Research paper Phase 1

RESEARCHING THE CREDIT CARD INDUSTRY:

The student is free to engage in research of the credit card industry using any medium and/or forum the student chooses, as long as the student acquaints himself/herself with the terminology used, the workings of the industry and the processes and interrelationships of the types of organizations that are vital to the process. Suggestions as to where the student may begin his/her research and some key terms are included herein below. Regardless of the manner or technique of research used by the student, it is expected that before the student engages in any meaningful undertaking of Phase I that the student become familiar with the process generally used in the credit card industry, the terminology used therein, and with the fictious company information used for this semester’s project prior to any undertaking of Phase I.

Specifically, the student should be familiar with the function or role of parties mentioned in the terminology document.

INTRODUCTION TO SUPERIOR CARD PROCESSOR, INC. (SCP), AND TO “YOU” THE NEW HEAD OF THE IG PROJECT MANAGER FOR THE INFORMATION GOVERNANCE PROJECT DESIGN AND DEVELOPMENT TEAM

Superior Card Processor, Inc., (“SCP”) is a new, startup Credit Card Processing company that has been in business for approximately two (2) years. Its principal place of business and original processing center is located in Louisville, Kentucky. In the past two years, SCP has opened 6 additional remote credit card processing centers, one in each of Indiana, Ohio, Tennessee, Florida, Texas and California.

SCP offers services and competitive rates similar to those offered by its competition, the larger and well established credit card processors such as Flagship Merchant Services and First Data Merchant Services. SCP offers credit card processing solutions to retail merchants as well as on-line merchants engaged in e-commerce. Services offered to merchants who accept credit cards from their customers include but are not limited to selling and/or leasing point of sale (POS) terminals and peripherals with built in security, wireless and mobile point of sale (POS) terminal solution that can be carried by the mobile merchant to accept payments anywhere the merchant does business for so long as the merchant has access to the internet, and on-line solutions for merchants engaged in e-commerce. Superior Card Processor, Inc. advertises that it offers state-of-the-art security and compliance packages designed to insure the merchant is best equipped to safeguard its data and that of its customers.

SCP also services Merchant Banks who handle Merchant deposit accounts and has an option whereby the Merchant Bank can contract with SCP and the Merchant Bank act as a middleman in placing SCP’s terminals with its Merchant depositors. In those cases, the “discount” fee charged to the Merchant by both SCP and the Merchant Bank is negotiated between SCP and the Merchant Bank, who enters into an agreement with the Merchant to bind it to the agreement between SCP and the Merchant Bank.

Depending on the contract terms negotiated between the Merchant Bank and SCP either the Merchant Bank or SCP will be responsible for installing the POS terminal for merchants maintaining a physical presence, or the web based application for e-commerce merchants. When the Merchant accepts a credit card from its customer it forwards the transaction, customer and credit card information directly to SCP using the POS terminal or web application. SCP will then determine which of the credit card associations will be involved, and will forward the details to the Issuing bank for that particular credit card association. The Issuing Bank will then either approve the transaction or decline it. The Issuing Bank’s decision regarding whether to approve the transaction is then forwarded back to SCP, who provides that information to the Merchant. This process takes only a minute or so, and is referred to as Authorization.

Assuming the credit card transaction is approved, the customer receives his goods or services paid for with the credit card, and the Merchant accepts the Issuing Bank’s promises to pay the Merchant for the goods or services sold to the customer by the Merchant, less its interchange fee, and SCP’s discount fee, and the Merchant Bank’s discount fee. Subsequent to the transaction, and generally within the next day, the Issuing Bank will deduct its interchange fee and forward the balance of the customer’s purchase price to SCP. SCP will deduct its own fee called a “discount”, and will likewise deduct the Merchant’s Bank’s discount fee. It will deposit the Merchant Bank’s fee into the Merchant Bank’s account earmarked for those funds and at the same time will deposit the net proceeds from the customer’s purchase into the Merchant’s bank account held by its Merchant Bank.

Monthly, SCP will generate reports for the Merchant Bank, the Merchant, and for each of the Credit Card associations (Visa, MasterCard, Discover, etc.) providing both detailed and summary data for the merchant transactions that it processed for the period.

SCP’s organizational structure includes a Board of Directors, Chief Financial Officer, Chief Executive Officer, President and Vice-President. The Vice-President answers to the President, the President to the CFO and CEO, who in turn are accountable to the Board of Directors. Housed in its principal office in Louisville, is the Small Merchant Department, Large Merchant Department, and Corporate Merchant Department. These are divided because of the different compliance requirements for each. Each the Small, Large and Corporate Merchant Departments have a departmental manager and chief compliance officer. Each of these three departments are responsible for receiving, processing, storing, sorting, analyzing, and forwarding information regarding the Merchant transactions on to the Issuing Bank and for receipt, storage, processing, sorting, analyzing and forwarding the Issuing Bank’s authorization or non-authorization of Merchant credit card transactions on to the Merchant. These three departments are also responsible for deducting SCP’s discount fee and each Merchant Banks’ fee and for depositing the Merchant Bank fee into is account, and the Merchant’s net proceeds into its account. These three departments are also responsible for issuing monthly reports for the Merchant, Merchant Bank, Credit Card Associations, and Issuing Bank detailing and summarizing the transactions for the period There is a Merchant Product Department responsible for sales and shipments of the POS terminals. There is a Web Hosting Department responsible for installing and training for Merchants engaged in e-commerce. There is the Merchant Banking Department who is responsible building and maintaining relationships with Merchant Banks. The Research and Development Department is tasked with responsibility to insure that all technology offered to SCP’s Merchants remain state-of-the-art and employ cutting edge technology. There is a PCI DSS Compliance Department that is responsible for insuring that SCP remains PCI DSS compliant. There is the IT Department responsible for traditional “IT” related functions and for data security and encryption. There is a Risk Management Department. In addition there are the traditional functional units or departments that are present in traditional organizations, including but not limited to the Human Resources Department, Accounting Department, in-house Legal Department, and a catch-all Other Services Department.

All Merchant accounts and corresponding Merchant Bank account is divided up and managed by either the principal office in Louisville, or is assigned to one of the six (6) remote locations depending on the Merchant’s location or geographic region. None of the six remote locations are

as large as the principal office location in Louisville. The remote locations house only the three departments responsible for processing Merchant transactions, i.e., the Small Merchant Department, Large Merchant Department, and Corporate Merchant Department. For web based e-commerce Merchants, the account is assigned to either the main office or a remote processing site depending on the physical location of the on-line Merchant’s Merchant Bank. There will be three departmental managers at the remote sites, a site manager and Human Resources Department.

In this scenario, you are an employee of Superior Card Processor, Inc., and have been since it first opened for business. Prior to accepting the position at SCP as the Chief Information Officer responsible for the IT department in the area of data encryption and security, you worked for approximately 15 years at one of the commercial banks now serviced by SCP. Initially you were employed as a teller for the bank while you were in college earning your BS degree with a double major in Business and Finance, and in Information Science and Technology. Upon graduation from college, you became a loan officer for about 6 months, until a position came open in the IT department, where you worked for the rest of your banking career, until accepting a position in IT with SCP two years ago.

Over the past 2 years SCP has grown rapidly and in response to the changing demands and needs of its Merchant customers. The Board of Directors and President and chief executive officers have expressed concerns that during this period of rapid grown that potentially SCP has not addressed comprehensive information governance of its Merchant customers or the Merchant’s customer’s credit card information. You have also had some of the same concerns in your capacity as Chief Information Officer for IT. A meeting was recently convened and attended by the CFO, CEO, President, Vice-President, Head of Risk Management, in-House legal counsel, and yourself where the topic of SCP’s lack of a comprehensive, enterprise wide Information Governance Plan or Program was addressed. It was the consensus of the group that the lack of an information governance program or plan has contributed to breaches in security resulting in disclosure of what should have been protected customer credit card information, and merchant information. In addition, there were concerns expressed by those present at the meeting that SCP has not been responsive to legal holds on customer and/or banking information, which has led to delays in the legal department responding to legal discovery requests. Further, there have been incidents where SCP did not retain information for as long as it should have, resulting in sanctions by the Courts for its inability to respond to legal discovery requests. Other times, SCP had retained potentially damaging information that legally it could have disposed of but did not. As the result of a legal discovery request for that information, SCP was required to turn it over, which led to sanctions and adverse affects that could have been avoided. This is evidence of the fact that SCP does not have a legally defensible data retention and disposal plan in place.

During the meeting there was a consensus that a comprehensive enterprise wide Information Governance Program or Plan was needed at SCB. To that end, it was decided that an Information Governance Team would be assembled to design and implement the IG program enterprise wide at SCP. A motion was made by SCP’s President that you serve as the Project Manager for the IG Design and Development Team. You have agreed to accept the position. The remaining embers of the IG design and development team have not been selected yet.