Originally published in the PYMNTS.com Fraud eBook by Matthew Leavenworth
You have a secret that only you know. If you keep that secret to yourself and tell no one, then there’s no problem — no one else in the world knows what you know. But what if you have to share this secret? Who do you choose to tell? You may find someone who you trust with this secret. But how do you exchange that information? Do you tell them in person, face-to-face? Do you whisper it to them over the phone? Do you write it on a piece of paper? Do you text it? Do you email it? What is the most secure way to share the secret without anyone else listening in or reading over your shoulder?
The reality is that as soon as you share a secret with someone else, it is no longer really a secret. It’s not as secure or as safe as when you kept it to yourself. The problem with keeping secrets is that needing to share them makes us vulnerable. The most recent example of this is the unfortunate breach at Equifax, which occurred because the company is in the business of exchanging sensitive data, and, by definition, is sharing secrets that are potentially exposed in transit.
With Great Power Comes Great Responsibility
Data is power; by adding context you can create information, and information, in turn, can help one make better decisions. But with great power comes great responsibility. Almost all companies are responsible for exchanging, managing and securing some data in their custody. When handling and sharing their data, sometimes they overvalue it, sometimes they undervalue it, sometimes they hoard it and (unfortunately) sometimes they squander it.
And as with Equifax, some of these companies aren’t able to keep their data safe and protected from those wishing to misuse it. In this way, being responsible for data is also a double-edged sword. When faced with the downsides of that double-edge, many companies retreat and look for ways to stop exchanging data. That is too bad, because, for the most part, sharing data makes the world a better place for everyone. For instance, knowing more about customers (via data sharing from different pools of data) actually enables better protection of that very data, because when the data is misused, it is more readily identifiable. In payments, data is different from most other kinds of data, and its value comes from efficient (and secure) exchange of data.
Payment event data (the data related to the actions to prepare, execute and warehouse the data) is unique as it has special requirements for security. It’s used within financial systems as the basis for accounting. It describes the state of the relationship of the sender and receiver. It is embedded within the most important processes of every business. And, truly unique, it’s never owned just by a single party and so must be shared! Therefore, when data breaches cause companies to retreat from exchanging data, payments events don’t work as well as they could, should or need to [in order to] create the seamless experiences that customers want.
Next Steps to Security
So what is a potential way forward? It all comes down to the way that we have approached “the right” to use a specific customer’s data. Most companies today ask their customers to agree to provide them rights to the data (that customers actions produce with that company) in a “block grant” all-or-nothing approach. This approach is made worse by the open-ended and vague “potential” uses of the data that the legal agreements stipulate.
There is a better way to do this. Customers should not have to hand companies “carte-blanche” rights and should be asked for permission to use specific data for a specific purpose on a caseby-case basis. This is 100% technically feasible. Today’s always connected, smartphone enabled, real-time feedback culture is also ready. Of course this case-by-case request for permissions puts the burden on companies to succinctly explain the value proposition that they want the customer to accept. As a block, it is practically impossible to make consistent rational decisions about data. On a case-by-case basis, the right answer can almost always be quickly determined by the customer. Companies might be surprised just how often people will say yes. When customers understand the value of individual exchanges of data they will be better participants in the data sharing ecosystem. They will keep companies focused on the value of the exchange to their customers as opposed to the company (only). This process can also help companies understand more about what their customers value and then relate with them better in the future. Over time this will increase the confidence that the customer has in the company and very well may result in larger “bulk” agreements to data sharing. More data will be shared more intelligently and will help us all work better together. Especially in payments and the events they represent!