So, there are tremendous implications for their business model, but to place the spotlight on one area, let's focus on data security and regulations (my favorite). AMEX is one of the organizations that built the PCI DSS, the PCI SSC, and all recent publications. The intent of PCI was to have industry-forced mandates that protect cardholder data. As private companies, Visa and MasterCard had a lot of leeway in how they handled operations and were able to contain the management of requirements. The IPOs of these two associations, and now AMEX becoming a bank, present a future that is far different than it was 3 months ago and 12 months ago.
Banks are subject to extensive regulation, and there is substantial information surrounding the safeguarding of data through information technology controls. The FFIEC books are world renowned for their coverage in this area. In addition to these known requirements, there are additional third-party requirements that will be introduced. Anyone who has done business with a financial institution that is required to abide by GLBA knows that they too must satisfy the requirements.
My point in highlighting GLBA and regulatory leakage (when the requirements of one sector trickle down into other sectors of the economy – SOX, anyone?) is that while PCI DSS is here to stay, there must be greater forms of validation surrounding Information Technology and Controls. Those who operate within the payment industry would be strongly advised to continue to practice PCI DSS, but also to maintain a more holistic view of contributing and supportive regulatory mandates to ensure smooth operations in the near future.
Other thoughts on how AMEX becoming a bank will impact business?
James DeLuccia IV
Event Update: BOOK Signing, Free Tastings, and such at Starbucks 1400 Dunwoody Rd, 2-4pm Nov. 23rd. (there will be prizes, so feel free to stop by even for just a moment!)