Our next set of input controls are those that may be applied when we have access to master data during the input process. The availability of such data can greatly enhance the control, and the efficiencies, that can be gained in the data entry process. For example, let’s say that we are entering orders from our customers. If we have available to us data entry programs such as those depicted in Figure 9.3, we can check to see if the customer number is in the range of valid numbers (i.e., a limit check) or has been entered without error (e.g., check digit verification). But these edits determine only that the customer number might be correct or incorrect. If we have available the actual customer master data, we can use the customer number to call up the stored customer master data and determine if the customer number has been entered correctly, if the customer exists, the customer’s correct address, and so forth.
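The following sketch, an added example that is not part of the original text, layers the three checks described above so that a number can pass the programmed edits and still be rejected by the master data lookup. The valid range, the choice of the Luhn mod-10 scheme for the check digit, and the customer records are all assumptions constructed for illustration.

```python
# Added example: layered edits on a customer number at order entry.
# VALID_RANGE, the Luhn scheme and the master records are assumptions.

VALID_RANGE = (100000, 899999)  # assumed range of issued customer numbers

# Constructed customer master data, keyed by customer number.
CUSTOMER_MASTER = {
    "482133": {"name": "Acme Supply", "address": "12 Mill Rd, Dayton OH"},
    "510461": {"name": "Birch & Co", "address": "9 Quay St, Portland ME"},
}


def luhn_ok(number: str) -> bool:
    """Check digit verification using the Luhn mod-10 rule (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_customer_number(entered: str) -> dict:
    """Run the programmed edits first, then confirm against master data."""
    result = {"limit_check": False, "check_digit": False,
              "on_master": False, "record": None}
    if not (entered.isascii() and entered.isdigit()):
        return result  # non-numeric input fails every edit
    result["limit_check"] = VALID_RANGE[0] <= int(entered) <= VALID_RANGE[1]
    result["check_digit"] = luhn_ok(entered)
    # The edits only show the number *might* be correct; the lookup settles it.
    if result["limit_check"] and result["check_digit"]:
        record = CUSTOMER_MASTER.get(entered)
        result["on_master"] = record is not None
        result["record"] = record  # lets the clerk confirm name and address
    return result


if __name__ == "__main__":
    for entered in ("482133", "482313", "123455", "950008"):
        print(entered, validate_customer_number(entered))
```

The number 123455 is the instructive case: it falls inside the range and carries a valid check digit, yet no such customer exists, which only the master data lookup reveals.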
While access to master data may facilitate and control the data entry process, access to master data needs to be controlled. For example, when we allow customers or other users to communicate with us over the Web, we need to be extra cautious in protecting access to stored data. Technology Excerpt 9.1 provides some control guidelines to protect against unauthorized Internet-enabled access to stored data.
The next section describes some additional controls that become available when the master data is available during data entry.
Technology Excerpt 9.1
Protecting Against Credit Card Fraud
Many people are reluctant to give their credit card number over the Web because they are afraid of credit card fraud. In one sense this fear is justified, because credit card fraud is estimated to be 12 times higher for online purchases than for offline merchants, according to a recent survey by the Gartner Group. However, in either case, the holder of the card is not responsible for the fraud. In the case of face-to-face transactions, the credit card companies usually absorb the bill, but online merchants are held responsible when stolen credit card numbers are used.
Visa is beginning to require its merchants to employ a series of online controls in order to better guard its cardholders’ information. Merchants, gateways, and Internet service providers will be required to comply with Visa’s broad online security program, or face fines, sales restrictions or loss of membership. The program, summarized in the list below, is taken from Visa’s Web site.
Top Ten List
At the most basic level, the program consists of a “Top Ten” list of requirements plus several “best practices” for protecting Visa cardholder information. The Top Ten requirements include the following:
In addition, Visa recommends the following three “best practices”:
These top-level principles apply to all entities participating in the Visa payment system that process or store cardholder information and have access to it through the Internet or mail-order/telephone-order.