Why protect other people’s data that you didn’t ask for?

Do these questions sound familiar:
“Has your luggage been in your possession at all times?”
“Has anyone given you anything or asked you to carry on or check any items for them?”

If you’ve flown recently they will be only too mind-numbingly familiar, obviously you wouldn’t volunteer to take responsibility for someone else’s luggage, yet we expect retailers to take responsibility – at considerable cost to them – for someone else’s data. Just whose data is it (and who should bear the costs)?

ACI has commissioned an independent white paper to capture the mood of retailers on the broader topic of security in payments – where they are currently in their programmes, and where they expect to be in the near future. “Why protect the data” is one aspect covered. If you’d like a free copy please register your interest on our microsite. This 4 part blog series introduces the themes covered in the white paper which will be released during October.

Back to the question, whose data is it? First let’s be specific about what the data is. 47% of consumer-present purchases are made using cards*1. The remainder are cash or on-account purchases. Despite its high media profile, mobile is insignificant when one looks purely at the numbers. So in terms of payment-related data the security focus is card data. The problem is also bigger for in-store than e-commerce, so in this blog we’re looking at card data where the consumer is physically.

So the question is who owns the card (and therefore who should be responsible for keeping the card data secure). If you ask the average consumer whose card it is he/she may say one of two things:
“It’s my card, I keep it with me and I’m the only person who uses it”
“It’s my bank’s card: they decided what numbers go on it, it has their logo, and when I close my account I have to destroy or return the card.”

One could argue that the data belongs to the bank, or that it belongs to the cardholder but everyone would agree that the data does not belong to the retailer! (apart from store cards). Not only that, it’s useless to the retailer for anything other than completing the card-based transaction: it contains no demographic data such as age, gender, home address, or financial status.

The payments industry – in particular the international card schemes – determine the rules that retailers must follow, with seemingly no consideration of the costs – which are spiralling out of control. To put these costs into context many tier 1 retailers have spent more than £5 million*2 on their PCI DSS projects. How do retailers feel about being put into this situation? We’ll address that in the white paper, but if you’re a retailer, or a supplier to retailers, please post your comments!

Why spend the money? Philosophical discussions about fairness aside, what compels a retailer to comply with the rules? Ultimately it’s customer satisfaction: a retailer who makes a business decision to accept cards chooses an acquirer (or more than one) and in doing so agrees to comply with the acquirer’s rules (which are governed by the card schemes). A retailer may choose not to accept cards, but to say that this may result in lost sales (for all by the smallest retailers) is an understatement. So the question becomes not whether to accept card payments or not, but how to do so at the lowest cost. This is the topic of next week’s blog, and qualitative data on the topic is included in the white paper (don’t forget to register your interest!).

A word about the author, and the sponsor of this blog: my name is Michael Kyritsis, I’ve worked in the payments industry for 17 years, and I’m employed by ACI as lead solution consultant. Throughout my career I’ve been determined to see how EFT software is used by real customers, and am continually discovering that each customer has unique requirements – there’s no one-size-fits all solution. Similarly each customer has unique perspectives to contribute to a collective “industry view”. Distilling this industry view, and seeing how it compares to our solution’s capabilities is both reassuring and challenging. I’ve concluded that in the ACI retailer solution we have the expertise and products to build a solution perfectly tailored to the requirements of the largest and most demanding global retailers. Thanks for reading this far, until next week, Michael.

1: http://www.finextra.com/news/fullstory.aspx?newsitemid=26120
2: http://www.computerweekly.com/feature/The-real-cost-of-PCI-DSS-compliance

One thought on “Why protect other people’s data that you didn’t ask for?

Leave a Reply