In May 2007, Visa USA published its Visa Business Review, Issue #070508. In this publication, Visa USA announced a program that mandates acquiring banks to have a plan to address risk within their level 4 merchant population. The plan for addressing risk within this group was to be submitted to Visa USA by July 31, 2007.
According to the VBR, this plan had to address risk within the group and also include a compliance strategy with steps for 1) eliminating prohibited data, 2) protecting stored data and 3) securing the environment according to the PCI DSS. While seemingly straightforward, analyzing risk within a merchant portfolio is a difficult task.
Understanding risk and how it applies to a merchant portfolio is critical to minimizing exposure to data compromises and to enabling effective, efficient management of groups of merchants. While the term ‘risk’ is used frequently within the payments industry, and especially when referring to information security, it is often used erroneously. In very simple terms, risk can be expressed as the likelihood of an event occurring and the resulting impact should the event be realized.
Consider the following example. There is a possibility that a meteorite will crash into a house, which would likely result in the total destruction of the house. While the impact would be absolute, the likelihood of the event occurring is infinitesimally small. Contrast that with the probability that a fire could start in a house. While the likelihood of the house being completely destroyed is less than if it were hit by a meteorite (we hope), the probability of the event occurring is much greater. This is why people have fire insurance on their homes and not meteorite insurance.
A basic method of quantifying risk in information security is to multiply the likelihood of an event occurring in a given year (expressed as a probability) by the expected impact should the event be realized. (The impact can be expressed ordinally, monetarily or in numerous other ways.) The calculation can be expressed as:
(Probability of Event A in a year) × ($ Impact of Event A) = Annualized Loss Expectancy (ALE)
If there is a 5% probability that an event will occur in a given year and the estimated damage will be $1,000, then the Annualized Loss Expectancy will be $50 per year. Understanding the previous concept is critical as it allows for the evaluation of risk as it applies to acquirers’ merchant portfolios.
Every acquirer has a unique mix of merchants within their portfolio and therefore has a unique risk profile. Each of the merchants within the portfolio represents varying degrees of risk to the acquirer.
From an acquirer's perspective, the risk to which they are exposed by their merchants can be defined as the likelihood of being affected by a merchant's data compromise. Note that the risk is not simply that a merchant will be compromised; rather, it is the likelihood of being affected (fines, fees, penalties) combined with the impact of the event, which is the cost associated with it.
There are some very significant challenges with identifying the risk of a merchant portfolio. As an example, Visa USA recently published a statistic stating that restaurants accounted for over 40% of the compromises detected within the past year. Logically, a reader would assume that the likelihood of a restaurant being compromised is much higher than for any other type of merchant. This assumption would, however, be incorrect and dangerous. When evaluating the likelihood of a compromise, it is imperative that other factors be considered. According to the National Restaurant Association, there are nearly 1 million restaurants in the United States. In contrast, there are only about 1,400 four-year colleges in the United States. If a given portfolio contained a single restaurant and a single university, the likelihood that the university would be identified as compromised would be 8 times as great. Extrapolating this data, that single university would be compromised 8 times for every time the restaurant was compromised. The only reason restaurants account for 40% of the compromises over the last 12 months is the unequal distribution of restaurants relative to universities within the US.
While there are some challenges with identifying the probability of a compromise in a merchant portfolio, there are also challenges in identifying the potential impact of a data compromise. Using the same example as above, while the university will be compromised more frequently, the restaurant will likely expose more data and will have a greater probability of exposing magnetic stripe data. This will result in a greater impact for each merchant exposed. As detailed in the first section, risk is expressed as the likelihood of an event occurring and the impact should it occur. While the likelihood of a single restaurant being compromised is 12.5% of that of a university, the impact when a compromise does occur is so great that the restaurant actually presents a greater risk.
Currently there are several vendors that offer risk analysis services to acquirers. A common method of evaluating the risk to which acquirers are subjected by their merchants uses forensic data compiled from data compromises. This method, which is an attempt to evaluate 'absolute risk,' is severely limited and provides grossly inaccurate data for several reasons. First, although there are currently over 1,000 data compromises on record at the major card brands, this still represents less than 0.015% of the total population of nearly 6,800,000 merchants in the US. It is impossible to have enough data from compromises to be statistically significant and develop truly accurate models. Secondly, as discussed, it is not possible to look at data in a vacuum. To do so risks interpreting data with a very weak correlation as a very strongly correlated trend. Consider the example given previously regarding the restaurants. Any acquirer that began focusing upon restaurants solely because of the raw forensic data would be at risk of focusing on a merchant or segment that may not represent the greatest risk. Finally, attempting to determine absolute risk can be dangerous, as it relies upon static findings and does not account for the changes in risk when a portfolio is modified.
A more accurate and reliable method of evaluating risk is to use 'Relative Risk'. Relative Risk is a very simple concept and is used by every reader on a daily basis. Consider the following example. If you have one garage space and two cars, then you need to determine which car to put into the garage. Imagine you have a brand new Maserati Spyder and a 1971 Pinto that has seen better days. Which car would you put in the garage? By now all readers (unless you have a particular affinity for Pintos) are choosing the Maserati. But why? This is where the fundamental difference between Relative Risk and Absolute Risk comes into play. In this scenario, knowing the absolute risk of the cars is not necessary to reduce the risk. All you need to know is that the Maserati represents a greater loss to you than the Pinto. That example was simple, but now consider the same example where you add a 1971 Hemi-Cuda Convertible into the mix. Which car now belongs in the garage? Unless you are a car buff, you may still think that leaving the Maserati out presents the greatest risk. In this case you would be wrong. The Maserati, while certainly more recognizable and likely at greater risk of theft based upon its perceived value, is in truth less than 10% of the value of the '71 Hemi-Cuda. While the 'Cuda is less likely to be stolen, if it is stolen the impact is much greater. If you were to replace the Pinto with a 1995 Lamborghini, the situation becomes even more complex. This type of scenario is not much different from a merchant portfolio. There are hundreds, or even thousands, of merchants in a portfolio, the portfolio is constantly changing, and each acquirer has only limited resources to try to reduce the risk to a manageable level.
Using a risk analysis method based upon relative risk allows an acquirer to quickly see the risk posed by a merchant or group of merchants in relation to all other merchants. This enables the acquirer to quickly determine which merchants to pursue for the greatest percentage of risk reduction. Much like the example with the cars, once the highest risk merchants are addressed, they will be replaced by other merchants that now fill the void and present the greatest risk. This is the dynamic nature of risk management and why a relative risk methodology should be considered when evaluating methods to address risk in large numbers of merchants.
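The ALE formula, the base-rate correction behind the restaurant and university comparison, and the relative ranking of a portfolio, carried through in one added Python example (this is not code from the article or from Visa's program). The segment counts, compromise counts, merchant names and impact figures are constructed for illustration and are not the article's statistics.

```python
from dataclasses import dataclass

# Constructed segment statistics for illustration (not the article's figures):
# merchants of each type in the market, and compromises seen across the industry
# in the last year. Restaurants are 40% of compromises, as in the text.
SEGMENT_POPULATION = {"restaurant": 1_000_000, "university": 1_400, "other": 5_798_600}
SEGMENT_COMPROMISES = {"restaurant": 400, "university": 5, "other": 595}

def compromise_share(segment):
    """Raw share of all compromises in a segment: the misleading 'absolute' view."""
    return SEGMENT_COMPROMISES[segment] / sum(SEGMENT_COMPROMISES.values())

def per_merchant_likelihood(segment):
    """Annual probability that ONE merchant of this segment is compromised;
    dividing by population corrects for the unequal number of merchants."""
    return SEGMENT_COMPROMISES[segment] / SEGMENT_POPULATION[segment]

def annualized_loss_expectancy(likelihood, impact):
    """ALE = probability of the event in a given year x cost should it occur."""
    return likelihood * impact

@dataclass
class Merchant:
    name: str
    segment: str
    impact: float  # estimated cost to the acquirer if this merchant is compromised

def rank_by_relative_risk(merchants):
    """Order merchants by ALE, highest first. Re-running this after the top
    merchant is addressed shows which merchant now fills the void."""
    scored = [(m.name, annualized_loss_expectancy(per_merchant_likelihood(m.segment),
                                                  m.impact)) for m in merchants]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed portfolio: the restaurant storing magnetic stripe data has a far
# larger impact than the university even though it is less likely to be hit.
PORTFOLIO = [
    Merchant("Campus Grill", "restaurant", 500_000),
    Merchant("State University", "university", 20_000),
    Merchant("Corner Diner", "restaurant", 10_000),
    Merchant("Hardware Store", "other", 50_000),
]

if __name__ == "__main__":
    print(f"restaurant share of compromises: {compromise_share('restaurant'):.0%}")
    ratio = per_merchant_likelihood("university") / per_merchant_likelihood("restaurant")
    print(f"a university is {ratio:.1f}x as likely to be compromised as a restaurant")
    for name, ale in rank_by_relative_risk(PORTFOLIO):
        print(f"{name:18s} ALE ${ale:,.2f}")
```

With these constructed figures the restaurant segment owns 40% of compromises yet a single university is roughly nine times as likely to be hit, while the high-impact restaurant still tops the ranking.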