Solving the Payments Data Security and Compliance Problem By Getting Rid of the Data

There are two ways to improve compliance, ensure data privacy and cut costs, Mahmoud Abdelkader, CEO and co-founder of Very Good Security, told Karen Webster.

You can build a better data mousetrap — leveraging technology and especially software to figure out how to automate and streamline the tasks themselves. But that still leaves firms administering and maintaining their compliance back-end functions, day to day, incurring costs along the way.

Or, you can get rid of the mousetrap entirely. That means changing the corporate mindset itself, with the acknowledgment that there is no reason to store the data in the first place.

“That’s really the whole point of Zero Data,” said Abdelkader. “It gives you the ability to just shift and lift that data from your servers to VGS’ servers while giving you the same value and utility. And we think that’s a way better approach to building a better mousetrap.”

Moving Data Out of Reach

In terms of mechanics, the Zero-Data approach replaces sensitive data with synthetic stand-ins (aliases), so that the business logic that consumes the data is separated from custody of the data itself: the real values are never on the firm's servers.

Abdelkader said firms that take that approach could convey to their end-users that data security is top of mind — and they can help build that reassurance into their brands.

For proof that consumers realize the value of their information, consider that a new PYMNTS and Very Good Security collaboration, The Privacy Paradox, revealed that 62% of consumers are less likely to provide personally identifiable information (PII) if an online platform doesn’t protect their data.

Read more: Almost Half of Consumers ‘Very’ or ‘Extremely’ Concerned With Putting Personal Information Online

The Ongoing Compliance Struggle

Under traditional data collection, maintenance and security constructs, compliance costs are high. For example, compliance costs can range from $75,000 to over a million depending upon PCI level. Baked into those costs are developing and maintaining a cardholder data environment (CDE: hardware, networks, firewall, monitoring), PCI validation costs and ongoing compliance validation. The more global the firm is, the more it must monitor the scope of its operations as it satisfies the slew of rules and regulations that vary from country to country, on an ongoing basis, of course.

As Abdelkader noted, firms are now operating under the current PCI DSS compliance standard, and a new version is coming soon. As has been widely reported, PCI DSS 3.2 has been in place, and in the next year, version 4.0 looms.

“Compliance is not a discrete moment in time. It’s a continuous spectrum,” said Abdelkader — and that means ongoing costs. “With a Zero-Data approach in place, companies can tell users that ‘I can give you the best utility without having to see your data, because I take your data seriously.’” As noted in past coverage, VGS handles the encryption, data keys and other components of data security.

See more: Data Security’s Secret Sauce? ‘Zero Data’

Abdelkader was quick to point out that only the sensitive data is devalued and replaced by an alias. Non-sensitive attributes, such as an anonymous user's height, can be kept as they are.
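To make the alias mechanics described above concrete (the "replace sensitive data with synthetic stand-ins" point and the "only the sensitive fields are aliased" point), here is an added example. It is not VGS product code and does not come from the article: the vault is an in-memory dictionary standing in for a separately hosted, access-controlled service, and the field names, the `tok_` alias format and the choice to keep the last four characters visible are assumptions made for the illustration.

```python
import secrets
import string
from copy import deepcopy

# Constructed illustration of the "alias instead of the real value" pattern.
# Not VGS product code: the vault below is an in-memory dict standing in for a
# separately hosted, access-controlled service that the application tier calls.

SENSITIVE_FIELDS = frozenset({"card_number", "ssn"})  # assumption: fields the firm classes as sensitive
ALIAS_PREFIX = "tok_"                                   # assumption: alias format


class AliasVault:
    """Custodian of the real values. The application tier only ever holds aliases."""

    def __init__(self) -> None:
        self._alias_to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # The alias keeps the last four characters (so receipts and "ends in 1111"
        # displays keep working) and fills the rest with random digits. Nothing in
        # the alias is computed from the hidden part, so it cannot be reversed
        # without the vault's mapping.
        visible_tail = value[-4:]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(12))
            alias = f"{ALIAS_PREFIX}{body}{visible_tail}"
            if alias not in self._alias_to_value:  # regenerate on the (unlikely) collision
                break
        self._alias_to_value[alias] = value
        return alias

    def detokenize(self, alias: str) -> str:
        """Resolve an alias back to the real value; only the vault boundary can do this."""
        return self._alias_to_value[alias]

    def real_values(self) -> list:
        return list(self._alias_to_value.values())


def redact_record(record: dict, vault: AliasVault) -> dict:
    """Return a copy of `record` with every sensitive field swapped for a vault alias.

    Non-sensitive attributes (the article's example is an anonymous user's height)
    are kept verbatim, because they carry no compliance burden.
    """
    out = deepcopy(record)
    for field in SENSITIVE_FIELDS:
        if field in out and out[field] is not None:
            out[field] = vault.tokenize(str(out[field]))
    return out


def leaked_values(store: list, vault: AliasVault) -> list:
    """Scope check: list every real value held by the vault that also appears
    verbatim somewhere in the application's own store. An empty list is the
    goal: the store then contains nothing that would pull it into PCI scope."""
    blob = repr(store)
    return [v for v in vault.real_values() if v in blob]


if __name__ == "__main__":
    vault = AliasVault()
    # Constructed sample input: one signup record with a test card number and a
    # non-sensitive attribute that the application is allowed to keep.
    incoming = {"user_id": 42, "card_number": "4111111111111111", "height_cm": 180}
    application_store = [redact_record(incoming, vault)]
    print("stored record:", application_store[0])
    print("leaked real values:", leaked_values(application_store, vault))
    # A downstream payment call resolves the alias at the vault boundary, never
    # inside the application store.
    print("charge uses:", vault.detokenize(application_store[0]["card_number"]))
```

The design choice worth noting is that the alias is random rather than derived from the value: a hash or reversible encoding would let anyone holding the aliases work back toward the originals, whereas a random alias is only meaningful to the vault. The `leaked_values` check is the kind of assertion a team would run in tests to confirm that nothing in its own data stores ever holds the raw value.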

The Zero-Data approach, he said, transforms the landscape and possibilities for payments firms by removing the burden of compliance from their operations, allowing them to focus more directly on strategy.

“Most people come up with an idea [for innovation] and then say: ‘I’ve got to go to security and legal to figure out if I’m going to be able to achieve this outcome or not.’” But having Zero-Data practices in place means these same firms can focus instead on use cases.

As Abdelkader told Webster, VGS’ services “allow you the degrees of freedom to innovate without having to worry about what happens to the data that is necessary in order to launch something new. Security moves from an obstacle to an opportunity.”