How does 3DS2 additional data collection impact my business’ GDPR responsibilities?

As a business you have responsibilities to inform your customers about what personal data you collect from them, how that data is being used, and why this data is needed. These responsibilities will extend to the additional data you need to collect as part of the 3DS2 authentication process.

It is important that you review your current GDPR position to reflect any changes to how you collect data and to be transparent that this data will be used as part of cardholder authentication. All additional personally identifiable information provided to a payment provider as part of the 3DS2 process will only be used for the express purpose of this authentication protocol and will not be stored beyond the lifecycle of this processing.