After GDPR Struggle, Are Companies Ready for the Next EU Data Law?

Robert Hackett

Is your business prepared?

A year ago, the European Union adopted the General Data Protection Regulation, or GDPR, a piece of legislation designed to force companies to protect people’s data. In just a few months, another data-related EU law is coming into effect: the Second Payment Services Directive, or PSD2.

The new law, which becomes mandatory on September 14, takes aim at financial firms. The goal: Boost competition and innovation within the industry by making banking and payments safer and more open through stronger security and data portability provisions.

Claire Hughes Johnson, chief operating officer of Stripe, the highest privately valued fintech startup in the U.S., dropped by Fortune’s Balancing The Ledger studio to discuss her company’s approach to compliance. She said the infrastructural challenges presented by the rules are “pretty rough.”

One aspect of the new law requires that companies support “strong customer authentication“; in other words, banks must reject payments that fail to verify the identity of the purchaser, in real time, through multiple steps. Financial firms have been ordered to use a combination of passwords or PINs along with a second factor, which could involve a text message sent to a phone number, a hardware security token, or biometrics, like a fingerprint or face scan. (There are some exemptions.)

“For people who study consumer behavior and shopping carts it’s really scary because it does create a lot of friction,” Johnson said. “Our mission is to take away that complexity and cover all the compliance and the infrastructure you need for payment acceptance and paying out.”

In April 2018, Stripe for an undisclosed sum acquired Touchtech Payments, a Dublin-based fintech startup that builds authentication technologies for banks, specifically to address the regulatory challenge. At the time, John Collison, Stripe’s cofounder and president, told TechCrunch that the regulation “is a huge deal” and that “people are sleepwalking into it.”

Three months after GDPR went into effect, one oft-cited study found that out of 103 GDPR-applicable businesses, about 70% failed to comply with one of the law’s basic mandates: supplying personal data to a consumer who requests a copy within a month. That sluggish response does not bode well for companies facing down the new rules’ deadline.

To quote Billie Joe Armstrong, frontman of the punk rock outfit Green Day: Wake me up when September ends.