The Management of Online Credit Card Data using the Payment Card Industry Data Security Standard
Clive Blackwell
Information Security Group, Royal Holloway, University of London. Egham, Surrey. TW20 0EX.
C.Blackwell@rhul.ac.uk

Abstract

Credit card fraud on the Internet is a serious and growing issue. Many criminals have hacked into merchant databases to obtain cardholder details, enabling them to conduct fake transactions or to sell the details in the digital underground economy. The card brands have set up a standard called PCI DSS to secure credit card details when they are stored online. We investigate the standard and find significant flaws, especially in its requirements on small businesses. Finally, we propose some general rules for the secure management of online data.

1 Introduction

There is a pressing need for better security of credit card transactions on the Internet as more and more people make purchases online, and we move to more secure payment mechanisms such as Chip and PIN in face-to-face transactions. In particular, the sensitive credit card details must be stored and processed securely by merchants. In general, people need to have faith that their personal information, which was difficult to compromise when it was stored on paper, will still be adequately protected when it is stored online. There are numerous issues for online storage because the large amounts of data are an inviting target for criminals and there are multiple ways of compromising it externally over a network or internally by insiders breaching the physical and procedural controls. We investigate the Payment Card Industry Data Security Standard [1] (hereafter abbreviated as PCI DSS) created by the credit card industry to protect sensitive credit card information when it is stored and processed online. This standard may suggest a way forward in the protection of other sensitive data held online such as medical records. However, it is arguable whether PCI DSS deals with the right problems in the right way, and some issues of secure online storage are inherently difficult.

The initial version 1 of PCI DSS was set up in 2004 and updated to the current 1.1 standard [2] in 2006 by the main card brands in order to protect sensitive cardholder data stored online by merchants and other card processors. It followed on from the informal program started in 1999 by Visa and formalised in 2000 into the Cardholder Information Security Program [3]. It is designed to address the problem of large amounts of credit card data stored online that may be compromised. The largest number of cards compromised so far is the TK Maxx case, where over 46 million cardholder details were stolen over a number of years [4]. The hackers used the common method of breaching insecure wireless networks from car parks outside the shops and installing malware to steal the card details. Many of the PCI DSS controls would have avoided or mitigated this attack. For example, networks must be protected from external intruders by adequate firewalls, and wireless networks must use a recent standard for protecting data such as WPA. Organisations are advised not to store card details for longer than necessary, and it is a violation of PCI DSS to store sensitive card details such as the 3-digit CVV or the complete magnetic stripe at all.

Any organisation that transmits, stores or processes credit card data must be compliant with PCI DSS. This applies to organisations of any size, and non-compliance can lead to loss of the ability to take credit cards, fines and liability for any losses from fraud. Organisational compliance must be proved with an annual assessment, whose completeness and rigour depend on the number and value of the transactions. It poses a special risk for small merchants who do not have specialist knowledge and rely on their providers. Many small businesses are not even aware of the PCI DSS standard and its mandatory requirements.

978-1-4244-2917-2/08/$25.00 ©2008 IEEE

2 The PCI DSS Requirements

The PCI DSS standard has 12 requirements within 6 groups [2]. It applies to any organisation such as merchants where credit card numbers are stored, processed or transmitted. The requirements apply to any system or component with access to the cardholder data including secondary systems and applications connected over a network as well as the primary storage and processing computers. The PCI DSS is not comprehensive and is supported by other standards to deal with card readers and payment software applications. We first give a high-level overview of the standard before appraising each requirement in turn.

There is no clear overview of PCI DSS stating its objectives precisely. Without a proper set of goals and a threat model for adversaries that can impede the requirements, the resulting controls are likely to be incomplete and inadequate. It is a document to be read, understood and acted upon by business people, but it clearly fails to meet this crucial requirement. The main goal is to protect the sensitive cardholder data and all other requirements are subordinate and support this primary goal. The best method to achieve this goal is not to store the cardholder data persistently after the end of the transaction, but it may not be possible. We assume that there is some valid business requirement for storing the cardholder data in the rest of the paper. The numerous controls proposed by the standard may interfere with efficient management of the organisation. By focussing on the primary goal of protecting sensitive cardholder data, we may discover that simpler and more trustworthy procedures can achieve the goal with less disruption to the business. We shall see that there is an inordinate focus in the standard on technical controls, whereas procedural and physical controls may be simpler and give higher assurance.

There are some requirements covered by existing regulations such as EMV [5]. Merchants are allowed to store the cardholder’s name, PAN and expiry date. They are not allowed to store the complete data on the magnetic stripe still used in many face-to-face transactions at point-of-sale (POS) terminals, or the 3-4 digit card validation code (CVC) or value (CVV) used in card-not-present (CNP) transactions on the Internet. These are used for authentication and if compromised can result in unauthorised credit card transactions.

2.1 Build and Maintain a Secure Network

Install and maintain a firewall. The first requirement is to install and maintain a firewall configuration to protect cardholder data. It suggests network controls such as perimeter and personal firewalls to protect the other computers in the organisation, as they form indirect paths of attack on the systems that hold the cardholder data. PCI DSS proposes detailed sets of controls for other organisational networks connected to the sensitive machines that are liable to give a false sense of security and possibly interfere with other business activities. Arguably, there should be no network access to stored cardholder data from other computers within the organisation as any logical protection such as provided by firewalls may be defeated. The most secure architecture isolates machines handling the sensitive data on their own secure wired network housed in secure physical areas, which only perform tasks related to managing cardholder data. For a small business, a single isolated computer may suffice for managing the cardholder data. This renders moot the compromise of the rest of the organisational network that is difficult to secure because it would be running multiple applications with many bugs and insecure features. The sensitive machines should not have a wireless adaptor, as insiders may be able to access it surreptitiously over a wireless link.

Do not use vendor-supplied defaults. The second requirement is not to use vendor-supplied defaults for system passwords and other security parameters. It also suggests using checklists such as those from NIST [6] to remove unnecessary functionality. The suggestion is valid for the systems holding cardholder data, but would be time-consuming and expensive for all the computers in the organisation. It is often unrealistic to disable every apparently unused service or protocol, as it may in fact be used in support of an important service, and make the system unusable, unstable and difficult to fix.

2.2 Protect Cardholder Data

Protect stored cardholder data. The third requirement is to protect stored cardholder data. It suggests a large number of controls on the use of the cryptographic keys that encrypt sensitive cardholder data that cannot plausibly be carried out by small businesses. More attention should be given to storing the data on physically secured machines backed up by simple cryptographic protection of the cardholder data and considering not storing it at all unless essential. Some old systems automatically store the entire card details in breach of the regulations. Some small businesses such as Lodi Beer have been fined [7], even though the systems were provided by third parties that are in a better position to ensure their own systems meet the PCI DSS regulations.

Encrypt transmission of cardholder data over networks. The fourth requirement is to encrypt transmission of cardholder data across open, public networks. Wired networks such as Ethernet should be used, as wireless is too risky given the possibility of access from outside the secure physical area.
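
The storage rules in Section 2 (name, PAN and expiry date may be kept; the full magnetic stripe and the CVC/CVV may not) and the remark above about old systems that store entire card details suggest a simple audit a merchant could run over exported records or logs. The following is an added example, not part of the paper: the track layouts follow ISO/IEC 7813, the CVV field names are assumed, and the sample lines are constructed.

```python
import re

# Track layouts follow ISO/IEC 7813; full track data must never be stored.
TRACK1 = re.compile(r"%B\d{12,19}\^[^^?]{2,26}\^\d{7}[^?]*\?")
TRACK2 = re.compile(r";\d{12,19}=\d{7}\d*\?")
# Heuristic (assumed field names): a cvv/cvc field holding 3-4 digits.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?)\b[\"':= ]{1,4}\d{3,4}\b", re.I)
# Candidate PAN: 13-19 digits, optionally grouped with spaces or hyphens.
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

PROHIBITED = "prohibited"   # may not be stored at all
REVIEW = "review"           # storable, but check it is protected and needed


def luhn_ok(digits):
    """Luhn checksum, used to discard order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line):
    """Return (severity, kind, evidence) tuples; evidence never echoes a full PAN."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(line):
            findings.append((PROHIBITED, kind, f"{len(m.group())} chars of track data"))
        line = rx.sub(" ", line)  # do not report the PAN inside a track twice
    for _ in CVV_FIELD.finditer(line):
        findings.append((PROHIBITED, "cvv", "validation code field"))
    for m in PAN.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append((REVIEW, "pan", masked))
    return findings


def scan(lines):
    """Scan an iterable of text lines; returns (line_no, severity, kind, evidence)."""
    report = []
    for n, line in enumerate(lines, 1):
        for finding in scan_line(line):
            report.append((n,) + finding)
    return report


# Constructed sample input; 4111111111111111 is a widely used test number.
SAMPLE = [
    "2008-03-01 order=1234567890123456 status=shipped",
    '{"name": "A N Other", "pan": "4111 1111 1111 1111", "exp": "12/09"}',
    '{"pan": "4111111111111111", "cvv": "123"}',
    "swipe raw=;4111111111111111=09121010000000000?",
]

if __name__ == "__main__":
    for line_no, severity, kind, evidence in scan(SAMPLE):
        print(f"line {line_no}: {severity:10} {kind:7} {evidence}")
```

A "prohibited" finding means the record should never have been written; a "review" finding is a clear-text PAN, which may be stored but should be checked against the protection and retention points made in this section.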

2.3 Maintain a Vulnerability Management Program

Use and regularly update anti-virus software. The fifth requirement is to use and regularly update anti-virus software. It fails to mention the need to detect and remove other types of malware such as spyware, which needs its own special anti-spyware tool, which can also detect software keyloggers among other things.

Develop and maintain secure systems and applications. The sixth requirement is to develop and maintain secure systems and applications. Most merchants rely on third parties for their systems so the requirement is not applicable. Trust must instead be placed in reputable suppliers, but this is problematic as merchants may be held accountable for the insecurity of their suppliers’ systems as shown in the Lodi Beer case above [7]. This section also claims that all patches should be checked before use, but this is unrealistic for many merchants. Most companies get their updates automatically using Microsoft Update [8] and other similar services, as a manual process is intractable when handling numerous machines and many organisations cannot afford separate test machines. The few machines handling the sensitive data can be treated differently with patches checked before deployment, as it is crucial they remain secure.

2.4 Implement Strong Access Control Measures

Restrict access to cardholder data by need-to-know. The seventh requirement is to restrict access to cardholder data by business need-to-know. Restricting access is the goal and should be the title of this group of controls (2.4) rather than a subsidiary requirement. The individual requirements would then be the various methods of restricting access.

Assign a unique ID to each person. The eighth requirement is to assign a unique ID to each person with computer access and use authentication such as a password, token or biometric. It does not distinguish adequately between passwords that are considered a weak method of authentication [9] and the other methods that are possibly stronger. Physical attacks can circumvent these logical controls and are once again overlooked. Passwords are easily defeated by insiders using multiple methods such as discovering passwords when they are written down, observed by shoulder surfing and installing keyloggers, and they can also be eavesdropped if they are used over a network.

Restrict physical access to cardholder data. The ninth requirement is to restrict physical access to cardholder data. It discusses access by unauthorised individuals, but fails to properly consider authorised users operating in unauthorised ways. The standard suggests using video cameras in sensitive areas, but they may not work, can be disabled by insiders, and it assumes they are carefully monitored. It treats temps and consultants as regular employees, but they may not be as loyal and trustworthy, so should have fewer rights and undergo more extensive checks. Maintenance workers such as cleaners can attach hardware keyloggers and come back the next day. We are certain to see an increasing problem of organised crime placing people with false identities in organisations as the value of credit card data is so high. Many of the proposed access controls are irrelevant against attacks by organised crime, as they do not care if they are detected. Storing backups offsite in a secure facility is required by PCI DSS, but again the employees at that location can access the backup, which may include the cardholder data. This indicates the need to encrypt or sanitise cardholder data first. The standard suggests sending media containing sensitive data by secure courier, but this is hardly acceptable and additional controls such as encryption are always necessary. Destroying media such as hard disks is not realistic for small companies and should be carried out by specialist organisations, but some of their employees may not be honest.

2.5 Regularly Monitor and Test Networks

Track and monitor access to network resources and cardholder data. The tenth requirement is to track and monitor all access to network resources and cardholder data. Auditing and logging are obviously important, but they occur after the event and the loss of cardholder data is often permanent even when detected. The checks can be avoided, especially by trusted insiders such as administrators who may avoid auditing altogether or change the logs afterwards. Employees can easily acquire passwords and steal or borrow authentication tokens to pass responsibility to an innocent victim. The fraudster may not care if they are detected after they have left, especially if they assumed a false identity. Many of the controls proposed are unrealistic for smaller companies, who do not have access to specialist security advice and the money and time to install all the controls suggested.

Regularly test security systems and processes. The eleventh requirement is to regularly test security systems and processes using vulnerability scans, penetration testing, intrusion detection systems and file monitoring tools among other things. This is a completely unrealistic requirement for many merchants such as small businesses.

2.6 Maintain an Information Security Policy

The last requirement is to maintain a policy that addresses information security. It states correctly that the policy needs to be disseminated to all employees to let them know what is expected of them. What is omitted is that many security policies are very lengthy, written in legalese and therefore never read or followed by anyone. Many policy documents also present an unrealistic idealised view of work processes. The policy needs to be stated in clear and simple terms that can be understood and is relevant for every employee. It should demonstrate a business need for each policy requirement so that the employee is less motivated to breach policy to save time. The consequences of failure for the employee should be spelt out as well as the general repercussions for the company. Some employees will only change their behaviour by effective warnings and discipline, so the policies need to be consistently enforced including on management.

The standard prohibits the transfer of cardholder data onto employees’ workstations or external media, but this is unenforceable and needs to be backed up by technical controls. This can be achieved by physical isolation of the machines with the cardholder data from employees that do not need access. Use of the machines should be limited by controlling the use of USB ports and CD/DVD recorders. Stealing thousands of cardholder details would take seconds using a USB memory stick. These controls also limit phishing attacks if the employee cannot access the requested information. It mentions background checks before people are employed, but it does not mention subsequent checks, or monitoring for suspicious or unusual behaviour. Organisations should attempt to improve motivation and encourage loyalty by good pay and an interesting working environment, which should reduce fraud.

2.7 Further requirements on outsourcers

It is common to outsource administrative tasks such as answering questions and other clerical tasks such as printing bills to external organisations. They may employ numerous temps whose backgrounds are not properly checked, and compliance may be inadequate so breaches of cardholder data could be straightforward. A crooked employee may not have access to all of a customer’s details but they may be able to piece together enough to get the complete cardholder details. For example, by phoning the customer and demonstrating they have some of their details, they can then ask the customer to prove who they are by giving the sensitive cardholder details. The liability for fraud still lies with the merchant irrespective of any contract (although they may be able to pass on any loss or fine to the third party), and they may also suffer consequential damage such as loss of reputation. Customers will leave in droves if there are persistent data breaches [10], and they are not too concerned if the ultimate responsibility is with a third party.

3 Issues for merchants using PCI DSS

We discuss the issues for merchants using PCI DSS, which is a complex and poorly understood standard. The card issuers used their economic power to design PCI DSS with a view to dumping liability onto other organisations such as merchants. This is known as moral hazard [11 pp823-4], which avoids the need for the originator of a problem to take sufficient care because third parties have to deal with the consequences. An established legal principle is that problems should be handled by the subject that is best able to deal with them [12]. For example, cardholder authentication could always be carried out by the card issuer, which avoids altogether the need for the merchant to store credit card details. The costs of PCI DSS are pushed onto the merchants, which will then be passed to their customers. Merchants will continue to accept credit cards if their customers demand to use them, which seems certain unless alternative payment methods are developed.

Insisting that all merchants meet challenging cardholder data protection requirements does not solve the problem, as many merchants will not be able to comply. Small merchants may have inordinate costs to comply with PCI DSS relative to the level of threat and the benefit of taking credit cards. Compliance with a standard makes people feel better, but it can become reduced to an exercise in ticking boxes without proper thought of the issues. The standard deals with some issues in the wrong way by proposing excessively complicated technical controls. In contrast, there is a lack of detail about organisational controls to deal with employees acting maliciously or inadvertently. It hardly considers that the most trusted staff such as management or security administrators that can cause the most damage may be crooked. Insiders account for most instances of fraud [13] and phishing and other social engineering attacks are on the rise. ‘Only amateurs attack machines: professionals target people’ (Bruce Schneier) [14].

Auditing is obviously important, but it can be bypassed by anyone with physical access to the system. It does not deter organised criminals, or a dissatisfied employee with a grudge against the company. Companies must look after their staff to ensure they are highly motivated and loyal. There is always the chance that criminals will find and exploit weaknesses in the system if they are highly motivated, so the risks are high because of the value of compromising large numbers of cards. Many activities may be outsourced for efficiency to third parties who may pay less attention to the protection of the sensitive data. These organisations must be efficient because they work on very small margins, which may allow breaches in their policies. Contracts with outsourcers do not avoid liability for fraud in their primary contract with the card issuer, and there are possible consequential issues such as loss of reputation. Trust is slowly gained, but easily lost.

4 Conclusions

We conclude by determining some general rules for the management of sensitive online information. We need stronger regulations backed up by enforceable laws for the protection of sensitive personal data. Regulations must deal with the problem of moral hazard, where the value of the privacy of personal data is not highly rated by the most powerful players such as governments and large organisations. The regulations may need to be backed up by strong enforceable legislation for organisations to take data breaches seriously. Some states in the US such as California [15] hold organisations accountable for breaches of personal data requiring them to write to customers explaining what happened and maybe having to offer compensation. Even so, it is doubtful if victims will be compensated fully for the loss of personal data, which may be intangible such as hurt feelings from the loss of medical records, or include other factors such as the time and inconvenience of recovering from identity fraud.

We propose that the minimum amount of data should be stored to meet strictly defined business requirements. There is little incentive to reduce the amount of stored information as it does not meet a business goal and costs money. On the contrary, retaining information in case it is ever needed again can help organisations be more efficient, and information used for one purpose can be subsequently used for another. The availability and malleability of information is also its weakness allowing its use for other business purposes not envisaged or agreed by the subject, or stolen and used for criminal activities. There would be an incentive to reduce the quantity and increase the protection of personal data if there was a cost for each data breach. Revenue and Customs in the UK lost 25 million personal records when they were sent through the post on 2 CDs [16]. If they were under strict liability and had to pay £100 for every record compromised, their data controls may not have been so lax.

Regulations should however be crafted to the particular need and not be excessive as they may unnecessarily increase bureaucracy and thereby reduce efficiency and profitability. For example, the passing of laws to control the activities of publicly traded companies in the US such as Sarbanes-Oxley (SOX) [11 p320-1] in the wake of the Enron and WorldCom scandals may have been excessive. It has been estimated that the cost of compliance with SOX may be as much as $1.4 trillion [17] and has led to many companies moving abroad to other financial centres such as London.

Any controls will eventually be compromised if the rewards are high enough. Many regulations such as PCI DSS focus on technical controls, which may give a false sense of security, as they can always be defeated especially by insiders. We suggest using controls at many layers and locations to provide defence-in-depth. Technical controls need to be supported by procedural and physical controls. There should be protection measures to separate sensitive systems from the rest of the organisation as well as protection from external threats. For example, the physical separation of systems that store sensitive data in secure areas without network connection to the rest of the organisation would be more secure than logical partitioning mechanisms such as firewalls.

Insiders pose the biggest risk to organisations, especially trusted insiders as they can evade the controls and cause the most damage. Problems are more likely to arise when staff are poorly motivated, which could be improved by good pay and work conditions. The trusted employees check and control the activities of the other employees, but trusted employees themselves need control, which unfortunately is likely to be easily breached. Employees are also a potential weakness if they are not trained properly. For example, phishing and other social engineering attacks are becoming more widespread as computer systems become more secure.

There should be proper background checks for employees. For example, employees of companies working airside at airports are background checked for criminal convictions and other undesirable behaviour for obvious reasons. However, not all of these checks can be completed, because some other countries do not provide criminal records for their citizens. There was the case of the Afghan national working at Heathrow who had previously been convicted of aircraft hijacking. People should only be accepted if there is sufficient information about their good character rather than the lack of negative information as the checks may be incomplete as above or abused by using a false identity.

5 References

[1] PCI Security Standards Council, “Welcome to the PCI Security Standards Council” at http://www.pcisecuritystandards.org.
[2] PCI Security Standards Council, “Payment Card Industry Data Security Standard” at http://www.pcisecuritystandards.org/security_standards.
[3] VISA, “Visa USA Cardholder Information Security Program (CISP) Overview”, at usa.visa.com/download/merchants/cisp_overview.pdf.
[4] BBC, “Q&A: TK Maxx credit card fraud”, 30 March 2007 at http://news.bbc.co.uk/1/hi/business/6509993.stm.
[5] EMV, “EMV Specifications” at www.emvco.com/specifications.cfm.
[6] NIST, “NIST checklist program” at http://csrc.nist.gov/pcig/cig.html.
[7] Wall Street Journal, “In data leaks, culprits often are mom, pop”, 22 Sept 2007.
[8] Microsoft, “Microsoft Update FAQ” at www.update.microsoft.com/microsoftupdate.
[9] Alfred J Menezes, Paul C van Oorschot and Scott A Vanstone, “Handbook of applied cryptography”, CRC Press, 1996.
[10] L Wood, “Security feed” in CSO, 20 April 2007 at www2.csoonline.com.
[11] Ross Anderson, “Security Engineering”, Wiley, 2008.
[12] RJ Mann, “Payment systems and other financial transactions (3rd ed)”, Aspen Publishers, 2006.
[13] DTI, “2008 Information Security Breaches Survey”, BERR, 2008.
[14] B Schneier, “Secrets and Lies”, Wiley, 2000.
[15] FindLaw, “California Raises the Bar on Data Security and Privacy” at http://library.findlaw.com/2003/Sep/30/133060.html.
[16] BBC, “UK's families put on fraud alert”, 20 Nov 2007.
[17] The Economist, “A price worth paying”, 19 May 2005.

Similar Documents

Premium Essay

Credit Cards

...convenience in everyday life. For example, credit cards, in particular, give consumers the ability to purchase goods or services with little effort. Simply by making a phone call or opening a laptop, a product can be bought and even shipped to the front door just by entering those little raised numbers on the front of the card; just ask my friend Emily! She ordered an enormous new 70in. flat screen TV, without even needing to go into a store. The funny thing is she doesn’t watch or own a TV. Not only did the store allow somebody to fraudulently use her credit card but it also allowed the TV to be shipped to an unauthorized location. That’s the rub! Credit cards may seem great, and they are for certain things, however, there is an obvious security threat when owning one. The temptations for overspending and the high interest rates that credit card companies add create other issues that cause potential problems for consumers as well. First of all, fraud can be a cause for concern when debating whether or not to get a credit card. It is becoming easier for criminals to acquire card numbers without ever even meeting the person they stole it from, and as technology advances, they devise new and devious ways to beat the system. For example, criminals have created ways to steal card numbers with machines that Luchsinger 2 can read a card number just by standing behind a person in line at a coffee shop. There are also reports of stolen card numbers being sold on the......

Words: 704 - Pages: 3

Premium Essay

Truth About Credit Cards

...truth about credit card reward schemes | GulfNews.com February 21 2013 | Last updated 2 minutes ago gulfnews.com Business | Your Money The bitter sweet truth about credit card reward schemes If you are the type of person who can pay off your credit card in full each month, exploit the advantages. If you are not, stay well away as nothing compares to the pain of unpaid debt By Cleofe Maceda, Senior Reporter Published: 00:00 January 21, 2012 loading Close [x] gulfnews.com/business/your-money/the-bitter-sweet-truth-about-credit-card-reward-schemes-1.968638 1/11 2/21/13 The bitter sweet truth about credit card reward schemes | GulfNews.com Image Credit: Supplied Perhaps the biggest allure of credit cards is the ability to spend without having to carry cash. But for some people, part of the appeal is the belief that frequent card use can bring a host of incredible rewards. In rewards schemes, the cardholder earns a fraction of the amount spent in the form of cash, vouchers and gifts. Free tickets to a dream destination, weekend stays at a luxury resort, dining and retail discounts are just a few of the freebies up for grabs. Because the offers often look too tempting to resist, cardholders are increasingly pursuing air miles and points to supplement their expenses. Consequently, as consumers swipe more, spending and debt levels also rise. A Federal Reserve Bank of Chicago paper published in December 2010 tackled the impact of credit card rewards......

Words: 2936 - Pages: 12

Premium Essay

Credit Card Debt

...Proposing a solution to Credit Card Debt Credit cards have become a very familiar feature to our life style that it is difficult to imagine a world functioning without them. Credit cards are the most convenient type of payments. The craze of the credit card industry has affected everyone in the world. That could be why Credit card debt is the cause of over one million bankruptcies each year. The reason is that many people get a credit card without reading the fine print before signing for them. By the time annual fees are added on, along with spending needlessly, payments are missed; your balance has already reached its maximum limit. Also in some cases a Lack of knowledge is likely due to a lack of education about personal finances. Almost all students on college campuses report that they are likely to ask their parents questions about finances. However, 30 percent also say that their parents have not discussed such issues as setting financial goals or the importance of savings with them. Students also aren't learning about money in school. Although 62 percent of students reported that they had been offered a personal finance class, only a third of those offered a class actually took it (Norvilitis p 356). Although we all like to place the blame on the credit cards and the credit card companies we need to keep in mind that the real cause of our financial mess is us. It is usually a pattern of unneeded......

Words: 779 - Pages: 4

Premium Essay

Credit Cards

...Article: Homepage (credit cards) Description: Credit Card is substitute of cash and by having best credit card one can get different benefits. As the world is advancing new technologies are introduced in the market. These technologies are made to make our life easier and simpler. These technologies are also helping in our spending life style. Like nowadays plastic money (credit card) is gaining fame because most of the people don’t want to carry huge amount of money along with them and they prefer credit cards. Credit card is used as a mode of payment which can be used as substitute cash in the trade of commodities. It is a small plastic card, generally 3(1/8) inches by 2(1/8) inches in size, with a small electronic chip given to consumers of the system. The card holds credentials information like an image or signature, and person name to charge for services, the charges for which he will be payable periodically. A credit card is not like debit cards as in debit card money is not deducted from the client’s account after each transaction. In the case of credit cards, the issuers give loan to the punter and the consumer revolves their balance at the cost of having interest charged. Today, automated teller machines (ATMs), bank and Internet computers and store readers are used to interpret the information which is present on the card and are accepted as means of payment in many restaurants, internet businesses, stores, hotels and shopping malls. These cards are issued......

Words: 566 - Pages: 3

Premium Essay

Bimb Marketing Credit Card

...BANK ISLAM BANK BERHAD CREDIT CARD A MARKETING PLAN

MOHD HALIM RIDHAUDDIN BIN ABD MANAP (2013133609), ABD RAZAK BIN AWAB (2013519593), NOOR IDAYU BINTI OTHMAN (2013191665), HAFIZAH BINTI ABD WAHAB (201339929)

MKT 750: MARKETING MANAGEMENT, GROUP EMBA12JB, PM KAMEL TAUFIQ BIN ABDUL GHANI

TABLE OF CONTENTS
1. Executive Summary
2. Company description
3. Strategic focus and plan
   * Mission
   * Goals
   * Competency and Sustainable Competitive Advantage
4. Situation Analysis
   a) SWOT analysis
      * Strengths
      * Weaknesses
      * Opportunities
      * Threats
   b) Market Summary
      * Market Trends
      * Market Growth
   c) Competitor analysis
   d) Customer analysis
   e) Company analysis
5. Product – Market Focus
   a) Marketing objectives
   b) Target market
   c) Customer Value Proposition
   d) Positioning
   e) SWOT analysis
6. Marketing program
   a) Marketing mix
      * Product Strategy
      * Price Strategy
      * Promotion Strategy
      * Place/distribution Strategy
9. Financial Data and Projections
   a) Break-even Analysis
   b) Sales Forecasting
...

Words: 5817 - Pages: 24

Premium Essay

Credit Cards

...“Comparative Analysis of Impulsive Buying Behaviour between Youth and Elderly Credit Card Consumers” A research report submitted in partial fulfilment for the degree of Master of Business Administration Submitted By Aditi Bhatt C 02, Anshul Chaudhary C 04, Rohit Kumar C 35, Rohit Nair C 36, Vinika Yadav C 53 Symbiosis Institute of Management Studies Symbiosis International University September 2014 ACKNOWLEDGEMENT We take this opportunity to express our gratitude to the people who have been instrumental in the successful completion of this project. We are extremely thankful to Professor Dr Asha Nagendra, the Guide of this project. She has guided us on this research, correcting various documents and amending them with attention and care. She has taken pains to go through the project and make necessary corrections as and when needed at each and every step. We express our thanks to the Director of Symbiosis Institute of Management Studies, Pune for extending its support. We would like to show our greatest appreciation for the support extended to us by the respondents, which was vital for the success of the project. We are also thankful to all the friends, faculties and the respondents whose enthusiastic participation has helped us in our research. TABLE OF CONTENTS Sr. No | Topic |......

Words: 5183 - Pages: 21

Premium Essay

Credit Card

... CREDIT CARD

CONTENT
1. INTRODUCTION
2. CREDIT CARD: WHAT ARE CREDIT CARD
3. ADVANTAGES OF CREDIT CARD
4. DISADVANTAGES OF CREDIT CARD
5. CREDIT CARD: PROS AND CON
6. HOW YOUR CREDIT CARD IS CHANGING
7. HOW TO GET OUT OF CREDIT CARD DEBT
8. CONCLUSION

Credit Cards: Introduction

Are you thinking about making a purchase? Among the payment choices tucked away in a consumer's wallet is the credit card. Its popularity since its debut in the late 1950s has skyrocketed. Many people enjoy the convenience and protections it offers, such as the ability to defer payments and keep records of purchases. However, credit cards can either help to improve your lifestyle by offering convenient payment and helping you build credit, or they can leave you with a pile of debt - it all depends on how you use them. Problems can be avoided by understanding the terms of the credit card agreement, spending wisely and selecting the appropriate card. Here we take an in-depth look at credit cards and provide useful information about how you can use one to your best advantage.

How Credit Cards Built A Plastic Empire: Credit cards are nearing necessity status in modern life. If you want to rent a video, book tickets online, or place an......

Words: 7132 - Pages: 29

Premium Essay

Credit Card Debt

...Credit Card Company's Marketing to College Students The credit card companies marketing their products to college students on campus leads to debt, money management, and unnecessary stress. Ultimately, when they first obtain a credit card they feel some sense of empowerment. Most young adults have typically never had the responsibility of paying bills and managing money compared to an older mature adult. College students should be focused more on receiving their education than dodging creditors on campus looking to inflate their sign up numbers. Getting a credit card too soon can lead to problems down the road. Credit “is no longer considered an earned privilege. It’s now considered a social entitlement and the screening criterion for applicants is weak” (Manning, 2001, p. 157). So a student just signed up for a shiny new piece of plastic with a low to fair credit limit and a very high interest rate because they are considered high risk. If they do not work or have any other sources of income, they can find the trap of debt before they know it. Once the debt piles up, it becomes very hard to recover with no job and no plan in hand. Manning (2001) explains “Credit card companies encourage fantasies of easy money because students are so profitable. Teens have financial naiveté, high material expectations and responsiveness to relatively low-cost marketing campaigns, high potential earnings, and future demand for......

Words: 818 - Pages: 4

Premium Essay

Smith Credit Card Processing

...Mobile Secure Credit Card Processing for St. Clair Land Surveying Denise A. Gregorcyk Abstract The object of this paper was to provide Robert and Mike Smith, owners of Smith Land Surveying, a viable means of processing payments through various means, primarily by utilizing an app and hardware provided by a credit card processing service that can be easily integrated into existing hardware, namely cell phones. Three services were chosen based on qualifying criteria and the best two were presented as viable solutions to a growing need to be able to process payments quickly and conveniently. The three services were Flagship ROAMpay, Intuit GoPayment and PayAnywhere. Of these three, two were chosen to be the most viable, convenient solutions with limitations and drawbacks listed. The need for a convenient, versatile and cost effective manner in which Smith Land Surveying can charge and receive payment for services rendered will allow them to save money in the long run due to not having to incur the costs of legal fees to force clients to pay for services in which they try to dodge or otherwise skip out on. Keywords: Credit card processing, Intuit, Flagship, PayAnywhere Mobile Credit Card Processing for Smith Land Surveying Smith Land Surveying has been losing money on services rendered due to not being able to process credit cards at the time of delivery of services. This proposal will present a viable, affordable solution to Smith Land Surveying and......

Words: 972 - Pages: 4

Premium Essay

Credit Cards

...Final Draft Although there are many advantages of possessing credit cards, most Americans should not use them, because they do not use them properly to where they become liable or subject to overwhelming debt, which could damage their credit history. Personal credit card debt has doubled in the past four years and personal bankruptcies are at the highest ever, and still more Americans are spending money that they do not have. Credit cards allow and encourage individuals to buy more than budgeted, and this is obviously a situation which is best to avoid. Knowing when it is a bad idea to use a credit card can help you to avoid adding debt to your credit card. There is no doubt that the use of credit cards has eased the rate at which people obtain goods and services, but the use of credit cards has done more damage to the finances of American credit card users than good. Credit cards have become a problem for most American credit card users and there are even cases where some Americans have committed suicide because of the heavy debts they owe the credit card companies. Should Americans continue using credit cards? The answer is definitely no, as the detriment that comes with using credit cards outweighs the benefits. Credit cards are a huge convenience in everyday life, yet most people are irresponsible when using them. The convenience of possessing credit cards increases the risk of overspending because people can convince themselves to spend more than what......

Words: 1136 - Pages: 5

Premium Essay

Using a Credit Card Leads Most Americans Into Debt.

...My thesis will be covering why I think that Americans should not use credit cards and the consequences that come along with being in such an industry. It will be covering the regulation’s benefits many companies have and the don’ts on having them and what will come along with accepting them. I will talk about hidden fees along with annual fees and all the fine print that everyone seems to not read. I will also touch base on how one can stay out of debt in the paying process; even though everyone wants a credit card, some should not have one due to mismanaging of their incoming funds period. Writing on my views on the credit card industry and why it is targeting the vulnerable and the young college students and people they know need credit, and give it to them at an APR that is out of this world, keeping them bound and in debt to them. My view on the credit card industry is that if they know that a person has more outgo than income, then they should not extend the credit. Some people are so desperate, and they know it, that they will give them the credit but it will cost them just as much for the credit than the credit itself. My view from my standpoint, because I have been there, is that as long as you pay on time, regardless if it’s the minimum, they will keep extending credit to you so you can stay in debt to them, and by the time you have paid one thing off you could have bought three of the same thing. In my thesis I want you expect that the information that I...

Words: 312 - Pages: 2

Premium Essay

Credit Card

...essay on Credit Card A barometer of the maturity of an economy with a few exceptions is the stage of development reached by its payment systems. Cash in the form of notes and coins makes up just one form of payment system. The development in banking brought about a second phase in payment system, through paper instruments namely cheques and credit transfers. The requirement for greater flexibility and convenience and development of technology has given rise to electronic payments and this is where plastic cards have been provided with. During 1914, a number of oil companies in United States issued the first credit card to their customers for the purchase of gasoline, oil and accessories at the companies' stations. Thereafter, local departmental stores, air travel companies and railway companies also started issuing credit cards. In 1950, the Diners' Club Inc, was the first company to issue an all purpose card. The Franklin National Bank of New York was, in 1951, the first bank in the United States to adopt a credit card plan. Around 1958, the American Express Company and two large banks, the Bank of America and Chase Manhattan entered the credit card field. Some of these companies introduced their cards into United Kingdom, and in 1966 Barclays Bank was the first British Bank to introduce credit cards, known as 'Barclays Cards'. In 1972 "Access" cards were introduced by Lloyds Bank. Credit Cards by Indian Banks is a recent history. The Credit Card can be......

Words: 411 - Pages: 2

Premium Essay

Credit Cards

...Part 1

1. How old do you have to be to get a credit card? What requirements do you need, besides age, to obtain a credit card?
You must be 18 years old and you must have some kind of income. Or, a parent who has a card account at the bank as well. Also, have the parent cosign the card and open a savings/checking account at the bank.

2. What are some benefits of using credit cards?
Card offers protection from theft. You can buy goods/services when you need them even if you don't have the money at the time. They can be used for emergencies.

3. What are some consequences of using a credit card?
Credit cards give the belief that you can actually afford things. If you miss your bill, your credit score gets damaged.

4. What is credit history?
Your past with credit cards. How you handled them and how you paid your bills.

5. How does your credit history affect what credit cards you can get and your APR?
If you don't pay your bills on time, your credit history will be worse and you will have less access to cards while your APR on those cards will be higher because the companies don't believe that they can trust you to pay.

6. How do you think people can get into credit card debt?
A situation occurs such as a job loss or a medical emergency and credit card bills are not the family's main priority.

7. Do you feel that consumers are being protected?
No, because credit card companies target the consumers that are in debt. They are the real people to make......

Words: 801 - Pages: 4

Premium Essay

Credit Card

...Bank ltd as sales officer since 2011 in the credit card division at Sylhet zone. Before this role I worked as a sales coordinator of credit cards for three years in Chittagong. As we all know, credit cards play a vital role in the modern economic position, and any officer working in credit card sales needs to be dynamic. One needs to know the attitude of the customer as well as the social status of the customer. As a sales officer I have to maintain the monthly target assigned to me as well as customer service after issuing the credit card. I have to complete certain responsibilities as the in-charge of Sylhet division.
1. My team should be filled in between ten members.
2. Team members should be trained properly, e.g. product knowledge, customer face, market position, target market, competitor’s current position, KYC, application fill up.
3. Visit with fresh members to different offices potential enough for credit cards.
4. Monitor their daily work, such as ensuring the daily call report and customer feedback, finding the problems they face during visits and solving those problems.
5. Checking the application files sourced by team members and meeting the drawbacks to complete the file, e.g. asking the customer for proper documents, having any loan, knowing about the credit limit.
6. Team members are given a new company list, corporate list, payroll customer list etc. on a weekly basis.
7. I report weekly through mail to my line manager, whose office is in Dhaka.
8. I have to ensure credit card to customer within 7 working......

Words: 539 - Pages: 3

Premium Essay

An Project on Credit Card

...Chapter one Rationale of the study In the sophisticated digital age, the importance of the development of the debit card sector is under description for the rapid economic development of the country. It is a precondition to have well improved transactions for the rapid development of a country. The debit card is one of the vital and important parts of the bank sector. Basically the economic development of the country depends on the development of trade and commerce of the country. On the other hand the development of trade and commerce depends on the bank sector. So, it is the fair arms to have a well improved bank sector for the economic development of the country. In this sense, the debit card plays an important role in safely carrying and transferring money from one place to another. We concisely enjoy how much they are benefited due to the debit card introduction in Rajshahi city. Not only trade and commerce, we can observe the change of personal life due to the debit card users in Rajshahi. Now it is the age of modern technology. In this age the debit card is being used highly as a medium of technology. The debit card is keeping an active role in transferring money from one corner to another of Bangladesh. It is the contribution of the bank sector to keep balanced development between urban and rural areas of Bangladesh. Long-term maximizing profit through customer satisfaction is the main objective of marketing. To achieve those objectives, it is urgent to eliminate or meet the need of the...

Words: 11167 - Pages: 45