The Battle for Payment Data: Who Owns Your Transactions?

Ajinkya Mahadeo Ghadge
Published 11/13/2024

Payment Data Ownership
In today’s digital age of contactless payments, credit card swipes, and mouse clicks, consumers have been increasingly worried about how their personal data is being used online. A recent study by the Pew Research Center found that 79% of Americans are concerned about how their data is being used. Another survey by Deloitte showed that 64% of respondents are worried about their data when using online payments. Consumers are increasingly uneasy about online payments as there is no clear understanding of who owns their payment data—whether it’s them, merchants, or payment processors.

To understand this better, let’s examine the typical payment lifecycle when a consumer makes an online payment:

  1. Authentication: Payment credentials are verified by the payment gateway or wallet provider.
  2. Authorization: The payment gateway sends the information to the acquiring bank, which forwards it through a payment network to the issuing bank.
  3. Validation: The issuing bank validates the payment request against the consumer’s account and returns an authorization code.
  4. Response: The authorization code is sent back to the merchant through the acquiring bank, signaling the transaction’s status.
  5. Confirmation: The merchant provides a receipt for the transaction to the consumer.
  6. Reconciliation: During settlement, funds are transferred from the consumer’s account to the merchant’s account. Both banks reconcile the transaction in their records.

The key stakeholders in this lifecycle are:

  • Consumers – Data generators: Consumers generate the data points through their buying patterns.
  • Merchants – Data collectors: Merchants are interested in studying consumer buying patterns to leverage loyalty programs and offer other incentives.
  • Payment Processors – Data intermediaries: They aggregate data across various merchants and consumers, which helps identify trends and improve payment systems.
  • Banks – Data custodians: Banks have traditionally been custodians of financial data by storing transaction histories and offering fraud detection services.

Regulatory Landscape and Data Ownership


From a regulatory perspective, in the United States, no law explicitly governs payment data ownership. The Gramm-Leach-Bliley Act of 1999 requires financial institutions to implement regulations for handling significant amounts of data. However, its scope is limited and does not apply to non-financial institutions handling payment data. The California Consumer Privacy Act (CCPA) offers consumers some control over their personal data but applies only to California residents, resulting in fragmented regulation across other states. HIPAA offers robust protection for patient payment data in healthcare but is restricted to the healthcare industry.

Globally, the General Data Protection Regulation (GDPR) in Europe offers extensive rights to consumers regarding their payment data, including the rights to access, delete, and port data. In the Asia-Pacific (APAC) region, Australia’s Privacy Act of 1988, Japan’s Act on the Protection of Personal Information (APPI), and India’s Personal Data Protection Bill (pending) each provide varying levels of protection with distinct strengths and weaknesses.

Additionally, big tech companies like Facebook, Google, Amazon, and Apple, with their own payment methods (i.e., name-Pay), have added complexity to the question of data ownership in the payments space. Each of these payment methods has made it easy for customers to make payments online, but at the same time it has resulted in these tech companies creating elaborate customer profiles, which include personal information, online behavior, and payment data, to offer targeted advertisements and competitive pricing. This involvement of big tech has not only raised privacy and security concerns among consumers, resulting in antitrust issues; traditional financial institutions like banks and payment processors are facing immense competition as well.

Privacy, Security, and Challenges in Payment Data


The involvement of big tech companies has not only raised privacy and security concerns but also led to antitrust issues. Traditional financial institutions like banks and payment processors now face immense competition from these tech giants.

As a result, consumers are more worried than ever about how much of their data is being used, in what detail (including sensitive information), and to what extent. Payment data also comes with its own security risks due to its high value, the Equifax and Capital One breaches being the most recent ones due to vulnerabilities in existing systems. The consolidation of data has also given companies a competitive edge and limited the emergence of newer companies in the payments space, due to the high cost of the infrastructure and resources needed to meet regulatory and compliance requirements globally.

Blockchain: A Potential Solution?


While blockchain technology has proven to solve some of the security concerns around payment data through decentralized and tamper-proof ledgers, its widespread adoption and the issues around scalability, interoperability, and regulatory acceptance make it a hard choice at present.

As businesses continue to grow and payment processing technologies evolve, it will be crucial for innovators and regulators to collaborate closely to ensure consumer data privacy is maintained while fostering technological advancement. Until then, the issue of payment data ownership and privacy remains unresolved.

 

Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.