GDPR: 3 ways merchants can stop themselves coming unstuck with payment data


Data is money, in more ways than one. Merchants are collecting customer data to develop omni-channel strategies, inform marketing and unlock new revenues. That data is also of value to more unscrupulous types. The new General Data Protection Regulation (GDPR), which will come into force across the European Union (EU) in 2018, is looking to address the changing data landscape and ensure businesses protect consumer data, with harsh penalties for those who fail to do so. Data protection authorities will be able to fine companies for non-compliance up to 4% of their global turnover, or EUR 20 million, whichever is greater.

This leaves merchants in something of a quandary; the data they are collecting could give them a competitive edge but the likelihood is they aren’t equipped with the tools or expertise to sufficiently protect that data. To forge ahead anyway would be dangerous in terms of not just the risk of financial penalties but also the irreparable reputational damage of a data breach.

So what is a merchant to do? It would seem you can’t collect customer data without the associated risk. That risk can be significantly and sufficiently mitigated though. Work with the right partners, using the right technologies and it may be that you can have your cake and eat it after all. Here are three things to consider for any merchant who wants to do just that.

Seamless and integrated > stitched together

It’s been said before but bears repeating that the rate of technological advance has changed the way merchants do business. Whether it’s e-commerce, apps or mobile payments, they’ve been forced to react quickly so as not to be left behind. This means a new customer relationship management (CRM) system here, a new payment portal there, and various other new technologies cobbled together elsewhere in the infrastructure. These systems become a Frankenstein’s monster of disparate parts: it’s amazing they work but they’re also quite terrifying.

Take the example of a retailer who is in the process of implementing an omni-channel strategy: to deliver the benefit of omni-channel, they need to unite often siloed payment systems for in-store, online, mobile and call centres. Think of it like a tent – the seams are where you’re most likely to develop holes and subsequently a leak. It’s where these siloed systems are stitched together that vulnerabilities exist and the risk of a data breach increases. Merchants should work with a single gateway platform wherever possible. Not only will this better protect them and their customers but deliver a more consistent consumer payment experience unified across all channels.

The point of encryption

Sealing up the holes in your systems is just the beginning – payment data still needs to be treated with significant care. Through Point-to-Point Encryption (P2PE), merchants are able to encrypt their data immediately at the point of sale. The payment data is then transmitted to a secure payment gateway, where it is processed. The upshot of this is that consumer card data – encrypted or otherwise – is never handled by the merchant. Consumer data is protected and the merchant reduces the risk of a potentially damaging data breach.

There are additional benefits to P2PE too. Not only does it protect the merchant from the risk of a data breach, but if they work with a PCI-certified provider they limit the scope of their PCI compliance audit. The complex is made simple for the merchant, allowing them to focus on what they do best: selling.

Tokenisation: insight through security

The challenge, though, isn’t just securing data but being able to turn it into actionable insight. With tokenisation, you can do exactly that with payment data while retaining the security of the precious card data. When payment data is processed, it’s assigned a unique alphanumeric code or ‘token’, which is returned to the merchant. This token itself has no value and is of no use to hackers, so consumers can be safe in the knowledge that their card is secure. This also helps retailers mitigate risk: in the event of a breach, the sensitive data elements have been replaced with a non-sensitive anonymous token, keeping customer details safe.

Extending these technical controls to all personal data will increase protection in the event of a breach. However, for the merchant, these unique tokens still allow the behavioural analysis that is essential to optimising the business.
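To make the tokenisation mechanism concrete, here is an added example (not The Logic Group's code or any real tokenisation service) of a gateway-side token vault: the merchant's records hold only random tokens and transaction metadata, repeat use of the same card maps to the same token so behavioural analysis still works, and a dump of the merchant's database exposes no card number. The vault class, record layout and card numbers are all constructed for illustration.

```python
import secrets
import string

# Constructed example of a gateway-side token vault. It is not The Logic Group's
# product nor any real tokenisation service; it only illustrates the mechanism.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16

class TokenVault:
    """Held by the payment gateway; the merchant only ever receives the token."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a card number, issuing a fresh one on first sight."""
        if pan in self._pan_to_token:       # same card -> same token, so the
            return self._pan_to_token[pan]  # merchant can still link repeat purchases
        while True:
            # Random, not derived from the PAN: no key or formula recovers card data.
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._token_to_pan:   # avoid the (tiny) chance of a collision
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Gateway-only lookup used when a payment is actually processed."""
        return self._token_to_pan[token]

def merchant_record(vault: TokenVault, pan: str, amount: float, channel: str) -> dict:
    """What the merchant's own database keeps: token plus transaction metadata, no PAN."""
    return {"token": vault.tokenize(pan), "amount": amount, "channel": channel}

def repeat_customers(records: list) -> set:
    """Behavioural analysis on tokens alone: which cards were used more than once?"""
    counts = {}
    for rec in records:
        counts[rec["token"]] = counts.get(rec["token"], 0) + 1
    return {tok for tok, n in counts.items() if n > 1}

def leaks_pan(records: list, pans: list) -> bool:
    """Breach check: would a dump of the merchant's records expose any raw card number?"""
    dump = repr(records)
    return any(pan in dump for pan in pans)
```

Because the token is random rather than an encryption of the card number, there is no key on the merchant's side whose theft would reverse it; only the gateway's vault can map a token back to a card.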

Secure the data and get the insight

Payment data can be something of a double-edged sword, providing crucial insight but requiring stringent control and protection. By taking an approach which values seamless and integrated systems and processes that incorporate the latest encryption technologies, merchants can still stay safe in the world of GDPR whilst gaining that valuable intelligence.

Now’s the time for merchants to get prepared for the changes the regulation will bring. Those who understand the implications of GDPR will be the ones who won’t find themselves coming unstuck with customer payment data.

About the author:

Andy Mellor is product manager at The Logic Group where he is responsible for helping guide the development of the company’s technology solutions and product roadmap. He boasts a strong understanding and wealth of experience in architecting security solutions.
