Data ownership of your payments data (particularly card data) is especially important because no other bank or financial product will generate as much insightful data about your customers as your card payment products. Those insights can guide you to the right offers and even to the development of the right products and services.
Securing PCI Data
In the realm of card payments there are two types of data. First, there is the data that provides insight to drive the business and leads to innovation. Second, there is validation data, which is used not only to authenticate the transaction but also to tie the insight back to the segment or the individual cardholder. In order to access the data that drives the insight, you need an environment that securely stores and transmits the validation data, which in this case is card data. This is where PCI DSS comes into play.
PCI DSS provides the framework for how your card data should be secured both in storage and in transit. Although PCI DSS specifically addresses only PCI data, it can also serve as a good framework for securing other sensitive data such as PII, PHI, etc., thus allowing you to extend your data ownership beyond PCI data to any sensitive data.
PCI Overhead Can be a Burden to Your Innovation
Becoming PCI DSS certified is not only costly, but also time consuming. PCI certification requires an annual audit. The thought of one audit a year sends chills down most people’s spines, but PCI compliance also entails quarterly vulnerability scans and ongoing maintenance. On top of that, due to the sensitivity of PCI data, a vulnerability scan and remediation are also required each time you release a new product or feature, slowing innovation to an extremely slow drip.
The more channels in which you touch sensitive data, the greater the PCI DSS overhead you incur. Reducing the number of channels where sensitive data is used directly reduces the effort needed to maintain your PCI and data security posture. The more you reduce your PCI and data security overhead, the faster you will be able to innovate and release new products and features.
The Value of Data Ownership is Worth the Effort and Cost
For many banks and issuers, building a PCI compliant infrastructure comes with a 7-figure price tag and an 8- to 12-month effort, as well as maintenance and management costs ranging in the 6 figures annually. Although this is obviously a huge investment, banks and card issuers are willing to make it because of the opportunity cost, in lost wallet share growth and cross-sell opportunities, of not tapping into the value of their data. Once you start to tap into the value of that data, your return should more than cover the costs and effort associated with your data security posture. If this were not the case, large banks and card issuers would not hoard that data.
While at a large regional bank as the Head of Cards, I had a similar experience where my internal IT team quoted ~$1.5MM and a 12-month timeline to build a PCI compliant environment. Due to the need to get to market faster, I was forced to select the environment offered by my issuing processing platform. I did not understand the tradeoff, as getting access to my payment data required a project submission and consulting fees paid to my issuer processor. This was a major inhibitor not only to growing my wallet share and identifying cross-sell opportunities, but also to understanding my portfolio behavior so I could deliver the right features and functions in a timely manner.
If data were not that valuable, there would not be a marketplace for buyers and sellers of data. Some of the largest businesses in the world are built on data ownership. The more data they are able to collect and sell, the more valuable these companies become; social media companies are one example. Many of these same social media companies are now starting to dip their toes into the realm of payments.
As the need to store data in a PCI compliant environment continues to grow, especially in the world of payments, there are a number of solution offerings. Each offering provides a specific value proposition but also comes with tradeoffs that many are unaware of. These shortcomings include but are not limited to the following:
- Protects my PCI data, but not my other sensitive data such as PII, PHI, etc.
- It protects my data at rest but not in transmission or vice versa
- It’s almost as much as building it myself and requires a 3 to 5 year commitment
- They store my data O.B.O., but access and usability of my data is extremely difficult
- I’m happy with it, but now I’m locked in and replatforming is almost impossible
What if I told you there is a solution out there that does not force you to make any of the tradeoffs above, while saving more than 50% versus building it yourself and reducing your operational overhead such as management, maintenance and operational audit effort...all this while giving you full data ownership with easy access to your data? Contact VGS and we will walk you through how our Zero Data approach can secure your sensitive data without the tradeoffs of other solutions while saving you more than 50%.
This is the final part in a 2-part series. Read Part 1 here.