SEPA, PSD2, GDPR, Oh My! How Do They Interconnect, and How does TokenEx facilitate? Part 2 of 3

SEPA, PSD2, GDPR, Oh My! How Do They Interconnect, and How does TokenEx facilitate? Part 2 of 3

In Part 1 of this blog series we covered the basics of the directives and how they interconnect. In this edition we will dive into the details of the development of instant payment systems and why the EU is overhauling their payments infrastructure. How will the landscape of payments change? With the rising tide of Big Data analytics to improve the financial ecosystem, how will the secure collection of sensitive data impact organizations from a GDPR standpoint? Financial organizations will continue to answer the consumer call of faster, more efficient payments, but how do these organizations enforce their third parties’ handling, securing, and storing of payment card data and personal information aka personally identifiable information (PII) in a compliant fashion? i.e. fall in line with current ISO compliance?

Instant Payments Change the Landscape

PSD2 empowers consumers and organizations to use a third party provider to manage their finances. These third party providers can be FinTechs who augment services to financial organizations or stand-alone providers, which means financial organizations will have to provide open API access to these third party providers. These providers fall into 2 categories: Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP). AISPs will have access to the account of financial organization customers, and PISPs are the service providers that originate the payments on behalf of the consumer or organization. An AISP performs analytics on spending patterns and summates sensitive data–all to gain greater business intelligence. Both AISPs and PISPs will be handling very sensitive data sets for both individuals and organizations, including payment card data, bank account information, first name, last name, and so on–basically, a treasure trove of Personally Identifiable Information (PII) to be used in a number of ways. This handling of PII causes these organizations to fall under GDPR compliance requirements. Before we go down the rabbit hole of GDPR, let’s look at the benefits of what both AISPs and PISPs bring to the table.

Big Data Enables Flexibility

For AISPs, data analysis requires the handling of PII for their customers. This allows organizations to act more rapidly on financial recommendations based upon in-depth analytics. Translated, organizations will be able to continue to tailor the customer experience to create more services, greater transparency of the services, but most importantly keep stride with consumer expectations. Meeting consumer expectations, as well as their financial needs with a positive experience guarantees greater retention. The flexibility to provide a better experience is not without its pitfalls. According to PSD2, FinTechs and Financial organizations are mandated to provide

more consumer protection, lower the potential for fraud, and increased accountability for liability. This has everything to do with how the sensitive data is ingested, handled, secured, and stored.

Monetization of Sensitive Data

Using the current sensitive data sets coursing through your organization and beyond allows financial organizations to build more efficient platforms, better services, and most importantly the ability to tailor the customer experience to exactly what the consumer wants. With GDPR, this now means handling the sensitive data in a secure and pseudonymized fashion. Pseudonymization is defined in the GDPR as: data that is “coded” (i.e., details such as a data subject’s name and address are replaced with pseudonyms) such that the data cannot be attributed to a particular data subject without the use of additional information. Understanding the analytics of how consumers interact with your organization, their demographic, spending patterns, and the treasure trove of data that you manipulate to create these consumer-centric experiences now requires your organization to deploy a data security solution that can successfully pseudonymize. Any organization found to not be in GDPR compliance may be fined up to 4% of annual global revenue.

GDPR mandates that there are 2 primary roles for data controllers and data processors. The roles of the data controllers include regulation of what PII will be handled, why the PII needs to be handled, whether or not the PII is handled in a GDPR-compliant fashion, and when third-party agreements may be utilized to handle the PII. Data processors can only handle the PII in the fashion that the data controller mandates, and they can only utilize third-parties for sub-processing as sanctioned by the data controller. As both of these roles are defined, they come into play each time a transaction takes place where personal information (PII) is required to execute and authenticate the transaction. In regard to PSD2, if a customer asks for it, a financial organization will have to provide access to a third party in order to facilitate payments, transfers, etc. This requires that a bank will have to allow third parties access to their APIs.

ISO Compliance Has Gaps

Financial organizations have been using ISO (International Standards Organization) guidelines to help regulate the industry as a whole. The ISO/IEC 27000 class of standards was designed to make sure that organizations are keeping sensitive data sets secure, which requires that organizations manage the security of assets such as financial information, intellectual property, employee details or PII entrusted by third parties. PSD2 is now requiring organizations to use the new ISO 20022 in APIs to define their data, so banks will open up their API’s to 3rd parties for AISP’s and PISP’s.

The Regulatory Technical Standards (RTS) are not requiring financial organizations to standardize their API, given that they adhere to the ISO 20022 security requirements. The financial organizations must also provide free documentation to any third party who wants to use the APIs. With all of these regulations and standards, there are still major security gaps. Currently, ISO 20022 is very different from the conventional development of APIs in how it permits exceptions in the development of the APIs themselves. A prime example would be numerous forms of a given singular message, being present at the same time leading to restriction of the message(s). To further the potential issues, the vast majority of APIs use JSON for requests and responses, and ISO 20022 does not. Anytime absolute standardization is not required for all organizations creates an expanded attack surface.  Standardized APIs that are easy to maintain, adopt, and consume allow developers, architects, and technical writers to build upon the blueprint of the API to build safer and more secure experiences.

So What Does All of This Mean

SEPA is the framework for payments, PSD2 is the regulation backing the new payments framework, and GDPR is the regulation mandating that organizations do not reveal any sensitive data of any EU citizen. By regulation, PSD2 makes sensitive data sets available to third parties, and GDPR was created to make the data private. You can see the conundrum where one regulation conflicts with another. However, every organization has a duty to their customers to make sure that all data being passed back and forth in their environments, business-to-business, business-to-customer, across international borders, etc. is secure.  GDPR puts that regulation into law. GDPR and PSD2 have yet to be tested in courts, but they are setting the trends in how money and information associated with accounts or transactions can safely move between secure environments without exposing the consumer. Like any regulation involving sensitive data, it has everything to do with how the data is secured, transferred, and stored. ISO compliance, PCI compliance, GDPR compliance, and any other compliance-based initiatives are designed to keep organizations and individuals safe from the miserable world of data breaches.

Part 3 of the blog series will cover data security solutions, maintaining compliance in a scalable fashion, and how to continue to create more secure customer experiences. TokenEx is the industry leader for cloud tokenization. Follow us on Twitter and LinkedIn.

TokenEx Cloud Tokenization

Topic(s): payments , data security , encryption , PII , tokenization , GDPR , privacy

Keep Up With Our PCI & Privacy Blog