitive data while remaining in compliance; part 3 will focus on how to secure the data under the guidelines of the regulations and how TokenEx can help facilitate a smooth and secure transition for your organization.

SEPA Is Pushing the Boundaries on Payments

Single Euro Payments Area (SEPA): SEPA Credit Transfer (SCT), SEPA Direct Debit (SDD), and the SEPA Cards Framework. The SEPA framework is redefining how money moves between businesses, individuals, and financial markets. Two primary payment instruments currently exist under SEPA: SCT for credit transfers, which the payer pushes to the payee, and SDD for direct debits, which the payee pulls under a mandate signed by the payer; the SEPA Cards Framework covers card payments. Under the International Accounting Standards (IAS 32 and 39), a financial instrument is "any contract that gives rise to a financial asset of one entity and a financial liability or equity instrument of another entity." Cash instruments include securities, loans, deposits, and payments that the creditor and borrower (sender and receiver) have mutually agreed to transfer; derivative instruments derive their value from an underlying asset, index, or interest rate.

This framework also supports real-time payments: SEPA's instant credit transfer scheme requires twenty-four/seven availability, the immediate and irrevocable transfer of funds, and immediate confirmation to both parties of whether the payment succeeded or failed. Either party can be payer or payee, and the model extends to Person-to-Person (P2P), Person-to-Business (P2B), Business-to-Person (B2P), and Business-to-Business (B2B) payments.

PSD and PSD2 Provide The Legal Backbone

The original Payment Services Directive (PSD) was adopted by the EU in 2007 to establish standard rules for electronic money transfers and payments across 30 European countries. It created a single market for payments and gave SEPA its legal foundation. As the digitization of the financial sector continued, however, new third-party services (FinTechs, digital-only banks, and so on) emerged that let financial institutions offer new services to their customers. These services fell outside the scope of PSD, so maintaining the legal foundation of SEPA required new regulation. Enter PSD2, adopted in 2015, whose stated goals are to make payments more secure, to protect consumers, and to open the market to fair competition from organizations of all sizes. In practice this means banks must give licensed third parties (account information service providers and payment initiation service providers) access to customer accounts through APIs, with the customer's explicit consent, so that both consumers and businesses can use third parties to manage their finances. Those third parties are now licensed and regulated under PSD2.

Benefits of A Singular System

A single set of rules makes it more cost-efficient for financial organizations to operate across borders. Consumers benefit from lower costs driven by regulated competition, and licensed third parties will be able to initiate payments on their behalf. Surcharging is banned for consumer card payments whose interchange fees are capped by the Interchange Fee Regulation (the bulk of everyday card transactions); any surcharge a member state still permits on other instruments may not exceed the payee's direct cost of accepting it. For unauthorized (fraudulent) payments, the consumer's maximum liability drops from 150 Euro to 50 Euro. PSD2 is also intended to reduce fraud in digital transactions while enhancing the security of consumer data, and financial organizations must obtain explicit consent from consumers before processing their personal data, including sensitive payment card data.


PSD2 mandates Strong Customer Authentication (SCA) whenever a payer initiates an electronic payment or accesses their payment account online, subject to the exemptions set out in the regulatory technical standards (low-value and low-risk transactions, for example). SCA requires two or more elements drawn from at least two of three independent categories: knowledge (a password or PIN), possession (a card, a registered device, or a one-time authentication code generated by one), and inherence (a fingerprint or other biometric). Two elements from the same category, such as a password and a PIN, do not satisfy the requirement, and the compromise of one element must not compromise the reliability of the others. Which elements are used is decided by the financial organization or third party, but the consumer must consent to the processing involved. Consumer consent is something we will touch on throughout the series, as it is a key focus of all EU regulations. PSD2 applies in member states from January 2018, and third parties cannot operate under it before then, so financial organizations still have a little time to roadmap and innovate new processes, expand services, and discover new revenue streams.
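To make the "two independent categories" rule concrete, here is an added example (not code from the original post or from TokenEx) of a login check that verifies a knowledge element (a PBKDF2-hashed password) and a possession element (an RFC 6238 time-based one-time code), then accepts the login only when the verified elements span two distinct categories. The account record, salt, password and TOTP seed are constructed for the demonstration; the seed is the RFC 4226 test-vector secret.

```python
"""Added example: checking that a login meets PSD2-style Strong Customer
Authentication, i.e. elements from at least two of the three independent
categories (knowledge, possession, inherence). All account data, salts and
secrets below are constructed for the demo."""
import hashlib
import hmac
import struct
import time
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows: password, PIN
    POSSESSION = "possession"  # something only the user has: OTP device, card
    INHERENCE = "inherence"    # something the user is: fingerprint, face


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 + dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock drift.
    compare_digest keeps each comparison constant-time."""
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 verifier; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), verifier)


def sca_satisfied(verified: set) -> bool:
    """SCA needs elements from two or more *different* categories: a password
    plus a PIN are both knowledge and count as one category only."""
    return len(verified) >= 2


# Constructed demo account. In production the TOTP seed lives on the user's
# device or in an HSM-backed store, not next to the password verifier.
DEMO_SALT = b"demo-salt-0123456789"
DEMO_TOTP_SECRET = b"12345678901234567890"   # RFC 4226 test-vector seed
DEMO_ACCOUNT = {
    "password_salt": DEMO_SALT,
    "password_verifier": hash_password("correct horse battery staple", DEMO_SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}


def authenticate(account: dict, password: str, otp_code: str,
                 at_time: float = None) -> tuple:
    """Return (sca_ok, verified_categories) for one login attempt."""
    at_time = time.time() if at_time is None else at_time
    verified = set()
    if verify_password(password, account["password_salt"], account["password_verifier"]):
        verified.add(Factor.KNOWLEDGE)
    if verify_totp(account["totp_secret"], otp_code, at_time):
        verified.add(Factor.POSSESSION)
    return sca_satisfied(verified), verified


if __name__ == "__main__":
    now = 59.0   # fixed clock so the run is reproducible (RFC 6238 vector time)
    good_code = totp(DEMO_TOTP_SECRET, now)
    print(authenticate(DEMO_ACCOUNT, "correct horse battery staple", good_code, now))
    print(authenticate(DEMO_ACCOUNT, "correct horse battery staple", "0000000", now))
```

The biometric (inherence) category is left out because it cannot be verified meaningfully without a device; the point of the block is that `sca_satisfied` counts categories, not elements, so adding a second knowledge factor would not turn a failed check into a pass.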

Handling of Personal Data Creates GDPR Compliance

The General Data Protection Regulation (GDPR) was promulgated by the EU to strengthen and unify data protection for all individuals within the EU and the wider European Economic Area, and it applies from 25 May 2018. GDPR replaces the Data Protection Directive 95/46/EC. Its goal is to protect the personal data of EU citizens and residents by setting standards for the collection, storage, sharing, transfer, processing, and management of the various categories of personal data. It also governs the export of personal data outside the EU, and it applies to any organization, wherever it is located, that processes the personal data of individuals in the EU in connection with offering them goods or services. It is designed to standardize data privacy law across the EU in order to "protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy." With cybercriminals' ever-growing efforts to steal personally identifiable information (PII), GDPR is arguably the most important and impactful regulatory scheme the EU has adopted in recent times.

GDPR is entirely focused on protecting personal data. The regulation's term is broader than the US notion of PII: it covers any information relating to an identified or identifiable natural person (the 'Data Subject'), that is, anything that can be used to identify the person directly or indirectly, from a name, a photo, an email address, or bank details to posts on social networking sites, medical information, and an IP address. Most organizations handle large amounts of such data about their customers through credit applications, payment portals, bank accounts, and the like. Because SEPA and PSD2 will cause organizations to ingest still more personal data for authentication, platform access, analytics, and business intelligence, they also create the need to become compliant with GDPR.
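The "directly or indirectly" qualifier is where many data-protection efforts go wrong. The following is an added example, not code from the original post or from TokenEx, that contrasts three ways of handling identifiers ingested through a payment flow: an unkeyed hash (which an attacker with a list of likely values can reverse, so the data is still identifiable), a keyed pseudonym whose re-identification key is held separately, and a vault token for a card number that is not derived from the card number at all. The key, vault, candidate email list and test card number are constructed for the demonstration.

```python
"""Added example: why a hashed identifier is still personal data, and how
keyed pseudonymization and vault tokenization differ. All inputs (key, vault,
emails, card number) are constructed for the demo."""
import hashlib
import hmac
import secrets

# Constructed inputs. The key would live in a KMS/HSM, separate from the data.
PSEUDONYM_KEY = b"hold-this-key-in-a-separate-kms"
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Often mistaken for anonymization; it is deterministic
    and anyone can recompute it for a guessed input."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym (GDPR Art. 4(5) style): deterministic, so
    analytics can still join on it, but re-identification needs the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def dictionary_reverse(target: str, candidates, fn):
    """What an attacker holding a list of likely values does to a hashed
    column: recompute fn() for each guess and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def luhn_valid(number: str) -> bool:
    """Luhn check digit test used by card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, vault: dict) -> str:
    """Vault tokenization: a random surrogate that keeps the length and the
    last four digits (for receipts and support), is *not* derived from the
    PAN, and deliberately fails Luhn so a leaked token cannot be mistaken for
    or replayed as a real card number."""
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if token != pan and not luhn_valid(token) and token not in vault:
            vault[token] = pan
            return token


def detokenize(token: str, vault: dict) -> str:
    """Only the vault holder can map a token back; unknown tokens raise KeyError."""
    return vault[token]


if __name__ == "__main__":
    leaked = naive_hash("bob@example.com")
    print("unkeyed hash reversed to:", dictionary_reverse(leaked, CANDIDATE_EMAILS, naive_hash))
    pseudo = pseudonymize("bob@example.com", PSEUDONYM_KEY)
    print("keyed pseudonym reversed to:", dictionary_reverse(pseudo, CANDIDATE_EMAILS, naive_hash))
    vault = {}
    tok = tokenize_pan("4111111111111111", vault)
    print("token:", tok, "luhn valid:", luhn_valid(tok), "detokenized:", detokenize(tok, vault))
```

Two caveats a practitioner should keep in mind: pseudonymized data remains personal data under GDPR (Recital 26), because the holder of the key can re-identify the subject, so the key's storage and access control are part of the compliance story; and the token's last four digits are still a partial identifier, which is why truncated PANs are handled under PCI DSS rules even when the full PAN is in a vault.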

In part 2 of this series we will dive deeper into the interconnection of the three regulations, as well as monetization of sensitive data while remaining in compliance with their collective requirements. TokenEx is the industry leader in cloud tokenization and pseudonymization of all data sets. Follow us on Twitter and LinkedIn.

Topic(s): payments , compliance , data security , encryption , PII , tokenization , pseudonymization , GDPR