GS Logo
The Green Sheet, Inc

Please Log in

Banner Ad
View Archives

View PDF of this issue

Care to Share?


Table of Contents

Lead Story

Payment fraud, rising to the challenge

Patti Murphy
The Takoma Group

News

Industry Update

Did hackers gain insight into RSA's methodology?

Comodo compromise draws swift response

PCI SSC dials up call center compliance

Fifth Third seeks innovation through open platform

Trade Association News

Features

Do Tell

Innovations in check scanners

David Peterson
RemoteDepositCapture.com

ISOMetrics:
B2B payment fraud

Integrating your marketing efforts

Selling Prepaid

Prepaid in brief

Momentum builds for maritime cards

Providing prepaid self-serve for global markets

Views

PII and merchant portfolio acquisition

Daniel Federgreen
Analyst

Social redemption at the POS

Paul Rasori
VeriFone Inc.

Education

Street SmartsSM:
Straight talk on professional certification

Bill Pirtle
MPCT Publishing Co.

Leads, leads, leads - Part 3: Lead nurturing

Peggy Bekavac Olson
Strategic Marketing

Coach your way to a stronger organization

Vicki M. Daughdrill
Small Business Resources LLC

Projecting confidence, inspiring trust

Jeff Fortney
Clearant LLC

How to reboot a stalled PCI program

Tim Cranny
Panoptic Security Inc.

A brief on prospecting

Jeffrey Shavitz
Charge Card Systems Inc.

Company Profile

Merchant Implementation Services

New Products

A CRM solution for MLSs

Powerhouse Sales Agent CRM
Powerhouse Payments LLC

Inspiration

Stick with the truth

Departments

10 Years ago in
The Green Sheet

Forum

Resource Guide

Datebook

Miscellaneous

2011 Calendar of events

Skyscraper Ad

The Green Sheet Online Edition

April 11, 2011  •  Issue 11:04:01

previous next

PII and merchant portfolio acquisition

By Daniel Federgreen

Personally identifiable information (PII) is a major driver of value in merchant portfolio acquisition. PII, by definition, is central to any discussion of privacy in the payments industry. Merchant service providers must be able to access and transmit PII securely to facilitate transactions, which are the heart of commerce.

The question is, how do the privacy policies of an acquisition target, compared to the acquiring entity's policies, affect the target's valuation and the ability to consummate a sale?

ISOs, merchant level salespeople, processors and acquiring banks are information-driven. For many, awareness of the responsibility to manage PII and the deep understanding of the harm that breach or loss of this information can cause is elusive. And a high-profile discussion regarding security and privacy continues: How should we, as an industry, manage PII in the portfolio acquisition process, and what are the challenges associated with this?

High-speed data transfer is central to the modern electronic world. However, too often data streams contain information that is ambiguous or unknown to both senders and recipients of the data, and the streams may contain PII. Thus the information is not only sensitive to individuals and entities, but it also often contains information that, if obtained by unauthorized parties, could be used for criminal purposes.

Value of data

When merchant portfolios are bought and sold, what is really being obtained - and therefore the item of value - is the information in the portfolio's database that, when transmitted among authorized payment entities, allows for the processing of payment transactions.

Associated with this information is a laundry list of data that may contain Social Security numbers, dates of birth, driver's license numbers, home and business addresses, and other items that define PII.

Of note, the PII being transmitted may contain not only current relationships; it also may contain details pertaining to prior relationships that were not appropriately purged from databases, as well as third-party data from extraneous inputs.

The need to address data transfer is not restricted to merchant portfolio acquisition. It is a basic fact of any business acquisition, merger or divestiture in today's economic climate. And the stated data privacy policy of the portfolio targeted for acquisition must be compared with the data privacy policy of the acquiring entity.

The policy of the target should reflect the various statutes that affect the target organization, based upon the jurisdictions in which the target operates.

This must be balanced with the business needs of the acquiring organization. The potential conflict between the privacy polices of the target and acquirer must be reconciled before a relationship can be consummated.

Data management challenges

Data privacy management has become a modern informational nightmare. Fundamental questions of whose data it is to who has the right to sell or transfer it are issues that must be addressed. Not just because of the legal liabilities associated with this, but also because of the social and ethical responsibilities of the entities involved.

In the book Information Privacy by Peter P. Swire and Sol Berman, the authors describe the four basic areas that every organization faces regarding the handling of information. They are legal compliance, reputation, investment and reticence.

All who are involved with the art of the deal should understand these four concepts. Legal compliance is the requirement that each organization comply with all applicable laws.

Reputation is that the organization must protect its reputation as a trusted institution with respected brands. Investment requires that the organization receive proper return on its investment. Reticence, in this context, is the need for the organization to use the acquired information as robustly as its competitors.

The organization acquiring a portfolio must understand and embrace the privacy policies of the entity it intends to acquire. The target's population of merchants has given them PII under the premise that the stated or published privacy policy will be maintained.

If, in the evaluation of the potential target, the privacy statement is deemed incompatible or unacceptable to the acquiring organization, the acquiring organization must factor in the costs related to providing appropriate notice of changes to the policy and the potential effects of said changes in terms of erosion of the target's merchant base.

To my knowledge, no study has addressed this issue. Therefore, no known predictive model can be applied. What might be called a reasonable guess is simply nothing more than a guess.

It is probably safe to assume the majority of published privacy policies are compatible in terms of immediate needs. Modifications so that privacy polices of merged entities can coexist across an entire enterprise can be put in place during a transitional period while the acquired portfolio's merchant population is integrated in a manner that is least disruptive. The concept of Privacy by Design can serve as a useful guide to accomplish this process.

Principles of privacy

A fundamental concept today is that of Privacy by Design developed by Dr. Anna Cavoukian. As described by Dr. Cavoukian, "Privacy by Design asserts that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation."

Privacy by Design presents a set of "foundational principles" that can help companies innovate in ways that are consistent with fair information practices. These seven principles are:

  1. Proactive, not reactive; preventative, not remedial
  2. Privacy as the default
  3. Privacy embedded into design
  4. Full functionality; positive-sum, not zero-sum
  5. End-to-end lifecycle protection
  6. Visibility and transparency
  7. Respect for user privacy

The merger, acquisition or divestiture of merchant portfolios or any other entity with respect to the intrinsic PII of an entity targeted for acquisition must be accounted for in the predictive modeling of cost of acquisition and valuation of the target.

The issue is how to successfully integrate this information without compromising the security and privacy and, at the same time, meet the stated four objectives of Swire and Berman. As author Ursula Le Guin stated, "When action grows unprofitable, gather information; when information grows unprofitable, sleep."

Daniel Federgreen can be reached at exvala@gmail.com. He currently is employed in the corporate financial group of a Fortune 50 company.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Harbortouch | USAePay | IRISCRM.COM | Humboldt Merchant Services