
The Green Sheet Online Edition

December 14, 2020 • Issue 20:12:01

PI dwarfs PCI

By Mark Dunn
Field Guide Enterprises LLC

Everyone in the payments industry knows PCI. But have you met PCI's giant younger brother, PI? The onslaught of hacking commercial websites to steal personal information and credit card numbers had two major effects:

  1. It focused the payments industry on restricting the storage of, and protecting, payment card data through the Payment Card Industry Data Security Standard (PCI DSS).
  2. It accelerated the development of federal, state and international regulations mandating protection of personal information, or PI.

PCI DSS was rolled out more than 10 years ago to create a uniform standard for protecting primary account number (PAN) data. PCI compliance was mandated by the card brands and implemented to include merchants of all sizes. The practical effect of PCI compliance was that every merchant had to fill out a self-assessment questionnaire and undergo an external vulnerability scan of their Internet-facing systems, performed by an Approved Scanning Vendor (ASV).

ISOs made a significant amount of profit from PCI. They instituted PCI monthly fees for every merchant ID, or MID, typically between $9 and $15 per month. For merchants who didn't complete the Self-Assessment Questionnaire (SAQ) or the scan, they instituted a monthly PCI non-compliance fee, typically between $19 and $30 per month. Over time, many ISOs were able to drive the cost of the SAQ and scan to below $1 per MID. Thus, PCI drove $8 to $20 per MID per month, or more, to an ISO's bottom line.

What do merchants get for their PCI compliance dollars? With most ISOs, it's pretty limited. The SAQ should identify any gaps in the merchant's handling of credit card data, but it is only as accurate as the merchant's own answers.

The scan should identify known vulnerabilities in the merchant's Internet-facing systems that might allow access to payment card data. It is an automated scan of exposed services, not a penetration test, so it does not exercise the site's application logic. Some ISOs also include a very basic breach insurance policy.

The point is that PCI's aims are limited. And the program that most ISOs deliver doesn't do very much for the money they get from the merchant.

PI is enormous

PI is the big leagues of data compliance. To stretch the sports analogy a little further, we might think of PCI as only the first quarter of a four-quarter game called PI.

Today, the elements of PCI are considered a subset of the broader issue of PI. PI is any information that can be used, alone or combined with other data, to identify an individual. PI is regulated by federal, state and international laws. PCI touches only the payments industry; PI covers every industry. In the United States alone, more than 300 regulations affect the use of PI, including more than 20 federal regulations and specific regulations for all 50 states. Violations of these regulations can lead to both civil and criminal penalties and sanctions.

Federal, state and international laws mandate how businesses and merchants must collect, use, store and dispose of personal information. PI includes every kind of data, both electronic and physical. It includes such items as financial records, health data, orders, personal data, data collected by apps and credit card data.

For example, you may have heard of the California Consumer Privacy Act of 2018 (CCPA) or the General Data Protection Regulation (GDPR) in the European Union.

Since the onset of the COVID-19 pandemic, businesses of every size and description have expanded their online presence. This is especially true for smaller merchants who have had to pivot to online sales. As a result, they have increased the ways in which their suppliers, vendors and customers interact with them. Many have launched new online order systems. And touchless systems have seen an explosion in sales. This means the touchpoints for PI have seen a dramatic increase as well.

So, if you've made it this far, you may be thinking to yourself, "Yeah, so what? Why should I care?"

First, your brick-and-mortar merchants, B2B clients and online merchants are subject to the mandates of these PI regulations. They have to comply. It's not optional. They have a need that they probably aren't even aware of and certainly are not focused on. The question is, who will supply the solution(s) they need, and what value will they receive for the fees charged?

Second, you might want to view this as another revenue opportunity. PI, like little brother PCI, has the potential to generate substantial recurring monthly revenue if the compliance package has good value.

Third, there is the issue of who sets the trend for merchant services. PCI is stale, limited and needs a refresh. Merchants need PI services, that is, services that provide them protection, help and information about PI. The company that provides the greatest value in services for the best price will be able to grab the early lead in the market.

How do I choose a PI service partner?

So, hopefully, you agree it's important to offer PI services to your portfolio. What criteria must a potential partner meet? I recommend that you choose a partner that has all of these credentials:

  • The company has documented success, over a minimum of five years, in providing PI regulatory compliance services to both the SMB and major corporation business community.
  • Professionals within the organization are certified by the International Association of Privacy Professionals (IAPP).
  • The IAPP-certified professionals within the organization are full-time employees.
  • The company should have at least one full-time Fellow of Information Privacy (FIP) on staff.
  • The company should hold a current SOC 2 Type II report. Note that SOC 2 is an independent attestation report, not a certification, so ask to see the report and confirm that the privacy trust services criterion is in scope.
  • The company provides services that are driven by local jurisdictional standards.
  • The company has a declared focus on privacy regulation, for example, cyber privacy.
  • The partner company provides end-to-end support for both you and each of your merchants by having fully operational intake centers in multiple jurisdictions.
  • The partner company prices its services in an economically sensitive manner.
  • The partner company has a deep understanding of the intersection between PCI and PI.

With the correct partner you will be on your way to offering a needed service to your merchants.

Mark Dunn is an executive consultant in the merchant bankcard industry and heads up Field Guide Enterprises LLC, a bankcard consulting and training firm. For more information, please e-mail Mark at mark@gofieldguide.com or visit www.gofieldguide.com.
