Greg: Hey everyone, this is your host, Greg Myers and I wanted to make special and exciting announcement today. The entire month of July is Women Leaders in Payments Month and it is being sponsored by Paysafe. We’ve got a great line up of executives that will be announced soon, so please follow us on LinkedIn and Twitter for more updates.
Now on to episode 20 of the Leaders in Payments Podcast. My special guest this week is Tom Wimsett, the Chairman of ControlScan. ControlScan provides technologies and services that defend their customers against cybersecurity threats and at the same time they help their customers streamline and simplify the process of complying with PCI DSS. ControlScan’s depth of knowledge, experience and expertise in the small business market in both compliance and managed services solutions provides them true differentiation in the marketplace today. Tom is a Kentucky native and he has been married for 35 years to his wife that he met in high school. They moved around the country five times in a 10 year period and finally settled back in Kentucky, specifically Bardstown, better known as the Bourbon Capital of the World. Tom has a passion for education and giving back to the community. Over the course of his career, he has served on school boards, educational foundation boards, and advisory councils for public and private institutions. Tom provides some great advice for those just starting their careers in payments, including love to learn, work hard, and build healthy relationships. We’ve got a great show this week, so let’s get started.
Greg:
Hi Tom. Thank you for being here and welcome to the Leaders in Payments podcast.
Tom:
Thanks Greg. Happy to join you today.
Greg:
Great. So let’s just dive right in. Tell our audience a little bit about yourself, maybe where you grew up, where you went to school, where you currently live, a few things like that.
Tom:
Okay, thanks for the question. I grew up on a farm near a small town in central Kentucky. It was a small town called New Haven, Kentucky. I met my future wife in high school. We both graduated from the University of Louisville, her with an education degree and myself with a degree in accounting. We’ve been married for over 35 years. We have three children from ages 23 to 32, one grandchild and another on the way. We moved all over the United States during a ten-year timeframe. We actually moved five different times to different major cities during that timeframe. Each of my three children were actually born in different states. In 1997 we had the opportunity to move back to Kentucky, and so we settled in a small town about 30 miles south of Louisville called Bardstown, Kentucky. I don’t know if you’ve ever heard of Bardstown or not, but it’s rather famous. Bardstown is also known as the Bourbon Capital of the World and it’s really like the Napa Valley of bourbon. You know, having been back here for over 20 years now, my wife and I both came from large families, most of whom still live in the area. And it’s been really nice to be near family again after having spent 10 years kind of on the road exploring the country.
Greg:
All right. And so Kentucky is the Bluegrass State, right? So is the grass really blue there?
Tom:
It does have a blue tint to it. So depending on what time of year. But yes, Kentucky is a beautiful state with a lot of rolling pastures and a lot of rivers and streams and lakes and just beautiful area.
Greg:
Yeah, I’ve actually driven through it several times. So yeah, it is a very beautiful state. Let’s change gears a little bit and talk about ControlScan. So tell the audience what ControlScan does.
Tom:
Sure. So, ControlScan provides technologies and services that defend our customers against the barrage of cybersecurity threats. At the same time, we help our customers streamline and simplify the process of complying with the payment card industry data security standard or PCI DSS. You know, we are also certified to provide HIPAA compliance and attestations, but most of our focus is around the payment card industry data security standards. ControlScan started as a pure play PCI DSS compliance service provider. But over the years we’ve expanded our staff and our offerings to meet the security needs of our customers entire network environment. So now as both a managed security and a compliance service provider, ControlScan is able to deliver the expertise, the technologies, the solutions that really match our customer’s unique business requirement and the technologies that they utilize and the preferred payment acceptance environments in which they operate.
Greg:
Great. And being that you’re in that sort of payments ecosystem, I would assume sort of the standard payments verticals that you serve, are there certain verticals that are different than others or are they all, since they all take payments, pretty similar when it comes to what you guys do?
Tom:
So we work with a lot of the merchant acquirers and payment technology companies, payfacs, ISV, independent sales organizations as well as finance institutions. Really anyone who has an aggregator of small businesses. And so our portfolio, we have over a million merchants in our compliance portal that you know, they come to our portal to go through their annual attestation process. Of course the larger merchants have to have individual QSAs assigned to their account to actually go on premise. Now Covid changed a little of that, but generally they go on premise and they do onsite evaluations and they report on the attestation of that particular provider. Either issuing a report on compliance or a gap assessment, other types of assessment, type services that we’re able to provide. But yes, our portfolio of SMB merchants who are kind of the end users of a lot of our products, typically those verticals look very much like the merchant processing industry.
Greg:
Okay, great. And as you know, the industry is quite competitive. Any part of payments seems to be pretty competitive. So what differentiates you guys from your competitors out there?
Tom:
So, Greg really what differentiates ControlScan is our depth of expertise for the SMB market in both compliance and managed security solutions. I mean that’s a skillset that frankly is very unique and it provides us with strong differentiation. You know, most of our competitors either have a strong PCI DSS focus and they work on compliance needs of businesses or they’re a managed security services provider. They focus on one or more different types of cybersecurity, you know, manage products that they provide to businesses and lots of times you’ll see those in certain vertical markets that you know have a bigger need than other vertical markets. But I think that deep expertise in really both areas sets us apart from our competition. The other thing I want to emphasize here is our focus on the SMB merchant, the small and medium sized business. Again, we work with merchant acquirers and other payment aggregators over 150 different partners that really rely on ControlScan to not only provide this portal and compliance solution that’s easy and simplified for them to follow.
But we also provide support services for those businesses. If they run into any problem through that compliance journey and they can reach out to our call centers and ControlScan also gets high marks in the market for our customer service focus. Last point I want to make is that the managed security service providers, again, I talked about most of our competitors usually have a focus on PCI or managed security in the major security space. Most of those suppliers are really focused on the enterprise level customers. The bigger guys, obviously there’s a lot more revenues that can be generated from these large enterprise organizations who might have hundreds of millions of dollars invested in their infrastructure versus small and midsize businesses, mom and pop businesses. Often they’re operating one or two locations. Maybe they’ve built a small chain. Those organizations, they don’t have the internal expertise. They often lack the tools. And in fact one study recently estimated that approximately 71% of those businesses are not fully equipped to protect themselves against the cyber security threats that they see.
Greg:
So let’s talk a little bit about the industry has a whole. Where do you think the payments industry is headed, say in the next two to three years?
Tom:
Yeah, I think Covid has really created a lot of disruption in every industry. You know, through how our society and our world, as we all know, think in the near term and we’ve already seen some of this. There’s a big push toward contactless payments and I think you’re going to continue to see more innovation, more disruption around contactless payments. Contactless payments has had better penetration in some international markets and in the U.S. they’ve been working on contactless for years. But I do think that the pandemic has caused consumer demand to increase exponentially. And I think people see the real world benefits of these types of solutions in the next five to 10 years. I think we’re going to see a huge increase in frictionless payments. We’ve already seen that trend start and I think you’re going to see it accelerate things such as unattended payments.
I think as more and more of generation Z enters the workforce and big numbers, you’re going to see a lot of these card present processes and environments all move to unattended and low friction environments. Of course software based processing, the likes of Global and Worldpay and others who have invested heavily in those vertical markets. I think you’re going to continue to see growth in those segments. Mobile solutions including contactless, as I mentioned earlier and of course e-commerce and frankly the retailers and businesses that were early adopters of some of those technologies found themselves better equipped to deal with some of the challenges of the pandemic as well. And so I think you’re going to continue to see a lot of innovation and growth around those areas of payments.
Greg:
I agree. You know, I hear that contactless all the time and we’re far behind other countries, but I have a feeling this is going to really speed up that learning curve for people. And I’ve even talked to friends who have used contactless lately and never used it before and said, you know, they’re pretty hooked on it and they’ll probably never go back. So I think you’re spot on with that. And then the whole e-commerce, you know, moving online, I would think that’s really going to help ControlScan. I mean don’t you see that being very helpful as there’s going to be more need for the types of services you provide as more and more companies go online?
Tom:
Absolutely. The more devices that are online, the broader the attack surface is for cyber criminals. There’s a really a lot of tailwinds that help ControlScan because of the risk associated with cybersecurity threats and the push by regulators and others to follow best practices and to be compliant and adhere to data security standards and other security frameworks that exist. So we think all of those things, plus the continued expansion of card-based payments, I mean we talked about it may be card based payments is not the right term because there’s no card, it’s mobile, it’s frictionless. We’re going to continue to see, I think, rapid increase in those technologies.
Greg:
Yeah, absolutely. Well, let’s switch gears a little bit and talk about you. I know that you mentioned Kentucky and your time moving around a little bit there. So maybe talk about your professional journey and how you got to be the chairman of ControlScan.
Tom:
So Greg, I started my career in the payments industry when I was 19 years out. Believe it or not, I was an undergraduate student at the University of Louisville and I started out in an entry level role with National Processing Company and ultimately I spent 19 years at National Processing Company. NPC was an early pioneer in the payments industry. I grew with that company and I mentioned earlier, I moved all over the country for 10 years, five different cities running different businesses within National Processing Company’s organization. Ultimately I was promoted to the CEO in 1998 and really during my 19 years at the company, I helped the organization and under my leadership over four years as the CEO, we created over $2 billion in market value for our owners. That business was ultimately acquired by Bank of America and is still part of the Bank of America and First Data divorce frankly that those two firms are going through now. Probably most of that portfolio or a big part of it I’m guessing will stay with B of A, but that’s up for them to decide. From there I went on to form a company called Iron Triangle Payment Systems in partnership with GTCR. GTCR is one of the large private equity firms who’s been very prolific in payments. We built our Triangle Payment Systems over seven years, so about 240,000 small and medium sized businesses. And we sold that business in 2010 to Fifth-third Processing Solutions who paid us a little over $620 million for our business, combined it with Fifth-third Processing, change the name to Vantiv and went public 15 months later as you know, ultimately became Worldpay and is now part of FIS. Since selling that business to Vantiv, I’ve done a lot of entrepreneurial things as well as serving as a board director and chairman of a community bank.
You know, I’ve become an investor in a number of payment related businesses through an operating partnership with Thompson Street Capital Partners that I created in 2014, specifically with ControlScan that really came out of the partnership with Thompson Street Capital Partners. That’s a mid-market growth-oriented PE firm based in St. Louis, Missouri. Great firm, good group of folks there. We were competing against each other to try to buy a security services and network provider in Lexington, Kentucky called Echosat and Thompson Street ended up outbidding me for Echosat but then invited me to partner with them and help develop the company and expand it. And so Thompson Street partnered together and we acquired that business from the founding family. We promoted a gentleman named Mark Carl who’s the CTO to the CEO position and I became executive chairman and over the past five and a half years, we’ve really quintupled the size of that original investment.
We’ve acquired SmartLink Managed Services division from Heartland Payment Systems. Just as they were merging with Global, we acquired a managed detection and response solution. And a great security operations center or SOC that’s based in Hunt Valley, Maryland. We acquired that from Dunbar Security when they were selling the rest of their company to Brinks. And then of course we merged all those managed security businesses in with ControlScan who has always been one of the leading PCI DSS companies in the world. And so, we really brought kind of best in class security solutions and best in class compliance solutions under one roof when we merged Echosat and ControlScan. Also in 2012 I joined the board as an independent director for Jack Henry and Associates who’s also a large processor. They sell software to banks and credit unions all over the country as well as processing solutions to those banks and credit unions. Again, most of my careers been around payments and banking and financial services and most of the businesses I’m involved in today are involved in those industries in one form or another.
Greg:
So let’s talk about some things maybe you’re passionate about. So maybe one personal thing and one maybe business related that you have a lot of passion for.
Tom:
Well, thanks for asking you. I’m passionate about ControlScan and the opportunities that lie ahead there, but, but I’m also very passionate about education and really giving back to our communities. Over the past 25 years continuously I’ve served on school boards, educational foundation boards and advisory councils for both public and private institutions from elementary schools all the way up to the collegiate level. I think I mentioned earlier my wife and I both came from large families. We were both the first ones in our families to obtain four year undergraduate degrees. And it was life changing for us. We had really good education at the other levels too, both elementary, middle school and high school. But I think we just saw the difference it created in our lives. And so we’ve been very passionate about that throughout our lives. And one way that we feel like we can give back to the communities and particularly to young people and those that are really just starting their careers.
You know, one thing I’m particularly proud of in that area is probably for six years I recently stepped off this board, I served my term but for six years I served on the board of the Catholic Education Foundation for the Archdiocese of Louisville. And for two of those six years I served as the chairman of that foundation board. And we dramatically increased the opportunities for families who couldn’t afford to send their kids to private school. They really had no school choice and my children always had a choice where I could send them. And so Catholic Education Foundation we donate about, we raised and contributed about $6 million a year to about 3000 children to help partially fund the tuition for their, private school selection someplace their family wants them to go. So that’s something I guess I’ve been particularly proud of giving back to the community, particularly through educational opportunities and organizations has been a passion of mine since I was a college graduate myself, I would say.
Greg:
You mentioned also people just starting out their careers. And you know, even when I started in payments 15 years ago, I don’t think people I got out of college or were in other industries and looked at payments and said, Oh I want to go do that. But I think today it’s a lot different. I think wrapped all this around the term FinTech and that’s become a sexy term and there’s been a lot of money invested in this industry. So I think a lot of people actually want to start a career in this industry. So what would be some advice you would give someone maybe coming right out of college and they choose this industry? What would your advice for them be?
Tom:
I used to tell my employees constantly that one of the first things I would tell them, new employees always attend orientation for new employees. And when I was an operator and I would tell them, Hey, you’ve picked a great industry, whether you know it or not, 20 years ago, most people didn’t know it to your point. But now a lot of them do. And a lot of them really want to build careers in this industry. And it is a great industry. I mean you look back throughout my career, over 30 years in this industry and the industry has grown at more than double GDP for that entire timeframe. And you work in an industry that’s growing at more than twice GDP, you know that you’ve landed in a pretty good spot. The second thing I would tell them is love to learn. The Payments industry is very, very innovative now more than ever.
You talked about the attraction around FinTech and all the capital and resources it’s attracting and love to learn because there’s a lot that you can learn. I learn something new every day in this industry. And then the last thing I would tell them is work hard and build healthy relationships. And you know, hard work in my view is steel irreplaceable. People used to ask me all the time, well how’d you get ahead Tom? And, and one things I would tell him is when you were sleeping, I was working, you know, I’d work a lot of hours, particularly early in my career. And it’s something that’s kind of stayed with me, but anyway, and build healthy relationships. It’s okay to be determined, ambitious and decisive and bold. You know, frankly we’ve got a lot of people with those characteristics in payments. It’s best to do so in a kind, compassionate and considerate way. And I think people that do that are able to build, you know, numerous bridges that they can access throughout their careers. Whether it be a question that comes up down the road, whether it be a career opportunity, whether it be a recruiting opportunity, whatever that is, a referral opportunity. So build those bridges and enjoy the ride.
Greg:
Absolutely. I think that’s all great advice. I think anyone coming out of school that would listen to that and actually do it would be, would be successful for sure. So we’re about to wrap up. Is there anything else you wanted to add, either about ControlScan or yourself?
Tom:
I looked at your profile on LinkedIn and congratulations on your podcast609. And I love your philosophies as well. Those are very similar to my beliefs and how I’ve always tried to get involved with businesses that are differentiated because I mean being the same as everybody else, there’s just, I don’t know, there’s not much fun in that I don’t think.
Greg:
Yeah. Interesting. When you were talking about you know, your passion and education, I mean that’s how this podcast was born. I really saw where there was no one in our industry talking to the leaders and I think a lot of people, they put CEOs and chairmen and the C level people on a pedestal and I really wanted to create something where people, like you had an opportunity to tell your story and to share how you were successful so that people that listen and do it will then become successful as well. So it’s been part of my mission is to make sure this stays educational and hopefully inspires some people. And so I think we have a little bit in common when it comes to that. I think with that, Tom, we’re going to wrap up the show today and I know your time’s valuable. So I want to be sensitive to that, but I really appreciate you being on.
Tom:
Yeah, thank you, Greg. Really appreciate you having me.
Greg:
To all your listeners out there, I thank you for your time as well, and until the next story…