A year ago, the European Union adopted the General Data Protection Regulation, or GDPR, a piece of legislation designed to force companies to protect people’s data. In just a few months, another data-related EU law is coming into effect: the second “payment services directive“, or PSD2.
The new law, which becomes mandatory on September 14, takes aim at financial firms. The goal: Boost competition and innovation within the industry by making banking and payments safer and more open through stronger security and data portability provisions.
Claire Hughes Johnson, chief operating officer of Stripe, the highest privately valued fintech startup in the U.S., dropped by Fortune’sBalancing The Ledger studio to discuss her company’s approach to compliance. She said the infrastructural challenges presented by the rules are “pretty rough.”
One aspect of the new law requires that banks support “strong customer authentication“; in other words, these companies must reject payments that fail to verify the identity of the purchaser, in real time, through multiple steps. Financial firms have been ordered to use a combination of passwords or PINs along with a second factor, which could involve a text message sent to a phone number, a hardware security token, or biometrics, like a fingerprint or face scan. (There are some exemptions.)
“For people who study consumer behavior and shopping carts it’s really scary because it does create a lot of friction,” Johnson said. “Our mission is to take away that complexity and cover all the compliance and the infrastructure you need for payment acceptance and paying out.”
In April, Stripe for an undisclosed sum acquired Touchtech Payments, a Dublin-based fintech startup that builds authentication technologies for banks, specifically to address the regulatory challenge. At the time, John Collison, Stripe’s cofounder and president, told TechCrunch that the regulation “is a huge deal” and that “people are sleepwalking into it.”
If history teaches us, somnambulism will abound. Three months after GDPR went into effect, one oft-cited study found that out of 103 GDPR-applicable businesses, about 70% failed to comply with one of the law’s basic mandates: supplying personal data within a month to a consumer who requests a copy. That sluggish response certainly does not bode well for companies facing down the new rules’ deadline.
To quote Billie Joe Armstrong, frontman of the punk rock outfit Green Day: Wake me up when September ends.