Conversation with Kıvanç Harputlu, Co-Founder & CEO at PCI Checklist
Peter Sidenius (Director, London) recently spoke with Kıvanç Harputlu, Co-Founder & CEO at PCI Checklist. During their conversation, Kıvanç details the origin and value proposition of the company as well as his views on the evolution of cyber risk for Banks and Payment Facilitators in the coming years.
1) Can you describe what PCI Checklist does and what inspired you to start the company?
PCI Checklist is a highly specialised product for the Payment Card Industry and helps Acquiring Banks and Payment System Providers (PSPs) assess and manage the cyber risks of merchants who get online payments on their websites. The continuous and exponential growth of e-commerce made cyber security a major challenge for merchants, who can be described as the weakest chains security-wise in the Payment Card Industry. In addition to that, this market is a great opportunity for Banks and PSPs as well. So, to solve this problem in the most accurate way, PCI Checklist helps enterprises maximize the merchant security of their portfolios, minimize data breach and compliance risks of merchants and also increase their own competitive power via the automated merchant onboarding product. This allows Acquirers to accelerate their merchant onboarding process from weeks to just minutes. Thus, PCI Checklist plays a huge role in the democratization of cyber security at the merchant level and so far we have remediated more than 5.000 merchants all around the world on behalf of our Bank and PSP customers, most of which are placed in the global top 100.
Before PCI Checklist, my business partners and I were providing system infrastructure solutions to online payment systems and payment facilities. In that business, we've faced many cyber and compliance issues regarding online merchants. These issues mainly consisted of card data breach-related fraud & chargebacks, regulatory fines, social engineering attacks and reissuing of customer cards. Acquirer companies; banks and payment facilitators urgently needed cyber risk and compliance management products to assess and manage their e-merchants. Also, these needs are parallel to the statistics: 90% of digital card data breaches happen on the merchant side.
2) What are the key differentiators of PCI Checklist versus competitors?
The best answer to this question stems from our company's starting point. When we define a problem in the market, we have to find a solution to make things right. First, we tried to implement vulnerability management tools and 3rd party security assessment tools to solve this problem. However, these products are well-designed for different needs and these turned out to be unsatisfactory for the needs of Acquirers. We've understood this after spending a great deal of time on various PoCs and demos. Then, we decided to establish PCI Checklist as a laser-focused product to solve Banks' and Payment Facilitators' specific problems in the merchant risk assessment. With this focused mindset, PCI Checklist created a new market which is described as "Merchant Cyber Risk & Compliance Management". In all of our sales, our product is not replaceable by any other tools and because of that, I can safely say that we don't have any competitors in the field. This is a totally new business and our customers really helped to create and shape this.
3) From your experience, how do you see cyber risk for Banks and Payment Facilitators evolving in the coming years?
The digitalization of the world is leading to a greater risk of card data breaches for issuers, acquirers, and merchants. For this reason, it is essential for financial institutions and payment facilitators to be proactive in their assessment and management of merchant cyber risks. This is not only for the protection of the finance sector, but also to protect customers from the financial or reputational damage that may come from a data breach. The Merchant Cybersecurity Report from the National Cyber-Forensics and Training Alliance (NCFTA) accentuates the importance of merchant cyber security for the financial industry and the need for banks and payment facilitators to be proactive in managing the cyber risks of their merchants.
The cost of a card data breach will be more significant for all parties. Warren Buffett famously said, “It takes 20 years to build a reputation and five minutes to ruin it.” A data breach can cause a massive loss of trust and customers, which can have long-term consequences. For issuers, such as banks or credit card companies, this could include reissuing cards, fines, and penalties. The 2022 Cost of a Data Breach Report by IBM and the Ponemon Institute says the average cost per record is $4.35 million. Acquirers, like payment processors, may have to reimburse merchants for fraudulent transactions and face fines or penalties. Merchants, such as retailers or e-commerce sites, could have to reimburse customers, update security systems, or face legal action. Costs for merchants range from $36,000 to $50,000 per incident, plus extra expenses if a lawsuit is filed.
4) What do you do in your spare time? What are your hobbies?
In my spare time, I'm a radio host, mentor, squash player, and avid reader. I find great satisfaction in mentoring start-ups and sharing our experiences to help them to reach their full potential. Squash is an exciting and challenging game that I've been playing for many years. It's a great way to stay fit (or try to) and have fun, as well as a great way to relax and socialize. I'm also a big fan of reading business and startup books and listening to podcasts which are related to them.
5) What book are you reading, or which is one of your favourite books?
As a lover of books related to business, strategy, and startups, I'm always searching for useful and interesting reads. "The Hard Thing About Hard Things" by Ben Horowitz is one of my favourites. This book offers amazing advice on how to deal with the tough decisions that come with running a business, and how to stay strong during challenging times. It's a must-read for anyone interested in the world of startups, and I definitely recommend it! As Ben Horowitz puts it, "The hard thing isn’t making decisions; it’s understanding which decisions to make."
The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).
Peter is a senior advisor in the London office and heads up the regulatory practice for EDC. Peter has over 30 years of experience in strategy consulting to a variety of leading industry clients in financial services, with wide geographical experience across the European, North American, Middle Eastern, and African markets. He has delivered strategic consultancy assignments within the physical and e-business arena of financial services, providing strategic payment service analysis, profitability analysis, operational reviews, new product development, benchmarking studies and providing regulatory advice to leading clients. Peter is a regular conference speaker and Chairman at events concerning payments and fintech business. Outside work, Peter enjoys playing golf and following Formula 1 racing.