What effect does government regulation have on the economy?
Government Regulation
Regulation, Political Economy of
N.L. Rose, in International Encyclopedia of the Social & Behavioral Sciences, 2001
Government regulation of firms uses the 'coercive power' of the state to change firms' pricing, entry, production, investment, and product choice decisions. An extensive empirical literature analyzes the effects of 'economic regulation' of price and entry as well as environmental, health, safety, and information regulation. Results of this work suggest that regulation cannot be understood merely as an efficient intervention to correct market failure. Research on the political economy of regulation seeks instead to understand the origin, structure, and reform of regulatory policy as an outcome of rent-seeking behavior by interest groups mediated through the political process. These models have considerable empirical power in explaining variation in support for particular regulations, but fall short in explaining why some industries are regulated while others are not, and why policy in this area tends to occur in waves.
URL: https://www.sciencedirect.com/science/article/pii/B0080430767047525
The Agile Enterprise
Fred A. Cummins, in Building the Agile Enterprise (2nd Edition), 2017
Regulatory Compliance
Government regulation is an increasing concern. Managers are being held responsible for the integrity of their operations and the protection of stockholder interests. Multinational enterprises must comply with the business regulations of the countries in which they operate as well as the regulations for products or services in the countries in which they sell. Not only are regulations constantly changing, but the regulations impose different requirements in different countries, and changes to the business system itself can create risks of violations. Regulatory compliance affects all industries.
Implementation of compliance is a challenge in conventional organizations because the affected processes may be undocumented and may be performed in multiple organizations in different ways.
The agile enterprise is able to quickly and reliably assess the implications of regulations for the business and plan appropriate changes and controls to ensure compliance. The consistent business architecture and robust business design model, showing one or more applications of a relevant capability, clarify responsibility and accountability for compliance. Formally defined collaborations and business process automation support the implementation and enforcement of regulations. In order to address differences between countries, capability methods must include business rules that consider the country of delivery and/or the country of origin of the product.
An important aspect of regulatory compliance is reliable recordkeeping. Formal definition and automation of business processes support the capture of appropriate records. Electronic identity and signatures ensure proper authorization and accountability for record content. Where regulated activities involve planning and decision-making by knowledge workers, adaptive case management technology can help apply rules and track compliance.
Outsourcing regulated activities such as accounting, purchasing, human resource management, and information technology development or operations reduces an enterprise's burden and provides greater assurance that appropriate expertise is applied to the implementation of regulations and related changes. Of course, outsourcing still requires oversight and performance measurement at the interfaces.
Aspects of regulatory compliance are discussed in Chapters 5, 9, 10, and 11.
URL: https://www.sciencedirect.com/science/article/pii/B9780128051603000016
Business Rules
Fred A. Cummins, in Building the Agile Enterprise, 2009
Regulations
Government regulations are effectively rules that define the bounds of legal behavior. Most regulations are expressed in a natural language (e.g., English), a form that requires some interpretation. In some cases regulations are intentionally vague to accommodate special interests or political pressures, or to allow for a range of circumstances.
Regulations must be interpreted in the context of a particular enterprise, and the approach to application of the regulation may reflect consideration of the risks of violation, such as the likelihood of accidents, oversights, or mistakes, as well as the potential consequences to the enterprise and individual employees.
Some regulations are quite abstract, expressing an objective rather than a clear restriction on operations. The Sarbanes-Oxley Act, for example, requires accountability and control. Executives must ensure accurate corporate reporting. This requires measures such as separation of duties, disclosure of conflicts of interest, restrictions on spending authority, and independent review of operations. These measures are pervasive and must be addressed in the design of enterprise processes.
On the other hand, some regulations can be very specific. Tariffs, for example, define the rates to be charged for specific types of service. Taxes are usually very specific as well. Similarly, hazardous materials regulations can be very specific about precautions and prohibitions regarding use, storage, and transportation. It may be relatively straightforward to implement such regulations. But some regulations, such as the Corporate Average Fuel Economy (CAFE) regulations, are very specific yet cannot be controlled directly, since the target average depends on production schedules that are driven by market demand.
Most regulations are not published in a form that can be used directly by automated systems. There must be some transformation by humans to codify the required intent and identify where, if possible, the controls can be implemented in business processes or computations.
In the future, regulations may be codified so that they can be interpreted and analyzed by computers. The Semantics of Business Vocabulary and Rules (SBVR) specification from the Object Management Group provides a formal way to capture and express rules in a natural-language-like form. In fact, this facility enables the same rules to be expressed in alternative natural languages. The rules are represented in a computer model that can be used to analyze the rules for inconsistencies. The formal structure of the rules helps remove ambiguities. Eventually, it may be possible to use such rules to analyze business processes for potential risks and violations.
URL: https://www.sciencedirect.com/science/article/pii/B9780123744456000042
Why Business Modeling?
David K. Bridgeland, Ron Zahavi, in Business Modeling, 2009
Compliance Management
Businesses must comply with law, government regulations, and other guidance. They must comply with the terms of contractual agreements with their lenders, suppliers, and customers. Corporate employees must comply with corporate policies. Compliance often impacts financial results. Sometimes the impact is larger than money; noncompliance can lead to jail.
Businesses need to manage their compliance. They need to check it, to ensure that they are adhering to regulations and policies. If the business is not compliant, it needs to understand how far from compliance it is. It needs to design processes to ensure compliance. And when regulations change, it needs to understand the impact of the new regulations on its business.
Business models help with compliance management. An organization can model a new business process that complies with a new law. The existing process can be compared to determine the differences and what must be done to achieve compliance. A project plan can then be created to close the compliance gap.
The new process can also be used in compliance training. By including the new process in the training, all employees will understand the desired state in the same way. Employees can learn what they must do to ensure company compliance.
URL: https://www.sciencedirect.com/science/article/pii/B978012374151600001X
Why Is PCI Here?
Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (Second Edition), 2010
What Is PCI and Who Must Comply?
First, "PCI" is not a government regulation or a law.1 As you know, when people say "PCI," they are actually referring to the PCI DSS, at the time of this writing version 1.2.1. However, to make things easy, we will continue to use the term PCI to identify the payment industry standard for card data security.
Unlike many other regulations, PCI DSS has a very simple and direct answer to the question "who must comply?" Despite its apparent simplicity, a lot of people have attempted to misunderstand it, which leads the authors to believe that most of those people had their own agenda. This always reminds us of a quote from Upton Sinclair, a noted American novelist, who said "It is difficult to get a man to understand something when his job depends on not understanding it" [1]. So, PCI's answer to "who must comply?" is: any organization that accepts payment cards or stores, processes, or transmits credit or debit card data must comply with the PCI DSS.
Note
PCI applies if your organization accepts, processes, stores, and/or transmits credit or debit card data.
It is very easy to understand the motivations for such broad applicability. It is clearly pointless to protect the card data only in a few select places; protection needs to happen wherever and whenever the card data is present. This is where a thought might cross your mind as to why the data is present in so many places. A recent MasterCard presentation at a payment security conference presented a curious statistic: there are more than 200,000 locations where payment card data is stored in large amounts. Please hold that thought, as it is a very important one to keep while reading this book. Without jumping too far ahead in our story, we'd say that in many cases, adjusting your business process so that it does not touch the card data directly will save you from a lot of security and compliance (and not just PCI DSS compliance!) challenges!
In this book, we are primarily concerned with merchants and service providers. Merchants are pretty easy to identify – they are the companies that accept credit cards in exchange for goods or services. The official PCI definition of a merchant [2] states: "a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and services." For example, a retail store that sells groceries for cash or credit cards is a merchant. An e-commerce site that sells electronic books is also a merchant.
However, when it comes to service providers, things get a bit trickier. The PCI Council Glossary [3] states: "Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data and cardholder data or both. This also includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded."
A merchant can also be a service provider at the same time: "…a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers" [2]. A more esoteric situation arises if a company accepts credit cards as payment for services it provides to other merchants who also accept credit cards. In this case, such an entity is both a merchant and a service provider. For example, if you provide hosted shopping cart and processing services to merchants and accept payment cards, you would be both.
After those initial definitions, we will describe the whole payment ecosystem for the purposes of PCI DSS.
Electronic Card Payment Ecosystem
Before we go into detail on PCI compliance, we'd like to paint a quick picture of an entire payment card "ecosystem" (see Fig. 3.1).
Figure 3.1 shows all the entities in the payment card "game":
- Cardholder, a person holding a credit or debit card
- Merchant, who sells goods and services and accepts cards
- Service provider (sometimes Merchant Service Provider (MSP) or Independent Sales Organization (ISO)), who provides all or some of the payment services for the merchant
- Payment processor, which is a particular example of an MSP
- Acquiring bank, which actually connects to a card brand network for payment processing and also has a contract for payment services with a merchant
- Issuing bank, which issues payment cards to consumers (who then become "cardholders")
- Card brand, which is a particular payment "ecosystem" (called an "association network") with its own processors and acquirers, such as Visa, MasterCard, and Amex
The primary focus of PCI DSS requirements is on merchants and MSPs. This is understandable, since this is exactly where most of the data is lost to malicious hackers. Whether TJX in 2005 to 2007 (45 or 90 million cards stolen, depending on the source) or Heartland Payment Systems in 2008 to 2009 (more than 100 million cards stolen), merchants and service providers have let cards be stolen from them without incurring any of the costs themselves and without having a motivation to improve their security even to the low levels prescribed by PCI DSS. While the merchants were letting the card data "run away," the issuing banks were replacing the cards at their own cost and incurring other costs as well. Thus, PCI DSS was born to restore the balance to the system by making sure that merchants and service providers took care of protecting the card data.
Goal of PCI DSS
In light of what is mentioned above, PCI DSS is here to reduce the risk of payment card transactions by motivating merchants and service providers to protect the card data. Whether this goal is worthy, whether there are other secondary goals, or even whether this goal is being achieved by the current version of the data security standard is irrelevant. What matters is that PCI is aimed at reducing transaction risk, and it seeks to accomplish that by making merchants and service providers pay attention to many key aspects of data security, from network security to system security, application security, and security awareness and policy. What is even more important, it encourages merchants to drop the data and conduct their business in a fashion that eliminates costly and risky data storage and on-site processing, whenever possible. Reduction of fraud is expected to be a natural result of such a focus on security practices and technologies. One of the original PCI creators has also described PCI as follows: "the original intent was to design, implement, and manage a comprehensive, cost effective and reliable security effort" [4] and not a patchwork of security controls.
It is interesting to note that the "Ten Common Myths of PCI DSS" document from the PCI Council presents the six domains of PCI DSS as its goals [5]:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
While the above six domains can be seen as tactical goals while implementing PCI DSS, the strategic focus of PCI DSS is card data security, payment card risk reduction, and ultimately the reduction of fraud losses for merchants, banks, and card brands.
Overall, while motivating security improvements and reducing the risk of card fraud, PCI DSS serves an even higher goal of boosting consumer confidence in what is currently the predominant payment system – credit and debit cards. While we can debate whether cash is truly on the way out, the volume of card transactions is still increasing at an impressive 20 to 40 percent rate annually. If anything – whether malicious hackers, insiders, or any other threat – can hinder it, major implications for today's economy may follow. Thus, PCI DSS defends something even bigger than "bits and bytes" in computer systems, namely the functioning of the economy itself.
Applicability of PCI DSS
The statements about accepting card data or processing, storing, and transmitting payment card data will likely sound tiresome by the time you are finished reading our book; still, it is worthwhile to remind you that PCI DSS applies to all organizations that do just that, and there are no exceptions. Our Chapter 15, "Myths and Misconceptions of PCI DSS," covers some of the common delusions and clarifies that the above PCI applicability is indeed the reality and not the myth.
While the applicability of PCI DSS to organizations that deal with card data is certain and all the DSS requirements apply, the question of validating or proving PCI compliance is a bit different. It differs for merchants and service providers; it also differs by card brand and by transaction volume.
First, there are different levels of merchants and service providers. Tables 3.1 and 3.2 show the breakdown.
Merchant Level | Description |
---|---|
Level 1 | Any merchant that processes more than 6 million Visa or MasterCard transactions annually |
Level 1 | 2.5 million American Express Card transactions or more per year, or any merchant that has had a data incident, or any merchant that American Express otherwise deems Level 1 |
Level 1 | Merchants processing over 1 million JCB transactions annually, or compromised merchants |
Level 2 | Any merchant that processes between 1 and 6 million Visa transactions annually |
Level 2 | Any merchant with greater than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually |
Level 2 | Any merchant that processes between 50 thousand and 2.5 million American Express transactions annually |
Level 2 | Merchants processing less than 1 million JCB transactions annually |
Level 3 | Any merchant that processes between 20 thousand and 1 million Visa e-commerce transactions annually |
Level 3 | Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to 1 million total combined MasterCard and Maestro e-commerce transactions annually |
Level 3 | Any merchant that processes less than 50 thousand American Express transactions annually |
Level 4 | All other Visa and MasterCard merchants |
Level | MasterCard | Visa Inc |
---|---|---|
Level 1 | All third-party providers (TPPs); all data storage entities (DSEs) that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually | VisaNet processors or any service provider that stores, processes, or transmits over 300,000 transactions per year |
Level 2 | All DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually | Any service provider that stores, processes, or transmits less than 300,000 transactions per year |
Note
Visa Canada levels may differ. Visa Europe is also a separate organization that has different rules. Discover and JCB do not classify merchants based on transaction volume. Contact your payment brand for more information, paying attention to your location.
As we mentioned above, these levels exist for determining compliance validation, which is discussed in the next section. The levels are also sometimes used by the card brands to determine which fines to impose upon the merchant for noncompliance.
URL: https://www.sciencedirect.com/science/article/pii/B9781597494991000088
Why is PCI here?
Branden R. Williams, ... Derek Milroy, in PCI Compliance (Fourth Edition), 2015
What is PCI DSS and who must comply?
First, "PCI" is not a government regulation or a law.1 As you know, when people say "PCI," they are actually referring to the PCI DSS Version 3.0 (at the time of this writing). However, to make things easy, we will continue to use the term PCI to identify the payment industry standard for card data security, interchangeably with PCI DSS.
Unlike many other regulations, PCI DSS has a very simple and direct answer to the question "Who must comply?" Despite its apparent simplicity, many misunderstand the question to the point that they incorrectly name specific players as "in" or "out," which leads the authors to believe that many of those people have their own agenda. This always reminds us of a quote from Upton Sinclair, a noted American novelist, who said "It is difficult to get a man to understand something when his job depends on not understanding it" [1]. So, PCI's answer to "who must comply?" is: any organization that accepts payment cards or stores, processes, or transmits credit or debit card data must comply with the PCI DSS.
Note
PCI DSS applies to you if your organization accepts, processes, stores, and/or transmits member-branded card data. Member-branded card data is data from any card that is part of the Visa, MasterCard, American Express, Discover, or JCB payment schemes, including their subsidiaries or international partners. Should a new member be added to this list, their cards would also be included in the scope of PCI DSS compliance (rumors are running rampant that China UnionPay and PayPal may join). Because of so-called "check" cards, you can expect that nearly every debit card will fall into PCI DSS scope simply because it can be used as either a debit card or a member-branded credit card.
It is very easy to understand the motivations for such wide applicability. It is pointless to protect card data only in a few select places; protection needs to happen wherever and whenever said card data is physically or electronically present. You might be thinking, "why is the data present in so many places?" A recent MasterCard presentation at a payment security conference presented a curious statistic: there are more than 200,000 locations where payment card data is stored in large amounts. Visa believes that they work with over 32,000,000 acceptance locations worldwide! Each of those could potentially be storing months or years of payment card data in places where criminals can steal it. Keep those statistics in mind as you read through the book to provide context on both the macro- and microscales. Without jumping too far ahead in our story, we'd say that in many cases, adjusting your business processes so that they do not touch the card data directly will relieve you from a lot of security and compliance (and not only PCI DSS compliance!) challenges!
In this book, we are primarily concerned with merchants and service providers. Merchants are pretty easy to identify—they are the companies that accept credit cards in exchange for goods or services. The official PCI definition of a merchant [2] states: "a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services." For example, a retail store that sells groceries for cash or credit cards is a merchant. An e-commerce site that sells electronic books is also a merchant.
However, when it comes to service providers, things get a bit trickier. The PCI Council Glossary [3] defines them as: "[a] business entity that is not a payment brand [but is] directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, Intrusion Detection System (IDS) and other services as well as hosting providers and other entities. Entities such as telecommunication companies that only provide communication links without access to the application layer of the communication link are excluded." This definition is clunky and verbose. A better way to express service providers would be: any entity that can impact the security of payment card data (excluding the same companies the above definition excludes). If you have a provider that does something that can impact the security of cardholder data, they are a service provider and should be validated as compliant with PCI DSS.
Sometimes a merchant can also be a service provider at the same time: "…a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers" [2]. As an example, a merchant could stand up a business model whereby the company accepts credit cards as payment for services it provides to other merchants who also accept credit cards. In this case, such an entity is both a merchant and a service provider. For example, if you provide hosted shopping cart and processing services to merchants and accept payment cards, you would be both.
Now that we have some baseline definitions described, we will describe the whole payment ecosystem for the purposes of PCI DSS.
Electronic card payment ecosystem
Before we get into detail on PCI compliance, we'd like to paint a quick picture of an entire payment card "ecosystem" (Figure 3.1).
Figure 3.1 shows all the entities in the payment card "game":
- Cardholder, a person holding a credit or debit card.
- Merchant, who sells goods and services and accepts cards.
- Service provider (sometimes Merchant Service Provider [MSP] or Independent Sales Organization [ISO]), who provides all or some of the payment services for the merchant.
- Payment processor, which is a particular example of an MSP.
- Acquiring bank, which connects to a card brand network for payment processing and also has a contract for payment services with a merchant.
- Issuing bank, which issues payment cards to consumers (who then become "cardholders").
- Card brand (also known as a payment brand or card scheme depending on regionalization), which is a particular payment "ecosystem" (called an "association network") with its own processors and acquirers, and which for the purposes of PCI DSS includes the member brands (Visa, MasterCard, American Express, Discover, and JCB).
The primary focus of PCI DSS requirements is on merchants and service providers. This is understandable, since this is exactly where most of the data is lost to malicious hackers. Whether TJX in 2005–2007 (45 or 90 million cards stolen, depending on the source), Heartland Payment Systems in 2008–2009 (more than 100 million cards reported stolen), or Target in 2013 (more than 40 million cards), merchants and service providers have had cards stolen from them and have paid fines that go toward reissuance. Prior to some of the regulations in PCI DSS becoming mainstream, issuing banks were replacing compromised cards at their own cost and incurring other administrative and fraud costs as well. Thus, PCI DSS was born to restore the balance to the system by making sure that merchants and service providers took care of protecting the card data. The motivation for merchants to comply with PCI DSS comes in the form of fines, higher processing costs, and litigation risk.
Goal of PCI DSS
In light of what is mentioned above, PCI DSS is here to reduce the fraud risk of payment card transactions by motivating merchants and service providers to protect card data. Whether this goal is worthy, whether there are other secondary goals, or even whether this goal is being achieved by the current version of the data security standard is irrelevant. What matters to us is that PCI DSS is aimed at reducing the fraud risk of transactions. It seeks to achieve that by forcing merchants and service providers to pay attention to many key aspects of data security, including network security, system security, application security, security awareness, incident response, and policies. Even more importantly, it indirectly encourages merchants to drop cardholder data entirely and conduct their business in a manner that eliminates costly and risky data storage and on-site processing. The focus on security practices and technologies naturally begets a reduction of fraud. One of the original PCI DSS framers also described it as follows: "the original intent was to design, implement, and manage a comprehensive, cost effective and reliable security effort" [4] and not a patchwork of security controls.
Interestingly enough, the "Ten Common Myths of PCI DSS" document from the PCI Council presents the six domains of PCI DSS as its goals [5]:
1. Build and maintain a secure network,
2. Protect cardholder data,
3. Maintain a vulnerability management program,
4. Implement strong access control measures,
5. Regularly monitor and test networks,
6. Maintain an information security policy.
While the above six domains can be seen as tactical goals during a PCI DSS implementation, the strategic focus of PCI DSS is card data security, payment card risk reduction, and ultimately the reduction of fraud losses for merchants, banks, and card brands.
Overall, while motivating security improvements and reducing the risk of card fraud, PCI DSS serves an even higher goal of boosting consumer confidence in what is currently the predominant cashless payment system—plastic cards. While we can debate whether paper, plastic, and metal money is truly on the way out, the volume of cashless transactions is increasing annually, though the percentage numbers will vary depending on how you slice the research. Some countries, like Nigeria, are attempting to move to entirely cashless payment systems (see http://www.cenbank.org/cashless/ for info). If anything—whether malicious hackers, insiders, or any other threat—can hinder it, our global economy will suffer losses. Thus, PCI DSS defends something even bigger than "bits and bytes" in computer systems—it is primarily attempting to protect a major money-exchanging cog in the economic system itself.
Applicability of PCI DSS
Although the statements about accepting, processing, storing, and transmitting payment card data will probably sound tiresome by the time you are finished reading our book, remember that PCI DSS applies to all organizations that perform the above, and there are no exceptions. Our Chapter 19 covers some of the common, industry-wide delusions and clarifies that the above PCI applicability is indeed the reality and not the myth.
The question of validating or proving PCI compliance is a bit different from the statement of PCI DSS applicability to organizations that deal with card data. The type of validation and the requirements you must follow can differ for merchants and service providers, and by card brand and transaction volume.
First, there are different levels of merchants and service providers. Tables 3.1 and 3.2 show the breakdown.
Merchant Level | Description |
---|---|
Level 1 | Any merchant that has suffered a hack or an attack that resulted in an account data compromise (can vary based on payment brand), or any merchant deemed Level 1 by any payment brand |
| Any merchant that processes more than 6 million Visa, MasterCard, or Discover transactions annually |
| 2.5 million American Express Card transactions or more per year, or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1 |
| Merchants processing over 1 million JCB transactions annually, or compromised merchants (as RECOMMENDED); however, JCB doesn't have firm levels anymore. This is an approximation of level based on requirements from other payment brands |
Level 2 | Any merchant that processes between 1 and 6 million Visa or Discover transactions annually |
| Any merchant with greater than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually |
| Any merchant that processes between 50,000 and 2.5 million American Express transactions annually |
| Merchants processing less than 1 million JCB transactions annually |
Level 3 | Any merchant that processes between 20,000 and 1 million Visa or Discover card-not-present (e-commerce) transactions annually |
| Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to 1 million total combined MasterCard and Maestro e-commerce transactions annually |
| Any merchant that processes less than 50,000 American Express transactions annually |
Level 4 | All other Visa, MasterCard, and Discover merchants |
Level | MasterCard | American Express | Visa Inc |
---|---|---|---|
Level 1 | All third-party providers (TPPs), all data storage entities (DSEs) that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually | 2.5 million American Express Card transactions or more per year; or any Service Provider that American Express otherwise deems a Level 1 service provider | VisaNet processors or any service provider that stores, processes, or transmits over 300,000 transactions per year |
Level 2 | Includes all DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually | 50,000–2.5 million American Express Card transactions per year | Any service provider that stores, processes, or transmits less than 300,000 transactions per year |
Level 3 | | Less than 50,000 American Express Card transactions per year | |
Note
Some Visa levels may vary, and it is always up to an acquiring institution or payment brand to make adjustments to your level. For example, Visa Europe is a separate organization that has different rules, especially as it relates to compliance around their Technology Innovation Program (TIP) and Chip & Personal Identification Number (PIN) (EMV) transactions. For more specific information, contact your acquiring bank to provide level and validation guidance.
As we mentioned above, these levels exist for determining the type of compliance validation required, as discussed in the next section. The levels are also sometimes used by the payment brands to determine which fines to impose upon the merchant for noncompliance.
URL: https://www.sciencedirect.com/science/article/pii/B9780128015797000030
An executive-level business process management group
Paul Harmon , in Business Process Change (4th Edition), 2019
Manage Risk/Compliance Reporting and Documentation
Every large organization today has to comply with several government regulations that are process oriented. The best example in the United States is Sarbanes-Oxley, a law passed to ensure, among other things, that executives can demonstrate that they understand where and how financial decisions are made in their organizations. The law requires that companies document their process decision points. In a similar way, most organizations that do business in Europe need to obtain International Standards Organization (ISO) 9000 certification. This ISO certification is meant to demonstrate that the companies understand their business processes and have quality control standards in place. Organizations respond to initiatives like Sarbanes-Oxley and ISO 9000 in very different ways. Some integrate these initiatives into their overall process architecture, while others simply hire an outside consulting company to generate the required documentation for the project (see Figure 7.11).
However companies create the initial documentation for Sarbanes-Oxley, ISO 9000, or any of the other risk and compliance requirements, the documentation has to be maintained. Processes change and the documentation has to be kept up to date. This can either be a boring, tedious task, or it can be integrated with a business process architecture initiative, maintained in a repository, and become an active part of the effort that provides management with useful tools.
URL: https://www.sciencedirect.com/science/article/pii/B9780128158470000078
Regulations, Guidelines, and Standards
In The Manager's Handbook for Business Security (Second Edition), 2014
The Security Professional's Role
It is imperative that the first obligation of the security executive is to understand completely the elements of compliance and the means to cost-effectively demonstrate conformance with applicable regulations.
Developing a Regulatory Compliance Strategy
Based on a review of several security-related government regulations, there are multiple elements involved in conformance to their respective requirements. While you may want to track your organization's compliance with the specifics of those regulations that apply to your operations, you may find the chart in Figure 7.1 to be useful in preparing management for the common elements found in most regulatory compliance exercises.
Preparing for Regulation
Regulations and standards do not arrive overnight. They often take years to discuss, refine, and gain support from key constituencies. Security professionals and their corporations can play a role in the creation and modification of any legislation or regulations that may affect their business. It's simply a matter of knowing how to do it and recognizing when the window of opportunity is opened.
Legislation
A bill receives its most intense scrutiny when in committee. Committees request multiple reports on differing views for all proposed legislation, and they are also authorized to hold hearings that incorporate testimony from qualified experts on the subject in question. In the legislative process, there are a few ways to ensure that your voice is heard when it matters:
Make Contact
It's important to make your views known to your senators and representatives if or when you become aware of proposed legislation that may impact your organization's security operations. You can reach members of Congress by phone, mail, or e-mail. Complete directories are available at www.house.gov and www.senate.gov. When contacting a member of Congress, keep your comments clear and concise. If appropriate, request an in-person meeting with the congressperson, or offer yourself as an on-call resource.
Build Relationships
If you're in a heavily regulated industry, it will be particularly useful for your organization to build ongoing relationships with legislators. There's no reason to wait until a significant bill comes along. Actually, if your legislators already know your organization, they may be more inclined to give weight to your concerns when it actually counts. Advance notice of legislative hearings is sometimes sent to relevant individuals and organizations, so it's a good idea to do what you can to get yourself on that list. Introduce your concern early in the relationship. Some organizations even invite legislators for facility tours to build a more lasting impression.
Get Active in Industry and Security Organizations
Industry associations can amplify your voice by joining it with the voices of others. They also have their own resources dedicated to monitoring legislative and regulatory proposals, as well as their own government-relations teams with existing legislator relationships. Speaking through an association also allows your organization to work against sometimes publicly popular legislation without suffering a PR hit for doing so.
Regulation
When a government entity has created a draft regulation, it is required to allot at least 30 days for public comment. Typically, agencies allow 90 days of public comment on proposals. The web site www.regulations.gov provides an up-to-date list of all proposals that are up for public comment and that is searchable by agency and keyword.
Make Your Own Comments
Generally, you may submit comments on behalf of yourself or your organization through www.regulations.gov or by mail. (Be sure to provide three copies of comments and reference the appropriate docket number in your notice.)
Comment Through an Industry Organization
As noted above, associations provide a unique opportunity to approach an issue with a loud and unified voice. Regulatory agencies carefully evaluate all public comments and execute revisions before drafting final regulations for approval.
Voluntary Guidelines
As in legislative development, it is important to approach government agencies and industry organizations with your input on proposed voluntary guidelines. This means maintaining strong relationships and being active in your association's meetings and committees where appropriate. Voluntary guidelines or industry standards are the most frequent starting point for new regulations.
If you decide to take any of the above actions, you will find success only if you act as a knowledgeable representative of your enterprise, having coordinated with all relevant corporate entities and keeping the best interest of the business in mind.
Standards
Standards are grounded on juried industry best practices that set measurable targets for those who choose to comply. Just as regulations have an independent review of compliance, so too do standards, and there is usually a certification process upon successful conformance review. Good examples are ISO 17799, the information security standard, NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity, and Control Objectives for Information and Related Technology (COBIT). More recent examples are from ASIS International, which has transformed its guidelines program into a more formal standards effort, and the American National Standards Institute's Homeland Security Standards Panel (ANSI/HSSP).
Know When to Act
Unfortunately, it doesn't help to know how you can impact new rules if you are unaware of them. You can't change anything if you don't know what's on the docket and what it might mean to you.
While a security department can try to keep track of all security-significant legislation, the complexities of proposed rules and regulations make this a sometimes-insurmountable challenge. It takes some digging to get to the security impact of many regulations, and often that impact isn't explicitly stated. Unfortunately, it might not be recognized until the rule is put into action.
Organizations would do well to make law-watching a coordinated, enterprise effort. Most large companies already rely on their government affairs department to watch laws that affect their business, such as taxes, EPA issues, and FDA issues. Security must partner with other corporate entities, such as government affairs, legal, quality, safety, and human resources, to jointly track and understand the import of proposed rules. An enterprise view helps individual departments more clearly understand when it's important to act and when it's important not to act. Some legislation affects numerous aspects of an enterprise, some positively and some negatively. Only with a business mindset can the benefits and drawbacks be accurately measured.
Regulation Management Worksheet
Using the Responsible, Accountable, Consulted, Informed (RACI) methodology (see Table 7.1), determine which of these regulations and voluntary guidelines affect your organization, either directly or indirectly, who should be involved, to what extent, and who should carry them out. For each item, place the responsibility in the appropriate title cell as either: R=Responsible, A=Accountable, C=Consult, or I=Inform (i.e., RACI). When completed, an additional exercise of replacing the RACI letters with FTE estimates will serve as both a high-level staffing model and provide insight as to how much labor is going to be needed to support a given process or program.
Regulation or Guideline | CSO | Legal Counsel | SVP of Supply Chain | CIO | Dir. of HR | Other |
---|---|---|---|---|---|---|
Control Objectives for Information and Related Technology (COBIT). Issued by the IT Governance Institute, this guideline has been developed as a standard for good information technology (IT) security and control practices that provides a reference framework for management, users, and information systems, audit, control, and security practitioners. http://www.itgi.org/ http://www.isaca.org/ | | | | | | |
Customs-Trade Partnership Against Terrorism (C-TPAT). A voluntary government/business initiative developed to strengthen and improve the overall international supply chain and U.S. border security. http://www.cbp.gov/xp/cgov/import/commercial_enforcement/ctpat/ | | | | | | |
Executive Order 13224: Blocking Property and Prohibiting Transactions with Persons Who Commit, Threaten to Commit, or Support Terrorism. Prohibits government agencies, contractors, and financial institutions from sponsoring, supporting, or otherwise funding terrorists. Enforced by the U.S. Treasury Department's Office of Foreign Assets Control. http://www.treas.gov/offices/enforcement/ofac/sanctions/terrorism.shtml | | | | | | |
Gramm-Leach-Bliley Act (The Financial Modernization Act of 1999) (GLBA). A federal law that requires financial institutions to ensure the confidentiality and security of their customers' personal data. http://www.ftc.gov/privacy/privacyinitiatives/glbact.html | | | | | | |
Health Insurance Portability and Accountability Act of 1996 (HIPAA). Regulation that provides patients with greater access to their medical records and more control over how personally identifiable health information is used. The regulation also addresses the obligations of healthcare providers and health plans to protect health information. http://www.hhs.gov/ocr/hipaa/ | | | | | | |
ISO 17799. A code of practice for information security management developed by the International Organization for Standardization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. http://www.iso.org/iso/en/ISOOnline.frontpage http://en.wikipedia.org/wiki/ISO/IEC_17799 | | | | | | |
ISO 27001. Published by the International Organization for Standardization (ISO) on October 15, 2005, this standard establishes best practice for an information security management system and complements ISO 17799. The two standards are related but perform distinctive roles. http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref976.html | | | | | | |
Maritime Transportation Act (MARSEC or MTSAct). Regulations for U.S. port facilities and vessels requiring the development of security plans and implementation of security measures and procedures. http://www.uscg.mil/hq/g-m/mp/mtso.shtml | | | | | | |
National Strategy for Physical Protection of Critical Infrastructures and Key Assets. Voluntary guidelines to protect physical infrastructures from terrorist attacks. Like its counterpart cyberspace strategy (see immediately below), it emphasizes public/private partnership as the way to protect critical infrastructures. http://www.whitehouse.gov/pcipb/physical.html | | | | | | |
National Strategy to Secure Cyberspace. Voluntary guidelines make official long-established best practices for protecting information security. http://www.whitehouse.gov/pcipb/ | | | | | | |
Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley). The federal Sarbanes-Oxley Act was created to protect investors by improving the accuracy and reliability of corporate disclosures. The Act covers issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility, and enhanced financial disclosure. http://en.wikipedia.org/wiki/Sarbanes_Oxley | | | | | | |
Public Health Security and Bioterrorism Preparedness and Response Act (PHSBPR). Establishes national, state, and local preparedness and response strategies and procedures to protect U.S. food, water, and drug supplies. http://www.fda.gov/oc/bioterrorism/bioact.html | | | | | | |
Trade Act of 2002—Advance Electronic Information. Requires advance transmission of electronic cargo information to U.S. Customs and Border Protection regarding arriving and departing cargo. This consolidates the implementation strategy of the 24 hour rule and the implementation strategy of the Trade Act. http://www.cbp.gov/xp/cgov/import/communications_to_industry/advance_info/ | | | | | | |
U.S. Customs Container Security Initiative. Places U.S. Customs officers at major foreign ports to prevent terrorists from accessing container ships. The incentive for foreign ports: In case of a terrorist attack involving cargo, program participants would be less likely to be shut down. http://www.cbp.gov/xp/cgov/border_security/international_activities/csi/ | | | | | | |
U.S. Dept. of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) HAZMAT Regulations. Federal Hazardous Materials Regulations set forth transportation and packaging regulations for all modes of moving hazardous materials. http://hazmat.dot.gov/regs/rules.htm http://www.access.gpo.gov/nara/cfr/waisidx_04/49cfrv2_04.html | | | | | | |
U.S. Environmental Protection Agency's Water Infrastructure Security. Affects community water systems. Organizations must certify and submit vulnerability assessments and emergency response plans. Provisions could one day be applied to factories that discharge into public water sources. Part of the U.S. Bioterrorism Act of 2002. http://cfpub.epa.gov/safewater/watersecurity/bioterrorism.cfm | | | | | | |
Use this table to determine how regulations and voluntary guidelines affect your organization, either directly or indirectly, who should be involved, to what extent, and who should carry them out.
If your company chooses to ignore any of these or the myriad of other regulations or voluntary guidelines, you'd better have a good reason why.
Components of a Cost of Security Compliance Model
In the federal government's rule-making process, there are a number of milestones to enable impact assessment on your organization. Trade associations will be engaged early on, and typically, your legislative liaison or general counsel office will be tracking legislation or regulations of consequence to the company. In the final stages of rollout of a piece of legislation in the Federal Register, you will be able to identify the components of work required by the proposed regulation. Table 7.2 provides a template for consideration as you assess the potential cost of compliance impact.
Cost Component | Unit Cost | Ext. Cost |
---|---|---|
Direct Costs (Assumes that the company using the model has an efficient time tracking system in place and the items under the proprietary staff time logged to compliance activities are defined in that organization.) | | |
Billable time directly applied to compliance administration (Divide annual salary by 2080 hours and multiply by 38% for hourly rate). Proprietary staff time logged to compliance activities. | | |
Capital Expenses to Meet Required Security Standards. Determine local capital expense depreciation rates for one-year cost. See following equipment list for selected items: | | |
Estimated Loss of Productivity Due to Compliance Activities. Redirected labor by specific persons, project delays, lost sales, etc. | | |
Indirect Costs. Confirm with CPO/Legal if allocatable to impact: | | |
Offset to Costs. Recovery from increased cost to consumers, one-time assessments, or other recovery processes. | | |
Use this table as a template for consideration as you assess the potential cost of compliance impact.
Prospectively tracking the progress of security-related regulations and then estimating their financial and productivity impacts is an excellent way to work collaboratively with counsel and others in senior management. You are also demonstrating the blending of your professional knowledge with the financial objectives of the company.
URL: https://www.sciencedirect.com/science/article/pii/B9780128000625000075
Regulation, Economic Theory of
D.E.M. Sappington , in International Encyclopedia of the Social & Behavioral Sciences, 2001
5 Competing for Regulatory Benefits
The preceding discussion illustrates some of the ways in which government regulation of producers can be designed to benefit consumers. It is important to note, however, that regulation need not only serve this role in practice. Since regulators typically have the power to deliver benefits to some parties and impose costs on others, the affected parties will have an incentive to try to secure favorable treatment from regulators. When industry producers are better organized and have more at stake than industry consumers, regulation that benefits producers at the expense of consumers can arise (Stigler 1971, Peltzman 1989). For example, new competitors may be barred from an industry even though their entry and operation would be in the best interest of consumers. These realistic possibilities merit careful consideration when evaluating the benefits and costs of existing and proposed regulations.
URL: https://www.sciencedirect.com/science/article/pii/B0080430767023007
Source: https://www.sciencedirect.com/topics/computer-science/government-regulation