Since the General Data Protection Regulations (GDPR)’s enactment across the European Union in May, businesses worldwide have had to re-examine their levels of data security.
Have they done enough to prevent breaches? Can they stop their data being compromised? Do the new regulations place them at greater risk? What will happen next?
Many businesses are still at severe risk of failing to comply with GDPR, despite widespread publicity of the potential penalties and support in understanding the best ways to secure their data. Furthermore, anecdotal evidence suggests that only a handful (around 15%) of the hundreds of payment service providers have so far implemented PCI point to point data encryption (PCI P2PE), a critical means of complying with GDPR requirements as it pertains to payment data.
Although encryption is not a legal imperative, official GDPR documentation strongly advises businesses to consider it. “The controller [such as a merchant] and processor [such as a card company] shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” states Article 32. Number one among the suggested measures: “The pseudonymisation and encryption of personal data.”
Article 34 urges businesses to implement measures “that render personal data unintelligible to any person who is not authorised to access it, such as encryption.”
With encryption, when a business suffers a security breach, if the hacked data contains no useful information, there is no material loss. Importantly, such a breach does not have to be reported to any authorities, avoiding reputational damage.
Despite the severe financial penalties threatened for breaches of GDPR – up to €20m or 4% of annual turnover per infringement (whichever is the greater), it appears that the majority of businesses still run insecure systems, based on technologies ill-equipped to comply with these new regulations.
Too many companies and organisations approach GDPR compliance without looking closely at their underlying vulnerabilities. Smaller businesses rely upon service providers to comply on their behalf, but lack the resources or the expertise themselves to determine whether they fully comply.
Consumers today routinely provide far more data during transactions than in the past. Online pharmacies require personal health information; travel companies need passport details or driving histories; even magazine subscriptions may ask about consumers’ personal interests. In the hospitality sector, hotels, restaurants and event locations collect personal data, while social media payment applications may have access to personal data via mobile phones.
The upshot is that consumer-facing enterprises, from the simplest website requesting email details to the largest corporation, collect data that comes under the scope of GDPR, placing them at risk of non-compliance.
Businesses that are found to be in breach of GDPR face a daunting list of consequences: potential class actions, loss of business and reputation, a distraction from their core business, inspection by forensic teams and the time and expense of mounting a legal defence.
Hacking data security providers is extremely difficult to achieve, given their many layers of security including inaccessible hardware solutions and tokenisation. It would involve adversaries breaking into both the merchant’s and the security provider’s systems and then cross-referencing data, having de-tokenised and deciphered information unique to each transaction. Further, with PCI P2PE, data is enciphered using a unique key for each transaction thereby making data compromise nigh on impossible.
By contrast, we have found some important misconceptions about GDPR:
• Many do not realise that the data PCI Data Security Standards serve to protect is considered personal data under GDPR regulations. Being PCI DSS compliant will not make you GDPR compliant. When accepting payments, particularly over the internet, modern data payloads carry much more personal information than is covered by PCI DSS alone.
• There is a lack of awareness of how the Strong Customer Authentication element of PSD2 (the European Commission’s Second Payment Services Directive), which deals with remote access to accounts, such as mobile payments to merchants, will impact GDPR.
When this comes into force in September 2019, the amount of information that consumers will pass on to merchants and their payment providers will increase exponentially, placing far higher demands upon their GPDR compliance procedures.
• Some fail to appreciate how widely GDPR rules extend: any business dealing with European consumers, or employing European staff, or transacting with European companies, fall into its remit. Businesses need to consider the security of their suppliers’ and partners’ systems, as well as their own.
• The scope for non-compliance with GDPR is far higher than with earlier Standards such as PCI DSS, since it encompasses health, social security and multiple types of personal data, in additional to financial details. We think that there is a general lack of understanding of this issue, which may have serious consequences for businesses in future.
The €20m penalty for a single GDPR data compromise could bankrupt a small business. Too few vulnerable companies have taken steps to mitigate this risk.
We’ve seen several high-profile data breach cases in the spotlight recently, involving multinational corporations. Data from millions of consumers has been compromised with some of the data dating back many years. The GDPR authorities will not stand by and watch mistakes happen, they will tackle these as a priority, knowing that their widespread publicity and relevance to society will alert smaller and medium sized enterprises to their own risks and responsibilities.
Nevertheless, it is vital that all companies and organisations, of whatever size, take steps to protect themselves. They must ensure they are GDPR compliant by using the best tools and partnerships available to them.
Tony Hammond has more than thirty years’ experience in the payments and technology industry. He is currently leading business expansion in Europe for FreedomPay