Sunday, January 30, 2011

Comparing VISA and DoD I.T.

Analysis of commercial operations offers interesting insights into how DoD information technologies could become more efficient. Although VISA is completely different from DoD, there are nevertheless differences that can explain why VISA and DoD budgets are so far apart. As DoD will be looking for cost reductions in I.T. spending, there are lessons to be learned from VISA operations that could have merit in planning for DoD improvements.

VISA makes available data about its “Network, EDP and Communications” costs.* For one year, ending on September 30, 2010, the total expenses for I.T. were $425 million. VISA information technology expenses are therefore only 1.3% of the total cost of DoD information technologies.

Although VISA processes are much different from DoD's, from the standpoint of speed, security, reliability, flexibility and scalability the VISA operations can offer useful lessons on how to design and manage a wide-ranging information complex.

Here are the major differences between VISA and DoD:
1. VISA operates globally from three data centers, DoD from 772.
2. VISA data centers are redundant and provide for fail-over in real time. Most DoD data centers are not backed up.
3. VISA network uptime is close to 100.0%. DoD uptime availability is not measured.
4. VISA manages the software and configuration management for the entire world from only two locations. DoD does that from at least 2,200 separate projects.
5. VISA provides a global infrastructure and leaves it to individual financial institutions to manage their operations and input terminals, as long as they conform to centrally dictated standards. DoD is reported to have 15,000 communication infrastructures, each of which is attempting to achieve complete integration down to desktops, laptops and smart phones.
6. There are only two carefully managed software updates for the VISA infrastructure per year. DoD software updates are as needed, whenever and wherever that is affordable.
7. A single VISA executive group controls VisaNet budgets and priorities in quarterly reviews. In DoD the management of budgets is widely dispersed, so that planning, development, testing, installation and operation are separate both in organization and in timing.

VISA can deliver a formidable collection of services for a fraction of DoD costs because its organization and its concept of operation are completely different.

The following illustrates what VISA delivers for the money it spends: **
1. Every day, VISA processes up to 1.8 billion credit card entries and has the capacity of handling over 20,000 transactions per second. The number of DoD daily transactions is not more than a tenth of this amount.
2. VISA accepts cards at 1.7 million locations. DoD supports not more than a tenth of this.
3. VISA processes entries for 15,700 financial institutions. The DoD network interfaces with not more than a tenth of that.
4. VISA processed at peak time more than 200 million authorizations per day. The peak load on DoD, under warfare conditions, is unknown but would not be comparable.
5. VISA operates globally from three synchronized data centers linked by 1.2 million miles of optical lines. The DoD GIG does not permit real time synchronization of data centers because it has limited capacity for that.

VISA shows the following operating characteristics:

Fast – On average, transactions are processed in less than a second. This includes providing business-critical risk information to merchants and banks. DoD applications will average a latency that is much greater. DoD latencies are not measured and not tracked.

Secure – VISA employs multiple defense layers to prevent breaches, combat fraud and render compromised card data unusable. These defense layers include data encryption, network intrusion detection and neural network analysis.

Real-time risk scoring capabilities are the result of more than 30 years of monitoring transaction patterns and applying sophisticated risk management technologies during the authorization process. Risk analysis methods detect unusual spending patterns and flag possible fraud in real time. These examine 40 separate transaction aspects and 100 or more known fraud patterns which they weigh against a profile of all of the cardholder’s transactions from the last 90 days. The result is an instantaneous rating of a specific transaction's potential for fraud, which is then passed to the card issuer. The card issuers, based on their own proprietary criteria, decide to accept or to decline transactions. DoD does not have the forensic assets in place to apply “artificial intelligence” screening methods either to infiltration or exfiltration of its traffic.
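An added illustration (not VISA's code and not part of the original post) of scoring one transaction against a 90-day cardholder profile and leaving the accept/decline decision to the issuer. The three aspects, their weights, the issuer thresholds and the sample data are constructed assumptions standing in for the 40 aspects and 100 patterns mentioned above.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(days=90)   # profile window stated in the text
# Constructed weights (assumption); the real aspects and weights are not public.
WEIGHTS = {"amount": 50, "new_country": 30, "velocity": 20}

def build_profile(history, now):
    """Summarise the cardholder's transactions from the last 90 days."""
    recent = [t for t in history if now - t["ts"] <= WINDOW]
    amounts = [t["amount"] for t in recent]
    return {
        "mean": mean(amounts) if amounts else 0.0,
        "std": pstdev(amounts) if len(amounts) > 1 else 0.0,
        "countries": {t["country"] for t in recent},
        "recent": recent,
    }

def risk_score(txn, profile):
    """Return 0-100: weighted sum of three aspect signals, each in [0, 1]."""
    # Amount: how many standard deviations above the cardholder's norm.
    std = profile["std"] or 1.0   # avoid dividing by zero on flat history
    z = max(0.0, (txn["amount"] - profile["mean"]) / std)
    amount = min(z / 4.0, 1.0)    # 4 sigma or more saturates
    # Geography: country never seen inside the window.
    new_country = 0.0 if txn["country"] in profile["countries"] else 1.0
    # Velocity: transactions in the preceding hour; 5 or more saturates.
    hour = [t for t in profile["recent"]
            if timedelta(0) <= txn["ts"] - t["ts"] <= timedelta(hours=1)]
    velocity = min(len(hour) / 5.0, 1.0)
    signals = {"amount": amount, "new_country": new_country, "velocity": velocity}
    return round(sum(WEIGHTS[k] * v for k, v in signals.items()))

def issuer_decision(score, threshold):
    """The issuer, not the network, accepts or declines by its own criteria."""
    return "decline" if score >= threshold else "accept"

# Constructed sample data: 30 routine purchases plus one entry outside the window.
NOW = datetime(2011, 1, 30, 12, 0)
HISTORY = [{"ts": NOW - timedelta(days=d), "amount": 40.0 + (d % 5) * 5,
            "country": "US"} for d in range(1, 31)]
HISTORY.append({"ts": NOW - timedelta(days=200), "amount": 900.0, "country": "FR"})
PROFILE = build_profile(HISTORY, NOW)
ROUTINE = {"ts": NOW, "amount": 45.0, "country": "US"}
UNUSUAL = {"ts": NOW, "amount": 900.0, "country": "BR"}
```

The same score can lead to different outcomes at different issuers, which is the division of labour the paragraph describes: the network rates, the issuer decides.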

Reliable – VISA runs multiple redundant systems to ensure near-100% availability. A self-correcting network detects transmission faults and triggers recovery. For DoD a real time redundancy is not affordable. Up-time reliability is not measured. In fact, standards for up-time reliability measurement and reporting do not exist.

Flexible – VISA supports a diversity of payment options, risk management solutions and a number of different information products and services. This includes more payment methods as well as a choice of access and controls. In DoD the GIG is only a telecommunications carrier, with limited capacity. The GIG does not include a capacity to vary its functionality.

Scalable – VISA processed over 92 billion transactions per year, each settled to a choice of currencies such as penny, peso, ruble or yen. This is accomplished in over 50 languages. On a peak single day last year, VISA processed more than 200 million authorization transactions. VISA stress tests show the capacity to process close to a billion transactions per day. DoD network scalability is fractured and therefore has a very limited capacity.

VISA authorization transactions can be complex. The following is a simplified description of the authorization and payment processes. VISA offers to Issuers a wide range of collection plans and features, such as customer loyalty programs, which add more steps to the following sequence:

1. The Cardholder swipes a credit card at one of millions of VISA-compatible card readers or accounting machines. Hundreds of different manufacturers make these devices, each with different software. These devices are located even at the most remote locations in the world.

2. The authorization transaction is checked, secured and encrypted by the Merchant’s software.
3. It is passed to the Acquirer — usually a merchant's bank — where the Cardholder’s account is credited after checking and verification using bank-specific software.
4. The Acquirer reimburses the Merchant instantly after verifying the authorization request. The purchase is authorized at the point of sale.
5. The encrypted authorization is then passed from tens of thousands of Acquirers to one of three VisaNet global data centers where every authorization transaction is subject to further risk analysis, security verification and protection services.
6. VisaNet then passes the authorization transaction to one of hundreds of Issuers, which is the Cardholder’s bank. The Issuer collects from the Cardholder’s account by withdrawing funds if a debit account is used, or through billing if a credit account is used. After the funds are successfully transferred, the approved transaction is returned to its origin, where it is displayed in different formats.
7. If the Cardholder’s account is overdrawn, the sequence of the entire process is reversed and the credit authorization is withdrawn.

The entire workflow of credit card authorization from start to finish takes place over the public Internet, or over dedicated optical lines, in encrypted format using the “tunneling protocol” in conformity with VISA dictated standards. By using “tunneling” the VisaNet can receive and transmit over incompatible trusted networks, or provide a secure path through untrusted networks.

In the case of DoD applications it is impossible to track, evaluate or measure end-to-end performance. The DoD architecture has not been designed for assigning separate and distinct roles to the required standards, to the functions of the infrastructure, to the roles of enterprise systems and to the missions that have been delegated for completely decentralized control.

VisaNet is not just a network service. It can be best described as a global cooperative organization that reaches directly into each of its 15,700 financial institutions with software upgrades, standards enforcement, compliance verifications, security assurance and diagnostic help. VisaNet is a confederation of banks whose participation is voluntary, since competitive offerings are also available.

Perhaps the most important single insight to be gained from the VISA environment is a focus on applying systems engineering to the credit card network in its entirety from points of entry to the processing of authorizations in banks.  VISA views its business as an integrated continuum that requires continuous tuning as technologies, features and networks change. For instance, VISA tracks the latency (response times) and up-time availability in every link. VISA deploys network engineers who work closely with application designers and data center operators to shave microseconds from transactions.

Perhaps the greatest economies of scale are gained from a complete centralization of control over the management of the software infrastructure of VisaNet. While leaving the complete management of banking software in the hands of each of the 15,700 financial institutions, VISA continuously implements enhancements to its global payment network from a central location. There are two major system upgrades each year for the entire network. Each of these upgrades is a carefully choreographed event, which involves collaboration with each of the financial institutions, merchants and processors around the world. An average system upgrade requires some 155,000 person-hours. In each case there are up to 100,000 lines of code changed, creating 50,000 application upgrades each year.

The VISA approach is different from current DoD practices where the severance between the developers, infrastructure operators and the managers of the client environment takes place without synchronized integration of every part.

VISA operates in close coordination between IT management and business executives. Business managers control the budget and dictate how to make trade-offs between schedule, cost and features.

In VISA, computer networks are treated as an integrated and seamless workflow that is continually maintained and upgraded. In contrast, the DoD approach is to tear asunder planning, engineering, software implementation, testing, installation, infrastructure operations and data processing. Nobody is in charge of the entire workflow from conception to the delivery of results.

DoD is trying to create and manage something that is fundamentally an inseparable process. DoD systems are a collection of subdivided efforts that are time-separated into contractually organized parts. Such an approach is not affordable any more.