Research Paper Assignment
As described in the Introduction to Superior Card Processor, Inc., you are an employee of SCP, its Chief Information Officer and head of IT in charge of encryption and data security. You have accepted the position of Project Manager for the Information Governance Team tasked with designing and implementing a companywide Information Governance Plan or Program for the organization that will address the concerns expressed in the company introduction.
1. You will need to discuss with your IG Team the different organizations, associations, affiliates and agencies who provide standards, oversight and accountability for credit card processing organizations such as yourself, as well as for the Merchants and Merchant Banks that you service. You will need to discuss with your team the significance of PCI DSS. In order to enlighten your team members, conduct the necessary research to be able to respond to the following questions.
a. Who, or what organizations, bodies, associations, affiliates, etc., are responsible for setting standards, providing oversight and ensuring accountability for data security and information governance in the credit card processing industry;
b. What is PCI DSS and how did it evolve;
c. Which player(s) in the credit card processing industry are affected or impacted by PCI DSS and in what way;
d. Who is responsible for setting standards and ensuring compliance with PCI DSS;
e. Specifically how PCI DSS and the associated topics researched will impact SCP’s Information Governance design and implementation plan/program.
2. You, as Project Manager, are ready to select the members of your Information Governance Team who will be responsible for the design and implementation of the companywide Information Governance Plan or Program. The Board of Directors for SCP has informed you that the IG design and implementation team, including yourself as Project Manager, will consist of 10 representatives from the different functional units of MBA. You have been told by the Board of Directors that you may hand pick 5 members of your team, and that after you have selected those you deem most important to the success of the project, the Board of Directors, with input from SCP’s executive officers, will appoint the remaining four (4) members of your team. Explain which five (5) representatives you would request be members of your team. For each member selected, explain why you chose that representative.
3. You have been asked by the Board of Directors and Executive Officers to identify what you expect (at this early stage in the process) to be the major tasks, steps or milestones (whichever you choose to call them) in the design and implementation of the Information Governance Plan or Program for SCP. Explain the order in which each of these major tasks or steps will be taken, whether any can be performed at the same time, which must be completed before beginning the next task or step, and try to project roughly how long each will take. For each major task or step in this design and implementation process, describe generally for the Board of Directors and Executive Officers what will take place in that task or step. That is, you are being asked to develop a high level plan that sets out the major tasks to be accomplished, the order (steps) in which the tasks will need to be performed, and an estimate of the time frame for accomplishing each step, in order to complete the design and implementation of the IG Plan or Program for SCP. This should be the blueprint that you and your team will follow. In other words, explain how you and your team will go about the business of designing and implementing the IG program for the company. It is NOT the IG Program itself. This should be something that you will give the Board of Directors and Executive Officers, as well as your team members, as the “master plan” for accomplishing the goal of IG at Superior Card Processing, Inc. You may use as many lists, diagrams, tables, drawings, illustrations or charts as will facilitate your explanation. However, you are not to substitute these aids for your narrative explanation. Further, in your narrative explanation, do not rely on bulleted items. You may include bullet points, but they must have complete explanations in sentence form.
Please refer to the documents attached plus support your answers with peer reviewed articles or genuine sources. It should be a 5 page paper.
THE PLAYERS IN CREDIT CARD PROCESSING: Terminology
“Cardholder” or “Consumer” or “Retail Customer” – These are generally the three different names by which the same individual may be referred to. This is the private citizen or business who has applied to an “Issuing Bank” for credit in the form of a major credit card such as MasterCard, Visa, Discover, Bank of America, or American Express, and who has been approved and issued a major credit card by the “Issuing Bank”. These Cardholders or Customers are the individuals or businesses who purchase goods and services from the retailer with the major credit card that has been issued to them.
“Merchant” – This is a retail (sometimes wholesale) vendor or seller. It may also be an on-line vendor engaged in e-commerce, selling goods on the internet. The Merchant sells goods and services to the Cardholder, Consumer or Retail Customer and allows the Consumer to purchase the goods and services with his major credit card. The Merchant with the brick and mortar physical location will have one or more forms of point of sale (POS) terminal in his place of business that will capture the relevant information for the credit card purchase made by the Consumer. The same is true for the on-line merchant, as the website will be set up in a way to capture the same information.
“Merchant Bank” or “Acquiring Bank” – A commercial bank, credit union or other financial institution that holds deposit accounts (checking accounts) for its Merchant customers/depositors is referred to as a Merchant Bank or an Acquiring Bank. The Merchant Bank offers an additional service to its Merchant customers/depositors by “handling” its Merchant customers’ credit card purchases. That is, the Merchant will have a checking account with the Merchant Bank whereby the Merchant Bank accepts (in the form of a direct deposit into its Merchant’s bank account) payment from an “Issuing” bank who has extended credit to the Consumer in the form of a credit card that the Customer can use to make his/her purchases. When the Merchant allows its Customer to purchase goods and services with a credit card, the actual payment for those goods and services is received by the Merchant a few days later in the form of a direct deposit into the Merchant’s bank account with its Merchant Bank, after certain fees are deducted by the different “players” who are involved in the processing of the credit card transaction between the Consumer and Merchant.
As you might expect, Merchants are not limited to accepting credit cards from Customers who hold only one of the major credit cards. Consider your own experience in the real world. If you walk into a merchant’s store or make a purchase from a merchant on-line, you generally have the option to make your credit card purchase with either Visa, Discover, Bank of America or MasterCard (and less frequently American Express).
“Credit Card Processor” – A Credit Card Processor is an organization that processes credit cards for Merchants and Merchant Banks when the Merchant and Merchant Bank accept more than one of the major credit cards (i.e. Visa, MasterCard, Bank of America, Discover, etc.). There is a growing number of Credit Card Processors in the credit card industry today. At the time the Merchant decides to allow its Customers to make credit card purchases and before the POS terminal is installed at the Merchant site, or the website activated to accept credit card payments, the Merchant must make a determination as to which of the many credit card processors it will engage for the purpose of processing its credit card purchases. The different credit card processors offer varying terms and rates, and the Merchant is advised to compare the pros and cons of contracting with one credit card processor over another. Once the credit card processor has been selected, the Merchant will receive his POS terminal and a contract will be signed between the credit card processor, Merchant and Merchant Bank.
Alternatively, it is possible that the Merchant will not have an option as to which Credit Card Processor will handle its credit card purchases. When the Merchant’s own Merchant Bank is responsible for selling or leasing the POS terminal to the Merchant, most likely the Merchant bank has already researched the services and rates offered by the different Credit Card Processors and has contracted with one Credit Card Processor to handle all of its Merchant Bank credit card transactions, and therefore all of its Merchant depositor transactions. In that case, the Merchant’s credit card sales will be processed by the Credit Card Processor selected for it by its own Merchant Bank. In this case also, a contract will be entered into between the Merchant and its Merchant Bank that sets forth the terms and rates charged to the Merchant for the Credit Card Processor and for the Merchant Bank’s services.
Either way, the Merchant will receive a monthly statement from the Credit Card Processor detailing the individual transactions that were processed by that Credit Card Processor, and the fees deducted by the different “players”. Furthermore, the Merchant’s Merchant Bank will disclose the amounts of money deposited into the Merchant’s account each month as the result of the Merchant’s credit card sales for the period.
The number of Credit Card Processors is growing rapidly. This is a big business. There are organizations that routinely rate the quality and comparative rates of the major Credit Card Processors in the credit card industry. A few of the more highly rated Credit Card Processors include Flagship Merchant Services, Quantum Electronic Payments, ProMerchant, North American Bancard, and Leaders Merchant Services. The services and rates offered by each have been tailored by the individual credit card processor to include features that it believes will attract more Merchants and/or Merchant Banks. See for example, https://www.comparisun.com/best-credit-card-processing.
“Credit Card Associations” – The Credit Card Associations are the major credit card brands such as Visa, Mastercard, Discover, Bank of America and American Express. The card associations act as a clearinghouse for their respective card brands and also serve as governing bodies of payments processing. These card associations set what are referred to as the interchange rates and the qualification guidelines. Further, they act as an arbiter between Issuing Banks and Acquiring Banks. Sometimes these Credit Card Associations are referred to as “Networks”.
“Issuing Banks” – These are the commercial banks, credit unions, and other financial institutions that issue debit and credit cards to Cardholders through the card associations. The Issuing Bank is not to be confused with the Merchant Bank/Acquiring Bank. When a Consumer applies for a major credit card (like Visa or MasterCard) he/she is applying to the Issuing Bank for credit.
THE TRANSACTIONS: Terminology
“Authorization” – This is the process whereby the Consumer is able to complete a purchase from a Merchant using his credit card. When the Consumer presents his major credit card (issued to him by the Issuing Bank), the Merchant will capture the Customer’s credit card information from the information stored for the card presented, and this, combined with the information concerning the transaction, is sent to the Credit Card Processor via the POS terminal (or in the case of on-line purchases through the information captured by the webpage). The Credit Card Processor will forward the information to the Issuing Bank to determine whether it appears the Consumer is the actual authorized purchaser for the credit card presented, whether the purchase amount is within the credit card limits, whether charges are allowed to the card or whether there has been a hold put on the card or it has been suspended or revoked for nonpayment or other reasons. The Issuing Bank will make the determination as to whether to approve or decline the credit card purchase, with that information transmitted back to the Merchant via the same channel. The description herein is the simplified explanation of how Authorization works. It takes only seconds.
“Settlement and Funding” – The Merchant wants to be paid for the goods or services it sold to the Consumer with just the swipe of his credit card, and no money changing hands. The Merchant will send information regarding the authorized transactions to the Credit Card Processor it has contracted with. This can happen with “Batch” processing, where the Merchant sends this information periodically for a batch of credit card transactions, or it can happen at the time the authorization has been completed. There was a time when this took place as an automated overnight process. More often today, it occurs at the time of authorization. Either way, upon receipt of this information the Credit Card Processor passes these details to the appropriate Credit Card Associations, who communicate the appropriate information to the Issuing Banks in their network. The Issuing Bank will then charge the Cardholder’s account for the amount of the transactions. The Issuing Bank then transfers appropriate funds for the transactions to the Merchant Bank, minus its fees for processing the transaction. This fee charged by the Issuing Bank is referred to as the “Interchange Fee”. The Merchant Bank (Acquiring Bank) deposits the funds into the Merchant account, minus its fee (referred to as a “discount”). There was a time when Settlement and Funding took days, sometimes a week or more. Today, the process is sometimes completed overnight, with the Merchant receiving payment into his account the day following the credit card sale to the Consumer.
ADDITIONAL INFORMATION/RESEARCH THAT WILL ASSIST THE STUDENT:
The above information is intended to provide the student with a general introduction to the concept of credit card processing and the terminology used in the industry. Loosely, you can apply this same concept to “debit cards” as to credit cards. Please don’t get bogged down in the minutia surrounding the difference between credit card processing and debit cards.
The student is invited to conduct his/her own independent research for a more complete understanding of the process. Below is a sampling of just a few informational videos, blogs and websites that explain how credit card processing works. These links are provided merely for your convenience and are not required viewing.
There is a YouTube video, about 12 minutes long, that provides fairly good information in an understandable form; it can be viewed at https://www.youtube.com/watch?v=nRzTaWZ6ebs. Careful with this one. It may overly simplify the process and does not make the distinction between the credit card processors and the credit card associations.
Another useful video you may want to view is https://www.youtube.com/watch?v=avRkRuQsZ6M. With this one, focus on the transaction cycle and don’t get bogged down with the calculations for pricing (for example, the interchange processing model).
Also consider viewing a useful blog at https://blog.payjunction.com/credit-card-processing-diagram/ (by Christina Lavingia, August 14, 2018).
Further is https://wallethub.com/edu/credit-card-transaction/25511/
Somewhat useful might be https://www.vantiv.com/payment-processing/how-credit-card-processing-works
Independent of the student’s research concerning just “how” a credit card transaction is processed, and the parties involved, the student will want to consider who or what organization or group is responsible for regulation in the industry, for information governance of the highly confidential and sensitive data, and the related standards and accountability involved. A working knowledge of this information is important to the quality of the student’s research project. Hint: In that regard the student should consider researching Payment Card Industry Data Security Standards (PCI DSS), and the related information gleaned therefrom. This will provide the student with a wealth of relevant information for the research project.
Once the student has familiarized himself/herself with the concepts related to credit card processing, standards organizations and governance of information in the industry, the student is then ready to familiarize himself/herself with the introduction to the “hypothetical/fictitious” organization for which the student will serve as Project Manager in the design and implementation of an Information Governance Plan or Program for that organization.
Thereafter, upon having an understanding of the credit card processing industry, standards organizations, and accountability, combined with a familiarity with the fictitious organization that has employed the student as Project Manager, the student is prepared to move on to Phase I of the research project.
RESEARCHING THE CREDIT CARD INDUSTRY:
The student is free to engage in research of the credit card industry using any medium and/or forum the student chooses, as long as the student acquaints himself/herself with the terminology used, the workings of the industry and the processes and interrelationships of the types of organizations that are vital to the process. Suggestions as to where the student may begin his/her research and some key terms are included herein below. Regardless of the manner or technique of research used, it is expected that before engaging in any meaningful undertaking of Phase I the student will become familiar with the process generally used in the credit card industry, the terminology used therein, and the fictitious company information used for this semester’s project.
Specifically, the student should be familiar with the function or role of parties mentioned in the terminology document.
INTRODUCTION TO SUPERIOR CARD PROCESSOR, INC. (SCP), AND TO “YOU” THE NEW HEAD OF THE IG PROJECT MANAGER FOR THE INFORMATION GOVERNANCE PROJECT DESIGN AND DEVELOPMENT TEAM
Superior Card Processor, Inc., (“SCP”) is a new, startup Credit Card Processing company that has been in business for approximately two (2) years. Its principal place of business and original processing center is located in Louisville, Kentucky. In the past two years, SCP has opened 6 additional remote credit card processing centers, one in each of Indiana, Ohio, Tennessee, Florida, Texas and California.
SCP offers services and competitive rates similar to those offered by its competition, the larger and well-established credit card processors such as Flagship Merchant Services and First Data Merchant Services. SCP offers credit card processing solutions to retail merchants as well as on-line merchants engaged in e-commerce. Services offered to merchants who accept credit cards from their customers include but are not limited to selling and/or leasing point of sale (POS) terminals and peripherals with built-in security, wireless and mobile point of sale (POS) terminal solutions that can be carried by the mobile merchant to accept payments anywhere the merchant does business, so long as the merchant has access to the internet, and on-line solutions for merchants engaged in e-commerce. Superior Card Processor, Inc. advertises that it offers state-of-the-art security and compliance packages designed to ensure the merchant is best equipped to safeguard its data and that of its customers.
SCP also services Merchant Banks who handle Merchant deposit accounts and has an option whereby the Merchant Bank can contract with SCP and the Merchant Bank acts as a middleman in placing SCP’s terminals with its Merchant depositors. In those cases, the “discount” fee charged to the Merchant by both SCP and the Merchant Bank is negotiated between SCP and the Merchant Bank, who enters into an agreement with the Merchant to bind it to the agreement between SCP and the Merchant Bank.
Depending on the contract terms negotiated between the Merchant Bank and SCP either the Merchant Bank or SCP will be responsible for installing the POS terminal for merchants maintaining a physical presence, or the web based application for e-commerce merchants. When the Merchant accepts a credit card from its customer it forwards the transaction, customer and credit card information directly to SCP using the POS terminal or web application. SCP will then determine which of the credit card associations will be involved, and will forward the details to the Issuing bank for that particular credit card association. The Issuing Bank will then either approve the transaction or decline it. The Issuing Bank’s decision regarding whether to approve the transaction is then forwarded back to SCP, who provides that information to the Merchant. This process takes only a minute or so, and is referred to as Authorization.
Assuming the credit card transaction is approved, the customer receives his goods or services paid for with the credit card, and the Merchant accepts the Issuing Bank’s promise to pay the Merchant for the goods or services sold to the customer by the Merchant, less its interchange fee, SCP’s discount fee, and the Merchant Bank’s discount fee. Subsequent to the transaction, and generally within the next day, the Issuing Bank will deduct its interchange fee and forward the balance of the customer’s purchase price to SCP. SCP will deduct its own fee, called a “discount”, and will likewise deduct the Merchant Bank’s discount fee. It will deposit the Merchant Bank’s fee into the Merchant Bank’s account earmarked for those funds and at the same time will deposit the net proceeds from the customer’s purchase into the Merchant’s bank account held by its Merchant Bank.
Monthly, SCP will generate reports for the Merchant Bank, the Merchant, and for each of the Credit Card associations (Visa, MasterCard, Discover, etc.) providing both detailed and summary data for the merchant transactions that it processed for the period.
SCP’s organizational structure includes a Board of Directors, Chief Financial Officer, Chief Executive Officer, President and Vice-President. The Vice-President answers to the President, the President to the CFO and CEO, who in turn are accountable to the Board of Directors. Housed in its principal office in Louisville are the Small Merchant Department, Large Merchant Department, and Corporate Merchant Department. These are divided because of the different compliance requirements for each. Each of the Small, Large and Corporate Merchant Departments has a departmental manager and chief compliance officer. Each of these three departments is responsible for receiving, processing, storing, sorting, analyzing, and forwarding information regarding the Merchant transactions on to the Issuing Bank, and for receipt, storage, processing, sorting, analyzing and forwarding of the Issuing Bank’s authorization or non-authorization of Merchant credit card transactions on to the Merchant. These three departments are also responsible for deducting SCP’s discount fee and each Merchant Bank’s fee and for depositing the Merchant Bank fee into its account, and the Merchant’s net proceeds into its account. These three departments are also responsible for issuing monthly reports for the Merchant, Merchant Bank, Credit Card Associations, and Issuing Bank detailing and summarizing the transactions for the period. There is a Merchant Product Department responsible for sales and shipments of the POS terminals. There is a Web Hosting Department responsible for installation and training for Merchants engaged in e-commerce. There is the Merchant Banking Department, which is responsible for building and maintaining relationships with Merchant Banks. The Research and Development Department is tasked with responsibility to ensure that all technology offered to SCP’s Merchants remains state-of-the-art and employs cutting edge technology.
There is a PCI DSS Compliance Department that is responsible for ensuring that SCP remains PCI DSS compliant. There is the IT Department responsible for traditional “IT” related functions and for data security and encryption. There is a Risk Management Department. In addition there are the traditional functional units or departments that are present in traditional organizations, including but not limited to the Human Resources Department, Accounting Department, in-house Legal Department, and a catch-all Other Services Department.
All Merchant accounts and corresponding Merchant Bank accounts are divided up and either managed by the principal office in Louisville or assigned to one of the six (6) remote locations depending on the Merchant’s location or geographic region. None of the six remote locations are as large as the principal office location in Louisville. The remote locations house only the three departments responsible for processing Merchant transactions, i.e., the Small Merchant Department, Large Merchant Department, and Corporate Merchant Department. For web based e-commerce Merchants, the account is assigned to either the main office or a remote processing site depending on the physical location of the on-line Merchant’s Merchant Bank. There will be three departmental managers at the remote sites, a site manager and a Human Resources Department.
In this scenario, you are an employee of Superior Card Processor, Inc., and have been since it first opened for business. Prior to accepting the position at SCP as the Chief Information Officer responsible for the IT department in the area of data encryption and security, you worked for approximately 15 years at one of the commercial banks now serviced by SCP. Initially you were employed as a teller for the bank while you were in college earning your BS degree with a double major in Business and Finance, and in Information Science and Technology. Upon graduation from college, you became a loan officer for about 6 months, until a position came open in the IT department, where you worked for the rest of your banking career, until accepting a position in IT with SCP two years ago.
Over the past 2 years SCP has grown rapidly in response to the changing demands and needs of its Merchant customers. The Board of Directors and President and chief executive officers have expressed concerns that during this period of rapid growth SCP potentially has not addressed comprehensive information governance of its Merchant customers’ or the Merchants’ customers’ credit card information. You have also had some of the same concerns in your capacity as Chief Information Officer for IT. A meeting was recently convened and attended by the CFO, CEO, President, Vice-President, Head of Risk Management, in-house legal counsel, and yourself where the topic of SCP’s lack of a comprehensive, enterprise wide Information Governance Plan or Program was addressed. It was the consensus of the group that the lack of an information governance program or plan has contributed to breaches in security resulting in disclosure of what should have been protected customer credit card information and merchant information. In addition, there were concerns expressed by those present at the meeting that SCP has not been responsive to legal holds on customer and/or banking information, which has led to delays in the legal department responding to legal discovery requests. Further, there have been incidents where SCP did not retain information for as long as it should have, resulting in sanctions by the Courts for its inability to respond to legal discovery requests. Other times, SCP had retained potentially damaging information that legally it could have disposed of but did not. As the result of a legal discovery request for that information, SCP was required to turn it over, which led to sanctions and adverse effects that could have been avoided. This is evidence of the fact that SCP does not have a legally defensible data retention and disposal plan in place.
During the meeting there was a consensus that a comprehensive enterprise wide Information Governance Program or Plan was needed at SCP. To that end, it was decided that an Information Governance Team would be assembled to design and implement the IG program enterprise wide at SCP. A motion was made by SCP’s President that you serve as the Project Manager for the IG Design and Development Team. You have agreed to accept the position. The remaining members of the IG design and development team have not been selected yet.