January 15, 2020
Visa has invested in data custodian Very Good Security (VGS), a four-year-old startup that holds private customer data for fintech companies and large enterprises, helps reduce their compliance risk and ultimately, ideally, lowers the potential risk of data breaches.
VGS acts as a storage vault for data so companies can serve customers without seeing or touching the information businesses are required to collect forcompliance measures (proof of identity) along with other sensitive information (like payment or medical information). When companies need to use that information, VGS generates aliases for the data to keep it protected and still allow clients to use it.
“Why should your social security number need to live inside everyone else's servers?” Peter Berg, vice president of business development and strategy at Very Good Security, told Cheddar. “There’s a way to exchange the value of the data without exchanging the data itself.”
Visa and VGS declined to disclose the sum of the investment.
“We continue to invest in and partner with companies that provide valuable capabilities for our clients and for the network,” Kevin Jacques, vice president of Visa Ventures, said in an emailed statement. With VGS “companies can reduce the scope of their data security and compliance requirements by eliminating the sensitive data in their systems, enabling them to develop innovative ways to pay without compromising security or functionality.”
The news comes on the heels of Visa’s $5.3 billion acquisition of data aggregator Plaid, which was announced Tuesday.
There’s a pattern of “Visa wanting to devalue data,” said David Sica, a partner at Nyca Partners, which was an early investor in VGS, and a former Visa director. He noted Visa’s efforts, starting around 2014, in tokenizing credit card numbers, a similar practice of replacing the 16-digit card number with a different, one-time-use number to reduce the risk of disclosing sensitive information.
Tokenizing sensitive data doesn’t ensure that companies are meeting the compliance requirements set by the Payment Card Industry, however; it ensures data is hidden, but if the company still stores the raw sensitive data it will be responsible for data leaks. That is, in theory, why it would want to offload that original data to a company like VGS.
“There are plenty of examples where something has gone wrong, where a company wasn’t handling data properly,” Sica said. “It’s very hard to operate in the fintech world; privacy is incredibly important, it’s become table stakes that you need to be secure and operate in a compliant fashion.”
VGS has raised $43.5 million to date. Other investors include Goldman Sachs, Andreessen Horowitz and Max Levchin, Affirm CEO and PayPal co-founder. It was also a launch partner for the U.S. launch of Visa’s Fintech Fast Track program, which lends startups access to Visa’s fintech partners and expertise to help them go to market faster.
Data as a liability
While data might be the most important asset of any company with a digital strategy (read: every company), it can also be its biggest liability. There were 5,183 breaches reported by September 2019 and 7.9 billion personal data records exposed, compared to 1,632 breaches in 2018 and 446 million records, according to the third quarter 2019 RiskBased Data Breach QuickView Report. Most were hacking incidents, it said.
Further, while just 6.5 percent of data breaches in 2019 happened in financial services firms, they exposed 62 percent of the year’s total leaked data records, according to a Bitglass report, compiled from data by the Identity Theft Resource Center and the Ponemon Institute. The cost per average breached record in financial services is $210.
It’s unrealistic to call a system unhackable, but segmentation of different types of data and different consumer inputs of data is a high priority for VGS, Berg said. Its engineers work to make the data hard to access in the first place, but even if a hacker managed to get through the system, the data wouldn’t be useful thanks to that separation.
“You’re reading about all these breaches — it’s happening because big companies and merchants are storing customer identity information alongside payment information, so it's a one-stop-shop for people to come in and get a treasure trove of data,” Berg said.
“By separating out those data stores and aliasing them, you're inherently more secure by having different places you need to go to be able to stitch all that together,” he added.