
SoylentNews is people

posted by mrpg on Tuesday May 14 2019, @10:00AM
from the ohoh dept.

Europe is bracing itself for a big shake-up in how we pay for things online, which will have significant consequences for businesses across the region. Similar to how GDPR hugely impacted how millions of organizations handle personal data when it was enforced last year, Strong Customer Authentication (or SCA) will have profound implications for how businesses handle online transactions and how we pay for things in our everyday lives when it is enforced on September 14.

SCA will require an extra layer of authentication for online payments. Where a card number and address once sufficed, customers will now be required to include at least two of the following three factors to do anything as simple as order a taxi or pay for a music streaming service: something they know (like a password or PIN), something they own (like a token or smartphone), and something they are (like a fingerprint or biometric facial features).

https://thenextweb.com/podium/2019/05/10/your-business-passed-the-gdpr-challenge-but-sca-is-next/


  • (Score: 4, Informative) by NotSanguine on Tuesday May 14 2019, @05:37PM (1 child)

    An excellent point. I was unaware that the new California law (it is this law [wikipedia.org], right?) required deletion of comments or the "right to be forgotten."

    Now that I've read the text, it's clear that Soylent News doesn't collect the sorts of information covered under the law [wikipedia.org]:

    CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.[2]

    An additional caveat identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.[17]

    IIUC (and please correct me if I'm wrong), IP addresses are not logged by the system, just hashes of such IP addresses, and those are purged on a rolling schedule.

    What's more, the law has specific requirements as to which entities are covered:

    Compliance

    The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, which does business in California, and satisfies at least one of the following thresholds:


            Has annual gross revenues in excess of $25 million;
            Possesses the personal information of 50,000 or more consumers, households, or devices; or
            Earns more than half of its annual revenue from selling consumers' personal information.[8]

    [emphasis added]

    I didn't realize that Soylent News met any of those thresholds. If we do, SN is really profitable! And if that's true, you should definitely get paid for all your hard work, Buzzard.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 3, Informative) by The Mighty Buzzard on Wednesday May 15 2019, @11:25AM

    We do have unique personal identifiers and email addresses stored. The unique personal identifier is just an auto-incrementing bigint column but it technically fits the definition. The email address is stored but doesn't have to be true.

    Compliance...

    Sweet! I'm all about not doing things. I can even not do things in my sleep. It's going to eventually become an issue again but the one requirement we're likely to ever hit, 50K or more consumers having info here, almost certainly isn't going to happen before I'm back to having plenty of free time.

    --
    My rights don't end where your fear begins.