An interesting discussion about digital asset valuation is floating around the internet. It seems that I mostly agree with Alex Hutton's approach. It closely parallels how I think in terms of business disruption. Rather than revisiting that, I want to use the valuation discussion as a springboard for looking at the business value of stored credit card numbers and PCI.
See, I think that for most businesses, stored credit card numbers are not an asset, they are more like a liability. In most cases the stored number is never going to be used again--it will never generate additional revenue[1]. Credit card numbers are kept only because businesses feel that they must keep them to defend against fraudulent chargeback claims. Take a close look at that: businesses must accept additional risk (storing credit card numbers) as a protection against existing risk (fraudulent chargebacks). Don't you just ache to start a business! Add the PCI requirements into the mix, and now businesses must spend a significant chunk of change to protect data that is not wanted because it is already a liability.
Is it any wonder that businesses are not thrilled about PCI? Even businesses that are eager to secure their digital assets would rightfully see PCI as a distraction since credit card numbers are not assets. The PCI requirements are pretty good, and I'm pleased to use them to protect actual digital assets. However, since credit card numbers are not assets, businesses will never be strongly motivated to protect them. If businesses must spend money on security, they'd rather protect their actual assets.
Because of this, credit card brands would achieve far greater security of card numbers if they instead prohibited businesses from storing credit card numbers. This would better align security incentives with the realities of business. Yes, the banks would have to support tokenization or some other scheme, but presumably they have the budget, expertise, and motivation to do security right. I'll leave it to the cynics amongst us to ponder why the focus is instead on forcing businesses of all sizes to adhere to the PCI requirements.
[1]: I know. Many larger businesses feature 1-click shopping or some other type of credit card "reuse" system. Customers enter the credit card once and can then use it in the future without having to renter the number. In that case, the stored credit card number is more like an asset--a certain amount of future revenue is based on the ease of purchasing. My analysis here does not apply to such companies, nor is PCI compliance limited to such companies. But even so, a scheme could be devised where even 1-click does not require the business to store the card number.
Kevin,
Thanks for the shout.
Also, great point about CC#'s not being "assets" (or more specifically, assets whose value decreases exponentially over time).
I've had more than one conversation with retail IT managers who basically resent having to shoulder the burden of risk.
Posted by: Alex | October 30, 2009 at 04:24 PM
ya right i also know this. Businesses that are eager to secure their digital assets would rightfully see PCI as a distraction since credit card numbers are not assets.
Posted by: Debt Rescue | January 05, 2010 at 02:03 AM