Turn the Lemons of Compliance into Lemonade How compliance affects portfolio value

Upload: gwendolyn-ramsey

Post on 17-Dec-2015


Page 1: Turn the Lemons of Compliance into Lemonade How compliance affects portfolio value

Turn the Lemons of Compliance into Lemonade

How compliance affects portfolio value

Page 2

Moderator:

• Linda Grimm, CIPP/US, PMP - Director of Compliance Services - CSR, and WSAA Board Member

Panelists:

• Steve Elefant - Managing Director - Soaring Ventures

• Darrel Anderson CIPP/US - Executive Vice President - CSR

• Heather Mark, PhD - SVP Market Strategy - ProPay

Page 3

Agenda

• Has PCI really been effective at securing data?

• Panelist point of view:

– Steve Elefant -- The risks of failure to secure data; real world examples of the impact of a data breach

– Darrel Anderson -- Turning compliance lemons to lemonade, how to turn compliance requirements into revenue opportunities

– Heather Mark -- The future of data security, what’s in store for the industry?

• Audience Q & A

Page 4

Confidential and proprietary

© 2011 CSR. All rights reserved. CSR is a trademark of CSR.

Has PCI really been effective?

The number of data compromises investigated has INCREASED since the introduction of PCI Data Security Council in 2006

Verizon Data Breach Investigation Reports, 2008-2012

2008 – 4 years' worth of data

Page 5

Has PCI really been effective?

The number of compromised records shows significant fluctuation with steady INCREASE in number of records

Verizon Data Breach Investigation Reports, 2012

Page 6

The Facts

Verizon Data Breach Investigations Report, 2012

Smaller merchants are the new target:

[Chart: percent of breaches by business size, by number of employees]

Survey by The Hartford – 85% of small businesses don’t believe they are at risk

Page 7

Personally Identifiable Information (PII):
• Name
• Address
• Zip code
• Date of Birth
• Telephone number
• Cell phone number
• Email address
• IP address
• Business/employer address
• License Plate number
• Vehicle Identification number
• Log-in credentials
• Face, fingerprints, or handwriting

Sensitive Personal Information:
• Social Security Number
• Bank routing and account number
• Driver’s license number
• Passport number
• Medical records
• Health information
• Credit card information

Just one of many forms of PII

Page 8

The Facts

While only 4% of breaches contained PII, PII comprised 95% of the records lost

Verizon Data Breach Investigations Report, 2012

Page 9

Steve Elefant

Managing Director - Soaring Ventures

Page 10

What Happened? – After The Announcement

1/20/09 – Call to arms of all Heartland employees to visit clients and talk to partners

HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22

HPY 4Q08 earnings call – HPY drops to $3.43 on March 12; a 77.6% drop since the breach announcement

3/14/09 – Delisted from Visa list of approved vendors

4/30/09 – Reinstated on Visa list of approved vendors

1/8/10 – Settlement Agreement with VISA announced

2/18/10 – 4Q 2009 results reported. Share price opens at $15.13 on 2/19.

09/30/2011 – Share price $21.07 after release of E3 and Mobuyle

09/20/2012 – Current share price $33.00

Page 11

Turn Compliance Lemons into Lemonade

Darrel Anderson, CIPP/US

Executive Vice President - CSR

Page 12

The changing way ISOs make money

Rev. 17.7¢, Cost 13.1¢**, Profit 4.6¢

Rev. 11.9¢, Cost 8.1¢**, Profit 3.8¢

[Chart segments, labels not recoverable: 25%, 38%, 24%, 13%]

[Chart segments, labels not recoverable: 23%, 28%, 31%, 18%]

* 2005 Visa Functional Cost Study

** Including Sponsorship Fee

* 2010 Visa Functional Cost Study

** Including Sponsorship Fee

Page 13

How makes money on business Internet customers

*without interchange, VISA Functional Cost Study

Average ISO Level 4 Revenue $10 / month*

Average Go Daddy Client Revenue $38 / month

Page 14

How would $5 per month extra revenue program affect ISO revenues and valuations?

– Annual Revenue **: + $331,912
– EBITDA (3 yr) ***: + $873,424
– Revenue Stream Valuation: + $1,109,581

Or the equivalent of 827 new merchants

* Based on 5,000 count portfolio

** 3 year average, 10% growth YOY, 4% opt out

*** Assumes 15% commission rate

Page 15

How to Generate Portfolio Revenue with Compliance

• Collect what is owed to you

– 83% of accounts aren’t being billed 100% accurately

• Use “GoDaddy” Mentality

– Don’t be afraid to introduce new products, Don’t be afraid to sell, Don’t be afraid of attrition – it weeds out those that won’t generate revenues

• Risk adjusted pricing for merchants that hold data

– Merchants that hold more PII data are more risky. Charge them a premium

• Opt out programs

– They work, and they work well and they DO NOT cause attrition. They cause retention

• Revenue outside the mid and track

– 40% of your revenue should be coming from non-transactional sources, what is your number?

• 2 Level Compliance and non-compliance fees

– Create second level of both compliance and non-compliance fees

Page 16

Data, Data Everywhere

Getting Beyond PCI DSS

Dr. Heather Mark, PhD

SVP of Emerging Markets

Page 17

ProPay Confidential - © 2012 ProPay, Inc. All rights reserved

Data Protection is Like an Onion…

Payment Data/Customer Information
• PCI DSS
• State PCI DSS laws
• State data security laws

Health Information
• HIPAA
• HITECH

Financial Information
• GLBA
• State Laws

Company Information
• SOX
• Civil Actions on behalf of shareholders

…It brings tears to your eyes.

Page 18

Is this an ISO Problem?

• Focus has been on Merchants and on Payment Card Data
– Helping merchants be compliant can help secure the portfolio

• But what data are YOU storing?
– Protecting PII in your own environment can help secure your business

• Employee information like SSN, health insurance

• Merchant applications contain banking information

Page 19

Evolution

• Definition of personal data is evolving
– Payment information
– Identifying information
– What about answers to security questions?

• Regulatory Environment is evolving
– 46 state breach notification laws
– 2 states (so far) mandating compliance with PCI DSS
– FERPA; HIPAA/HITECH; GLBA
– State level data security laws

Page 20

What to Do?

• Look beyond PCI DSS
• Conduct a regular inventory of data
• Determine your data protection strategy
• Stay abreast of regulation/court precedent
• Help secure the portfolio

Page 21

Audience Q & A

Contact Information:

Linda Grimm – PMP, CIPP/US
Director Consulting Services, CSR

Steve Elefant
Managing Director, Soaring Ventures

Darrel Anderson – CIPP/US
Executive Vice President, CSR

Dr. Heather Mark, PhD
SVP, Emerging Markets, ProPay