By Samantha Drake
Photography by Mitro Hood
During the height of the December 2013 holiday shopping season, Target Corp. admitted a massive data breach had occurred, exposing the personal information of 40 million customers who had used their credit and debit cards at the retail chain.
Ultimately, Target found that the personal data of approximately 110 million customers had been compromised, which led to a nosedive in sales, scores of lawsuits against the retail giant, and state and federal investigations. A few months ago, Target’s CEO resigned.
The data breach didn’t surprise Jeff Shanahan at all. “We knew that was coming,” says Shanahan, 36, who took over as CEO of payment processor CardConnect in February 2014. “We knew there were many, many merchants out there that were taking people’s cards and not securing them from the minute they got them.”
Huge data breaches tend to catch Shanahan’s attention because King of Prussia, PA-based CardConnect is in the business of making sure its clients’ in-person and online credit and debit card payment transactions are secure. Target’s was hardly the first big data breach, but it made CardConnect’s customers nervous enough to check in and make sure they were adequately protected, notes Shanahan.
“The Target thing was a wake-up call for our industry as a whole,” he says. In 2014 alone, Neiman Marcus Group Ltd., P.F. Chang’s China Bistro and Michaels craft store chains have all announced significant data breaches that compromised the information of millions of credit and debit card holders.
CardConnect’s goal is to ensure its customers don’t become a statistic in this disturbing trend. Its proprietary payment gateway and security products address the needs of merchants who accept credit and debit cards, as well as gift cards and loyalty cards. With more than 50,000 retail customers nationwide, ranging from the pizza place down the street to Fortune 500 companies, CardConnect processed $13.1 billion in card transactions in 2013, not including debit cards. The growing company brought in more than $349 million last year and has 125 employees, up from just 25 in 2010.
And along the way, Shanahan has made key strategic decisions that enabled the company to scale quickly by buying smaller, similar companies, and then focusing on obtaining technology CardConnect didn’t already have. At the same time, Shanahan drove CardConnect’s relocation from Ohio, led the company’s rebranding, and positioned the company to meet the latest security challenges.
Work and family
In 2006, a group of entrepreneurs, including Brian P. Shanahan, Jeff Shanahan’s oldest brother, formed the payment processing firm Financial Transaction Services LLC in Cleveland, OH. The founders picked Cleveland primarily because that’s where the company’s first president lived.
A few months later, at Brian Shanahan’s urging, Jeff Shanahan joined the new company as chief operating officer and relocated his family from Pennsylvania to Cleveland.
“I’d always thought about working with Brian before, but I didn’t think it would work too well being in the same office,” Shanahan admits, adding with a laugh, “We both have large personalities.” Fortunately, Brian Shanahan, who was CEO at the time and lives in Pittsburgh, left the day-to-day operations to his brother. “It actually worked out wonderfully,” Shanahan adds.
“It was time to pass the baton,” says Brian Shanahan, 43, a serial entrepreneur in the credit card processing space and now CardConnect’s non-executive chairman of the board. He notes that he and his brother think similarly and see high-profile breaches like Target’s as both vindication of CardConnect’s approach and an assessment opportunity. It’s a toss-up as to who calls the other first to talk about the latest data breach news, Brian Shanahan adds.
The two aren’t the only family members involved in the company. Their youngest brother, Patrick, joined CardConnect in 2008 and is now chief operating officer. In addition, their father, Jim, and another brother, Michael, are among the company’s more than 1,000 independent sales agents that resell CardConnect’s services. A fifth brother is a cardiologist in Pittsburgh. Naturally, at Shanahan family gatherings, the talk inevitably centers on work. “Fortunately or unfortunately, it always turns to business,” says Brian Shanahan.
On the move
The company remained in Cleveland for more than six years before relocating to the Philadelphia area. Shanahan says moving the company’s headquarters has been his biggest decision so far. “With all due respect to Cleveland, it was very hard to find new talent there,” he says. “I never felt like we could get to the next level there.”
Shanahan presented the move to the 30 employees in the Cleveland and Chicago offices as an opportunity to grow with the company. “We knew we had big things ahead,” he explains. He was pleasantly surprised when the Cleveland employees jumped at the chance, although the Chicago workforce was a harder sell. The company, renamed CardConnect, offered generous relocation packages to those who wanted to move, and separation packages to those who didn’t, says Shanahan.
The relocation cost CardConnect about $3 million, which was a big hit for the company in the short term but will pay off in the long run, Brian Shanahan points out.
King of Prussia’s suburban location outside of Philadelphia was a logical, affordable choice on the East Coast for the new headquarters, Shanahan says. CardConnect still has an office in Cleveland as well as offices in Boca Raton, FL, Kansas City, KS and Denver, CO. Shanahan and his wife, Tara, and their son and three daughters, ranging in age from one to nine years old, now live in Devon, PA.
CardConnect’s strategy since its inception has been to grow quickly by buying other companies. Between 2006 and 2012, CardConnect bought nine companies around the country.
The acquisitions — one in 2006; two in 2007; one in 2009; one in 2011; and four in 2012 — brought scale to CardConnect and reversed its negative cash flow. “We were a small merchant service provider to a few thousand merchants back in 2006. Our first few acquisitions were done more out of necessity; we needed to get bigger quickly,” explains Shanahan. “Until you get to scale, you’re kind of always behind.”
Each new purchase brought a new salesforce and customers on board, enabling CardConnect to increase the number of transactions conducted, a key measurement in the industry, he points out. As CardConnect grew, its strategy became more selective as it began focusing more on technology and buying similar, small providers of merchant services, Shanahan says.
The purchase of Princeton Payment Solutions (PPS) in 2012 represented this focus and, because PPS is located in the Princeton, NJ, area, it also reinforced the decision to move the company headquarters to the East Coast, Shanahan explains. The deal boosted CardConnect’s customer list with customers including General Electric Co. and Adobe Systems Inc.
PPS brought CardConnect a tokenization process it had developed and patented for its Fortune 500 customers. Tokenization involves replacing sensitive payment data with a unique identifier known as a token, which renders cardholder data unreadable and therefore useless to hackers. According to CardConnect, combining tokenization with point-to-point encryption (P2PE) — where plain-text card data is converted into cipher text at the time of collection — offers the best protection against data theft.
Building a brand
“When I look back, most of our great decisions were made fairly quickly and based on our instincts,” notes Shanahan. “When you’re growing fast, nobody sits down with a playbook and scripts what you’re going to do with the company.”
Rebranding the business, for example, was a swift and intuitive process. In April 2013, Financial Transaction Services changed its name to reflect the company’s shift from working primarily with independent distributors to developing and selling its own products and services. Shanahan says he also wanted the new name to be the company’s URL.
Brainstorming sessions and consultations with a local public relations firm focused on what the new name should convey about the company and its business. “It boiled down to ‘we connect card transactions,’” says Shanahan. So the company settled on the name CardConnect, tested it out, and then ran with it.
Too much analysis and planning can undermine the decision-making process, says Shanahan, pointing out that, “the more you analyze things and the more you think about things, the more complex they get. Oftentimes the answer is sitting right in front of you.” He advises others to simply “go with your gut and don’t overcomplicate things.” Mistakes will be made along the way, of course, but your decision-making track record will improve over time, he adds.
Shanahan admits it was easier to make quick, instinctive moves when the organization was small because at that point, the decisions were made “out of survival.” In the early days, management knew the company had to get bigger fast, so they researched the best acquisition opportunities and then went out and bought those companies. CardConnect could afford to take risks because it had less to lose, he notes.
Shanahan is known for his ability to make quick, confident decisions, confirms Patrick Shanahan, 29, who became chief operating officer in 2011 after joining CardConnect to help manage a new acquisition. Buying another company is already a long process without spending months hashing out details, he says, noting that Jeff Shanahan knows what’s important and what’s not in closing a deal.
A rapidly growing business needs a leader who is “nimble and can change directions quickly,” Patrick Shanahan says. “Not everyone is cut out for it.”
Test, evaluate and pivot
As CardConnect grew, Jeff Shanahan says, he started taking a more analytic approach to decision making. “You don’t do things as fast as you did early on because you’re trying to do the ‘perfect’ acquisition or the ‘perfect’ deal,” he explains.
The company pivoted its business strategy in 2012 with the purchase of PPS. Until then, CardConnect primarily resold other companies’ processing services and payment gateways, which capture the credit card information and send it to the processor. In order to keep up with competitors, CardConnect began providing its own payment solutions through PPS. The new strategy gave CardConnect a foothold in payment gateways, which continue to be a dynamic, developing part of the payment processing industry.
Of course, not all decisions work out as planned. Shanahan acknowledges CardConnect overextended itself in 2012 when it bought four companies. As the company struggled to absorb its new assets while continuing day-to-day operations, it took a needed break from acquisitions in 2013.
“You have to pace yourself a bit. I think at certain times we tried to grow too fast,” says Shanahan. “As a result of doing too many acquisitions at once, we ended up with some problems.” There’s only so much time and so many people to manage the issues that come up, he notes.
Shanahan says the organization is now ready to jump back in and is scouting potential firms. “We are looking to buy,” he says.
A bright future
As CardConnect continues to create new security solutions for its customers, its biggest upcoming challenge is helping customers comply with certain security mandates by their 2015 deadlines.
U.S. merchants adhere to standards for protecting payment card data set by the Payment Card Industry (PCI). PCI is mandating the replacement of credit and debit cards that have a magnetic stripe on the back with cards embedded with EMV chips that encrypt the card’s information. “EMV” stands for Europay, MasterCard and Visa, the card issuers that first championed chip-based payment cards.
Europe and Canada got on board with the initiative right away, but the U.S. held off and is now playing catch-up with the rest of the world, says Shanahan. Merchants must now have EMV-compliant terminals to accept payment cards with EMV chips by October 2015 or face a shift in liability from the card issuer to the merchant.
Shanahan considers the move to be too little, too late. “The EMV thing is great, but implementing it after the fact doesn’t help much,” he says. Furthermore, “the cost of converting to EMV is a lot higher than it would have been 10 years ago.”
In advance of the deadline, CardConnect is partnering with payment solution provider Ingenico to offer customers EMV-compliant payment acceptance devices integrated with CardConnect’s encryption technology, says Shanahan. While CardConnect had no control over the timing of the migration to EMV cards, the company hopes to capitalize on the mandate by enticing customers to use point-to-point encryption as well.
A second 2015 deadline also looms. PCI is rolling out its latest Data Security Standard (DSS), known as PCI DSS 3.0, which governs the controls on sensitive data stored on credit, debit and other types of cards to reduce data breaches and fraud. Among other things, PCI DSS 3.0 will require merchants to be more vigilant about monitoring for security breaches. PCI DSS 3.0 is being phased in over time, but will officially take effect on July 1, 2015.
Once again, the stricter PCI DSS 3.0 standard is a reaction to breaches that have already happened, Shanahan points out. Still, CardConnect has its work cut out helping get customers on board with the new, costly requirements, particularly smaller merchants. “It’s hard to get a small pizza shop to get concerned about fraud or security,” he says.
Predictably, as a proactive decision maker in a reactive industry, Shanahan isn’t waiting for customers to ask for help with the new requirements. CardConnect is pushing EMV compliance while developing EMV-compliant terminals and other solutions as quickly as possible. If customers still need convincing, Shanahan can point to the Target data breach as a recent example of what can happen if a business isn’t prepared.
Samantha Drake is a freelance writer based in Lansdowne, PA.
When it comes to huge data breaches that affect millions of customers, Target has plenty of company. Here are a few examples of other companies whose security systems were hacked, exposing the personal information of millions.
In 2011, hackers attacked several divisions of Sony, including its PlayStation Network. In all, personal information of 77 million customers was put at risk.
TJX, the parent company of the T.J. Maxx and Marshalls store chains, announced in 2007 that 94 million customers’ records had been affected by a data breach.
Heartland Payment Systems
The payment processor for more than 250,000 businesses nationwide said in 2009 that hackers had exposed information of 130 million credit and debit cards. It’s considered the largest data breach at a U.S. company.
Last fall, Adobe announced that the data of 38 million of its customers was breached when hackers accessed its systems.
CardConnect’s business plan includes growth through acquisition. Over the course of the last six years, CardConnect has expanded its services, geographic reach and company size by acquiring the following nine companies.
Aliant Financial Services, Sarasota, FL
Boaz Payment Systems, Atlanta, GA
Allied Bancard, Chicago, IL
Optimal Card Present Business Unit, Detroit, MI
Efficient Payment Processing, Chicago, IL
Princeton Payment Solutions, Princeton, NJ
Change Card Systems, Boca Raton, FL
Marathon Solutions Inc., Mission, KS
Dependable Payment Processing Inc. and Discount Processing Inc., Pittsburgh, PA