Presentation Transcript

1. Turn the Lemons of Compliance into Lemonade How compliance affects portfolio value
2. Moderator: Linda Grimm CIPP/US, PMP - Director of Compliance Services- CSR, and WSAA Board Member Panelists: Steve Elefant - Managing Director - Soaring Ventures Darrel Anderson CIPP/US - Executive Vice President - CSR Heather Mark, PHD - SVP Market Strategy - ProPay
3. Agenda Has PCI really been effective at securing data? Panelist point of view: Steve Elefant --The risks of failure to secure date; real world examples of the impact of a data breach Darrel Anderson -- Turning compliance lemons to lemonade, how to turn compliance requirements into revenue opportunities Heather Mark -- The future of data security, what’s in store for the industry? Audience Q & A
4. Has PCI really been effective? The number of data compromises investigated has INCREASED since the introduction of PCI Data Security Counsel in 2006 Verizon Data Breach Investigation Reports, 2008-2012 2008 – 4 years worth of data
5. Has PCI really been effective? The the number of compromised records shows significant fluctuation with steady INCREASE in number of records Verizon Data Breach Investigation Reports, 2012
6. The Facts Smaller merchants are the new target: Survey by The Hartford – 85% of small businesses don’t believe they are at risk Number of employees Percent of breaches by business size Verizon Data Breach Investigations Report, 2012
7. Personally Identifiable Information (PII): Name Address Zip code Date of Birth Telephone number Cell phone number Email address IP address Business/employer address License Plate number Vehicle Identification number Log-in credentials Face, fingerprints, or handwriting Sensitive Personal Information: Social Security Number Bank routing and account number Driver’s license number Passport number Medical records Health information Credit card information Just one of many forms of PII
8. The Facts While only 4% of breaches contained PII, PII comprised 95% of the records lost Verizon Data Breach Investigations Report, 2012
9. Steve Elefant Managing Director - Soaring Ventures
10. What Happened? – After The Announcement 1/20/09 – Call to arms of all Heartland employees to visit clients and talk to partners HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22 HPY 4Q08 earnings call – HPY drops to $3.43 on March 12; a 77.6% drop since the breach announcement 3/14/09 – Delisted from Visa list of approved vendors 4/30/09 – Reinstated on Visa list of approved vendors 1/8/10 – Settlement Agreement with VISA announced 2/18/10- 4Q 2009 results reported. Share price opens at $15.13 on 2/19. 09/30/2011 – Share price $21.07 after release of E3 and Mobuyle 09/20/2012 – Current share price $33.00

11. Turn Compliance Lemons into Lemonade

    Darrel Anderson, CIPP/US Executive Vice President - CSR
12. The changing way ISOs make money 23% 25% 28% 38% 13% 18% 31% 24% Rev. 17.7¢ Cost 13.1¢** Profit 4.6¢ Rev. 11.9¢ Cost 8.1¢** Profit 3.8¢ *2005 Visa Functional Cost Study ** Including Sponsorship Fee *2010 Visa Functional Cost Study ** Including Sponsorship Fee
13. How makes money on business Internet customers Average Go Daddy Client Revenue $38 / month Average ISO Level 4 Revenue $10 / month* *without interchange, VISA Functional Cost Study
14. How would $5 per month extra revenue program affect ISO revenues and valuations? – Annual Revenue ** – EBITDA (3 yr)*** – Revenue Stream Valuation + $331,912 + $873,424 + $1,109,581 Or the equivalent of 827 new merchants *Based on 5,000 count portfolio ** 3 year average, 10% growth YOY, 4% opt out *** Assumes 15% commission rate
15. How to Generate Portfolio Revenue with Compliance Collect what is owed to you 83% of accounts aren’t being billed 100% accurately Use “GoDaddy” Mentality Don’t be afraid to introduce new products, Don’t be afraid to sell, Don’t be afraid of attrition – it weeds out those that won’t generate revenues Risk adjusted pricing for merchants that hold data Merchants that hold more PII data are more risky. Charge them a premium Opt out programs They work, and they work well and they DO NOT cause attrition. They cause retention Revenue outside the mid and track 40% of your revenue should be coming from non-transactional sources, what is your number? 2 Level Compliance and non-compliance fees Create second level of both compliance and non-compliance fees

16. Data, Data Everywhere

    Getting Beyond PCI DSS Heather.mark@propay.com Dr. Heather Mark, PhD SVP of Emerging Markets
17. Data Protection is Like an Onion… …It brings tears to your eyes.
18. Is this an ISO Problem? Focus has been on Merchants and on Payment Card Data Helping merchants be compliant can help secure the portfolio But what data are YOU storing? Protecting PII in your own environment can help secure your business Employee information like SSN, health insurance Merchant applications contain banking information
19. Evolution Definition of personal data is evolving Payment information Identifying information What about answers to security questions? Regulatory Environment is evolving 46 state breach notification laws 2 states (so far) mandating compliance with PCI DSS FERPA; HIPAA/HITECH; GLBA State level data security laws
20. What to Do? Look beyond PCI DSS Conduct a regular inventory of data Determine your data protection strategy Stay abreast of regulation/court precedent Help secure the portfolio
21. Audience Q & A Contact Information: Linda Grimm – PMP, CIPP/US Director Consulting Services, CSR (707) 834-5147 lgrimm@csrcorporate.com Steve Elefant Managing Director, Soaring Ventures (925) 283-9311 steve@soaringvc.com Darrel Anderson – CIPP/US Executive Vice President, CSR (480) 603-6129 danderson@csrcorporate.com Dr. Heather Mark, PHD SVP, Emerging Markets, ProPay (801) 341-5563 heather.mark@propay.com