Case 6 - Top Secret

Symptoms

The use of credit cards has been a convenient way to avail of goods and services, as it gives consumers the security of cashless transactions. As more and more people use this alternative payment method, fraud has become a sophisticated business for criminals seeking to steal customers' financial information. The system has become both desirable and vulnerable to hackers, who have grown increasingly canny and crafty at accessing data without authorization. As part of Visa's preventive measures, the company established a data center called Operations Center East (OCE), at an undisclosed location, that can respond immediately to potential hacks and risks, among other things. With the increasing volume of purchases made through Visa, the potential for network capacity issues in handling big data has also been a concern for the company.
Problem Statement: What changes and enhancements to the current management control systems can be recommended in order to achieve the goal of ensuring data protection for Visa's consumers?
Analysis
Appendix 1 shows how Visa uses different types of control in order to provide reliable and trusted services to its customers. The firm has been overly cautious, setting up several measures deemed necessary in order to protect not only the company but, more importantly, Visa's most precious asset: its customers' financial information. More importance is given to feedforward control, as this approach anticipates potential problems and provides for action even before any security breach occurs.
The organizational fraud triangle also stresses the importance of the link among culture, leadership and management controls in preventing security risks. Even if the best system is in place, leadership style and workplace culture, influenced by employee attitudes and behaviors, could favorably or adversely affect the performance of the company. If too much pressure is applied to targets, if Rick Knight and other members of top management are unable to act quickly amid a crisis, and if individual goals are not aligned with the company's, the control system will not be as effective and a data breach will be more likely to happen. With this, one of the biggest threats the company may face is the danger from within: from its employees and the other stakeholders involved in the transaction cycle shown in Appendix 2. The data center fortress will not be enough to protect customers' information without additional measures that control and monitor stakeholder involvement along the process.
Alternatives
In order to ensure data protection of Visa's customers, the following alternatives are recommended for the company to implement. A more extensive discussion of the pros and cons is shown in Appendix 3.
1) Raise awareness of employees and other stakeholders through best practices and technology updates, and monitor them frequently. Since hackers are becoming increasingly savvy, employees should be aware of and updated on the likely threats and must undergo customized training to test their knowledge and skills against such danger. This would also empower them to take the necessary actions, as well as encourage them to report unusual behavior and prohibited technologies encountered in the workplace. However, this alternative is costly and time consuming, especially in the time needed to continually study potential data breaches and consistently train stakeholders to address them.
2) Ensure a proper recruitment and selection process for employees and other stakeholders. Criminal background checks, checks for misrepresentations on resumes, probing interview questions and skills tests should be included when searching for and hiring employees; company credentials, financial viability and the security systems in place should be checked for potential partners. This could help weed out obviously dangerous people, but may not necessarily be an indicator of ethical behavior once hired or partnered with. Visa may also lose potential gains from affiliates and increases in revenue because of the strict process.
3) Create Standard Operating Procedures (SOPs) for employees to abide by. This detailed document will serve as the employee bible or handbook, with all the policies and procedures for ensuring employees behave and act in the best interest of the company. However, the SOPs may be good only as a written document and may not guarantee awareness or prevent staff from taking harmful actions.
4) Role modeling through management by walking around. Top managers should lead by example in ensuring safe and secure systems are in place, in order for employees to follow. With management being hands-on with the operations of the firm as well as with the employees, subordinates would feel that their work contribution to the company is important. Conversely, each employee may perceive this leadership style differently, and some may look at it as micromanaging or an invasion of personal space.
5) Establish challenging but attainable goals and standards. Key success factors (KSFs) such as reporting of dangers and resolution of incidents should be put in place in order to have an objective measurement of the performance of an individual or team. These KSFs will be tied to the compensation package of the employees and will therefore lead to motivation. As a disadvantage, employees may be prone not to report potential threats in order to hit their KSFs if the chosen measures are not congruent with the company's objectives.
6) Pairing of devices with the location settings of the users making purchases. In line with contemporary issues such as concerns about purchases made online, cardholders are more secure and will experience convenience in transacting online. As more people use this channel to buy, Visa will experience increased revenue. However, some people may find it annoying because additional steps will be embedded in the system in order to ensure safe purchases online.
7) Backup data pods within OCE and other data centers. By investing in additional network capacity, Visa will ensure 24/7 availability and seamless processing of transactions. Establishing additional data pods or allotting capacity from other data centers will be expensive for the company, which will therefore need to study current efficiency and utilization prior to undertaking this investment.
Decision/Recommendation
The main criteria used by the group in coming up with the final decision are: 1) effectiveness in reducing data breaches, 2) use of resources, 3) ease of implementation, and 4) acceptance by stakeholders. The computation used in selecting the best alternative(s) is shown in Appendix 4. Based on the results, Visa should implement all alternatives except the establishment of SOPs and backup data pods within OCE and other Visa data centers. Together, these approaches will ensure additional data protection for consumers, so that they can fully trust the company to provide secure and seamless processing of their transactions. IMPLEMENTATION PLAN TO FOLLOW.
Appendix 1. Examples of Visa's security measures under each type of control

Feedforward Controls
- OCE location unknown to people
- Hydraulic posts setup and road layout with a vicious hair-pin turn to stop a fast vehicle from going 50 miles per hour
- 8-acre facility designed like a castle moat for protection
- Concrete walls designed to withstand an earthquake with magnitude of 7.0 and hurricane winds of up to 270 kilometers per hour; ceilings can support 10 meters of snow
- 14 diesel generators (enough to run electricity for 25,000 homes) as backup in case of power interruption
- 5.6 million liters of water to cool thousands of servers

Concurrent Controls
- Hundreds of security cameras
- Team of former military personnel
- Rigorous process requirement for visitors prior to entry, such as photo and fingerprint on badge, which can easily be traced within the premises
- 3 security experts watching over everything behind the main center

Appendix 2. Transaction process flow

Definition of parties involved other than Visa:

1. Cardholder: account holder, consumer or business using Visa to make payments
2. Merchant: retailer that accepts Visa for payments from consumers
3. Acquirer: the merchant's bank; financial institution that enables the merchant to accept Visa payments from consumers
4. Issuer: the account holder's bank; financial institution that issues Visa cards to consumers to use for availing of goods and services; acts as a lender to the consumer, initially funding purchases to complete the transaction

Transaction cycle:
The consumer purchases goods and services using their Visa account. The merchant processes the transaction and submits it to the acquirer for reimbursement. The issuer then reimburses the acquirer, less the interchange fee. The acquirer pays the merchant, less a service charge deduction. The issuer charges the consumer the retail price, which appears on the statement of account. Along the transaction process, Visa ensures the transmitted information is safe and seamless through its authorization system, which checks security features and sends approval to the acquirer and issuer.
Appendix 3. Pros and Cons of the Alternatives

Alternative: Raise awareness through best practices and technology updates, and monitor employees frequently
Pros:
- Increased awareness and training
- Encourages employees to report unusual behavior and prohibited technologies
Cons:
- Costly
- Time consuming

Alternative: Ensure proper recruitment and selection process for employees and other stakeholders
Pros:
- Weeds out obvious / dangerous people and partners
Cons:
- Employees: not an indicator of ethical behavior on the job
- Stakeholders: lose opportunities to gain more affiliates and revenue

Alternative: Create Standard Operating Procedures (SOPs) for employees to abide by
Pros:
- Detailed and documented
Cons:
- On paper only
- Does not guarantee awareness or prevent staff from taking harmful actions

Alternative: Management By Walking Around (MBWA) role modeling
Pros:
- Lead by example
- Employees would feel what they're doing is important
Cons:
- Each employee may have different views on this type of leadership style

Alternative: Establish challenging but attainable standards and goals
Pros:
- Objective measurement of performance of an individual or team
- KSFs tied to compensation package may lead to motivation
Cons:
- Employees prone not to report potential threats in order to hit KSF targets

Alternative: Pairing of devices with location settings of users used to purchase
Pros:
- User security
- Convenience of purchasing
- This additional secured channel may lead to increased revenue
Cons:
- Annoying to some consumers
- Additional steps for consumers

Alternative: Backup data pods within OCE and other Visa data centers
Pros:
- Ensures 24/7 availability of network capacity
- Seamless processing of transactions
Cons:
- Costly

Appendix 4. Selection among Alternatives

On a scale of 1 to 10, each criterion was scored on how positive (10) or negative (1) the implications are of choosing the approach. Weights of 10, 5, 7, and 8 were assigned to decision criteria 1, 2, 3, and 4, respectively. A score of 80% and above reflected the group's opinion that the effect is fairly positive, 50 to 70% is relatively neutral, and 10 to 4% is negative. Scoring is not absolute but rather comparative, relative to the other alternatives' perceived degree of effect. The minimum score for accepting an alternative is 80%, as this is the threshold for a positive effect.
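The weighted scoring just described, worked through as an added example (not part of the case write-up): the criterion weights are the group's, but the per-alternative scores are constructed here because the page does not list them, and the unassigned 70 to 80% range is treated as neutral by assumption.

```python
# Added example (not from the case write-up): the weighted decision matrix
# described in Appendix 4, carried through on constructed sample scores.
# Criterion weights are the group's (10, 5, 7, 8 for criteria 1 to 4); the
# per-alternative scores are made up here because the page does not list them.

WEIGHTS = {"effectiveness": 10, "resources": 5, "ease": 7, "acceptance": 8}
MAX_POINTS = 10 * sum(WEIGHTS.values())  # every criterion scored 10 -> 300
ACCEPT_THRESHOLD = 80.0                  # percent; the group's cut-off

# Constructed 1-10 scores (10 = most positive). Illustrative only.
SAMPLE_SCORES = {
    "Raise awareness":         {"effectiveness": 9, "resources": 6, "ease": 8, "acceptance": 9},
    "Recruitment screening":   {"effectiveness": 9, "resources": 7, "ease": 8, "acceptance": 8},
    "SOPs":                    {"effectiveness": 5, "resources": 8, "ease": 9, "acceptance": 6},
    "MBWA role modeling":      {"effectiveness": 8, "resources": 9, "ease": 9, "acceptance": 8},
    "KSF targets":             {"effectiveness": 8, "resources": 8, "ease": 8, "acceptance": 8},
    "Device/location pairing": {"effectiveness": 9, "resources": 7, "ease": 8, "acceptance": 8},
    "Backup data pods":        {"effectiveness": 7, "resources": 3, "ease": 5, "acceptance": 7},
}

def weighted_percent(scores):
    """Weighted total as a percentage of MAX_POINTS; rejects malformed input."""
    if set(scores) != set(WEIGHTS):
        raise ValueError("scores must cover exactly the four criteria")
    if any(not 1 <= v <= 10 for v in scores.values()):
        raise ValueError("each score must be on the 1-10 scale")
    return 100.0 * sum(WEIGHTS[c] * scores[c] for c in WEIGHTS) / MAX_POINTS

def band(pct):
    """Group's bands: 80%+ positive, 50-70% neutral, below that negative.
    The page leaves 70-80% unassigned; treated as neutral here (assumption)."""
    if pct >= ACCEPT_THRESHOLD:
        return "positive"
    if pct >= 50.0:
        return "neutral"
    return "negative"

def evaluate(all_scores):
    """Return [(name, percent, band, accepted)] sorted from best to worst."""
    rows = []
    for name, scores in all_scores.items():
        pct = round(weighted_percent(scores), 1)
        rows.append((name, pct, band(pct), pct >= ACCEPT_THRESHOLD))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def accepted(all_scores):
    """Names of the alternatives that clear the acceptance threshold."""
    return [name for name, _, _, ok in evaluate(all_scores) if ok]
```

With these constructed scores, SOPs (67.0%) and backup data pods (58.7%) fall below the 80% threshold while the other five clear it, matching the recommendation above.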