May/June 2014 – Issue 3


Is the Data You Share With Your Lenders Secure?

By: Cheryl Conner
Taking a look behind the alternative curtain.

The current economy and the banking crisis have put a damper on traditional business loans, but entrepreneurs and growth companies have never had so many alternative choices. The newest March 2014 data from Biz2Credit reports that banks approved only 18.8% of business loan submittals in February (there is some good news, however, in that the rate is a near 20% increase over the same time period in 2013).

Yet as bank loans continue to languish behind the 45% approval ratios in the era before Lehman Brothers crashed and other banks began closing, alternative lending has stepped forward to fill in the gap. New choices such as peer-to-peer lending, factoring solutions and merchant cash advances are advancing rapidly to keep new and growing companies on positive ground.

But are these alternatives safe? I’m not referring in this discussion to the appropriateness of fees and interest charged or compliance with securities and trade regulation. These are separate issues. Aside from those concerns, is the sensitive data you share secure, and is the transaction technology you use to transmit payments to your lending provider keeping your money and your data safe?

What's Behind the Alternative Lending Curtain?

By now we’ve all heard the nightmare stories of online transactions gone wrong, payment authorizations gone haywire and business information (and customer information as well, in the case of the Michaels and Target breaches) somehow falling into scurrilous hands as it ascends to the cloud.

These are issues no business can afford and, in worst cases, could even close your company down.

Before we begin this discussion, it’s important to note that even the major banks are no strangers to security breaches. Some of the biggest data breaches involve the world’s largest financial institutions. Why? Because the incentive for criminals to breach a major system is larger, with bigger dollars and more customer information involved. Human error is a factor as well, as some of the seemingly most secure organizations in the world can fall victim to a forgotten data certificate renewal or an ex-employee who continues to hold a system password.

some respects a bit of a Wild West, and it is vital to ensure that the program you choose is keeping your data secure.

And what about PCI DSS security? What is PCI DSS security, you may ask? As reported by Wikipedia (http://en.wikipedia.org/wiki/PCI_DSS) in 2009, the Payment Card Industry Security Standards Council, an independent and widely trusted organization, developed a proprietary security standard called the Payment Card Industry Data Security Standard (PCI DSS) to reduce the incidence of credit card fraud. The PCI standard dictates 12 requirements for compliance that ensure payment card transaction providers have an appropriate level of security in place.

PCI compliance is not required by federal law; however, multiple federal laws make reference to the PCI requirements, and in at least two states (Nevada and Washington) PCI compliance has become a state law. Minnesota, interestingly, enacted a law in 2007 that prohibits organizations from retaining credit card data at all. (Do you remember the legal offices that used to send an invoice and ask you to send it back with your credit card information for them to keep in their files? Wrong, wrong, wrong—and also illegal in any state that recognizes PCI rules.)

In an email interview, Laura Johnson, spokeswoman for the PCI Security Standards Organization, tells me that all five major credit card providers are PCI compliant, as follows:

“PCI standards apply to payment card data branded by one of the five founding brands, which means any entity that accepts, processes, transmits or stores account data from a PCI branded payment card should be applying PCI DSS for the protection of that data,” she says. “However, PCI DSS doesn’t apply to bank account data.”

Some critics have argued that the full PCI standard (there are 800 pages of documentation) is too complex, and that even strict adherence provides in some opinions “only a security baseline,” Wikipedia says.

However, according to Visa Chief Enterprise Risk Officer, Ellen Richey (also quoted by Wikipedia), “…no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”

Do alternative lending companies meet PCI Compliance? I posed this question to several leading providers this week. In some cases, respondents noted that their organizations do not hold any credit card data within their server facilities, but simply pass their clients directly to the payment portals of their transaction processing partners, making the PCI compliance requirements a non-issue for them. They are correct. In one case, one of the fastest growing and most popular peer-to-peer lending organizations, Lending Club, flatly refused to respond.

I was highly impressed, however, by two of the organizations I queried. In the first case, Kabbage (www.kabbage.com) has admirably stated in the privacy policies on its company website that the company ensures that all of its transaction partners are PCI compliant. Way to go! Here’s a great example of a company that has moved beyond simply noting they are “in the clear” and has taken the practical steps of doing all within their power to protect their customers’ data and to give their customers full insight into the ways they have gone the extra mile to keep their data secured.

The second great example I encountered is Merchant Cash & Capital (MCC, www.merchantcashandcapital.com), a fast-growing provider of business advance funding, a product that allows merchants to leverage their credit card sales towards financing. In a phone interview, President and CEO Stephen Sheinbaum was highly open to discussing the importance of data security in the financial products his organization provides. Like Kabbage, MCC has gone above and beyond in holding itself to a higher standard of security than is legally required.

Said Sheinbaum, “Unofficially, we’re holding ourselves to PCI-like standards. We think maintaining the security of data is essential, and critical to any business.”

“We enforce clean desk and locked file cabinet policies,” he reports. “Most of our executives come from banking backgrounds, which is helpful, but we’ve grown our company up with the knowledge that maintaining data security is paramount to us all.”

“We see the more substantial companies in this space are taking these issues more seriously,” he notes, “but as alternative lending progresses, I believe we’ll see this area starting to be more regulated as well.”

Sheinbaum notes that speed of funds is obviously important in alternative lending transactions, but security is vital as well. “People should definitely be doing their homework when choosing a lender.”

While MCC is currently focused on funding through merchant cash advances, Sheinbaum reports the company expects to be launching additional new lending products in the near term as well. “We are experiencing hyper growth, and much of it is because of new technology and distribution channels we’ve rolled out to get approvals into merchants’ hands as quickly as possible without sacrificing the integrity of our underwriting process,” he says.

In the Wild West of alternative lending, I give strong kudos to organizations such as Kabbage and MCC that are voluntarily taking more steps than required to ensure their customers’ money and data are safe.

In a nutshell, when it comes to transaction and data security, I would like to share the advice of security expert Jon Orwant, as reported in O’Reilly’s OpenP2P.com: In any organization, small or large, you shouldn’t look for security to be assured by a chunk of software or hardware alone. Proper security is a process, he notes, which means developing an understanding of how data flows through your own organization as well as through the organizations of your lending partners so you can enforce the policies and enact the safeguards to “keep your data in the hands of Alice and Bob, but not Eve.”

And here are some final words to the wise to alternative business loan customers: Be careful as you select a lending partner. Weigh out all aspects of the funding providers you’re considering to ensure that every aspect of your funding arrangement—in addition to speed of funds and the rate of interest—will prove to be a good deal.


Cheryl Conner is a communications expert whose ongoing columns on business appear in the Entrepreneurship channel of Forbes.com. Her entrepreneurial stories have also been published in WSJ, Huffington Post and Yahoo News. Additional reporting for this article provided by writer and editor W. Craig Snapp.
