The Green Sheet Online Edition
August 27, 2007 • Issue 07:08:02
Risk assessment: What you need to know
Risk assessment is central to everything we do in the payments industry. The pervasive underlying question for you, as ISOs and merchant level salespeople (MLSs), is: What degree of risk do specific merchants pose to the integrity of the electronic payments system?
In May 2007, Visa U.S.A. issued a new Cardholder Information Security Program bulletin.
The bulletin set forth acquirers' responsibilities in 1) defining risks associated with level 4 merchants as a class, and 2) prioritizing compliance with the Payment Card Industry (PCI) Data Security Standard, based on assessing risk merchant by merchant.
Five areas of scrutiny
Visa defined five areas to consider in determining the level of risk a given merchant poses to the system:
- Acceptance channel
- Payment technology
- Transaction volume
- Number of locations
- Merchant category.
Each of these areas is divided into two levels: "lower risk" and "higher risk."
For example, it has been found that restaurants, as a group, are higher-risk because they are targeted more than any other industry segment for security compromise.
The risks associated with acceptance channel and payment technology are not intuitively understood or easily predicted by the bulk of merchants or most members of our industry.
Acceptance channel can be either card not present (lower risk) or card present (higher risk).
In the card present environment, the capture of magnetic stripe information and PIN data poses a high potential for fraud exposure.
In addition, merchants who use integrated POS systems are more vulnerable than those who use stand-alone dial-up systems.
Input from the GAO
In November 1999, the U.S. General Accounting Office (GAO) published Information Security Risk Assessment: Practices of Leading Organizations. It is a primer that everyone involved in the payments industry should study.
According to the GAO, risk assessments are associated with three types of activity:
- Development of new computer systems
- Procurement of production systems from other vendors
- Improvement of legacy system security features.
Also, the GAO stated risk assessments generally are "limited in scope to a primary business process and supporting systems. The supporting systems include the software, databases, and the hardware and network technology supporting the software, as well as the people who use and rely on these resources."
The preceding paragraphs bring into focus the issues of electronic security, physical security and system development, which are the core issues of PCI.
In addition, the Federal Reserve Policy on Payments System Risk, as amended July 20, 2006, clearly defines the areas of greatest concern that must be considered when evaluating particular business relationships for threat to the electronic payment system.
Questions to ask pertaining to such relationships in our industry include:
- Could this create significant liquidity (monetary) disruptions in any part of the payments chain?
- Could this create large, significant liquidity disruptions relative to the acquirer's/ISO's (risk holder's) financial capacity?
- Are the settlements likely to be for large-value (high-ticket) transactions?
Elements of risk assessment
Risk assessment aids in understanding negative influences on operations and outcomes and helps in making informed judgments about what needs to be done to increase data security.
For example, bank officials conduct assessments to manage the risk of default.
Risk assessments generally delve into potential harm that could be done by intruders, criminals, disgruntled employees, terrorists and natural disasters.
As reliance on computer systems and electronic data has increased, the need to understand and manage data security risk has grown.
It is essential to base estimates of the likelihood of harm on historical information and the judgment of knowledgeable individuals. As part of risk assessment, it is imperative to do the following:
- Rank the value, sensitivity and criticality of the asset in question.
- Estimate the potential for damage.
- Estimate recovery costs.
- Identify actions to reduce risk.
The risk of a specific event occurring and the costs associated with its correction are difficult to quantify.
Some traditional considerations in this analysis are the possibility of a hacker attack and the costs of the damage, which include disruption of normal business operations, loss of client confidence, and expenses associated with the replacement or modification of both hardware and software.
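The following Python sketch is an added illustration, not part of the article or of Visa's or the GAO's material. It puts the two procedures above into working form: it flags a merchant on Visa's five areas (treating card present, integrated POS and restaurants as higher risk, as the article states; the volume and location thresholds are assumptions), orders a portfolio so PCI compliance effort goes to the riskiest merchants first, and, for a given asset, turns a historical incident rate plus damage and recovery estimates into an expected annual loss and ranks risk-reducing actions by loss avoided per dollar spent. All merchant, asset and action figures are constructed sample data.

```python
from dataclasses import dataclass

# Visa's five areas of scrutiny. Which value is "higher risk" follows the article
# where it says so (card present, integrated POS, restaurants); the volume and
# location values are assumptions an acquirer would set from its own thresholds.
HIGHER_RISK = {
    "acceptance_channel": {"card_present"},    # per article
    "payment_technology": {"integrated_pos"},  # per article (vs stand-alone dial-up)
    "transaction_volume": {"high"},            # assumption
    "locations": {"multiple"},                 # assumption
    "merchant_category": {"restaurant"},       # per article
}


@dataclass
class Merchant:
    name: str
    acceptance_channel: str
    payment_technology: str
    transaction_volume: str
    locations: str
    merchant_category: str


def higher_risk_factors(m: Merchant) -> list[str]:
    """Return the names of the areas in which this merchant falls on the higher-risk side."""
    return [area for area, values in HIGHER_RISK.items() if getattr(m, area) in values]


def prioritize_for_pci(merchants: list[Merchant]) -> list[str]:
    """Order merchants so those with the most higher-risk factors come first (ties by name)."""
    return [m.name for m in sorted(merchants,
                                   key=lambda m: (-len(higher_risk_factors(m)), m.name))]


@dataclass
class Asset:
    name: str
    incidents_per_year: float  # likelihood, estimated from historical information
    damage_cost: float         # disruption, lost confidence, etc., per incident
    recovery_cost: float       # replacement/modification of hardware and software


def expected_annual_loss(asset: Asset) -> float:
    """Likelihood times total cost per incident (damage plus recovery)."""
    return asset.incidents_per_year * (asset.damage_cost + asset.recovery_cost)


@dataclass
class Action:
    name: str
    cost: float
    likelihood_reduction: float  # fraction of incidents the action is expected to prevent


def rank_actions(asset: Asset, actions: list[Action]) -> list[tuple[str, float]]:
    """Rank actions by expected loss avoided per dollar of cost, best first."""
    base = expected_annual_loss(asset)
    scored = [(a.name, base * a.likelihood_reduction, base * a.likelihood_reduction / a.cost)
              for a in actions]
    scored.sort(key=lambda t: t[2], reverse=True)
    return [(name, avoided) for name, avoided, _ in scored]


# Constructed sample portfolio (not real merchants).
SAMPLE_MERCHANTS = [
    Merchant("Diner", "card_present", "integrated_pos", "high", "single", "restaurant"),
    Merchant("Web shop", "card_not_present", "hosted_gateway", "low", "single", "retail"),
    Merchant("Dial-up boutique", "card_present", "dialup_terminal", "low", "single", "retail"),
]

# Constructed sample asset and candidate actions (figures are illustrative only).
SAMPLE_ASSET = Asset("POS card-data store", incidents_per_year=0.2,
                     damage_cost=50_000.0, recovery_cost=30_000.0)
SAMPLE_ACTIONS = [
    Action("Stop retaining track data", cost=5_000.0, likelihood_reduction=0.5),
    Action("Segment POS network", cost=20_000.0, likelihood_reduction=0.7),
]

if __name__ == "__main__":
    for m in SAMPLE_MERCHANTS:
        print(f"{m.name}: higher-risk in {higher_risk_factors(m)}")
    print("PCI priority order:", prioritize_for_pci(SAMPLE_MERCHANTS))
    print("Expected annual loss:", expected_annual_loss(SAMPLE_ASSET))
    print("Actions by loss avoided per dollar:", rank_actions(SAMPLE_ASSET, SAMPLE_ACTIONS))
```

The cheaper action ranks first here even though the network segmentation prevents more incidents, which is the point of the ratio: the article's "identify actions to reduce risk" step is about where a limited budget buys the most risk reduction, not about the largest single reduction.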
PCI shaping statutes
In addition to the traditional costs merchants face associated with security, data loss is now incorporated into legislation, including a new set of regulations in Minnesota (Minnesota Statutes, Chapter 325E, Section 1. [325E.64] Access Devices; Breach of Security).
When they violate industry data protection standards under the Minnesota law, retailers will be forced to pay for resulting data compromises.
The law adopts PCI guidelines, which require that companies not retain card data, including security codes, PINs and magnetic stripe data, for more than 48 hours after a transaction is approved.
If a data breach occurs and the retailer has failed to comply with payment card security protocol, the retailer will have to pay related costs.
These include refunds for unauthorized purchases, and expenses related to reissuing cards, notifying cardholders, and closing and reopening accounts.
It is important that you have a firm understanding of risk assessment. It will help your business interests, as well as those of your merchants. It will also enhance the value of your contributions to the industry.
As always, knowledge is power.
Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 23, or firstname.lastname@example.org.