
The Green Sheet Online Edition

August 27, 2007  •  Issue 07:08:02


Risk assessment: What you need to know

By Ross Federgreen

Risk assessment is central to everything we do in the payments industry. The pervasive underlying question for you, as ISOs and merchant level salespeople (MLSs), is this: What degree of risk does a specific merchant pose to the integrity of the electronic payments system?

In May 2007, Visa U.S.A. issued a new Cardholder Information Security Program bulletin.

The bulletin set forth acquirers' responsibilities in 1) defining risks associated with level 4 merchants as a class, and 2) prioritizing compliance with the Payment Card Industry (PCI) Data Security Standard, based on assessing risk merchant by merchant.

Five areas of scrutiny

Visa defined five areas to consider in determining the level of risk a given merchant poses to the system:

  1. Acceptance channel
  2. Payment technology
  3. Transaction volume
  4. Number of locations
  5. Merchant category.

Each of these areas is divided into two levels: "lower risk" and "higher risk."

For example, restaurants as a group are classified higher-risk because they have been targeted for security compromise more than any other industry segment.

The risks associated with acceptance channel and payment technology are not intuitively understood or easily predicted by the bulk of merchants or most members of our industry.

Acceptance channel can be either card not present (lower risk) or card present (higher risk).

In the card present environment, the capture of magnetic stripe information and PIN data poses a high potential for fraud exposure: the full track contents and PIN block that a swipe or PIN pad produces are exactly the data a compromise is after, and they must not be kept once the transaction is authorized.

In addition, merchants who use integrated POS systems are more vulnerable than those who use stand-alone dial-up terminals, because an integrated system sits on a general-purpose network and can log or store what it captures.
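As an added example (not code from the article or from Visa's bulletin), the following Python ranks a constructed Level 4 portfolio for compliance follow-up using the five factors above. The article gives no thresholds or combination rule, so the transaction-volume and location thresholds, the MCC list and the ranking order are assumptions, and the merchant records are fictitious. One design point worth copying: a merchant boarded with missing or unrecognised attributes is treated as higher risk on each unknown factor, so bad boarding data can never push a merchant down the list.

```python
"""Added example (not the article's or Visa's code): rank a constructed Level 4
portfolio by the five risk factors.  The volume and location thresholds, the MCC
list and the ranking rule are assumptions; the article supplies none of them."""
from dataclasses import dataclass
from typing import Optional

HIGHER_RISK_MCCS = {"5812", "5814"}   # restaurants and fast food, the segment the article names
VOLUME_THRESHOLD = 20_000             # assumed annual transaction count for "higher risk"
LOCATION_THRESHOLD = 1                # assumed: more than one location is "higher risk"


@dataclass
class Merchant:
    mid: str
    channel: Optional[str]       # "card_present" | "card_not_present"
    technology: Optional[str]    # "integrated_pos" | "standalone_dialup"
    annual_txns: Optional[int]
    locations: Optional[int]
    mcc: Optional[str]


def higher_risk_factors(m: Merchant) -> list:
    """Names of the factors on which this merchant sits in the higher-risk band.
    Missing or unrecognised values count as higher risk (fail closed), so that
    incomplete boarding data never lowers a merchant's ranking."""
    flags = []
    if m.channel != "card_not_present":          # card present = higher risk
        flags.append("acceptance_channel")
    if m.technology != "standalone_dialup":      # integrated POS = higher risk
        flags.append("payment_technology")
    if m.annual_txns is None or m.annual_txns > VOLUME_THRESHOLD:
        flags.append("transaction_volume")
    if m.locations is None or m.locations > LOCATION_THRESHOLD:
        flags.append("number_of_locations")
    if m.mcc is None or m.mcc in HIGHER_RISK_MCCS:
        flags.append("merchant_category")
    return flags


def prioritize(merchants: list) -> list:
    """Order for compliance follow-up: most higher-risk factors first; among equals,
    the two factors that govern track/PIN exposure (channel, technology) break the
    tie, then volume, so merchants most likely to hold stripe data are contacted first."""
    def key(m):
        f = higher_risk_factors(m)
        exposure = ("acceptance_channel" in f) + ("payment_technology" in f)
        return (-len(f), -exposure, -(m.annual_txns or 0))
    return sorted(merchants, key=key)


# Constructed portfolio with fictitious merchant IDs
PORTFOLIO = [
    Merchant("M-1001", "card_not_present", "standalone_dialup", 5_000, 1, "5999"),
    Merchant("M-1002", "card_present", "standalone_dialup", 8_000, 1, "5812"),
    Merchant("M-1003", "card_present", "integrated_pos", 50_000, 3, "5812"),
    Merchant("M-1004", "card_present", "integrated_pos", 3_000, 1, "5411"),
    Merchant("M-1005", None, None, None, None, None),   # boarded with no data at all
]

if __name__ == "__main__":
    for m in prioritize(PORTFOLIO):
        print(m.mid, higher_risk_factors(m))
```

Run as a script it prints the portfolio in follow-up order with the factors that put each merchant there; the restaurant on an integrated POS with three locations comes first, and the merchant with no boarding data lands next to it rather than at the bottom.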

Input from the GAO

In November 1999, the U.S. General Accounting Office (GAO, since renamed the Government Accountability Office) published Information Security Risk Assessment: Practices of Leading Organizations. It is a primer that everyone involved in the payments industry should study.

According to the GAO, risk assessments are associated with three types of activity:

  1. Development of new computer systems
  2. Procurement of production systems from other vendors
  3. Improvement of legacy system security features.

Also, the GAO stated risk assessments generally are "limited in scope to a primary business process and supporting systems. The supporting systems include the software, databases, and the hardware and network technology supporting the software, as well as the people who use and rely on these resources."

The preceding paragraphs bring into focus the issues of electronic security, physical security and system development, which are the core issues of PCI.

In addition, the Federal Reserve Policy on Payments System Risk, as amended July 20, 2006, clearly defines the areas of greatest concern that must be considered when evaluating particular business relationships for threat to the electronic payment system.

Questions to ask pertaining to such relationships in our industry include:

Elements of risk assessment

Risk assessment aids in understanding negative influences on operations and outcomes and helps in making informed judgments about what needs to be done to increase data security.

For example, bank officials conduct assessments to manage the risk of default.

Risk assessments generally delve into potential harm that could be done by intruders, criminals, disgruntled employees, terrorists and natural disasters.

As reliance on computer systems and electronic data has increased, the need to understand and manage data security risk has grown.

It is essential to base estimates of the likelihood of harm on historical information and the judgment of knowledgeable individuals. As part of risk assessment, it is imperative to do the following:

  • Rank the value, sensitivity and criticality of the asset in question.

  • Estimate the potential for damage.

  • Estimate recovery costs.

  • Identify actions to reduce risk.

The risk of a specific event occurring and the costs associated with its correction are difficult to quantify.

Some traditional considerations in this analysis are the possibility of a hacker attack and the costs of the damage, which include disruption of normal business operations, loss of client confidence, and expenses associated with the replacement or modification of both hardware and software.

PCI shaping statutes

In addition to the traditional costs merchants face associated with security, data loss is now incorporated into legislation, including a new set of regulations in Minnesota (Minnesota Statutes, Chapter 325E, Section 1. [325E.64] Access Devices; Breach of Security).

When they violate industry data protection standards under the Minnesota law, retailers will be forced to pay for resulting data compromises.

The law writes the PCI data-retention rule into statute: a business may not retain the card security code, the PIN verification value or the full contents of any magnetic stripe track after a transaction is authorized (the statute allows retention for up to 48 hours after authorization only for PIN debit transactions). PCI itself allows no such grace period; sensitive authentication data is never to be stored after authorization, even encrypted.

If a data breach occurs and the retailer has failed to comply with payment card security standards, the retailer will have to pay related costs.

These include refunds for unauthorized purchases, and expenses related to reissuing cards, notifying cardholders, and closing and reopening accounts.
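The two points above, what a card-present terminal captures from the stripe and what may still be on disk after authorization, are easiest to see in code. The following Python is an added example (not code from the article, Visa or the State of Minnesota): it parses a constructed ISO/IEC 7813 Track 2 record the way an integrated POS sees it, builds the only record that should survive authorization, and scans stored text for full track data and Luhn-valid PANs of the kind that turn a breach into the statutory liability described above. The track string, authorization code and log line are constructed, not real card data.

```python
"""Added example (not the article's or Visa's code): what a card-present POS captures
from Track 2, what may be kept after authorization, and a scan for data that must
not be at rest.  The sample track, auth code and log line are constructed, not real."""
import re
from dataclasses import dataclass

# Constructed ISO/IEC 7813 Track 2 record:  ';' PAN '=' YYMM service-code discretionary '?'
SAMPLE_TRACK2 = ";4111111111111111=29121011234567890123?"

TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str   # issuer data (PVV, CVV1 per issuer layout); never to be stored


def parse_track2(raw: str) -> Track2:
    """Split a raw swipe into its fields; reject malformed records and bad PANs."""
    m = TRACK2_RE.fullmatch(raw)
    if m is None:
        raise ValueError("not a Track 2 record")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retention_record(track: Track2, auth_code: str) -> dict:
    """The only fields kept after authorization: masked PAN, expiry, auth code.
    Full track contents, discretionary data and any PIN block are dropped here."""
    return {"pan_masked": mask_pan(track.pan), "expiry": track.expiry, "auth_code": auth_code}


def find_sensitive_data(text: str) -> list:
    """Scan stored text (logs, DB dumps, batch files) for full Track 2 records and
    Luhn-valid PANs.  Returns (kind, masked value) pairs so the report itself is safe."""
    findings = [("track2", mask_pan(m["pan"])) for m in TRACK2_RE.finditer(text)]
    findings += [("pan", mask_pan(m.group())) for m in PAN_RE.finditer(text)
                 if luhn_ok(m.group())]
    return findings


if __name__ == "__main__":
    track = parse_track2(SAMPLE_TRACK2)
    print(retention_record(track, "A1B2C3"))
    # Constructed POS debug line of the kind an integrated POS may write to disk
    print(find_sensitive_data("2007-08-27 12:00:01 swipe ok: " + SAMPLE_TRACK2))
```

Running the scanner over the retention record returns nothing, while the debug line yields both a full-track and a PAN finding; a terminal that writes swipe data to a log is the storage failure the Minnesota statute penalises, and the scan is the check an ISO can run on a merchant's POS before a forensic examiner has to.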

It is important that you have a firm understanding of risk assessment. It will help your business interests, as well as those of your merchants. It will also enhance the value of your contributions to the industry.

As always, knowledge is power.

Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 23, or rfedergreen@csrsi.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
