Impact of New Regulation - GDPR, PSD2, ARL - On Merchants

Payments Industry Regulation 2019


The last couple years have been a boom time for new regulatory frameworks in the ecommerce and digital payment spheres. In addition to the 400-kilogram gorilla that is the European Union’s General Data Protection Regulation, 2018 saw the amendment of California’s Automatic Renewal Law, as well as the passing of the deadline for the revised Payment Services Directive to be codified into national legislation.

These regulations may apply only to specific geographical regions, but the internet doesn’t play well with borders—especially when the specific geographical regions in question are enormous markets like the EU and the state of California. For businesses, it’s almost always safer and more cost effective to apply regulatory changes across the board whenever possible, and that’s why even internet surfers outside the EU see all of the mandatory pop-up warnings about browser cookies mandated by the GDPR.

Unless you plan to strictly limit your business dealings to regions outside the coverage of these regulations, it is imperative that merchants learn what these regulations require of them and take the necessary steps to become compliant.

General Data Protection Regulation (GDPR)

The GDPR applies to all organizations that process data belonging to citizens of the European Union and the European Economic Area, no matter where those organizations themselves are based. The goal of the regulation is to protect individuals from the theft or misuse of their personal data.

Although it has been in effect for less than two years, the GDPR has already demonstrated that it isn’t kidding around when it comes to enforcement—British Airways was fined £183 million for failing to protect its customers from a data breach, and Marriott International was fined £99 million for a similar incident.

Companies in the United States are taking the GDPR seriously, with most projecting that they will reach full compliance by the end of 2019. This is no small feat; the requirements of the GDPR are fairly extensive and can be difficult for some companies to implement. Among other things, the GDPR may require businesses dealing with citizens of the EU to:

  • Provide notice of a data breach within 24 hours
  • Allow customers to view and delete their stored personal data
  • Establish a Chief Data Office
  • Design their sites in accordance with principles of privacy and transparency

Download our New Visa Claims Resolution WhitepaperAnd while the penalties for violating the GDPR are severe—4% of worldwide revenue or €20 million, whichever is higher—most US companies aren’t complying out of fear, but to meet consumer expectations in the EU and have a greater chance of making inroads in that market.

For the average merchant, operating a small business and not a multi-million dollar international concern, the GDPR offers both some benefits and some challenges.

From a merchant perspective, the customer’s right to delete their own data is concerning. They could potentially delete data that can be utilized for fraud detection and analysis, or information that merchants could use to bolster their case in chargeback representments. On the other hand, the GDPR has spurred improved fraud prevention and incident response strategies throughout the ecommerce industry. If the US ever enacts a law similar to the GDPR, merchants will have a big head start on compliance.

It’s also important to be aware of some of the exceptions allowed under the GDPR. Data used for fraud prevention, for instance, is not subject to the consent requirements of the regulation.

Revised Payment Services Directive (PSD2)

Originally intended to make online transactions safer for consumers and facilitate open banking and cross-border payments within the EU, the Payments Services Directive was revised in 2015. EU governments were given ten years to enact laws based on PSD2, and the deadline for businesses to achieve compliance was September of this year.

The main requirement of PSD2 is that companies use Strong Customer Authentication (SCA) processes to approve transactions. SCA relies on authenticators that would be difficult for fraudsters to steal or replicate, such as:

  • Inherent characteristics (example: retinal patterns or fingerprints)
  • Private knowledge (example: a password or security phrase)
  • Personal ownership (example: a specific device or smart card)

SCA exemptions are offered for merchants who fall below certain fraud activity thresholds.

New call-to-actionEven without the threat of PSD2 enforcement, it’s a good idea for merchants to implement SCA, which can be done by utilizing the widely-available 3-D Secure 2.0 anti-fraud protocol—but note that improved fraud prevention does not come without costs. Merchants who use SCA methods such as 3-D Secure may find that the increased payment friction leads to a reduction in acceptance rates, and may elicit some pushback from customers.


Automatic Renewal Law (ARL)

Effective July 2018, California revised its existing Automatic Renewal Law to better address automatically renewing payments in the context of ecommerce. Primarily, the law requires that companies who do business in California provide customers with a way to cancel their subscriptions or recurring payments over the internet. The revisions also touch on the handling of free trial periods and promotional pricing.

For the most part, this regulation should be the easiest of the three to comply with. In most cases, full disclosure of the terms and conditions of your subscriptions and renewable offers, along with a simple online form for cancellations, will suffice, but subscription-based merchants should read the details of the law carefully. Civil penalties are applicable to merchants who fail to comply.

Unlike the EU’s regulations, the ARL is unlikely to cause any friction or inconvenience for customers, and in most cases should contribute to greater transparency and improved customer experience.


When you’re engaged in ecommerce, the whole world has the potential to be your customer market—which means that you need to concern yourself with laws and regulations worldwide, ensuring that you comply with the ones that apply to you. This can be a lot of work and responsibility for a small business, but the rewards are considerable when you take into account the incredible reach of the internet and the revenue potential of selling your products and services to anyone who wants them, no matter where on the planet they’re located.

So don’t stick your head in the sand and hope that the EU won’t bother to pick on a small American company just for violating a few little GDPR requirements. Learn what changes you need to make, work out a plan and a timetable for implementing them, and let your business take on the world!

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:

Download our New Visa Claims Resolution Whitepaper

Similar Posts