
How to Balance Ecommerce Regulations and Customer Experience

As ecommerce businesses work to comply with regulations, they must also deliver a superior customer experience (CX).

Today’s ecommerce businesses must balance complying with regulations and delivering a superior customer experience. Find out how you can do both.

As ecommerce growth continues, online businesses are subject to more regulations designed to protect customers and their privacy. These regulations are necessary, but they require more of an operational lift and can create friction in the CX.

Ecommerce businesses must understand which regulations impact their business — especially if they have cross-border sales — and find a balance between compliance and CX. Let's take a look at the impact of current regulations around the world.

Ecommerce Regulations and Guidelines to Consider

Ecommerce has not only grown over the last several years, but it has also become more global.

Online businesses are no longer just selling to customers in their own countries. Cross-border ecommerce is becoming the norm, which creates a challenge for companies if they aren’t aware of the regulations and guidelines associated with the countries and regions they’re selling into. Here are some of the most prevalent regulations to consider.

Localization requirements

According to McKinsey, about 75% of countries have some kind of "localization requirement" designed to prevent identity theft, create jobs and protect consumer privacy. The requirements vary widely and fall into four categories:

  • Restrictions on where exported data is stored and processed dictate that companies must have separate servers and teams to manage data within a given country or region. This applies to countries in Europe, the Middle East, China and others.
  • In Indonesia and Malaysia, data can be copied for processing, but the original data must be stored in the country of origin. This is meant to develop local economies.
  • Brazil and Argentina have permission-based regulations that require individual consent to transmit customer data.
  • Almost every country requires that ecommerce businesses ensure the security and privacy of their customers’ data.

General Data Protection Regulation (GDPR)

The toughest privacy and security law in existence today is GDPR, which was published in 2018. It was the first law to address data privacy and protection, and it details eight consumer privacy rights.

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision-making and profiling


If your ecommerce business collects any data from an EU citizen, you’re subject to GDPR. What’s more, there has to be a legitimate reason to collect data and the amount of data has to be minimized as much as possible.

Once the data is collected, it must remain accurate and can be kept for only a set period of time. In addition to those requirements, the data must be encrypted to ensure data integrity and confidentiality.

The penalty for violating GDPR? It starts at €20 million or 4% of your business’s global revenue, whichever is higher. Those are high stakes.

In 2019, data privacy evolved in a new direction.

Payment Services Directive 2 (PSD2) and Strong Customer Authentication (SCA)

In September 2019, Europe’s payment industry witnessed a profound new digital transformation with PSD2. PSD2 was designed to encourage competition among financial providers and enhance consumer protection.

Part of the new directive, SCA is especially important for shop owners because it is required for all electronic transactions in the European Economic Area (EEA). Specifically, it requires the checkout process to include at least two of three authentication factors:

1. Something a customer knows (like a password or a PIN)

2. Something they have (like a mobile device or a token)

3. Something they are (like a fingerprint or facial recognition)

Each factor of SCA must be unique to ensure that, even if one element of an SCA transaction is compromised, the other elements will still be secure. Additionally, each transaction authentication code is dynamically linked to both a transaction amount and payee. If either is changed, the authentication code is invalidated.
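To make the dynamic-linking property concrete, here is an added Python example. It is not code from this page or from ClearSale, and it is not the actual PSD2 mechanism, which is implemented inside the issuer's and PSP's systems; it simply shows the principle with an HMAC-SHA256 over a canonical encoding of the amount and payee. The key, the nonce and the merchant identifiers are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets


def encode_linked_fields(amount_cents: int, payee: str, nonce: bytes) -> bytes:
    """Canonical encoding of the fields the authentication code is bound to.

    JSON with sorted keys and no whitespace yields exactly one byte string per
    (amount, payee, nonce) triple, so two different transactions can never
    produce the same input to the MAC.
    """
    return json.dumps(
        {"amount_cents": amount_cents, "payee": payee, "nonce": nonce.hex()},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()


def issue_auth_code(key: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """Issuer side: produce a code valid only for this amount and this payee.

    `key` stands in for the secret shared between the issuer and the
    cardholder's authenticator (banking app, hardware token); the per-
    authentication `nonce` keeps a captured code from being replayed for an
    identical later transaction. Both are constructed for this example.
    """
    mac = hmac.new(key, encode_linked_fields(amount_cents, payee, nonce), hashlib.sha256)
    return mac.hexdigest()


def verify_auth_code(key: bytes, amount_cents: int, payee: str, nonce: bytes, code: str) -> bool:
    """Issuer side: recompute the code over the amount and payee actually being
    authorised and compare in constant time. Any change to either field gives a
    different expected code, so verification fails."""
    expected = issue_auth_code(key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo(key: bytes, nonce: bytes) -> dict:
    """The three outcomes the text describes: unchanged, amount changed, payee changed."""
    code = issue_auth_code(key, 4999, "merchant-123", nonce)  # EUR 49.99 to merchant-123
    return {
        "unchanged": verify_auth_code(key, 4999, "merchant-123", nonce, code),
        "amount_changed": verify_auth_code(key, 5999, "merchant-123", nonce, code),
        "payee_changed": verify_auth_code(key, 4999, "merchant-456", nonce, code),
    }


if __name__ == "__main__":
    print(demo(secrets.token_bytes(32), secrets.token_bytes(16)))
```

The property to take away: the code is computed over exactly the amount and payee the cardholder was shown when approving, so a tampered amount or a redirected payee fails verification instead of silently passing.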

SCA applies to all contactless in-person card payments and customer-initiated online payments — including credit card payments and bank transfers — when both the business and the cardholder’s bank are located in the EEA. That means most customer-initiated online transactions within the EEA, transactions using cards issued in the EEA and payments acquired in the EEA.

The good news is SCA should be implemented directly by your payment service providers (PSPs). Ecommerce businesses need to ensure their PSP complies with the SCA requirements.

3D Secure 2.0, also known as EMV 3-D Secure, is one (but not the only) way to meet SCA requirements. In the United States, most consumers are accustomed to 3D Secure, as well as other data and privacy regulations.

The 3D Secure 2.0 process is as follows:

Step 1

3D Secure 2.0 sends several data points (shipping address, IP address, etc.) on each transaction to the cardholder’s bank.

Step 2

The cardholder’s bank uses this information to assess the transaction’s risk.

Step 3

If the data is satisfactory and the bank judges the transaction as legitimate, the bank can qualify the transaction for immediate approval. This means the user doesn’t have to do anything else to authenticate the transaction.

Step 4

If the data isn’t enough, the transaction is forced into the challenged flow. This is similar to 3D Secure 1.0 — an additional page branded by the bank that asks for more information. This step has two major issues: (1) it’s another step in the checkout flow, which can lead customers to abandon the process; and (2) buyers must remember another password from the card-issuing bank.

California Consumer Privacy Act (CCPA)

In the United States, there’s no single, comprehensive data and privacy law. Instead, there are governing laws for individual sectors, including telecommunications, health care, credit information, financial institutions and marketing. Each is governed by a separate agency, and each agency can take action against organizations that fail to comply with regulations in that sector. That being said, there’s one regulation that’s evolving in line with GDPR.

The CCPA, which has had several iterations, affords consumers the right to rectification, the right to restriction and sensitive identifiable information rights. It also has a section specific to children’s data with higher fines for information breaches. Beginning July 2023, CCPA also applied those same requirements to companies using third parties to store consumer and children’s data.

Even Latin America has a number of laws that protect customers.


Regulations in Latin America!

Aside from the localization requirements mentioned previously, Latin America has a range of provisions and laws that oversee ecommerce:

Código de Defesa do Consumidor (CDC).

This consumer protection legislation regulates consumer relations, whether over the internet or not.

Decree nº 7.962/2013.

This specific rule requires information for ecommerce sites such as: 

  • Provider identification (full legal or natural name)
  • Physical and electronic address
  • Clear and accurate information about offers, including products, services, delivery and availability, purchase confirmation, and contract information.

Marco Civil da Internet (Law 12.9655/2014).

This law defines the principles for regulating the internet in Brazil and, by extension, ecommerce.


Lei Geral de Proteção de Dados (LGPD).

This GDPR-based, Brazilian legislation regulates personal data processing activities.

Law nº 12.846/2013.

This Brazilian anticorruption law deals with the objective administrative and civil liability of companies for the practice of acts against the Public Administration, national or foreign.

In addition, SCA has led to the widespread use of two-factor authentication (2FA) in Brazil.

Exemptions to Ecommerce Regulations

For most ecommerce regulations, there are no exemptions. However, PSD2 has defined some exemptions to the general requirement of SCA for every transaction. While these exemptions are available for consideration, it’s ultimately the issuer’s decision as to whether they’ll accept a waiver. Some exclusions to be noted:

  • Alternative payment methods: Such as debit, invoice or payment in advance.
  • Subscriptions: The first transaction in a subscription is customer-initiated, but the recurring payments are business-initiated and don’t require SCA. However, if the amount changes — for example, a service bill fluctuates — by more than 30 euros, it would no longer be exempt.
  • One leg inside the EEA: Transactions involving a business within the EEA but a buyer outside of the area (or vice-versa) are exempt. A payment is considered within the scope of the law only if the cardholder AND business are both located in the EEA.
  • Low-risk transactions: Low-risk transactions don’t necessarily require SCA; payment processors will do a real-time risk analysis to judge whether to apply SCA.
  • Mail order and telephone order (MOTO): MOTO transactions are not considered “electronic” payments and do not require SCA.
  • Allow lists: Customers can place trusted beneficiaries on a list maintained by the customer’s bank. SCA is then only required for the first payment to an allow-listed business and is exempted for subsequent payments.
  • Prepaid cards: Payment cards/devices that can only be identified by the issuing bank, such as anonymous prepaid cards, are out of the scope of SCA.
  • Low-value transactions: Any amount less than 30 euros is exempt. However, SCA is required if the payment method has seen more than five exempt transactions (every fifth transaction below 30 euros will need to be challenged) or if the total of exempted transactions exceeds 100 euros in a day.
  • Low-fraud players: For transactions above 30 euros, the procedure depends on the reference fraud rates of the issuer and the acquiring bank — not the business.
      • If the fraud rate is below 0.13%, SCA is not required for transactions of up to 100 euros.
      • If the fraud rate is below 0.06%, the ceiling rises to 250 euros.
      • For those with a rate of under 0.01%, a transaction can be as high as 500 euros before SCA is implemented.
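The exemption rules above are easiest to reason about as a decision table, so here is an added Python example that encodes them (this is illustrative code written for this page, not ClearSale's product or any PSP's real engine). Assumptions worth stating: amounts are handled in euro cents to avoid rounding at the thresholds; the low-value counter is read as "once five exempt low-value payments have accrued since the last SCA, the next one is challenged"; scope checks (one leg out, MOTO, anonymous prepaid) are evaluated before exemptions; and, as the text says, the output is only what the merchant side would request, since the issuer has the final say.

```python
from dataclasses import dataclass
from typing import Optional

# Amounts are in euro cents so that threshold comparisons are exact.
LOW_VALUE_CAP = 30_00          # a single payment below EUR 30
LOW_VALUE_DAILY_CAP = 100_00   # cumulative exempt low-value total per day
LOW_VALUE_MAX_COUNT = 5        # exempt low-value payments since the last SCA
RECURRING_DRIFT_CAP = 30_00    # a recurring amount may move by at most EUR 30
# Transaction risk analysis tiers: (fraud-rate ceiling in %, amount ceiling), strictest first.
TRA_TIERS = ((0.01, 500_00), (0.06, 250_00), (0.13, 100_00))


@dataclass
class Transaction:
    amount_cents: int
    merchant_in_eea: bool = True
    cardholder_in_eea: bool = True
    channel: str = "ecommerce"          # "ecommerce" or "moto"
    anonymous_prepaid: bool = False
    recurring: bool = False             # merchant-initiated instalment of a subscription
    first_instalment_cents: Optional[int] = None
    trusted_beneficiary: bool = False   # payee is on the cardholder's bank allow list
    first_payment_to_payee: bool = True


@dataclass
class CardState:
    """Per-card counters the low-value exemption depends on (constructed here;
    in practice the issuer keeps them)."""
    exempt_count_since_sca: int = 0
    exempt_total_today_cents: int = 0


@dataclass
class Decision:
    sca_required: bool
    reason: str


def evaluate(txn: Transaction, state: CardState, fraud_rate_pct: Optional[float] = None) -> Decision:
    """Return whether SCA should be requested, and which rule decided it.

    `fraud_rate_pct` is the reference fraud rate of the issuer/acquirer, which
    is what the transaction-risk-analysis exemption is keyed on; the merchant's
    own rate does not enter into it.
    """
    # Scope checks first: these are not exemptions, the requirement simply does not apply.
    if not (txn.merchant_in_eea and txn.cardholder_in_eea):
        return Decision(False, "out of scope: one leg outside the EEA")
    if txn.channel == "moto":
        return Decision(False, "out of scope: mail order / telephone order")
    if txn.anonymous_prepaid:
        return Decision(False, "out of scope: anonymous prepaid instrument")

    # Merchant-initiated recurring payments: exempt unless the amount drifted by more than EUR 30.
    if txn.recurring and txn.first_instalment_cents is not None:
        if abs(txn.amount_cents - txn.first_instalment_cents) <= RECURRING_DRIFT_CAP:
            return Decision(False, "exempt: recurring payment at the agreed amount")
        return Decision(True, "recurring amount moved by more than EUR 30")

    # Trusted beneficiary: only the first payment to the payee is challenged.
    if txn.trusted_beneficiary and not txn.first_payment_to_payee:
        return Decision(False, "exempt: payee on the cardholder's allow list")

    # Low value: below EUR 30, capped at five payments since the last SCA and EUR 100 per day.
    if txn.amount_cents < LOW_VALUE_CAP:
        if state.exempt_count_since_sca >= LOW_VALUE_MAX_COUNT:
            return Decision(True, "low-value counter exhausted; challenge required")
        if state.exempt_total_today_cents + txn.amount_cents > LOW_VALUE_DAILY_CAP:
            return Decision(True, "low-value daily total of EUR 100 would be exceeded")
        return Decision(False, "exempt: low value")

    # Transaction risk analysis for amounts of EUR 30 and above.
    if fraud_rate_pct is not None:
        for rate_ceiling, amount_ceiling in TRA_TIERS:
            if fraud_rate_pct < rate_ceiling and txn.amount_cents <= amount_ceiling:
                return Decision(False, f"exempt: TRA (fraud rate < {rate_ceiling}%, up to EUR {amount_ceiling // 100})")

    return Decision(True, "no exemption applies")


def record(state: CardState, txn: Transaction, decision: Decision) -> CardState:
    """Update the low-value counters after the payment: an exempt low-value payment
    accrues, a completed SCA resets the counter. The daily total is assumed to be
    reset at midnight by a process outside this example."""
    if decision.sca_required:
        state.exempt_count_since_sca = 0
    elif decision.reason == "exempt: low value":
        state.exempt_count_since_sca += 1
        state.exempt_total_today_cents += txn.amount_cents
    return state


if __name__ == "__main__":
    card = CardState()
    for amount in (25_00, 25_00, 25_00, 25_00, 25_00, 25_00):
        d = evaluate(Transaction(amount_cents=amount), card)
        print(f"EUR {amount / 100:.2f}: sca_required={d.sca_required} ({d.reason})")
        record(card, Transaction(amount_cents=amount), d)
```

Running the `__main__` loop shows the interplay of the two low-value caps: the first four EUR 25 payments are exempt, the fifth is challenged because the day's exempt total would pass EUR 100, and that challenge resets the counter.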


While much of the regulations that ecommerce businesses have to consider don’t impact customers, SCA and 3D Secure do. And that doesn’t always sit well with customers. In the past, they’ve only needed their credit card number, security code, login and password. But with these new regulations, customers also need to satisfy a second security step to complete payments.

For example, instead of typing the CVV code for a credit card transaction, SCA might require the customer to enter a code generated by their banking application as a second step. And customers first need to register their smartphone or wearable device with their payment service provider so they can complete the additional security step.

While the extra step is crucial to ensuring security standards, ecommerce businesses know all too well that their customers want a seamless, easy payment experience. The new policies impact the speed and convenience of online shopping, which will undoubtedly lead to some drop-offs at checkout.


Striking a Balance Between Data Privacy and Customer Service

For ecommerce businesses, ensuring data privacy and offering a superior CX is a balancing act. In our most recent original research, we discovered that consumers have mixed feelings about data privacy and CX.

Consumers place a high value on their data privacy and security:

  • 41% would not shop with an online store that had insufficient security measures
  • 39% would be reluctant to shop if they didn’t know where their personal data was being stored and who had access to that data
  • 78% said they feel more comfortable providing payment information to an online store with a prominently displayed security certification

At the same time, CX has become a driving factor for consumers who shop online:

  • 15% said they would abandon their purchase if the checkout process took too long
  • 40% ranked “great customer service” as one of the top three factors that keep them shopping online
  • 73% said that a bad experience with customer support would be enough to not shop there again

Almost 90% of customers now say they prioritize experience when they’re deciding whether or not to make a purchase. Yet, according to Forrester Research’s 2022 Customer Experience Index, 19% of brands had declines in CX quality.

While online businesses must comply with regulations — and with 3D Secure and 2FA becoming the norm — companies can’t afford to have any other friction in their customers’ buying journey. That’s why it’s critical to focus on offsetting the inconvenience of security measures with world-class CX.

Six Ways to Offset Security-Related Friction

Customers are more than happy to shop with a competitor if your company doesn’t meet their expectations, which makes CX more critical than ever. Here are six tips for delivering excellent CX and offsetting friction from security measures.



The first impression customers have of your website or shopping app can make or break those relationships. And without any data to personalize offerings, you’ll be hard-pressed to help them find what they’re looking for right away. But you can make those new customers feel welcome by offering an online concierge. In fact, nearly two-thirds of customers say they prefer having a live chat option over having to call customer service and ask questions.



Another way to improve the experience for first-time and long-time customers is by making it easy for them to find what they’re looking for. More than 75% of customers told us that accurate search and filtering options are the key to them making a purchase and becoming a loyal customer. Make it worth their while and evaluate your search and filtering functions to ensure they’re as easy to use as possible.


Online customers are natural bargain hunters. They may be willing to pay full price, but a discount is even better. It turns out, customers are even willing to share personal information in exchange for a discount. Our research found that 56% of customers like receiving an immediate discount in exchange for providing their email address.


Did you know that price is the single most important factor for online consumers? That extends to shipping costs as well. The majority of consumers we surveyed said they would even wait longer for their purchases if it meant they could take advantage of free or inexpensive shipping.


One of the biggest issues that online companies struggle with when trying to protect the security of their customers is making their fraud filters too strict and declining valid orders. False declines don’t just cost your business money; they also turn good customers away:

  • 41% of customers will never shop with you again after being declined.
  • 32% will post a negative comment on social media about their experience.


One of the most important steps you can take to provide great CX to customers and comply with regulations is to communicate with them. Here are some suggestions:

  • Post your privacy policy on your website — explain what data is collected, why it’s collected and how you keep it safe.
  • Give customers the opportunity to consent to data collection. Not only is that great service, but it’s an almost surefire way to prevent penalties related to regulations.
  • Publish your process for deleting and disposing of personal data from your customers.
  • Always give customers the option to block or disable cookies on your website to make sure data isn’t stored without them realizing it.

What else can ecommerce businesses do?

Prioritize Fraud Prevention 

Central to superior CX is making sure your customers aren’t victims of fraud on your site. Preventing fraud helps maintain customer relationships and protects your bottom line – even more so when it comes to false declines.

That means screening all orders, even those from known good customers, and evaluating them for signs of fraud. Companies also need to understand how to calculate cutoff points for automatic approvals. 

While you can try to do this through fraud filters, an automated system or manual review of all orders by your staff, ClearSale offers a hybrid fraud prevention solution that can deliver results including fewer fraud-related chargebacks, fewer false declines and more order approvals.

Here’s how it works:

ClearSale’s hybrid solution starts with an AI-enabled algorithm that leverages trends, intelligence and data gathered from decades of fighting fraud in the most high-risk regions of the world. Using this technology, we can automatically approve most orders quickly.

Suspicious orders are flagged for contextual secondary reviews performed by our more than 2,000 fraud analysts who have the experience to recognize some of the hardest-to-spot fraud patterns. If necessary, our analysts may reach out to customers, but they do so in a way that demonstrates why consumers can trust your business to protect their information.

We then leverage the data gathered from those contextual reviews to help our system better distinguish valid transactions from fraud. That means our system can more easily recognize “good” transactions as we process more for the client, which increases their approval rates and revenue.

We also offer end-to-end chargeback management.

  • Total Chargeback Protection allows businesses to recoup a portion of losses due to fraudulent transactions.
  • Chargeback Guarantee reimburses the transaction amount plus the chargeback amount for any unauthorized transaction that’s approved.
  • End-to-End Chargeback Management delivers comprehensive chargeback mitigation and resolution services, including team training, data audits and timely responses to issuers.

For more information about how your company can balance regulatory compliance and CX while preventing fraud, reach out to us. ClearSale can help.

ClearSale Reviews


From the viewpoint of someone who has been the victim of credit card fraud

"We are in the Durable Medical Equipment supply industry and we use Shopify as our shopping cart. With Covid 19 we have seen a tremendous increase web traffic and online purchases. Prior to Covid 19 we had a number of fraudulent transactions that led to multiple investigations on Local, State and Federal levels all of which produced no returns only because the crooks were faster. This cost us in..."



Amazing - takes the stress away from me!

"I love that it takes the stress away from me worrying about fraud charges."

Dustin D.


Clear Sale gives us confidence that we will get paid

"ClearSale is very good, the orders get approved quickly, which is great so we know we can confidently send out the goods. Payment confirmation usually happens in 2-3 hrs. Once that happens we know we are covered."

Tony H.


Saves a ton of time and headaches!

"I don't have to spend time researching orders to see if they are fraud or not. I love that ClearSale backs up their approvals with a money-back guarantee if the order turns out to be fraud."


