The Battle for Payment Data: Who Owns Your Transactions?

Exploring the battle for payment data ownership among consumers, merchants, tech giants, and banks, raising crucial issues of privacy, security, and regulatory compliance.

Ajinkya Mahadeo Ghadge, Software Engineering Lead, Pay-In

July 26, 2024


In today’s digital age of contactless payments, credit card swipes, and mouse clicks, consumers are increasingly worried about how their personal data is being used online. A recent study conducted by Pew Research Center found that 79% of Americans are worried about how their data is being used. A banking survey conducted by Deloitte highlights that 64% of respondents are worried about their data when making online payments. Online payments worry consumers because there is no clarity around who owns their payment data: the consumers themselves, the merchants, or the payment processors.

To understand this better, let’s look at the typical payment lifecycle when a consumer makes an online payment. First, the payment credentials are verified by the payment gateway or the wallet provider (authentication). The payment gateway then sends the information to the acquiring bank, which uses a payment network to forward it to the consumer’s issuing bank (authorization). The issuing bank validates the payment request against the consumer’s account and sends back an authorization code (validation). This authorization code is sent back to the merchant through the acquiring bank, via the same payment network, to indicate the status of the transaction (response). The merchant then provides a receipt of the transaction to the consumer (confirmation). Subsequently, during settlement, the funds are transferred from the consumer’s account to the merchant’s account, and during reconciliation, both the merchant’s and the consumer’s banks reconcile the transaction in their records.


If you look closely, the key stakeholders in this lifecycle are the following: 

  1. Consumers: Data generators. The data is generated from consumer buying patterns.

  2. Merchants: Data collectors. Merchants have a vested interest in studying consumer buying patterns to leverage loyalty programs and offer other incentives.

  3. Payment Processors: Data intermediaries. They aggregate data across different merchants and consumers, which helps in identifying trends and improving overall payment systems.

  4. Banks: Data custodians. Traditionally, banks have positioned themselves as custodians of financial data by storing transaction histories and offering services to detect fraud, etc.

From a regulatory perspective, no law in the United States explicitly governs payment data ownership. The Gramm-Leach-Bliley Act of 1999 requires financial institutions to apply regulations for handling significant amounts of data; however, its scope is limited and does not extend to non-financial institutions handling payment data. It is also based on an outdated framework that does not apply very well to data privacy and the challenges posed by newer technologies. The California Consumer Privacy Act (CCPA) does offer consumers rights over their personal data and applies to a wider set of institutions. However, it applies only to California residents, leading to a fragmented regulatory environment in other states. HIPAA, on the other hand, does provide robust protection for patients’ payment data in the healthcare industry but, again, is limited to healthcare.


Globally, the GDPR (General Data Protection Regulation) in Europe offers consumers extensive rights over their payment data, including the rights to access, delete, and port their data and to object to its processing. In APAC (Asia Pacific) countries, there is Australia’s Privacy Act of 1988; in Japan, the Act on the Protection of Personal Information (APPI); and in India, the Personal Data Protection Bill (pending). Each of these regulatory frameworks comes with its own strengths and weaknesses.


There is also the involvement of big tech companies like Facebook, Google, Amazon, and Apple with their own payment methods (i.e., name-Pay), which has added to the complexities around data ownership in the payments space. Each of these payment methods has made it easy for customers to make payments online; at the same time, it has resulted in these tech companies creating elaborate customer profiles, which include personal information, online behavior, and payment data, to offer targeted advertisements and competitive pricing.

This involvement of big tech has not only raised privacy and security concerns among consumers, thereby resulting in antitrust issues, but has also brought immense competition for traditional financial institutions like banks and payment processors.

As a result, consumers are more worried than ever about how much of their data is being used, in what detail (including sensitive information), and to what extent. Payment data also comes with its own security risks due to its high value; the Equifax and Capital One breaches, the most recent ones, were due to vulnerabilities in existing systems. The consolidation of data has also given companies a competitive edge and limited the emergence of newer companies in the payments space, due to the high cost of the infrastructure and resources needed to meet regulatory and compliance requirements globally.

While blockchain technology has proven to solve some of the security concerns around payment data through decentralized and tamper-proof ledgers, questions around its widespread adoption and issues of scalability, interoperability, and regulatory acceptance make it a hard choice at present.

As businesses continue to grow and payment processing technologies evolve, it will be crucial for innovators and regulators to collaborate closely to ensure consumer data privacy is upheld along with technological innovation. Until then, the issue of privacy around payment data and ownership will continue to be in limbo. 

About the Author

Ajinkya Mahadeo Ghadge

Software Engineering Lead, Pay-In

Ajinkya Mahadeo Ghadge leads engineering teams in the Pay-In domain at one of the top tech travel companies in Seattle. During his time there, he has led the development of several fault-tolerant services backed by AWS cloud computing to process payments worth more than $100B annually across 155 countries, 45+ currencies, and different payment options globally. Prior to this, he was one of the core members who developed an AI marketing platform for a KPI-driven marketing company called Amplero, Inc (now Curinos). While at Amplero (Curinos), Ajinkya leveraged multi-armed bandit experimentation to optimize customer lifetime value at scale for B2C marketers of global brands. In addition, he has a strong background in leading research initiatives in robotics that were funded by the National Science Foundation.
