GDPR: Why It Matters for US Merchants

You’ve probably heard news about the GDPR (General Data Protection Regulation), but do you know what it means for you and your merchants? GDPR is a complete game changer for consumer privacy, and by extension also for all businesses that handle consumer personal data.

GDPR  is a set of consumer privacy regulations enacted in the European Union on May 25, 2018. It’s meant to combat the abuse of consumer data and prevent breaches that result in harms such as identity theft. By returning control of personal data to the consumer, GDPR forces businesses to behave ethically in regard to data acquisition and maintenance.


Worldwide, the abuse of consumer data is rampant and out of control. All too often, personal data is unethically acquired, stored and sold, with little regard for consumer privacy or data security. While all this wheeling and dealing results in profit for marketers, consumers pay the price through identity theft, compromise of healthcare and financial information, and of course card fraud.

You Thought PCI Compliance Was Tough?

GDPR is an EU-wide set of regulations that replaces the previous ineffective and inconsistent patchwork of rules established by various countries. It requires explicit consent (and proof) for the use of personal information, secure storage of necessary personal data, and deletion of all non-necessary data.  

This regulation has teeth: companies found out of compliance will face expensive fines. What’s more, GDPR compliance applies to ALL vendors and partners with which a business interacts. If a vendor is out of compliance, the customer is also held liable. As you can imagine, GDPR is causing major shockwaves through the EU business market.

What Does GDPR Mean for US Merchants Now

Right now, the majority of the impact lies within EU countries, but it also affects merchants here in the US. Any US businesses that sell to EU citizens must also comply with GDPR standards. How exactly US businesses are supposed to accomplish this goal is still a little murky. At the very least, merchant acquirers need to stress the importance of PCI compliance. In payments, PCI-DSS ought to align closely with GDPR.

Regarding data outside the scope of payments, your merchants will be facing a strange new horizon. But as we all know, challenges equal opportunities: it might be a great opportunity for payment service providers to deepen relationships by helping merchants navigate and accomplish GDPR compliance.   

What Does GDPR Mean for the Future

In payments, we need to take a lesson from the EU’s playbook. Fintech developments in Europe accurately predict what’s headed down the road for the US. Consider the EMV transition: it was adopted in Europe years before it made its way here, and the challenges and results of that process have been similar.

In one form or another, we can expect GDPR standards to hit our shores in the next few years. Due to the scale and complexity of the US payments ecosystem, implementing change here will undoubtedly be more difficult. But just as the EMV switch was eventually pushed though, consumer privacy protections will eventually pass as well.

It’s a good idea for payment service providers to plan ahead to meet data privacy and security requirements. Considering the dire straits in which US consumers find themselves, change can’t come soon enough.   

Get Social
Access Payment Industry Info
& Merchant Insights.