This application relates generally to information security. More specifically, this application relates to risk assessments regarding the security of information maintained by entities on shared networks.
A concern that has always existed with various types of transaction instruments has centered around the possibilities of fraud, theft, and other types of misappropriation of information. Over time, the nature of such concerns has shifted as technology has developed to embrace new types of transactions, always attempting to anticipate the variety of ways in which information may be used improperly. In recent years, this evolution has been particularly marked with the rise of electronic transactions in which consumers may purchase goods and enter into other types of transactions over a public shared network such as the Internet.
The public nature of the Internet has presented hackers with a mechanism for intercepting information that was traditionally confined to a private network. In particular, most electronic transactions today take place by providing information identifying card instruments, such as credit, debit, stored-value, and similar cards, to a merchant over the Internet. This information may subsequently be used by the merchant over a private network to solicit authorization for the amount of the transaction, to verify that the card instrument has not been reported stolen, and the like, but the initial presentment of information may still be intercepted by a backer. In many cases, Internet merchants and gateways often set their electronic perimeters with little regard for security. Internet merchants also tend to store the electronic identities and financial information of their customers on their web sites behind these less-than-secure perimeters. Because the security perimeters are easily penetrable, the customer identities and financial information are at risk and, in fact, have sometimes been compromised by hackers, resulting in fraud.
In response to these concerns, card associations and other payment-processing organizations have recently been developing requirements for entities that are designed to maintain the security of sensitive information and thereby reduce the potential for fraud. In order for entities to accept the corresponding cards or instruments for transactions, they must adhere to the requirements that have been promulgated. While the existence of such requirements is expected to mitigate against the possibility of theft and fraud, they have also caused significant inconvenience to merchants. In particular, each payment-processing organization has tended to promulgate its requirements in isolation so that a merchant who wishes to offer multiple card services is faced with attempting to comply with a variety of different requirements. Furthermore, verifying compliance with each set of requirements can be extremely costly depending on the scope and complexity of the requirements.
There is accordingly a general need in the art for methods and systems that simplify accommodating diverse information-security requirements.