Financial Regulation and Supervision - Essay Example

Summary
The firm that is analyzed in the paper is Andrews Pick & Mix, an online UK retailer that needs to enhance and ensure it puts in place a reliable and versatile debit and credit card processing service, which would consequently go a long way in helping its business operations. …

Extract of sample "Financial Regulation and Supervision"

Financial Regulation & Supervision
22 March

Introduction

Andrews Pick & Mix is an online UK retailer that needs to put in place a reliable and versatile debit and credit card processing service, which would go a long way in helping its business operations. A reliable and versatile debit and credit card processing service not only enhances business operations, but also increases sales by enabling retailers to accept all means of payment at any given time from any part of the world. A reliable, efficient credit and debit card processing service enables businesses to accept payments anywhere, accept all payment forms, and access security and fraud protection.

Andrews Pick & Mix Options

Andrews Pick & Mix should seek to put in place relevant PCI DSS compliance measures according to its level of operations, and agree to offer credit and debit card payments, which would go a long way in enhancing its online retail business. Credit and debit card services are advantageous in that they enable the business to verify and accept payments from a variety of major debit cards, credit cards, traditional checks, and electronic checks. The business is also able to accept payments from anywhere, since transactions are processed online at any remote location all over the world given internet connectivity. Moreover, the services will enable manual entry of information in case sales and purchases are made in physical retail outlets. Andrews Pick & Mix would also be able to get protection from the fraudulent activities that are rampant in transactions made over the internet. Credit and debit card services consequently offer security protection through modern encryption utilities, giving customers assurance and confidence when transacting and processing their personal credit and debit card information.
The service's security measures focus on the use of a VeriSign SSL Certificate, which does not require individuals to purchase certificates separately, as well as an Address Verification Service that would help in protecting against fraudulent credit card application. When deciding whether to accept the bank's offer, Andrews Pick & Mix retailers need to analyze which credit and debit card payment solutions are relevant with respect to the merchant account they had with the company. If need be, the company may process alternative merchant accounts with the bank according to what is convenient to them, since the online income was only a small part of their turnover, although it provided wider access to their portfolio of products. These particular aspects are critical for decision making on the kind of credit and debit payment solutions they will put in place. Moreover, Andrews Pick & Mix retailers had their own web servers hosted and managed by a design agency that had developed and customized their online payment application, which was integrated with a third-party provider of credit and debit card transaction processing facilities. However, Andrews Pick & Mix were not completely aware of the level of charges for different types of transaction and the precise contractual obligations they had adopted, as well as the potential risks involved. Under their services, clients' payment card details were being entered on the retailer's website, while other orders were being accepted by fax, by telephone, and in the physical shop, where payments could be made with a point-of-sale card terminal. The retailer needs to comprehensively take into consideration a broad range of aspects such as the average approval rating, cost per month, customer service, account set-up time, point-of-sale options, start-up costs, and internet-based features (Segel, 2008). Average approval rating evaluates the percentage of applicants approved, the application fees, and the speed of processing the application.
Ideal service provisions seek to target high rates of approval at no fee with quick applications. An ideal service provider would also offer low monthly costs, which enable businesses to keep their overhead costs at a lower level. Considering that the Andrews Pick & Mix retailer was not completely aware of the level of charges for different types of transaction, it is evidently in need of a service provision that not only offers low costs, but also clearly communicates ongoing costs and fees with respect to gateway fees, chargebacks, and transaction fees. The start-up costs should also be reasonable and low. Service providers should also be able to set up accounts as quickly as possible and offer efficient customer care services through many points of contact that encompass the use of instant messaging and telephone. Customer enquiries should also be served with useful information alongside a quick and convenient response. Internet-based features should also be able to offer a variety of virtual terminals and point-of-sale options to increase flexibility and sales by offering clients a variety of payment options. Above all, data security in credit and debit card payment services is paramount, and it should be taken into consideration by the Andrews Pick & Mix retailer in its options with its banks.

Payment Card Industry Data Security Standard

Debit and credit card payment services have the mandate of ensuring relevant compliance with payment card industry data security standards, considering the high risks involved with online transactions. The use of online payments has dramatically increased in the recent past, which has consequently led to an increase in payment card fraud. However, strict security standards have been put in place to prevent breaches among credit and debit card payment service providers.
The MasterCard and VISA service providers have played a huge role in drawing up security standards to be complied with by all businesses that handle credit and debit card data. This basically entails the Payment Card Industry Data Security Standard (PCI DSS), which governs e-commerce, credit and debit card payment channels, and online retailers, among other means such as mail orders and telephone orders (Information Resources Management Association, International Conference & Khosrowpour, 2000, p.24). It is important that Andrews Pick & Mix retailers consider relevant compliance with PCI DSS in decision making on storing, processing, and transmitting cardholder data, to help in handling credit and debit card payments. Compliance enforcement deadlines and the level of compliance depend on the bank with which Andrews Pick & Mix retailers have entered into an agreement. Moreover, all businesses handling credit card and debit card payments must refer to the deadlines and specific validation requirements of the specific banks with which they have merchant accounts (Chuvakin & Williams, 2009, p.244). Andrews Pick & Mix retailers should seek to find out the bank's specific deadlines and validation requirements with regard to payment card industry data security standards, to enable them to weigh options that are friendly to their business in decision-making. The payment card industry data security standards framework is basically divided into three risk categories, although these categories are further subdivided into various specific requirements. These include storage and collection of all log data to make it available for analysis and comprehensive reporting as proof of compliance, alongside alerting and monitoring by administrators for immediate warning with respect to data usage and access.
The objectives of compliance include building and maintaining secure networks through installation and maintenance of a firewall configuration and non-use of vendor-supplied defaults for security parameters, such as passwords, to protect cardholder information. Stored cardholder information is also protected through encryption of information being transmitted across public and open networks. Controls also seek to maintain vulnerability management programs using antivirus software that is regularly updated on all systems, while developing and maintaining applications and systems that are secure. This is in addition to implementation of strong access control measures through assigning a unique identity to each individual with computer access, which restricts access to information. Controls also ensure regularly tested and monitored networks through monitoring and tracking all access to cardholder information and all network access. Organizations that comply with PCI DSS are also compelled to maintain a valid security policy that will enable the organization to address data security (Wright, 2008, p.20; Kim & Solomon, 2012, p.395).

Payment Card Industry Data Security Standard Advisory Companies

Andrews Pick & Mix retailers need to seek the expertise of payment card industry data security standard advisory companies to enable them to make relevant decisions that are beneficial to their business. Information technology governance has a wide range of experts in the field of the payment card industry data security standard. An advisory company would be able to provide retailers such as Andrews Pick & Mix with tailor-made and flexible payment card industry data security standard consultancy services. This would enable them to meet compliance requirements that fit the financial position and operations of their organization. Consultancy services provide ideal governance for information technology among businesses for the purpose of providing an ideal business environment.
Moreover, consultancy services help online retailers to access quick and cost-effective services. Lack of knowledge of payment card industry data security standards may render decision-making and business operations unfavorable, and thus make it necessary for businesses to seek advice from consultancy firms. Andrews Pick & Mix would benefit widely from appointing a company to provide it with payment card industry data security standards consultancy services. Advantages of such advice would range from effective use of its resources, compliance, a structured decision-making framework, and heritage preservation to efficient control of expenditure. Payment card industry data security standards consultancy services would also ensure that Andrews Pick & Mix understands the business benefits of compliance with payment card industry data security standards. Credit and debit card payment service providers are now receiving increased pressure from clients, considering the increased number of breaches and fraudulent activities in transactions between merchants and service providers. Clients now place much emphasis on compliance status when choosing a service provider to deal with. Many organizations view compliance with payment card industry data security standards as a marketing tool to attract clients who place much emphasis on security issues when choosing a service provider. Consultancy firms are ideally positioned to offer assistance with payment card industry data security standards with respect to the process of compliance and relieving pressure on business operations, while enabling businesses to sustain their operations effectively. Consultancy firms seek to assist organizations not only in the process of compliance with payment card industry data security standards, but also in general business success (CIO, 2008, p.28; Thomas II, Thomas, & Stoddard, 2012, p.80).
Payment card industry data security standards compliance requires that organizations first undertake a self-assessment against the standards. However, the payment card industry data security standards self-assessment often involves lengthy and complex procedures, and it would be advisable to hire advisory firms to assist in the assessment. This would have the advantage of saving time and putting the assessment in professional hands, rather than using amateur employees in a field in which they may not be qualified. In addition to saving time and gaining professionalism, organizations also stand to gain on available human resources, since employees who would have been tasked with such duties would be freed to concentrate on other functions (Smedinghoff, 2008, p.125). Consultancy firms would also be advantageous in providing on-site compliance inspection checks in areas such as vulnerability management, network security, security policies, and data access and control systems. This would not only help in providing information to organizations regarding their level of compliance, but also help in validating the compliance aspects that have been put in place. Moreover, the companies can provide payment card industry data security standards training to the organization's webmasters and other employees, which helps the organization in maintaining data security in the long run (Johnson, 1980, p.46). Organizations are also able to operate within the law, as the consultancy companies offer compliance advice in line with a merchant organization that operates within the legal requirements of a particular country. Advisory services in their entirety follow particular steps in assisting businesses: scoping, gap analysis, remediation support, training, validation, and general governance. Scoping seeks to identify the flow of cardholder data through storage, processing, and transmission of information.
In addition, scoping is undertaken for the purpose of gaining an insight into the existing business environment and the level of payment card industry data security standards compliance. This generally results in reduced expenditure and resource use, since actual and unnecessary compliance needs will be brought to light. The gap analysis stage seeks to ascertain the organization's current level of compliance, and to identify the remaining compliance requirements that the organization needs to put in place. This is in consideration of the fact that payment card industry data security standards must be complied with fully; thus, the gap between current compliance and full compliance is the aspect in question in this particular situation. Although organizations may choose to undertake a gap analysis internally, it is important that they seek the advice and service of payment card industry data security standards experts. This is because experts are well conversant with aspects that may lead to non-compliance with the standards as a whole. Moreover, experts would enable organizations to limit their liability for non-compliance in case non-compliance requirements are not comprehensively recommended. The remediation support stage, on the other hand, would assist in designing and implementing the internal payment card industry data security standards project team. Here, the internal project team would be advantageous in undertaking compliance tasks and even saving costs that would otherwise have been used to outsource remediation services (Virtue, 2008, p.216).

Recommendation

Given the costs and sanctions, Andrews Pick & Mix retailers should comply, to ensure prevention of fraud risks and fines. Moreover, compliance will enable the organization to meet favorable business standards with respect to available manpower, financial capabilities, and general organizational resources, among other necessary aspects.
However, it is cheaper to outsource such services, since in-house operation is subject to the risk of fines, while outsourcing generally seeks to transfer the burden to a third party. Outsourcing would also give assurance of operation under legal requirements and even a reduced cost of professionals. The company has chosen PCI DSS compliance.

Conclusion

Businesses are continuously faced with the risk of sensitive cardholder data being hijacked by fraudulent individuals, resulting in a negative company image, legal action, and fines. Payment card industry data security standards compliance by all businesses that handle credit and debit card data is therefore extremely important with regard to data storage, processing, and transmission. Organizations that fail to comply with payment card industry data security standards face the risk of being fined in case data is stolen or lost. Non-compliance renders organizations subject to enormous fines and even to being banned from handling cardholder data in cases where data is stolen or lost.

Summary

Payment card industry data security standards compliance generally helps businesses to succeed while placing emphasis on security measures and requirements for the management of customers' private and sensitive data. Compliance with security measures requires companies to evaluate software usage regulation, website policies, network security, and procedures for website data collection, among other measures that may enhance the security of customers' data.

Reference List

Chuvakin, A., & Williams, B.R., 2009. PCI Compliance: Understand and Implement Effective PCI Data Security. NY: Elsevier.

CIO. 2008. Truth Seeker. NEC Corporation. (Online). Available at: http://books.google.com/books?id=jwsAAAAAMBAJ&pg=PA28&dq=Advanrages+of+PCI+DSS+consultancy&hl=sw&sa=X&ei=lPFoT5GEPKiPiAfBk72bCg&ved=0CDQQ6AEwAQ#v=onepage&q&f=false (accessed 21 March 2012).

Information Resources Management Association, International Conference & Khosrowpour, M., 2000. Challenges of Information Technology Management in the 21st Century. PA: Idea Group Publishing.

Johnson, E.M., 1980. Managing Information Risk and the Economics of Security. NY: Springer.

Kim, D., & Solomon, M., 2012. Fundamentals of Information Systems Security. London: Jones & Bartlett Learning.

Segel, R., 2008. Retail Business Kit for Dummies. NJ: John Wiley & Sons.

Smedinghoff, T.J., 2008. Information Security Law: The Emerging Standard for Corporate Compliance. Cambridgeshire: IT Governance Ltd.

Thomas II, T.M., Thomas, T.M., & Stoddard, T., 2012. Network Security First Step. IN: Cisco Systems, Inc.

Virtue, T.M., 2008. Payment Card Industry Data Security Standard Handbook. NJ: John Wiley and Sons.

Wright, S., 2008. PCI DSS: A Practical Guide to Implementing and Maintaining Compliance. Cambridgeshire: IT Governance Publishing.
(“Financial Regulation and Supervision Essay Example | Topics and Well Written Essays - 2500 words”, n.d.)
Retrieved from https://studentshare.org/finance-accounting/1396358-financial-regulation-and-supervision