Turn the Lemons of Compliance into Lemonade: How compliance affects portfolio value

Posted on 17-Dec-2015


Moderator:

• Linda Grimm, CIPP/US, PMP - Director of Compliance Services - CSR, and WSAA Board Member

Panelists:

• Steve Elefant - Managing Director - Soaring Ventures

• Darrel Anderson, CIPP/US - Executive Vice President - CSR

• Heather Mark, PhD - SVP Market Strategy - ProPay

Agenda

• Has PCI really been effective at securing data?

• Panelist points of view:

– Steve Elefant – The risks of failure to secure data; real-world examples of the impact of a data breach

– Darrel Anderson – Turning compliance lemons into lemonade: how to turn compliance requirements into revenue opportunities

– Heather Mark – The future of data security: what’s in store for the industry?

• Audience Q & A

Confidential and proprietary

© 2011 CSR. All rights reserved. CSR is a trademark of CSR.

Has PCI really been effective?

The number of data compromises investigated has INCREASED since the introduction of the PCI Data Security Council in 2006.

Verizon Data Breach Investigation Reports, 2008-2012 (2008 – 4 years’ worth of data)


Has PCI really been effective?

The number of compromised records shows significant fluctuation, with a steady INCREASE in the number of records.

Verizon Data Breach Investigation Reports, 2012


The Facts

Verizon Data Breach Investigations Report, 2012

Smaller merchants are the new target:

[Chart: percent of breaches by business size (number of employees)]

Survey by The Hartford – 85% of small businesses don’t believe they are at risk


Personally Identifiable Information (PII):

• Name
• Address
• Zip code
• Date of birth
• Telephone number
• Cell phone number
• Email address
• IP address
• Business/employer address
• License plate number
• Vehicle identification number
• Log-in credentials
• Face, fingerprints, or handwriting

Sensitive Personal Information:

• Social Security number
• Bank routing and account number
• Driver’s license number
• Passport number
• Medical records
• Health information
• Credit card information – just one of many forms of PII


The Facts

While only 4% of breaches contained PII, PII comprised 95% of the records lost.

Verizon Data Breach Investigations Report, 2012

Steve Elefant

Managing Director - Soaring Ventures

What Happened? – After The Announcement

1/20/09 – Call to arms of all Heartland employees to visit clients and talk to partners

HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22

HPY 4Q08 earnings call – HPY drops to $3.43 on March 12; a 77.6% drop since the breach announcement

3/14/09 – Delisted from Visa list of approved vendors

4/30/09 – Reinstated on Visa list of approved vendors

1/8/10 – Settlement Agreement with VISA announced

2/18/10 – 4Q 2009 results reported. Share price opens at $15.13 on 2/19.

09/30/2011 – Share price $21.07 after release of E3 and Mobuyle

09/20/2012 – Current share price $33.00

Turn Compliance Lemons into Lemonade

Darrel Anderson, CIPP/US
Executive Vice President - CSR


The changing way ISOs make money

First chart (*2005 Visa Functional Cost Study):

– Rev. 17.7¢
– Cost 13.1¢**
– Profit 4.6¢

Second chart (*2010 Visa Functional Cost Study):

– Rev. 11.9¢
– Cost 8.1¢**
– Profit 3.8¢

[Pie chart segment percentages, labels not recoverable: 25%, 38%, 24%, 13%; 23%, 28%, 31%, 18%]

** Including Sponsorship Fee


How makes money on business Internet customers

Average ISO Level 4 Revenue $10 / month*

Average Go Daddy Client Revenue $38 / month

* Without interchange, VISA Functional Cost Study


How would a $5 per month extra revenue program affect ISO revenues and valuations?

– Annual Revenue**: + $331,912

– EBITDA (3 yr)***: + $873,424

– Revenue Stream Valuation: + $1,109,581

Or the equivalent of 827 new merchants

* Based on a 5,000 count portfolio
** 3 year average, 10% growth YOY, 4% opt out
*** Assumes 15% commission rate


How to Generate Portfolio Revenue with Compliance

• Collect what is owed to you

– 83% of accounts aren’t being billed 100% accurately

• Use “GoDaddy” Mentality

– Don’t be afraid to introduce new products; don’t be afraid to sell; don’t be afraid of attrition – it weeds out those that won’t generate revenues

• Risk adjusted pricing for merchants that hold data

– Merchants that hold more PII data are more risky. Charge them a premium

• Opt out programs

– They work, and they work well and they DO NOT cause attrition. They cause retention

• Revenue outside the mid and track

– 40% of your revenue should be coming from non-transactional sources, what is your number?

• 2 Level Compliance and non-compliance fees

– Create second level of both compliance and non-compliance fees

Data, Data Everywhere: Getting Beyond PCI DSS

Dr. Heather Mark, PhD
SVP of Emerging Markets

Heather.mark@propay.com

ProPay Confidential - © 2012 ProPay, Inc. All rights reserved

Data Protection is Like an Onion…

• Payment Data/Customer Information: PCI DSS; State PCI DSS laws; State data security laws

• Health Information: HIPAA; HITECH

• Financial Information: GLBA; State laws

• Company Information: SOX; Civil actions on behalf of shareholders

…It brings tears to your eyes.


Is this an ISO Problem?

• Focus has been on merchants and on payment card data

– Helping merchants be compliant can help secure the portfolio

• But what data are YOU storing?

– Protecting PII in your own environment can help secure your business

– Employee information like SSN, health insurance

– Merchant applications contain banking information


Evolution

• Definition of personal data is evolving

– Payment information

– Identifying information

– What about answers to security questions?

• Regulatory environment is evolving

– 46 state breach notification laws

– 2 states (so far) mandating compliance with PCI DSS

– FERPA; HIPAA/HITECH; GLBA

– State level data security laws


What to Do?

• Look beyond PCI DSS

• Conduct a regular inventory of data

• Determine your data protection strategy

• Stay abreast of regulation/court precedent

• Help secure the portfolio

Audience Q & A

Contact Information:

Linda Grimm – PMP, CIPP/US
Director Consulting Services, CSR
(707) 834-5147
lgrimm@csrcorporate.com

Steve Elefant
Managing Director, Soaring Ventures
(925) 283-9311
steve@soaringvc.com

Darrel Anderson – CIPP/US
Executive Vice President, CSR
(480) 603-6129
danderson@csrcorporate.com

Dr. Heather Mark, PhD
SVP, Emerging Markets, ProPay
(801) 341-5563
heather.mark@propay.com
