<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PCI Toolkit &#187; Press</title>
	<atom:link href="http://www.pcitoolkit.com/category/press/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.pcitoolkit.com</link>
	<description>Powered by CSRSI®</description>
	<lastBuildDate>Wed, 30 Jun 2010 16:28:10 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>CSRSI Announces Enhancements to the PCI ToolKit® Web Application</title>
		<link>http://www.pcitoolkit.com/2010/04/30/csrsi-announces-enhancements-to-the-pci-toolkit%c2%ae-web-application/</link>
		<comments>http://www.pcitoolkit.com/2010/04/30/csrsi-announces-enhancements-to-the-pci-toolkit%c2%ae-web-application/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 17:17:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Press]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=174</guid>
		<description><![CDATA[CSRSI unveiled a more user-friendly interface for the PCI ToolKit® survey-based system for merchants to complete their required annual Self-Assessment Questionnaire and become PCI compliant as mandated by the PCI Standards Council.  ]]></description>
			<content:encoded><![CDATA[<p>IMMEDIATE RELEASE</p>
<p>Jensen Beach, FL-April 15, 2010- CSRSI, a leading electronics payments consulting firm, proudly announced several new enhancements to their PCI ToolKit® web application at a Client Appreciation Dinner for 60 clients attending the Electronic Transaction Association’s Annual Meeting and Expo in Las Vegas April 14th. The dinner, held at Smith &amp; Wollensky’s restaurant, highlighted a new look and feel and a more user-friendly interface for its survey-based system for merchants to complete their required annual Self-Assessment Questionnaire as mandated by the PCI Standards Council.</p>
<p><a title="PCIToolKit" href="http://www.pcitoolkit.com" target="_blank">The PCI ToolKit®</a> is a broadly used web-based, comprehensive system for merchants processing credit cards to become compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Introduced in 2005, the ToolKit also provides an interface to CSRSI’s clients composed of member banks, payment processors and ISOs to administer oversight of merchants’ progress.</p>
<p>Ross Federgreen, one of CSRSI’s founders, in appreciation of the moment, summed up the milestone event: “We continue to listen to our clients’ feedback and incorporate their requests for advancements in our development stages. We’re thrilled to see how many of our long term client/friends were present to show their confidence in and support of the PCI ToolKit®, representing many well-known member banks, processors and ISOs.”</p>
<p>About CSRSI</p>
<p>CSRSI provides electronic payment consultation and management. Our areas of focus include PCI, PII (personally identifiable information), risk, liability, compliance, systems selection and vendor selection. Our expertise includes merchant services, ACH, SWIFT, IBAN and all other electronic formats. For more information, visit www.csrsi.com.</p>
<p>For further information, contact: <a href="mailto:jcarroza@csrsi.com">jcarroza@csrsi.com</a>.</p>
<p>Twitter: @pcitoolkit</p>
<p>Twitter: @csrsi</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2010/04/30/csrsi-announces-enhancements-to-the-pci-toolkit%c2%ae-web-application/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Aberdeen report shows firms using PCI-DSS can halve costs</title>
		<link>http://www.pcitoolkit.com/2009/12/31/aberdeen-report-shows-firms-using-pci-dss-can-halve-costs/</link>
		<comments>http://www.pcitoolkit.com/2009/12/31/aberdeen-report-shows-firms-using-pci-dss-can-halve-costs/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 13:01:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=162</guid>
		<description><![CDATA[Aberdeen report shows firms using PCI-DSS can halve costs]]></description>
			<content:encoded><![CDATA[<p>The Aberdeen group&#8217;s third annual study into Payment Card Industry Data Security Standard (PCI-DSS) issues claims to show that a growing number of companies are saving up to 55% on maintaining their compliance by adopting best practices.</p>
<p>The <a href="http://research.aberdeen.com/index.php/-information-technology/54-business- intelligence/1011-5892">report</a>  &#8211; which is offered free until the end of January &#8211; also says that companies adopting PCI-DSS compliance can save up to 45% on their costs by adopting a best practice strategy.</p>
<p>The study, which is billed as providing year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with PCI-DSS (https://www.pcisecuritystandards.org/), found that adopting a best-in-class approach can halve a company&#8217;s compliance costs.</p>
<p>On top of this, the report notes that best-in-class companies can divert the PCI-DSS compliance savings into other areas, such as sustainable programs and continuous improvement.</p>
<p>According to the research firm, best-in-class companies were found to have reduced their deficiencies related to PCI-DSS compliance by 7.5% on a year-over-year basis, when compared to &#8216;laggards.&#8217;</p>
<p>The conclusions of the security analysis show how companies can reduce the scope of their PCI-DSS compliance, as well as &#8216;map and adapt&#8217; to better security practices.</p>
<p>One of the most interesting conclusions of the report is the need for managers to assign clear ownership of the PCI-DSS issues and so achieve better PCI-DSS efficiencies.</p>
<p>Source: Infosecurity Magazine</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2009/12/31/aberdeen-report-shows-firms-using-pci-dss-can-halve-costs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The 10 Myths of Payment Credit Card Industry (PCI) Compliance</title>
		<link>http://www.pcitoolkit.com/2009/10/29/the-ten-myths-of-payment-card-industry-pci-compliance/</link>
		<comments>http://www.pcitoolkit.com/2009/10/29/the-ten-myths-of-payment-card-industry-pci-compliance/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 15:28:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=93</guid>
		<description><![CDATA[Merchants are becoming acutely aware of the mandated requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately associated with this are many misconceptions or myths. It is important that members of the merchant service community have a detailed understanding of PCI and can assist merchants with the complexities of compliance]]></description>
			<content:encoded><![CDATA[<p>Merchants are becoming acutely aware of the mandated requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately associated with this are many misconceptions or myths. It is important that members of the merchant service community have a detailed understanding of PCI and can assist merchants with the complexities of compliance.</p>
<p><strong>MYTH 1: I DO NOT HAVE TO BE COMPLIANT</strong></p>
<p>This is untrue. Every merchant who in any manner accepts, handles, stores or transmits credit card information must be compliant. This extends to all merchants regardless of the type of credit card environment they are in. There are no exceptions for merchants who are in the card present environment.</p>
<p><strong>MYTH 2: IF I HAVE PENETRATION SCANS I AM COMPLIANT</strong></p>
<p>This is untrue. Penetration scans or vulnerability scans represent a small fraction of the requirements. Having penetration scans done is important but it is not all that is required. The merchant must complete the 75 questions that make up the annual self-assessment questionnaire (SAQ).</p>
<p><strong>MYTH 3: FOR THE SAQ I CAN JUST ANSWER YES TO PASS.</strong></p>
<p>This is untrue. You should only answer yes if you both understand the question and have the documented evidence that the answer should be yes. Fabricating yes answers is both inappropriate and opens the merchant to severe penalties including loss of credit card privileges.</p>
<p><strong>MYTH 4: NO ONE WILL EVER LOOK AT MY ANSWERS TO THE SELF-ASSESSMENT QUESTIONNAIRE</strong></p>
<p>This is untrue. As part of the requirements for PCI compliance each merchant must file the SAQ with his or her acquirer. If a merchant is compromised, risk rated or randomly audited, or for other reasons, the response to the SAQ will be examined.</p>
<p><strong>MYTH 5: ALL I NEED TO DO IS TO GET MY PENETRATION SCAN COMPLETED.</strong></p>
<p>This is untrue. It is vitally important to examine the results of the penetration scans and note findings. Each abnormal finding must be addressed regardless of which of the four levels from informational to severe is listed. Severe findings must be remediated within 30 days.</p>
<p><strong>MYTH 6: IF MY SOFTWARE OR TERMINAL IS COMPLIANT THEN I AM COMPLIANT.</strong></p>
<p>This is untrue. To answer the questions of the SAQ correctly and honestly, every merchant must have written policies, procedures and auditable logs. There are also significant physical security requirements which must be met. Compliant software and terminals are critical but not the entire answer.</p>
<p><strong>MYTH 7: IT CAN’T HAPPEN TO ME.</strong></p>
<p>This is untrue. Security breaches happen everywhere and can happen to anyone at any time.</p>
<p><strong>MYTH 8: ALL SECURITY BREACHES OCCUR FROM EXTERNAL SOURCES.</strong></p>
<p>This is untrue. Over 90% of security breaches occur because of employees or others with internal access to the merchant.</p>
<p><strong>MYTH 9: MY PROCESSOR IS RESPONSIBLE FOR THE FINES SO WHY SHOULD I CARE.</strong></p>
<p>This is untrue. The merchant is ultimately responsible for all financial fines and penalties. This can be up to $25,000 per month per event.</p>
<p><strong>MYTH 10: I CAN DO THE SAQ MYSELF</strong></p>
<p>This is true but no one should. The 75 questions on the SAQ are complicated and complex; answering them requires a detailed understanding of the meaning and intent of each of the questions.</p>
<p>With the above said, it is incumbent on the MLS and/or ISO to have a detailed understanding of PCI. The fact needs to be strongly emphasized to each merchant that they must comply with the PCI. Failure to do this can lead to civil penalties, criminal prosecution and loss of credit card accepting privileges.</p>
<p>The payment brands have spent considerable sums attempting to educate the merchant population. A number of resources are available to assist you in helping the merchant achieve compliance. The Green Sheet has published a number of articles addressing these issues. In addition, each of the payment brands has information on its web site defining the requirements and the various categories of merchants.</p>
<p>We strongly recommend that each merchant obtain qualified assistance in achieving PCI DSS compliance. Knowledge of PCI and what it really takes to be compliant will help you, the ISO or MLS, maintain, retain and obtain merchants.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2009/10/29/the-ten-myths-of-payment-card-industry-pci-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
