“We had these teams trying to sell their products to us. What wasn't really clear from them was how the whole picture was going to come together. Every vendor had a gaping hole—except VGS.”
TCB Launches a New Commercial Card 6+ Months Ahead of Schedule
Case Study
Client
Texas Capital Bank (TCB), is a commercial bank dedicated to providing highly personalized financial services to businesses and entrepreneurs. Headquartered in Texas, and serving clients throughout the state and across the country, Texas Capital Bank is a wholly owned subsidiary of Texas Capital Bancshares, Inc. (NASDAQ®: TCBI) and is consistently recognized by Forbes as one of the best banks in America and The Dallas Morning News’ Top 100 Places to Work.
Goal
Quickly and securely launch a new commercial card program; avoid PCI (Payment Card Industry) compliance issues.
Problem Summary
Create a commercial card product in-house, while avoiding and mitigating PCI compliance issues.
Solutions Summary
By building their commercial card infrastructure on Very Good Security’s (VGS) Zero Data platform, TCB is able to use sensitive data without ever touching it, securing customer data, and achieving their goal of PCI risk mitigation. And by using VGS for data security and PCI compliance rather than building a solution from scratch, TCB was also able to launch their commercial card 6-9 months faster while feeling confident regarding an important risk component in the program.
Background
Creating an In-House Commercial Card
With $36 billion in assets, Texas Capital Bank is ranked as one of the top 100 FDIC banks by asset size and one of the top 50 by market cap. Despite this impressive resume, they had no intention of resting on their laurels.
As growth continued, they decided to create a commercial card product. With a strong brand name associated with highly personalized services, they wanted to offer clients a TCB commercial card, rather than a third party option. This meant developing their own product in-house, with all of the security and compliance issues that entailed.
Knowing this card would be a reflection on their brand and reputation in the market-place, and since this was their first in-house card, they needed an experienced team to ensure a smooth, secure, and efficient roll-out. One key step they took was to hire Ramona Hall, Senior Vice President of Commercial Card, to join Bill Kniering as part of the card leadership team. With over 20 years under her belt, certification in P2P processing, and a background in accounting and procurement, Ramona immediately got to work identifying a solution for a top project priority: the card’s data security.
Challenge
Quickly Launch a TCB-branded Commercial Card—without Liability
“What’s unique about TCB is our PCI compliance risk mitigation strategy. If you don't bring data in, you certainly reduce, and in some cases eliminate, your compliance risks. Our rule was to attempt to limit and in some cases avoid data at all costs, to stop it from the beginning and not house any of the data, we eliminated the compliance risk.”
With the decision made to offer an in-house commercial card, TCB quickly needed to determine exactly how they would handle sensitive client data. They knew that creating a data security and compliance solution from scratch would be too expensive and time consuming, with the initial in-house setup for a PCI Level 1 environment at a minimum of $1M, and a timeframe of 6 - 9 months to build a DIY environment.
In fact, they wanted to avoid handling sensitive data altogether and get to market as quickly as possible. A data security partner could shrink or eliminate the costs for infrastructure and ongoing maintenance. It would also dramatically reduce the time and resources required to maintain PCI DSS compliance as well as lower the risks associated with storing the data.
So Ramona immediately went to work contacting vendors who could support TCB’s ‘PCI avoidant’ framework.
PCI...Plus
“We had these different partners trying to sell their products to us. What was not really clear, was how the whole picture was going to come together. Every partner had a gaping hole—except VGS.”
Though Ramona soon narrowed her vendor options down to a shortlist of five, including VGS, it became apparent to her that not all of her options were equal. One vendor had a hosted solution to address PCI Compliance, but it only secured card numbers; other sensitive data like personally identifiable information (PII)—email addresses, phone numbers, etc.—was not addressed. In addition, all card data would be locked up with the vendor, without easy access, which is exactly what TCB did not want. And finally, while the solution could handle the immediate commercial card product, it could not scale across TCB’s enterprise for other data security and compliance needs.
In turn, each vendor they talked to had these same limitations around vendor lock-in and expandability. Ramona said, “We had these teams trying to sell their products to us. And what wasn't really clear from them was how the whole picture was going to come together. Every vendor had a gaping hole—except VGS.
Solution
We had this whole list of predetermined questions and needs. Once VGS started talking about their solution, it was like they had our checklist. It was just seamless. We were blown away…VGS wasn’t just the best solution; they clearly demonstrated how they would help us grow our business and top-line revenue.”
Zero Data for the PCI Avoidant
TCB chose to partner with VGS to leverage the Zero Data approach and avoid coming in contact with sensitive data. VGS' unique platform uses data aliasing, an advanced form of tokenization, and proxy protocols, which enabled TCB to avoid handling sensitive data, taking them out of PCI scope and achieving their ‘PCI avoidant’ goals.
Flexibility and Extensibility
One of TCB’s top requirements was that the technology they chose, and its marketplace, was modern because flexibility and integration with all their systems were critical. Ramona said, “We didn't want to take something that had been out there for a while and have to piecemeal things together. We looked at how each solution would integrate into what we have, and VGS had the flexibility to feed into all of our systems as well as partner technologies.
The VGS platform provided the infrastructure for TCB to seamlessly connect to multiple ecosystem partners. In this process, TCB retains 100% ownership of their data, and are therefore never locked into a single or pre-defined set of providers. The data ownership and flexibility was essential for TCB’s future business growth plans.
A Partner Who Gets It
“A partner that can really understand our infrastructure and work with us, that was essential. Our team only partners with people that are smart and work hard, and these are just part of the qualities that the VGS team had. It was a natural fit,” said Ramona. “There was not one person that had any objections to us moving forward with VGS.”
A Holistic Solution
From the outset, TCB was looking at their big picture. As an enterprise who approaches their infrastructure projects strategically, they were looking for someone who could handle more than just their immediate commercial card security needs.
In addition to needing a partner who understood their product, the necessary infrastructure, and PCI DSS compliance requirements, the team also wanted a partner that provided more flexibility and wouldn’t lock them into a single vendor. They also needed a solution that could scale along with their business expansion plans, such as supporting multiple customer support channels that would evolve as the card program matured. “We're going to be traveling,” said Ramona, “so we're going to need to do support from our cell phones. Having that ability to take calls on the road and tokenize the data on the spot, on the cell phone… that was a deciding factor. Because here again, we VGS is helping us to be PCI avoidant by keeping that data out of our system."
Results
“We’re going beyond PCI data soon. Everything related to that near-term expansion of our offerings is being built based on VGS technology.”
TCB successfully launched their in-house commercial card program in August, months ahead of what could have occurred with any other solution provider. Most importantly, the partnership allowed them to avoid handling the sensitive data so they could focus on building the overall business.
VGS’ Zero Data approach aligned perfectly with TCB’s PCI data avoidance strategy, enabling the organization to completely stay out of PCI scope and operate with the flexible infrastructure to support future growth.
Unlike the other data security solutions TCB considered, getting locked into a single vendor was no longer a concern with VGS. They now have the connectivity and data portability they need, along with the flexibility to protect different types of sensitive data as they plan to expand their business beyond their new in-house commercial card offering.
