Transaction Trends

New ETA Report: What U.S. Acquirers Need to Know about GDPR

6-13-2019

All around the world, regulators are coming to scrutinize how companies handle the sensitive data of their customers, and of consumers and citizens more generally. One of the first and most significant pieces of legislation tied to this development is the European Union’s General Data Protection Regulation (GDPR) 2016/679. This regulation concerns data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway). Its provisions apply to any organization that collects, processes, or stores data pertaining to those individuals – even if the organization is located outside of the United States.

And the fines for non-compliance are steep. Depending on the infraction – and specifically which article of GDPR it falls under – data processors and controllers can face fines of up to €20 million or 4% of their annual global turnover (whichever is highest). In February 2019, law firm DLA Piper found that 59,000 data breaches had been reported since GDPR went into effect in May 2018. In the same time frame, national supervisory authorities in 11 European Economic Area (EEA) countries brought fines under article 58.2(i) of GDPR totaling €55,955,871, of which €50 million was levied against Google in January 2019.

Any payments company that collects, processes, or stores data pertaining to an individual within the EEA is subject to GDPR. Most payments companies are considered Data Processors under GDPR, because they process data on behalf of the Data Controller, the entity which determines the purposes and means of the processing of personal data (i.e. the merchant). However, it is possible for a single entity to be both a Controller and a Processor, which expands the scope of its legal obligations.

To help clarify some of the confusion around GDPR and what it means for U.S.-based payments companies, ETA’s Risk, Fraud & Security Committee has compiled answers to the most frequently asked questions about GDPR. These answers are written from the perspective of the U.S. merchant acquiring industry. The document addresses such questions as:

  • If I do business internationally, is my US portion affected by GDPR?
  • If I have non-US Merchants, how am I affected by GDPR?
  • How does GDPR affect data pertaining to European transactions that my organization stores in the U.S.?

The FAQ answers discuss how the most common payment processing scenarios are regulated under GDPR and provide high-level guidance for acquirers and other payments companies to ensure compliance. The last few questions and answers attempt to highlight similarities and differences between the U.S. and the EU with regards to data protection policies and frameworks and anticipate how the policy environment in the U.S. is shifting and will continue to change in the wake of GDPR.

With thanks to the authors of this FAQ: Sam Pfanstiel, Coalfire (Risk, Fraud & Security Committee Vice Chair); Dan Fritsche, Global Payments; Ed Marshall, Arnall Golden Gregory; James Zou, SecureTrust, a division of TrustWave

About ETA

The Electronic Transactions Association (ETA) is the global trade association representing more than 500 payments and technology companies. ETA members make commerce possible by processing more than $6 trillion in purchases in the US and deploying payments innovations to merchants and consumers. Learn more: www.electran.org.
