"The Data Protection Directive has some significant challenges and requirements around customer data that are going to make PCI look like a walk in the park," said King.
"If you have got to protect all of your customer data, that means significantly more work; and if you're then required to notify your information commissioner within 24 hours of a breach, that's going to be a challenge; and if the data commissioner can then have the opportunity to fine you 2% of your global turnover, then that is not just the card schemes that are giving you fines."
Kiron Farooki, partner at Bond Pearce law firm, pointed out that some insurance companies are already responding to the European Data Protection Directive by providing "cyber insurance" that will allow businesses and retailers to spread out the cost of insurance over time.
However, Birch maintained that a more cost-effective solution is needed.
"You're never going to get the cost reductions that everybody needs; we have to rethink it, and I think looking at these more identity-centric ways is the way forward," he said.
"We have to work with a proper identity infrastructure, which isn't something to do with payments or banks; it's a cross-sector thing."