One of the things that baffles me every time I walk into a retailer struggling with PCI compliance is why management doesn’t consider completely outsourcing all of their cashless payment processing.  I know how we ended up in this situation, but who takes the blame for continuing to push this paradigm forward? Let’s take payments off the table and re-focus on the information we store.

Information today is the lifeblood of business.  The value of information is in the process of distilling petabytes of information into actionable tasks that create competitive advantage.  Because information is perceived as highly valuable, the general position of information managers is “store or get access to every piece you can, then we’ll figure out how to make sense of it.”  Modern security and risk departments are fighting owners of high-risk (actual or perceived) information over what to do next.  The question that the information owner needs to HONESTLY answer is, “If I devalue or remove this data, can I still do my job effectively enough?”

Commerce bank card 2, by The Consumerist

Usually the answer is “Yes,” but with the caveat that some business process may need to change.

Stop and think about credit card data.  What retailer in their right mind thinks they can run a payment processing business?  I’m taking an extreme position on purpose.  But for a fun exercise, what would happen if you brought a trusted third party to talk to a retail CIO and CEO and they said just that?  What would the CIO or CEO say?

One of the first things that many business schools teach students is that businesses should focus on what they consider to be core competencies.  For retailers, that tends to be things like product placement, store flow, inventory management, marketing, and advertising.  In all of those cases, having good information in real time is required.  But what kind of information is needed to make that a success?  And did you notice that payment processing is not one of those items?

Without delving into a business discussion about the merits of how to run a business, the real question here is why would you keep this in house?  2010 is another year with many more deadlines and fines to come for a larger pool of merchants.  Those merchants now facing more fines should take a hard look at why they do not outsource their processing for the few cents they may “save” by doing it in house [1].

There are two things I am personally curious about, and I would love your comments below.  I’ll probably end up using them as research for a future post, so please do comment!

Question 1: If you do not outsource your payment processing, why?  Is there some reason other than “we’ve always done it this way” that is allowing companies to spend tons of money adding extra security into these systems and processes?

Question 2: Does the added cost of outsourcing processing outweigh the cost of compliance with PCI or other compliance and security initiatives?  This one is of utmost interest because I believe that with some hard data, we can prove that outsourcing is ultimately cheaper than doing this in house.

This post originally appeared on

  1. Can you tell I am a huge proponent of offloading this risk and cost?