Do you ever wonder how we got into this situation?  Where merchants are facing tremendous fines for non-compliance, companies are being compromised by hackers here and overseas, and data security programs seem to be non-functional at best (if not non-existent)?

Image by constantly_Jair

I’ll tell you how… MBAs.  Yep, those pesky folks that learn the inner workings of how to take advantage of numbers to best increase their own personal compensation?

Yes, another MBA dog-pile.  And I feel qualified to pick on my MBA brethren because I are one.

All seriousness aside (did I do that right?), let’s think about how payment systems started inside retailers.  This is a classic example of the Build vs. Buy problem in every single MBA finance class.  In the last three decades of the 20th century in the US, retailers faced growing pressure to accept branded bank cards for payment—those brands being virtually the same as they are today.  Before the significant advances in computing power in the 1970s and 1980s, credit cards typically were processed by hand with something affectionately referred to as a knuckle buster.  The first electronic authorization systems were not even released to the market until 1973.

So in the late 1970s and early 1980s, MBAs were presented with the following problem.  Outsource processing to a third party, or build my own processing systems and pocket the difference in cash.

As we all know, most went with the latter.

The financial models typically were quite compelling and showed a relatively rapid payback of the initial investment.  The problem is that early in this decade, the financial models changed.  Various governments and industry institutions created regulations for protecting data—something that security professionals had been arguing for for years.  Now the maintenance cost of touching this data has dramatically increased, rendering the old financial data that went into the original Build vs. Buy model irrelevant.

In fact, I challenge any merchant to take a hard look at this part of their business.  Why are you processing and/or storing all of this data?  Shouldn’t you go back to your core competencies (another fun MBA term) and focus on retailing?  Why are you building a giant cost center around processing credit cards for a few cents per transaction?  Isn’t that the money that you should be spending on information security (and, as a secondary benefit of getting the first point right, compliance)?  Knowing information about your customers is essential to doing business, but what information do you actually need?  What can you outsource?

Information Security IS a cost of doing business, but its impact on your bottom line can be greatly reduced by smartly outsourcing items that do not fall under your core competency.

So there you have it.  Blame those savvy MBAs for making the numbers work in such a way that caused this giant mess!

