PSD2 has not much to do with payment security, as it is all about giving banks and other financial information processing firms the possibility to get payment records of customers containing details of purchases, as to provide them with "useful offers".
I was confused about updating my billing info until I read your post. I was concerned you wanted to bill me again right now. I thought you would be asking me for credit card info.
It would have been helpful for me if there was a big box I could have clicked on that said, "Why are we asking for this info? Click here" with a link to your post.
Once I read your post, I was happy to comply.
This entire request and process (including annoying pop-up reminders) is bogus.
You do not need my billing info, except at time of billing. You will not be getting my billing info, except at time of billing.
Please tell me what I can do to ensure when you DO get my billing info at time of billing, that you're not storing it on your computers.
The Second Payment Services Directive (PSD2) is a fundamental piece of payments related legislation in Europe, which entered into force in January 2016. PSD2 must be transposed into national law by Member States by 13 January 2018. (Source)
Why is LastPass doing this now, over three years later? It's a rhetorical question; I don't really care.
I would like to know whether LastPass:
As mentioned in the source you provided:
"However, PSD2 empowers the European Banking Authority (EBA) to develop a number of guidelines and technical standards, including a mandate (under Article 98) to deliver regulatory technical standards (RTS) on strong customer authentication and secure communication, implementation of which will run to a different timetable."
We are updating our billing system and implementing this new requirement now as part of the process. Other LogMeIn products have met this requirement for a few years already.
Sorry, with websites being hacked daily, the last thing I want is to keep more of my information "on file" with any site. It's scary enough to trust LastPass with what amounts to our entire online life, so it's too much to ask to want even more of our information. Ask me my billing info when it's time to renew and do not keep it on file. Cross-reference it at the time of the transaction and then dump it.
Are hackers signing up for LastPass accounts? Are they breaking in and then renewing accounts for folks? What problem are you looking to solve here other than a financial one for yourselves so you can continue billing folks?
What exactly does keeping billing information on record do for your new billing system other than enable you to continue to bill folks who may / may not want to be on auto-renew? What specifically is the increased security for having billing information on record. Flat out, tell us, and stop listing regulatory jargon that nobody reads.
Sorry to be late to the conversation.
The risk you claim to be protecting me from is that someone else will use fraudulent card details to pay my subscription. Presumably they also wear Lincoln Green and hang around in Sherwood Forest.
Would it not have been more honest to say:
1) For sound business reasons, we are moving to a new E-commerce provider.
2) They are further advanced in the area of fraud prevention than our current supplier and routinely check card details against the billing address.
3) This extra step would protect you against some forms of credit card fraud and is strongly encouraged in EU legislation.
4) We would therefore be very grateful if you would supply your billing address when you next log in, to ensure that your next renewal proceeds smoothly.
The manner in which you have done this rings security/phishing warning bells and serves only to decrease customer confidence in your product. It rather suggests that the able security people you do have had no part in it and the task was given to employees who lack the necessary background.
It will leave me considering whether you are to be trusted with my sensitive data in the future.
I'm not in the EU, and always adhere to the policy of providing as little information as required for a transaction. Information not provided is information that cannot be stolen or sold. LogMeIn does not need my full details by EU law, as I'm not in the EU. Moreover, in my country of Australia the ACCC (AU government competition regulator) BANNED the mandating of 3D secure measures in Australia.
I can only presume this blanket policy has come about due to LogMeIn not being certain of the geographic location of all its clients, instead taking the lazy way out of applying a blanket policy of requiring PII of all its customers (grafting them into the LogMeIn system).
I would speculate that LastPass's typical customer base would prioritize security more than the average Joe - after all, it's one of the main reasons to use a password manager. These same people consider LogMeIn's requirement to demand and store PII to be a risk in and of itself - that, and the way it's been managed is laughably amateurish, at best.
I suppose I could just move to the free version, but the cross-platform support for me was useful, and about the best implementation I've come across. Others come close, however.
However, for some months I've been trialing out several of your competitors (as I suspect have others), and have found one that is sufficient (and better at filling in password forms on difficult sites). (I won't name it here)
Those in command of the LogMeIn ship should care to remember that. I'm sure I'm not alone.
The larger economic powers are trying to crack down on various forms of fraud and tax evasion.... hence you have requirements introduced like FATCA and the EU one mentioned here.
My guess is that one thing the EU is concerned about is that software buyers in the EU should be paying VAT on their purchases. I guess that is at least partly behind the request for billing details.