What emerging risks are exposed with a shift from paper to electronic retail payments?
Answers (5)
Lack of physical paper/audit trail. Increased privacy risk to customers if/when personal data is hacked/compromised. Increased demands placed on call centers for customers requesting assistance with records retrieval, historical records, general computer support. This risk varies with effectiveness of deployment.
Elizabeth N.
Director - B2B Regulatory Support Services Limited
The biggest risk you have is of the information being compromised during the transfer from paper to electronic. All of the other risks remain constant irrespective of what medium you choose to use, though it's a lot easier to steal an electronic record than a paper record, just because of its size.
Once you have gone all electronic (even though this could equally apply to paper records too) you would need to consider the aspects of ISO27002 (see link). If you obtain one of the audit books for this standard it will spell out what risks you need to think about. See also the 17799 (BS17799 was ISO27002's previous name) forum. (Links provided to BSI and 17799).
Frank F.
►CEO/Bd Director ►IT Governance Advisor ►Future-Proof Strategy ►Keynotes ►Inno-Change ►Social Media Mktg ►China Advisor
As Amazon, eBay and numerous others have demonstrated, a digital system, if properly written and administered, is safer than a paper system.
Lynn W.
virtualization since Jan68, online at home since Mar70
Electronic data breaches will frequently involve significantly more records than paper data breaches.
After having been called in to work with small client/server startup that wanted to do payments on their server (& they had invented this technology SSL, they wanted to use), in the mid-90s, we were asked to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments.
This was *ALL* retail, as in *ALL* credit, debit, stored-value, check, ACH, etc; as in *ALL* POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc; and as in *ALL* low-value, medium-value, high-value, etc.
Part of the effort involved doing detailed, end-to-end, threat and vulnerability studies and the effort resulted in x9.59 financial standard.
http://www.garlic.com/~lynn/x959.html#x959
The majority of data breaches that have been in the news have involved repositories of retail financial transaction information. The threat from the data breaches involves crooks being able to use the information from financial transactions to perform fraudulent transactions. The x9.59 financial standard protocol did nothing about preventing the data breaches ... but it does slightly change the paradigm, eliminating the threat of using data breach information for fraudulent transactions (and therefore the value of the information to crooks).
Recent post discussing the existing electronic retail payment data breach threat and the x9.59 protocol eliminating the threat (doesn't address breaches, but the threat from the breaches)
http://www.garlic.com/~lynn/2008o.html#76
Matt C.
COO at 365 Retail Markets
Joshua: the risks are generally the same. The speed-to-exploit and scope of impact have the potential to be far greater, however.
It's important not to confuse the two - that is, not to confuse a Risk with an Impact. Fraud, theft and misappropriation take place in both types of transaction. However, the inherently insecure nature of the distributed systems which facilitate electronic payments provides for a much broader attack vector. Remember, for a risk to be realized a Threat must be able to exploit a Vulnerability or weakness to impact an Asset. The severity of that resulting risk will be determined by a number of factors, including: ease of compromise; value of asset/process; quantity and/or pervasiveness of the threat.
Net/net - in a provincial sense, I wouldn't look at top level risks to change based on transaction type, just the severity, frequency and impact per occurrence. Please note that I am not saying eTx are or are/not safer - it's somewhat irrelevant and needs to be evaluated based on the value of the transaction/process.
E.g. If it costs me $2 to manage a paper process and I lose 20 cents on every transaction to Fraud/Theft and moving to electronic will save me 80% of that cost (in efficiency) then I might be willing to absorb increased losses up to a level comparable with my prior cost ($2.00), because this new process provides me with other incremental benefit. In this case, increased risk is a good thing - it allows for a net gain (efficiency) and a potential competitive differentiator which drives increased revenue, for example.