Frequently Asked Questions

Payment SDKs:

Are sets of tools and resources that enable developers to build and enhance mobile applications for specific platforms.

Provide developers with the necessary resources to create mobile applications for specific platforms.

Are designed for specific platforms, such as Android or iOS, and provide platform-specific functionalities and features.

Payments APIs:

Are application programming interfaces that enable apps and eCommerce sites to accept payments by ensuring communication between all entities involved in that process.

Allow businesses to configure their payment processing infrastructure and create custom credit or debit card processing setups unique to their eCommerce business.

Provide encryption and security features to protect sensitive payment information, such as card numbers and personal data.

ActiveSDK is a 3-D Secure 2 solution provided by GPayments Pty Ltd. It is a mobile SDK that facilitates the collection of data about the consumer to make an informed decision about the transaction's risk of being fraud. ActiveSDK can be deployed in various ways; it can be a standalone SDK for developers to connect to and use, or it can be wrapped inside another SDK for payment gateways to distribute as part of their own SDK. 

ActiveSDK was developed in accordance with the official EMVCo 3D Secure 2 specifications. This means ActiveSDK utilises a standard set of APIs and can be used with any other 3D Secure 2 component on the market. ActiveSDK simplifies the integration process for the end merchant and helps issuers achieve more accurate authentication results, which in turn helps secure the consumer's credit card from fraud.

An Access Control Server (ACS) is a tool used in various contexts to prevent fraudulent transactions and authenticate users. An example of an ACS is 3D Secure Protocol.

A Merchant Plug-in (MPI) is a software module designed to facilitate 3D-Secure verifications and prevent credit card fraud during online transactions. The MPI identifies the customer's card details and queries the servers of the card issuer (Visa, MasterCard, or JCB International) to determine if it is enrolled in a 3D-Secure program. If the card is enrolled, the MPI returns the web site address of the issuer access control server (ACS). The ACS is responsible for authenticating the cardholder by verifying their username and password. The MPI verifies the ACS signature and decides whether to proceed with the transaction. 

Verification of an individual's identity based on their unique biological characteristics, including facial recognition or voice identification. Biometric authentication systems compare captured biometric data with confirmed authentic database data. For authentication to be validated, both biometric data samples must match.

Occurs when a customer manually enters credit card information during a transaction without physically presenting the card to the merchant, it is considered card-not-present (CNP) fraud. This type of fraud typically occurs online when the fraudulent party obtains the cardholder's information without their consent, such as their three-digit security code. Commonly, CNP fraud is committed via phishing.

Card schemes are payment networks that establish regulations and provide infrastructure to issue cards and process card-based transactions, such as debit and credit card transactions. Issuers (bank or financial institution) and acquirers (merchant or customer) must be part of the same network as the card for a payment to be processed.

A central repository for storing and operating data, including identity profiles. Directory Server can be used to authenticate and authorise users to ensure safe access to an organisation, internet services, and applications. Directory Server is expandable as it can be integrated within existing systems, and permits the integration of employee, customer, supplier, and associates data.

An authentication and authorisation technology that uses a variety of user-provided factors. This includes evaluating the user's behaviour, devices, and other variables to determine if they pose a threat. If the user fails to meet a set standard, they will be urged to provide additional verification information. This could be the answer to a security question or a biometric element. Explore the topic of risk-based authentication.

Instated through risk-based authentication performed in the ACS, this feature enables issuers to approve a payment without interacting with the cardholder. As the customer confirms an online purchase, all their shopping details, including device data, item purchased, and value, are sent to the ACS to verify the cardholder's identity using risk-based elements. Since this procedure occurs invisibly, it is considered frictionless.  Customers are guided to the order confirmation page without being informed that their transaction has been screened.

When the liability for chargeback loss is transferred back to the bank from the merchant. This typically occurs during eCommerce transactions in which the cardholder denies making a purchase, as well as fraudulent transactions.

A category of 3DS messages that can be used to verify identity outside of the payment ecosystem, allowing wallet providers and issuers to streamline the provisioning and activation of cardholders in a secure manner. Discover more about 3DS2 non-payment authentication.

One-time passwords are a system that provides a mechanism for logging on to a network or service with a password that is unique and valid for only one login session or transaction. This protects online bank accounts, enterprise networks, and other systems that contain sensitive information, from certain types of identity fraud by making sure that a stored username and password cannot be used more than once.

A type of multi-factor authentication that verifies the claimed identities of users.  

The method authenticates the transaction using two of the three factors:

  1. Information the user knows, such as a password or PIN

  2. Something the user owns, such as a card or mobile phone

  3. Something the user is, such as fingerprints or facial recognition

Out of band (OOB) authentication is the protection authentication mechanism that requires two distinct signals from two distinct separate channels or networks. In a business environment, an OOB satisfies security requirements by generating a request for secondary verification.

Using biometrics to validate card-not-present digital transactions is a new European legal mandate designed to make online payments more secure. With the PSD2 (Revised Payment Service Directive) regulations, the user will be required to provide more information than just the card number and CVC verification code at the time of payment.  

SCA uses three distinct types of information to confirm user identities:

  1. Information the user knows, such as a password or PIN

  2. Something the user owns, such as a card or mobile phone

  3. Something the user is, such as fingerprints or facial recognition

The act of a potential eCommerce customer abandoning their purchases/shopping cart during the payment phase of the checkout process. This typically occurs when a customer forgets the additional 3-D Secure verification requirement or when the page does not display correctly on a mobile device.

False declines are legitimate credit card transactions that are incorrectly declined by the credit card issuer or merchant as suspected fraud attempts. They are also known as false positives. False declines occur when a legitimate transaction is flagged as fraudulent and rejected, causing frustration for the customer and lost revenue for the merchant.

• Filters for the location of the shopper
• Delivery address not matching the card’s billing address
• Incorrect credit card information entered by the customer
• High-risk transactions
• Suspicious activity on the customer's account

• Technical issues with the payment processing system
• Overly strict fraud detection criteria

Authentication channels are communication channels that are used to verify the identity of users or devices accessing a system or application.

Examples of authentication channels include:

• Standard authentication
• Encrypted authentication
• Omni-channel authentication  

• Verification channels  
• Channel authentication records  

No, it is the responsibility of each merchant to implement 3D Secure. However, in nations such as India and South Africa, 3D Secure is mandatory.

Authentication:

• 3DS 1.0: Used static passwords or OTPs, often inconvenient and less secure.
• 3DS 2.0: Employs dynamic, user-friendly methods like biometrics and device fingerprinting, enhancing security.

Frictionless Experience:

• 3DS 1.0: Typically involved user intervention for every transaction.
• 3DS 2.0: Offers a smoother, "behind-the-scenes" authentication process for low-risk transactions, reducing cart abandonment.

Risk Assessment:

• 3DS 1.0: Had limited risk assessment capabilities.
• 3DS 2.0: Utilises real-time data sharing for better risk evaluation.

Mobile Optimisation:

• 3DS 1.0: Not mobile-friendly.

• 3DS 2.0: Designed for mobile devices, improving the user experience.

Merchant Benefits:

• 3DS 1.0: Merchants had less control and faced potential sales loss.
• 3DS 2.0: Offers customisation options and enhanced liability protection for merchants.

• AusPayNet regulations require all big Australian merchants to implement 3D Secure.

• Visa has withdrawn the proposed 3DS2 mandate, so it is no longer mandatory for merchants operating in Australia and New Zealand to have 3DS2.0 enabled by 15 October 2022 to continue transacting with Visa. However, it is still strongly recommended to have 3DS2 as an additional protection against fraud.

• Mastercard has increased the price of 3DS1 authentication in the APAC region, including Australia, Hong Kong, Malaysia, New Zealand, and Singapore\

• Strong Customer Authentication regulation as part of PSD2 in Europe and similar regulations in the UK, India, and Australia may require the use of 3DS for card authentication.

• 3DS2 awareness and adoption lag in Australia ahead of an October 2022 implementation target set by card issuers, and some retailers.

EMVCo enhances card-based payment security worldwide by setting global standards for EMV chip technology, 3D Secure, tokenisation, and security assessments. It ensures interoperability, certifies compliance, and educates stakeholders, making card transactions more secure and resilient against fraud.

Real-world applications of biometric authentication in the payment industry include fingerprint and facial recognition for unlocking mobile wallets, authorising transactions, and accessing banking apps, enhancing security and user convenience.

A liability shift in eCommerce transactions typically occurs when the party that does not support EMV chip or 3D Secure authentication bears responsibility for fraud losses. This shift is influenced by factors such as card network rules, compliance, and adoption of secure payment technologies.

GPayments' ActiveSDK can be integrated into various payment systems using its APIs and libraries. It offers benefits like 3D Secure 2.0 compliance, improved security, fraud reduction, and enhanced user experience for issuers and merchants in online card transactions.

Merchant Plug-ins (MPIs) contribute to preventing credit card fraud during online transactions by facilitating the authentication process for cardholders. They enable the use of 3D Secure protocols, which add an extra layer of security through user authentication. MPIs help verify the identity of cardholders through methods like one-time passwords, reducing the risk of fraudulent transactions and providing liability protection for merchants.

Risk-based authentication can improve the user experience in online payments by reducing unnecessary authentication steps. It assesses the risk of a transaction and, for low-risk ones, allows seamless, "behind-the-scenes" processing without user intervention. This reduces friction, making online payments faster and more user-friendly.

Practical examples of frictionless flow in online payments include one-click purchases, biometric authentication (e.g., fingerprint or facial recognition), and risk-based authentication, where low-risk transactions are processed without requiring users to enter additional verification. These streamline the payment process, enhancing user convenience.

Non-Payment User Authentication in 3DS2 extends authentication beyond payments. It's used for various online activities like accessing accounts, changing settings, or performing high-risk actions. This adds security without disrupting user experience in non-payment scenarios, such as account login, password reset, or device management.

One-Time Passwords (OTPs) enhance security in online banking and transactions by providing a dynamic and time-sensitive code that users must enter for verification. They offer an additional layer of security, as these codes are generated for each transaction or login attempt and are valid only for a short time. This makes it significantly harder for attackers to gain unauthorised access or conduct fraudulent transactions, improving overall security.

Common examples of Two-Factor Authentication (2FA) in the payment industry include:

• OTP via SMS: Users receive a one-time password via text message to verify their identity during transactions.
• Biometric Authentication: Users authenticate using fingerprints, facial recognition, or other biometric data.
• Hardware Tokens: Users carry physical devices that generate OTPs for authentication.
• Mobile Authenticator Apps: Users employ smartphone apps like Google or Microsoft Authenticator to generate OTPs.

Out-of-Band Authentication enhances security in multi-factor authentication by using separate communication channels for verification. For example, if a user logs in on a computer, the authentication code is sent to their mobile device via SMS. This prevents attackers from intercepting both the login request and the verification code in a single channel, making it more difficult for them to compromise the authentication process.

Strong Customer Authentication (SCA) enhances online payment security and ensures compliance with PSD2 by requiring two or more authentication factors for electronic transactions. This includes something the customer knows (e.g., a password), something the customer has (e.g., a mobile device), or something the customer is (e.g., biometric data). SCA reduces the risk of fraud and unauthorised access, protecting both consumers and businesses, and aligns with PSD2 regulations to make electronic payments more secure and trustworthy.

To reduce transaction/cart abandonment during checkout, businesses can employ strategies such as:

• Streamlined Checkout: Simplify the checkout process with as few steps and form fields as possible.

• Guest Checkout: Allow users to check out without creating an account for a faster experience.
• Transparency: Clearly display shipping costs, taxes, and any additional fees upfront.
• Multiple Payment Options: Offer a variety of payment methods to accommodate user preferences.
• Mobile Optimisation: Ensure a seamless mobile experience with responsive design and mobile-friendly payment options.
• Trust Signals: Display security icons, customer reviews, and trust badges to build confidence.

• Remarketing: Use email reminders or retargeting ads to bring back abandoned carts.
• Exit-Intent Popups: Show popups with special offers or incentives when users try to leave the checkout page.
• Progress Indicators: Show users where they are in the checkout process with progress bars.
• Error Handling: Provide clear error messages and guidance if users encounter issues.

False declines can negatively impact a merchant's revenue and customer experience by rejecting legitimate transactions. This frustrates customers, leads to lost sales, and damages the merchant's reputation. Customers may seek alternatives, and merchants lose revenue opportunities, hurting their bottom line and customer relationships.

Proactive measures to minimise false declines include:

• Advanced Fraud Detection: Implement robust fraud detection systems.
• Machine Learning: Use AI and machine learning to improve fraud detection accuracy.
• Customer Profiling: Analyse customer behaviour for abnormal patterns.
• Dynamic Rules: Adjust fraud rules based on real-time data.

• Behavioural Analytics: Monitor user behaviour for signs of fraud.
• Risk-Based Authentication: Use risk assessment to trigger authentication when needed.
• Transparent Communication: Educate customers about security measures to prevent false alarms.
• Transaction Analysis: Carefully examine transactions before declining.
• Review Systems: Employ manual review processes for borderline cases.

• Feedback Loop: Continuously improve fraud prevention based on insights.

Authentication channels recommended for securing online payment transactions include:

• EMV Chip: For card-present transactions, EMV chip technology is highly recommended due to its strong security features.

• 3D Secure 2.0: A risk-based authentication method for card-not-present transactions, offering improved security and user experience.
• Biometric Authentication: Utilising fingerprints, facial recognition, or other biometric data for added security.
• Tokenisation: Replacing sensitive card data with tokens to protect against data breaches.
• Out-of-Band Authentication: Using separate channels (e.g., SMS or mobile apps) for verification to enhance security.
• Multi-Factor Authentication (MFA): Combining two or more authentication factors (e.g., something you know, have, or are) for stronger security.

Merchants should consider factors like transaction volumes, fraud risk, customer experience, and regulatory requirements when deciding whether to implement 3D Secure on their e-commerce sites. Assessing the balance between security and user convenience is key.

GPayments ensures compatibility with payment gateway providers through rigorous testing and adherence to industry standards and protocols, allowing their solutions to seamlessly integrate with a wide range of payment gateway services.

The Payment Services Directive (PSD2) reshapes the European payment landscape by promoting competition, enhancing security through Strong Customer Authentication (SCA), and fostering innovation. It opens up access to payment data and services for third-party providers, leading to new payment methods and improved consumer protection in online transactions.

GPayments assists businesses in implementing risk-based authentication for online transactions by offering solutions that assess transaction risk in real-time. Their technology adapts authentication requirements based on the risk level, ensuring a secure and user-friendly experience while mitigating fraud.

Tokenisation replaces sensitive card data (such as credit card numbers) with a unique token. This token is valueless to attackers and can be safely used for payment processing, reducing the risk of data breaches and fraud. It enhances security, facilitates recurring payments, and supports various payment methods across different channels.

Payment processors handle cross-border transactions by:

• Currency Conversion: Converting payment amounts to the local currency.
• Compliance: Ensuring adherence to international regulations.
• Risk Management: Assessing and managing the unique risks of cross-border transactions.

• Multi-Currency Support: Offering the ability to accept and settle payments in multiple currencies.
• Fraud Detection: Employing advanced fraud detection systems to safeguard transactions.
• Global Reach: Partnering with international banks and networks to facilitate transactions worldwide.
• Language Support: Providing multilingual customer support and documentation.

This enables merchants to accept payments from customers around the world while navigating the complexities of international commerce.

Here is a list of countries where 3D Secure is mandated or required by regulations:

• India
• South Africa

• Nigeria
• Singapore
• Bangladesh
• Malaysia

Here is a list of countries where 3D Secure is not necessarily mandated but is encouraged for customer security:

• Europe (all countries in Europe are complied with the PSD2, which makes 3DS compulsory to them all)
• USA
• Australia
• China
• Vietnam

India introduced a mandatory 2-factor authentication for cards in 2014, which means that 3D Secure is effectively mandated on all online payment transactions in India. However, there have been some reports that international payment gateways may not always require 3D Secure for Indian credit cards. Starting July 28, 2021, all international card payments made to new Indian Stripe accounts created after this date will go through 3D Secure (3DS). Other sources also confirm that India is one of the countries where 3D Secure is mandatory.

The 3D Secure mandate in India affects merchants in the following ways:

• Higher mandate for customer verification: The 3D Secure mandate effectively places a higher mandate on merchants to ensure they are only dealing with real, trustworthy customers. This means merchants will have to implement additional measures to verify the identity of their customers.
• Compliance with regulations: Merchants in India are required to comply with the 3D Secure mandate to ensure the security of online payment transactions and protect against fraud. Failure to comply with the mandate may result in penalties or fines.
• Impact on acceptance rates: Implementing 3D Secure may result in lower acceptance rates for some merchants. However, India have mandated 3D Secure, which means that merchants in these countries may not have a choice but to implement it.
• Improved security: Implementing 3D Secure can help merchants improve the security of online payment transactions and protect against fraud. This can help to build trust with customers and improve the overall customer experience.

• Additional costs: Implementing 3D Secure may require additional costs for merchants, such as upgrading their payment systems or implementing new security measures. However, the cost of non-compliance may be higher in the long run.

Challenges related to payment security in the mobile app ecosystem include:

• Device Diversity: Numerous devices and operating systems pose compatibility and security challenges.

• Data Storage: Protecting sensitive payment data stored on mobile devices.
• App Store Security: Ensuring app stores are free from malicious apps.
• Authentication: Balancing security and user convenience in authentication methods.

GPayments' ActiveSDK has several advantages over other 3D Secure 2 solutions in the market, including:

• Frictionless authentication process: ActiveSDK enables customers to checkout faster through the frictionless authentication process of 3D Secure 2. Customers won't notice a thing, and merchants can create a clean and unified app interface, allowing authentication to occur natively inside the app.
• More accurate authentication results: ActiveSDK facilitates the data collection process by gathering information about the customer's mobile device. In turn, authentication results can be more accurate than ever before.
• Reduced liability and potential chargebacks: The primary benefit of 3D Secure Authentication for merchants is reduced liability and potential chargebacks. If a fraudulent transaction occurs, the card issuer may take responsibility instead of the merchant.

• Improved customer experience: With improved security measures, customers will feel more secure making purchases from a business. This can result in increased customer satisfaction and loyalty.
• Lower processing fees: Card issuers often offer lower processing fees for transactions made with 3D Secure 2.

GPayments takes the security and privacy of user data seriously when providing authentication solutions. Here are some ways they ensure security and privacy:

• Controlled and secure environment: GPayments secures the personally identifiable information provided by users on computer servers in a controlled and secure environment, protected from unauthorised access, use, or disclosure.
• Robust fraud prevention solutions: GPayments offers robust fraud prevention solutions for eCommerce and mCommerce transactions, which can prevent chargebacks and false declines with their comprehensive range of integrated solutions.
• Stronger fraud protection: GPayments' 3D Secure 2 solutions separate payments and mCommerce purchases using eWallets to reduce risk and enable an extra layer of security. This provides stronger fraud protection for users.
• Compliance with regulations: GPayments complies with relevant regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).  
• Informative and enjoyable discussions: GPayments' Product, Sales, and Engineering teams engage in informative and enjoyable discussions with partners to ensure that their solutions meet the partners' needs.

Key considerations for businesses when selecting a Merchant Plug-in (MPI) for 3D Secure verifications include:

• Compatibility: Ensure the MPI is compatible with your payment gateway and technology stack.
• Authentication Methods: Choose an MPI that supports various authentication methods (e.g., OTP, biometrics) to enhance user experience.

• Scalability: Ensure the MPI can handle your transaction volume and scale as your business grows.
• Compliance: Verify that the MPI complies with relevant 3D Secure standards and regulations.
• Customisation: Look for customisation options to tailor the user experience and authentication flow to your specific needs.
• Security: Prioritise MPIs with robust security features to protect against fraud.
• Vendor Reputation: Select a reputable MPI provider with a track record of reliability and customer support.

• Costs: Consider the pricing model and fees associated with the MPI, ensuring it aligns with your budget.
• User Experience: Focus on MPIs that offer a seamless and user-friendly authentication process to minimise cart abandonment.
• Integration: Assess how easily the MPI integrates with your existing systems and processes.

• Providing access to accurate and coherent payments data, allowing businesses to make informed decisions when adapting to evolving payment technologies and customer preference.
• Offering robust fraud prevention solutions for eCommerce and mCommerce transactions, which can prevent chargebacks and false declines with their comprehensive range of integrated solutions.
• Providing 3D Secure 2 solutions, which separate payments and mCommerce purchases using eWallets to reduce risk and enable an extra layer of security. This provides stronger fraud protection for businesses and their customers.
• Engaging in informative and enjoyable discussions with partners to ensure that their solutions meet the partners' needs.
• Integrating with RESTful API, making it easier for businesses to implement GPayments’ solutions quickly and easily without disrupting their existing operations.

• User Experience:

Risk-Based: Offers a more seamless and user-friendly experience by selectively applying authentication based on risk.

Traditional: Often requires the same level of authentication for all transactions, potentially causing friction.

• Risk Assessment:

Risk-Based: Uses real-time data and analytics to assess transaction risk and applies authentication accordingly.

Traditional: Typically relies on fixed, predefined authentication methods.

‍

• Adaptability:

Risk-Based: Adapts to changing risk levels, allowing for frictionless processing of low-risk transactions.

Traditional: Applies the same authentication regardless of transaction risk.

‍

• Security vs. Convenience:

Risk-Based: Balances security and user convenience by applying stronger authentication when needed.

Traditional: May prioritise security at the expense of user convenience.

‍

• Fraud Prevention:

Risk-Based: Effective at detecting and preventing fraud by focusing authentication efforts where they are most needed.

Traditional: Provides a consistent but potentially less nuanced approach to fraud prevention.

‍

• Transaction Volume:

Risk-Based: Scales efficiently to handle varying transaction volumes and types.

Traditional: May lead to bottlenecks and delays during high-volume periods.

‍

• Regulatory Compliance:

Risk-Based: Aligns with evolving regulations and standards, such as PSD2 in Europe.

Traditional: May require adjustments to comply with new regulations.

‍

• Cost Efficiency:

Risk-Based: Can lead to cost savings by reducing the need for authentication in low-risk scenarios.

Traditional: May involve higher authentication costs for all transactions.

• Expertise: Evaluate your in-house team's expertise in authentication technologies and compliance.
• Cost: Compare the costs of in-house development, including staffing, infrastructure, and ongoing maintenance, with outsourcing.

• Time-to-Market: Assess how quickly you need the solution and whether in-house development can meet deadlines.
• Compliance: Ensure the solution aligns with industry regulations and standards, and whether outsourced providers have compliance expertise.
• Scalability: Consider the scalability of both options to handle future growth and evolving needs.
• Security: Evaluate the security measures and practices of both in-house and outsourced solutions.
• Customisation: Determine whether your requirements necessitate a highly customised solution that may be better suited to in-house development.

• Vendor Reputation: Research the reputation, track record, and client reviews of potential outsourcing partners.
• Support and Maintenance: Consider ongoing support, updates, and maintenance requirements for the chosen solution.
• Resource Allocation: Evaluate how in-house development or outsourcing aligns with your organisation's resource allocation and strategic goals.

Businesses that do not implement 3D Secure or risk-based authentication in regions where it's not mandatory may face potential consequences such as:

• Increased risk of fraud: Without 3D Secure or risk-based authentication, businesses are more vulnerable to fraudulent transactions. This can lead to financial losses and damage to the business's reputation.
• Increased chargebacks: Without 3D Secure or risk-based authentication, businesses may be held liable for chargebacks resulting from fraudulent transactions. This can lead to financial losses and increased processing fees.
• Negative impact on customer experience: Without 3D Secure or risk-based authentication, customers may be hesitant to make purchases from the business due to concerns about security. This can lead to a negative impact on the customer experience and reduced customer loyalty.
• Abandoned transactions: Without 3D Secure or risk-based authentication, customers may abandon transactions due to concerns about security or a cumbersome authentication process. This can lead to a loss of revenue for the business.

‍

• Risk Exposure: Measure changes in the organisation's risk exposure over time.
• Incident Rate: Track the frequency and severity of security incidents.
• Loss Reduction: Assess the reduction in financial losses due to risk mitigation efforts.
• Compliance Adherence: Monitor compliance with industry regulations and standards.
• Incident Response Time: Measure how quickly the organisation responds to and resolves security incidents.
• False Positive Rate: Evaluate the accuracy of risk detection by assessing false alarms.
• Customer Satisfaction: Collect feedback from customers on the security and privacy of their data.
• Employee Training: Assess the effectiveness of employee training in risk awareness and mitigation.
• Vendor Risk Management: Evaluate the performance of third-party vendors in adhering to security standards.
• Business Continuity: Measure the organisation's ability to maintain operations during and after a risk event.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and requirements designed to protect payment card data and ensure secure handling, processing, and storage of this data by organisations that accept, store, or transmit credit card information. It aims to prevent data breaches and fraud related to payment cards.

• Assess Risk: Identify and assess potential security risks and vulnerabilities in their payment processing systems.
• Implement Controls: Implement security controls and measures to protect cardholder data, including encryption, access controls, and network security.
• Regular Audits: Conduct regular security assessments and audits to ensure compliance.
• Network Segmentation: Isolate cardholder data from other networks and restrict access.
• Secure Software: Develop and maintain secure software applications used in payment processing.
• Training: Train employees on security best practices and the importance of safeguarding cardholder data.
• Incident Response: Develop an incident response plan to address and mitigate security breaches.
• Vendor Compliance: Ensure that third-party vendors and service providers also comply with PCI DSS.
• Compliance Validation: Validate compliance through self-assessment questionnaires or third-party assessments, depending on the business's size and volume of transactions.
• Documentation: Maintain records of compliance efforts and security policies and procedures.

The General Data Protection Regulation (GDPR) is a European Union regulation that governs the protection of personal data and privacy of individuals. It establishes rules for the collection, processing, and storage of personal data and gives individuals greater control over their data. GDPR applies to organisations that handle the data of EU citizens, regardless of where the organisation is located, imposing strict requirements and potential fines for non-compliance.

Penalties for non-compliance with GDPR can be substantial and include:

• Fines: Violators can face fines of up to €20 million or 4% of the company's global annual revenue, whichever is higher.

• Warnings and Reprimands: Regulatory authorities can issue warnings and reprimands for less severe violations.
• Data Processing Suspension: Authorities may order the suspension of data processing activities in cases of serious non-compliance.
• Data Breach Notifications: Failure to report data breaches within the mandated timeframe can result in penalties.
• Lawsuits: Individuals can bring private lawsuits against organisations for GDPR violations, potentially leading to additional financial liabilities.

Tokenisation is a security technique that replaces sensitive data, such as credit card numbers, with a unique token. These tokens are valueless to attackers and can be safely used for transactions, reducing the risk of data exposure and fraud.

Tokenisation differs from encryption in that:

• Data Transformation: Tokenisation replaces data with tokens, while encryption transforms data into a scrambled, unreadable format.
• Decryption Requirement: Encryption requires decryption to recover the original data, whereas tokens cannot be reversed to reveal the original data.
• Security Focus: Tokenisation is primarily focused on protecting sensitive data during storage and transmission, whereas encryption secures data in transit and at rest.
• Token Value: Tokens have no intrinsic value or meaning, whereas encrypted data can be decrypted to its original form.
• Use Cases: Tokenisation is often used for payment card data and identity information, while encryption is more versatile and can be applied to various types of data.

Open banking APIs are software interfaces that allow third-party developers to access and interact with a bank's financial data, services, and infrastructure securely. These APIs enable the sharing of customer-permitted financial information and the initiation of payments, fostering innovation in the financial services industry and promoting competition among financial institutions.