We have to be compliant with Canadian law for the data for Canadian citizens. Right now the majority of transactions take place at our St. Louis or Kansas City facility. There are other locations that also do work for us. The data needs to remain local only. From where I sit globally I can see threat actors attempt to work against the payment system no matter where they are. But as countries localize or look for localization of data, and that data can't be used in other places, the ability for me to analyze and see where the threat actor moves becomes more difficult.
The threat actors don't care about borders. They're willing to attack Latin America or Europe or Canada or the U.S. If I can see their attacks taking place in Latin America, but I'm not allowed to use that information to help protect another country, the attacker can then move without my using the learning to protect the other, so attackers can continue to attack different places without my using the information to help protect it.