
Control Plans for Data Entry with Master Data

15 January, 2016 - 09:49

Our next set of input controls are those that may be applied when we have access to master data during the input process. The availability of such data can greatly enhance the control and efficiencies that can be gained in the data entry process. For example, let’s say that we are entering orders from our customers. If we have available to us data entry programs such as those depicted in Figure 9.3, we can check to see if the customer number is in the range of valid numbers (i.e., a limit check) or has been entered without error (e.g., check digit verification). But these edits determine only that the customer number might be correct or incorrect. If we have available the actual customer master data, we can use the customer number to call up the stored customer master data and determine if the customer number has been entered correctly, if the customer exists, the customer’s correct address, and so forth.
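The difference between the programmed edits and a master data lookup, as an added example that is not part of the original text. The valid range, the Luhn mod-10 check digit scheme, and the customer records are assumptions constructed for illustration; note that one entry passes both programmed edits and is still rejected because no such customer exists.

```python
# Added illustration. The range, check-digit scheme (Luhn mod 10) and
# customer records are constructed assumptions, not from the text.
LOW, HIGH = 100000, 999999            # assumed valid customer-number range

CUSTOMER_MASTER = {                   # constructed customer master data
    "100008": {"name": "Acme Supply", "address": "12 Mill Rd, Dayton OH"},
    "245761": {"name": "Birch & Co.", "address": "400 Lake St, Erie PA"},
}

def luhn_ok(number: str) -> bool:
    """Check digit verification: the Luhn sum of all digits must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_customer_number(raw: str):
    """Return (status, record); status names the first control that failed."""
    if not (raw.isascii() and raw.isdigit() and len(raw) == 6):
        return "rejected: format", None
    if not LOW <= int(raw) <= HIGH:   # limit check
        return "rejected: limit check", None
    if not luhn_ok(raw):              # catches most keying errors
        return "rejected: check digit", None
    record = CUSTOMER_MASTER.get(raw) # only the master data proves existence
    if record is None:
        return "rejected: not in customer master", None
    return "ok", record               # operator can confirm name and address

if __name__ == "__main__":
    # Constructed entries: valid, transposed digits, out of range,
    # well-formed but nonexistent, and non-numeric.
    for entry in ["100008", "100080", "000018", "100016", "10000A"]:
        print(entry, check_customer_number(entry))
```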

While access to master data may facilitate and control the data entry process, access to master data needs to be controlled. For example, when we allow customers or other users to communicate with us over the Web, we need to be extra cautious in protecting access to stored data. Technology Excerpt 9.1 provides some control guidelines to protect against unauthorized Internet-enabled access to stored data.
 

The next section describes some additional controls that become available when the master data is available during data entry.

Technology Excerpt 9.1

Protecting Against Credit Card Fraud

Many people are reluctant to give their credit card number over the Web because they are afraid of credit card fraud. In one sense this fear is justified, because credit card fraud is estimated to be 12 times higher for online purchases than for offline merchants, according to a recent survey by the Gartner Group. However, in either case, the holder of the card is not responsible for the fraud. In the case of face-to-face transactions, the credit card companies usually absorb the bill, but online merchants are held responsible when stolen credit card numbers are used.

Visa is beginning to require its merchants to employ a series of online controls in order to better guard its cardholders’ information. Merchants, gateways, and Internet service providers will be required to comply with Visa’s broad online security program, or face fines, sales restrictions or loss of membership. The program, summarized in the list below, is taken from Visa’s Web site.

Top Ten List

At the most basic level, the program consists of a “Top Ten” list of requirements plus several “best practices” for protecting Visa cardholder information. The Top Ten requirements include the following:

  1. Install and maintain a working network firewall to protect data accessible via the Internet.
  2. Keep security patches up to date.
  3. Encrypt stored data accessible from the Internet.
  4. Encrypt data sent across networks.
  5. Use and regularly update anti-virus software.
  6. Restrict access to data by business’ “need to know.”
  7. Assign unique IDs to each person with computer access to data.
  8. Track access to data by unique ID.
  9. Don’t use vendor-supplied defaults for system passwords and other security parameters.
  10. Regularly test security systems and processes.

In addition, Visa recommends the following three “best practices”:

  1. Screen employees with access to data to limit the “inside job.”
  2. Don’t leave papers/diskettes/computers with data unsecured.
  3. Destroy data when it’s no longer needed for business reasons.

These top level principles apply to all entities participating in the Visa payment system that process or store cardholder information and have access to it through the Internet or mail-order/telephone-order.

 
Source: Maria Trombley, “Visa Issues 10 ‘Commandments’ for Online Merchants,” Computerworld, August 11, 2000. Reprinted with permission from Visa.