New EU data protection rules are designed to protect customer data through stronger privacy and security requirements. GDPR (General Data Protection Regulation) goes into effect on May 25, 2018, and the second Payment Services Directive (PSD2) is not far off with a September 2019 implementation deadline. The new regulations are intended to ensure better customer information security and privacy while reducing fraud, essentially by giving control over data to its owners – consumers.
GDPR provides new policy around data collection and storage, including a requirement for consent to data collection and the right for consumers to request that any data collected on them be erased permanently. PSD2 allows customers to approve access to their bank account data by third parties, modernizing the payment structure in line with the growth of e-commerce. It also puts into place stronger user authentication checks for online transactions – at a minimum, two-factor authentication, which can include voice authentication or other biometrics.
This is all good for consumers, in theory, but there are potential drawbacks.
While consumers have generally adapted to an online economy and the need for heightened security has been prominently featured in media headlines thanks to many high-profile breaches, many consumers and businesses don’t take the risk as seriously as they should. Two-factor authentication provides an additional layer of security, but it also adds complexity to completing transactions for consumers, which could lead to a new resistance to online purchasing. That, in turn, could result in vendors opting to not implement additional security features, putting them and their customers at risk.
It’s clear payment structures have to more efficiently accommodate the digital era, and the ability to authorize access to account information serves to democratize the payment industry. But there are risks here as well. Giving more parties access to sensitive account information inherently increases risk by serving up new attack opportunities for cyber criminals. The burden of account security will be the domain of every online vendor with access to banking details.
Third, fraud identification relies on massive amounts of user data. A reduction of collectable data means merchants and fraud scoring systems will reach conclusions based on fewer data points, making it more difficult to accurately identify fraud. That can lead to increased false flags or missed fraudulent activity. Both are likely to have a negative impact on consumer sentiment. Even worse, cyber criminals are smart and adapt to changing conditions. The new rules could allow identity thieves to request data removal, which would mean those data points could no longer be used in scoring systems and lists of identified fraudulent activity.
There’s no question the intent of both GDPR and PSD2 is to protect customers – and by extension, businesses. But they have potential flaws that could be exploited by fraudsters. The best approach for consumers and merchants alike is to take security seriously and to understand that new identity verification methods, like voice authentication or fingerprint scanning, add a step to the process, but that the inconvenience is minor compared to having to deal with identity theft or fraud.
To learn more about how voice authentication can help reduce fraud, visit VoiceVault.