The unintended consequences of emerging compliance regulations


Online data is more prevalent and valuable than ever before, for consumers, businesses and fraudsters alike. While the ability to do anything from anywhere has its benefits, including convenience and constant connectivity, there’s also a dark side: criminals waiting to exploit your most personal, sensitive information. In fact, the total number of personal records exposed in data breaches more than doubled in 2018 compared to 2017.

The value of data has led to new legislation intended to protect information shared and stored online. Europe’s GDPR became binding in May 2018, and a variant in California is slated to become effective in 2020, complicating matters for companies that limited their European data presence in hopes of avoiding GDPR. In addition, the revised Payment Services Directive (PSD2), intended to democratize access to data and simultaneously protect it through Strong Customer Authentication (SCA), will come into effect in Europe in September 2019.

A closer look at the unintended consequences

Perversely, both GDPR and PSD2, which were created to protect customers and their data, actually introduce new risks and complications for businesses operating online. Both sets of regulations were born to protect data (or in the case of PSD2, increase data security as a result of open banking) and consumers’ rights over their own data. But today’s payments ecosystem is intricate and complex, and it is hard for legislation to predict and guard against the moves criminals will take in reaction to it.

With GDPR, consumers can request deletion of their data at any time. But for fraudsters, this means they can disguise themselves as legitimate actors and demand all data on their personas be removed, then present themselves to online businesses as blank slates every time. Being able to identify fraudsters as returning bad actors is vital to all fraud fighting efforts, and not having previous visits to draw on would be a serious handicap to proper prevention.

In the case of PSD2, the unintended consequence is similar to the unfortunate side effect of the EMV rollout. In that case, fraudsters were successfully deterred from carrying out card-present fraud, and shifted online to card-not-present fraud instead. With PSD2, making fraud more difficult at the point of transaction within the EU is likely to shift fraud to other geographies and attack points. Most online businesses are global, and those that sell outside the EU as well as within it will have to be particularly careful with non-EU transactions once PSD2 kicks in. Criminals who stop using European data won’t stop stealing; they’ll just start using data from elsewhere.


Know your ecosystem

To combat the unintended risks that GDPR and PSD2 bring in their wake, companies need to develop a deep understanding of their own ecosystem and the users who are part of it. Only a full comprehension of good and bad actors, and the connections both hidden and overt between them, can provide the necessary framework for protecting an online business.

A rich understanding of your ecosystem mitigates the GDPR risk because the legislation does not require you to delete the information of known criminals. If your system is accurate enough to detect fraudsters reliably, and to make the right connections to recognize them when they return in different guises, then you won’t need to delete their data — even on request. In fact, such a request would simply become additional, valuable information.

It isn’t enough to be able to match obvious data points such as addresses, names or even IP addresses. Your system needs to be able to match behavioral data and patterns and use cyber intelligence to piece together obfuscated elements. Only then can you identify malicious actors continuously, even when they have changed everything they can in their digital appearance.

A similar level of sophistication and sensitivity is necessary for dealing with the “attack shift” that will likely follow PSD2. To guard against the risk of fraud moving between geographies, your system must be sensitive to the genuine behaviors of users in different geographical areas, and be able to flag when a user does not match the expected norms for their location. Different industries and businesses have different behaviors, so it is vital that your system be attuned to your own ecosystem.

Make sure your customers and accounts are protected by a system that knows your customer base just as well as you do. This requires flexibility, continuous innovation, and an ongoing effort to stay ahead of criminals and abreast of the evolution in customer behaviors and expectations. However, with constant, accurate, informed protection, you can maintain compliance, security, and customer trust.

Iftah Gideoni, CTO of Forter


Iftah Gideoni is CTO of Forter, a fraud prevention solution provider. He is an experienced executive with a diverse technology background. Prior to Forter, Iftah served as Chief Data Officer and V.P. R&D of myThings. Before that, he led a portfolio of research projects for the Australian national research agency CSIRO. In the past, he was the V.P. R&D and CTO of B.V.R. Systems and CTO of Proxy Aviation Inc. He has over 6 years of working experience in the field.
