<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PCI Toolkit &#187; Press</title>
	<atom:link href="http://www.pcitoolkit.com/category/press/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.pcitoolkit.com</link>
	<description>Powered by CSRSI®</description>
	<lastBuildDate>Tue, 26 Apr 2011 04:20:48 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>CSRSI Announces New and Improved Version 2.0 of the PCI ToolKit® Program for PCI Compliance</title>
		<link>http://www.pcitoolkit.com/2011/04/26/csrsi-announces-new-and-improved-version-2-0-of-the-pci-toolkit%c2%ae-program-for-pci-compliance/</link>
		<comments>http://www.pcitoolkit.com/2011/04/26/csrsi-announces-new-and-improved-version-2-0-of-the-pci-toolkit%c2%ae-program-for-pci-compliance/#comments</comments>
		<pubDate>Tue, 26 Apr 2011 04:20:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Press]]></category>
		<category><![CDATA[ComplyGuard Networks]]></category>
		<category><![CDATA[Electronic Transaction Association]]></category>
		<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[PCI ToolKit®]]></category>
		<category><![CDATA[Self-assessment questionnaire]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=231</guid>
		<description><![CDATA[Rick Heroux, President of CSRSI, a leader in the field of PCI compliance and data protection, announces the new version 2.0 of the PCI ToolKit®.]]></description>
			<content:encoded><![CDATA[<p>Jensen Beach, FL—April 22, 2011— Rick Heroux, President of CSRSI, a leader in the field of PCI compliance and data protection, announces the new version 2.0 of the PCI ToolKit®, the industry standard in survey-driven services to help merchants complete their mandatory annual Self-Assessment Questionnaires (SAQ) while bank and payment processor administrators monitor and manage their progress.</p>
<p>CSRSI team members will show off the new version in Meeting Room #1524 and Booth #1424 at the annual Electronic Transaction Association (ETA) meeting in San Diego May 10-12.</p>
<p>“The new enhancements increase the ease and speed of completion of the SAQ by merchants while incorporating the fifth and newest SAQ C-VT, which reduces the number of merchants requiring a quarterly system scan. The policies in the system are more detailed with instructions that are easier to follow. The scanning reporting is improved for both merchant and processor. Current users beta-tested this version, providing important feedback,” said Heroux.</p>
<p>“With the PCI Toolkit, we have found, without fail, that our merchants are now embracing these very necessary security measures,” says Abe Maghaguian, President of Atlantic-Pacific Processing Systems, Inc.</p>
<p>The PCI ToolKit® is the only system to provide a self-guided interview system written to the 7<sup>th</sup> grade level of reading, making it very helpful to the average small merchant. It is complete with all the policies and procedures each merchant will need as required by the PCI Security Standards Council. The PCI ToolKit® is integrated with ComplyGuard Network for scanning and single sign-on reporting; however, the ToolKit works with all approved scanning vendors. Tens of thousands of merchants use the ToolKit each month.</p>
<p>The new version 2.0 offers greater flexibility to banks and processors who oversee the process to encourage all the merchants in their portfolio to become PCI compliant. Implementation protocols are simpler and expanded. Requirements are presented in even simpler terms. Greater detail is provided for merchants taking the longer SAQ D, allowing workarounds. Overall, version 2.0 creates a better experience for bank, payment processor and merchant.</p>
<p>About CSRSI</p>
<p>Reducing risk and liability are core competencies for this consulting team of advocates knowledgeable in privacy legislation, compliance, detecting and protecting personally identifiable information.</p>
<p>In over 1750 engagements since 1999, CSRSI has provided guidance in electronic payments, PCI compliance and security of personal data to companies and institutions. For more information, visit csrsi.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2011/04/26/csrsi-announces-new-and-improved-version-2-0-of-the-pci-toolkit%c2%ae-program-for-pci-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CSRSI Team to Moderate and Participate on Regulatory Update and Interchange Panels at ETA 2011</title>
		<link>http://www.pcitoolkit.com/2011/04/26/csrsi-team-to-moderate-and-participate-on-regulatory-update-and-interchange-panels-at-eta-2011/</link>
		<comments>http://www.pcitoolkit.com/2011/04/26/csrsi-team-to-moderate-and-participate-on-regulatory-update-and-interchange-panels-at-eta-2011/#comments</comments>
		<pubDate>Tue, 26 Apr 2011 00:52:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Press]]></category>
		<category><![CDATA[Anti-Money Laundering]]></category>
		<category><![CDATA[data breach requirements]]></category>
		<category><![CDATA[Durbin Amendment]]></category>
		<category><![CDATA[Electronic Transaction Association]]></category>
		<category><![CDATA[interchange]]></category>
		<category><![CDATA[MasterCard]]></category>
		<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[regulatory update]]></category>
		<category><![CDATA[security of personal data]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=229</guid>
		<description><![CDATA[Ross Federgreen, founder of CSRSI, a leader in payments and data privacy consulting, and Mark Brady, Senior Consultant at CSRSI, will participate in panels covering Regulatory Updates at the ETA annual meeting.]]></description>
			<content:encoded><![CDATA[<p>Jensen Beach, FL—April 22, 2011— Ross Federgreen, founder of CSRSI, a leader in payments and data privacy consulting, and Mark Brady, Senior Consultant at CSRSI, will participate in panels covering Regulatory Updates at the annual Electronic Transaction Association (ETA) meeting in San Diego May 10-12.</p>
<p>Federgreen will moderate Regulatory Update, Part 1: Interchange outlining a status of the Durbin Amendment with commentary on the practical effects and implications on acquiring businesses.</p>
<p>Brady will join the Regulatory Update, Part 2: Market Landscape panel, discussing the new IRS reporting requirements, levy rights on merchants, US Treasury/FINCEN compliance, US Anti-Money Laundering and new data security and breach requirements. Commentary will follow on the challenges presented and response by acquiring community and the ETA.</p>
<p>The Challenges of PCI Compliance panel will also be moderated by Federgreen covering reasonable expectations for these programs, handling merchant resistance, avoiding attrition and a discussion on selection of PCI Compliance vendors.</p>
<p>“We always enjoy the give and take of discussions on compliance topics that affect the payments industry and their merchants. These are interesting times with many forces from Federal, state, judicial and regulatory directions causing bank, acquirers, processors and merchants all alike to make significant changes in how they do business and how they strategize for the future.”</p>
<p>Federgreen has personally completed compliance, risk mitigation and liability engagements for companies ranging from the Fortune 100 to start-ups. His experience includes the hospitality, grocery, e-Commerce and self-storage industries.</p>
<p>Author of over 100 articles appearing in professional and trade journals like Transaction Trends, The Bottom Line, Inside Self-Storage, Grocery Headquarters, Federgreen has authored critical white papers on transaction security compliance and currently serves on the Advisory Board to the “Green Sheet” and is section editor for payments for Inside Self-Storage Magazine.</p>
<p>Brady’s compliance expertise in data protection extends from MasterCard International and as Compliance Officer for EVO Merchant Services. He provides a regulatory perspective to CSRSI clients.</p>
<p>About CSRSI</p>
<p>Reducing risk and liability are core competencies for this consulting team of advocates knowledgeable in privacy legislation, compliance, detecting and protecting personally identifiable information.</p>
<p>In over 1750 engagements since 1999, CSRSI has provided guidance in electronic payments, PCI compliance and security of personal data to companies and institutions. For more information, visit csrsi.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2011/04/26/csrsi-team-to-moderate-and-participate-on-regulatory-update-and-interchange-panels-at-eta-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Dodd-Frank Act: What it might mean for issuers and acquirers</title>
		<link>http://www.pcitoolkit.com/2010/09/20/the-dodd-frank-act-what-it-might-mean-for-issuers-and-acquirers/</link>
		<comments>http://www.pcitoolkit.com/2010/09/20/the-dodd-frank-act-what-it-might-mean-for-issuers-and-acquirers/#comments</comments>
		<pubDate>Mon, 20 Sep 2010 04:47:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press]]></category>
		<category><![CDATA[American Banker]]></category>
		<category><![CDATA[Dodd-Frank Act]]></category>
		<category><![CDATA[Durbin Agreement]]></category>
		<category><![CDATA[fraud fees]]></category>
		<category><![CDATA[interchange fees]]></category>
		<category><![CDATA[MasterCard]]></category>
		<category><![CDATA[PaymentSource.com]]></category>
		<category><![CDATA[Reasonable Fees for Rules and Payment]]></category>
		<category><![CDATA[Section 1075]]></category>
		<category><![CDATA[The Green Sheet]]></category>
		<category><![CDATA[Visa]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=198</guid>
		<description><![CDATA[While the full effect of the recent passage of the Dodd-Frank Act is yet to be determined, it’s clear that substantial changes are in the offing. Look for changes in interchange rates, possible new fraud fees and new Fed regulations]]></description>
			<content:encoded><![CDATA[<p>This article as it appeared in The Green Sheet, Sept. 13, 2010</p>
<p>By Mark Brady and Ross Federgreen</p>
<p>The <a href="http://en.wikipedia.org/wiki/Dodd-Frank_Wall_Street_Reform_and_Consumer_Protection_Act" target="_blank"><strong>Dodd-Frank Wall Street Reform and Consumer Protection Act</strong></a>, signed by President Obama on July 21, 2010, is now the law of the land. Included in the act is the <a href="http://durbin.senate.gov/showRelease.cfm?releaseId=325810" target="_blank"><strong>Durbin Amendment</strong></a>, a provision in the final bill aimed at debit card interchange fees and other issues to increase competition in payment processing.</p>
<p><a href="http://www.mondaq.com/unitedstates/article.asp?article_id=108256" target="_blank"><strong>Section 1075 of the Act (&#8220;Reasonable Fees for Rules and Payment&#8221;)</strong></a> offers implications for acquirers and issuers. <a href="http://www.federalreserve.gov/" target="_blank"><strong>The Federal Reserve Board</strong></a> still has to write specific rules for implementing the new regulation; the devil will be in the details. The following discusses some of the major points of Section 1075 and provides our take at this point in time.</p>
<p><strong>Issuers must provide costs to justify debit interchange rates</strong></p>
<p>Section 1075 states that &#8220;the amount of any interchange transaction fee that an issuer may receive or charge with respect to an electronic debit transaction shall be reasonable and proportional to the cost incurred by the issuer.&#8221; This is the most far-reaching piece of Section 1075. Experts predict electronic debit may surpass cash in the next few years. According to the <a href="http://www.nrf.com/" target="_blank"><strong>National Retail Federation</strong></a>, merchants pay approximately $20 billion annually in fees for accepting debit cards. American Banker&#8217;s <a href="http://paymentsource.com/" target="_blank"><strong>PaymentSource.com</strong></a> estimates that if debit fees are cut by 50 percent, $4.15 billion in interchange fees for Visa Inc. issuers and $1.45 billion for MasterCard Worldwide issuers would be eliminated. As such, the stakes are significant.</p>
<p>Several years ago MasterCard and Visa justified interchange rates, at least in part, on a cost basis. They now promote their product based on value. For example, in January 2010, The New York Times reported that, according to Visa, merchants&#8217; cost for accepting debit hasn&#8217;t gone down because the cards provide greater value than they did previously and that merchant acceptance has doubled in the last 10 years, so the costs of accepting debit cannot be too onerous.</p>
<p>The article also quoted Elizabeth Buse, Visa&#8217;s Group Executive, International, who said the fees are &#8220;not a cost-based calculation but a value-based calculation&#8221; and William M. Sheedy, Visa&#8217;s President for the Americas, who said, &#8220;Debit has become so mainstream, some of the people who have benefited have lost sight of what their business model was, what their cost structure was.&#8221;</p>
<p>The Fed is requiring issuers to provide information biannually on costs &#8220;in connection with the authorization, clearance or settlement of electronic debit transactions.&#8221; It further stipulates that &#8220;costs incurred by an issuer which are not specific to a particular electronic debit transaction shall not be considered.&#8221;</p>
<p><strong>Fed can allow adjustments for issuer fraud costs</strong></p>
<p>Section 1075 states that the Fed may allow for &#8220;an adjustment to the fee amount received by an issuer if such adjustment is reasonably necessary to make allowance for costs incurred by the issuer in preventing fraud in relation to electronic debit transactions.&#8221;</p>
<p>Given that fraud rates for signature debit are much higher than for PIN debit, it will be interesting to see how issuers and the Fed deal with that aspect of the law. Will the Fed address the issuer promotion of signature debit versus PIN debit, given the higher fraud rates for signature? Or will the Fed disallow a portion of signature debit fraud from issuers&#8217; cost calculations?</p>
<p>Also, Section 1075 states &#8220;any fraud-related adjustment of the issuer &#8230; takes into account any fraud-related reimbursements (including amounts from chargebacks) received from consumers, merchants or payment card networks in relation to electronic debit transactions.&#8221; This appears to say fraud-related chargebacks issuers return to merchants (and are not successfully represented back to issuers) must be removed from the issuers&#8217; interchange cost workups. Many fraud-related chargebacks are not returnable to issuers per MasterCard and Visa rules. Will the Fed require issuers to eliminate these chargebacks from their cost workups?</p>
<p>Finally, the law allows issuers to include data security costs in their fraud calculations. While issuers certainly incur costs for data security, it is the acquiring side of the business that is responsible for data security breaches. These acquiring costs include reimbursement to issuers for new card reissuance in the event of data security breaches. Will the Fed consider these acquiring data security costs in the issuer interchange cost calculations?</p>
<p>The cost data will provide the Fed significant information about this market &#8211; information issuers may not be happy to provide. In 2009 the <a href="http://www.gao.gov/" target="_blank"><strong>Government Accountability Office</strong></a> requested some of these costs and had a difficult time obtaining this information.</p>
<p>The Fed intends to prescribe the new regulations no later than nine months after the law was signed. This means the new interchange rates will probably be determined in the first quarter of 2011 or early second quarter.</p>
<p><strong>Regulation is limited to the largest U.S. banks</strong></p>
<p>Section 1075 states that the regulations will not apply to any issuer that, together with its affiliates, has assets of less than $10 billion. As such, most U.S. banks will be exempt from Dodd-Frank, even with their affiliates included. How will these banks react to their exemption? How will it affect their merchant business? Will they be helped or hurt?</p>
<p><strong>Government programs are exempt</strong></p>
<p>Governments appear to have exempted themselves from the interchange transaction fee regulation for &#8220;a debit card or general-use prepaid card that has been provided to a person pursuant to a federal, state or local government-administered payment program.&#8221; The U.S. government was obviously concerned about the debit card issuing impact on its own government card programs.</p>
<p><strong>Issuer network fee increases are restricted</strong></p>
<p>The regulators appear to be concerned that the card companies will substitute increased network fees for interchange rate decreases. As such, the Fed will &#8220;prescribe regulations to ensure that a network fee is not used to directly or indirectly compensate an issuer with respect to an electronic debit transaction, and a network fee is not used to circumvent or evade the restrictions of the regulation.&#8221;</p>
<p>Also, issuers may not restrict the number of payment card networks on which an electronic debit transaction may be processed. This may help MasterCard, which trails Visa significantly in debit card transaction volume. Concern also exists among issuers that the United States will further pressure MasterCard and Visa to lower network fees.</p>
<p><strong>Merchants can set minimum or maximum amounts for credit card transactions</strong></p>
<p>The law allows merchants to establish minimum and maximum dollar values for credit card transactions: &#8220;A payment card network shall not, directly or through any agent, processor, or licensed member of the network, by contract, requirement, condition, penalty, or otherwise, inhibit the ability &#8230; to set a minimum or maximum dollar value for the acceptance of credit cards.&#8221; Merchants may not differentiate between issuers or between payment card networks, and the minimum dollar value may not exceed $10.</p>
<p>Minimums at the POS are much more pervasive than maximums and are bound to confuse merchants, as the new rule does not apply to debit card transactions. Many transactions under $10 involve signature debit cards. Clerks at the POS are going to have a difficult time distinguishing between debit and credit cards; they will understandably think the $10 minimum applies to all cards. It&#8217;s bound to result in confusion at the cash register.</p>
<p>The regulation also allows maximum limits to be set by merchants, specifically citing &#8220;institutions of higher education.&#8221; Colleges and universities have been among the most likely entities to set maximums. Again, maximums may not differentiate between issuers or between payment card networks and apply to credit card transactions only.</p>
<p><strong>Merchants&#8217; ability to establish discounts is expanded</strong></p>
<p>The regulation stipulates that networks may not &#8220;inhibit the ability of any person to provide a discount or in-kind incentive for payment by the use of cash, checks, debit cards or credit cards to the extent that &#8211; the discount does not differentiate on the basis of the issuer or the payment card network.&#8221; The discount must be applied to the advertised price of the item or service. As such, a &#8220;card price&#8221; cannot be added to the regular price of an item in the form of a surcharge.</p>
<p>The card brands and issuers appear to have given up little here, except that merchants can now offer a discount for, say, PIN debit. As the MasterCard and Visa rules are now written, discounts for cash are allowed under these conditions. These cash discounts have been common in gas stations for several years.</p>
<p>It&#8217;s difficult to predict whether the new discount provisions will be utilized by a significant number of merchants, especially small merchants. Many big-box and wholesale or warehouse merchants do not offer discounts for entering a PIN at the POS, but they make sure a PIN pad is right in front of the customer at checkout.</p>
<p>MasterCard, Visa and card issuers may have successfully avoided repeating their Australian experience of several years ago, when courts in that country allowed merchants to surcharge transactions. Over the next several months, as the Fed issues drafts of the new regulations, there will be more to say about the Dodd-Frank Act and its implications for the major card brands, issuers and acquirers.</p>
<p>Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2010/09/20/the-dodd-frank-act-what-it-might-mean-for-issuers-and-acquirers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CSRSI Announces Enhancements to the PCI ToolKit® Web Application</title>
		<link>http://www.pcitoolkit.com/2010/04/30/csrsi-announces-enhancements-to-the-pci-toolkit%c2%ae-web-application/</link>
		<comments>http://www.pcitoolkit.com/2010/04/30/csrsi-announces-enhancements-to-the-pci-toolkit%c2%ae-web-application/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 17:17:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Press]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=174</guid>
		<description><![CDATA[CSRSI unveiled a more user-friendly interface for the PCI ToolKit® survey-based system for merchants to complete their required annual Self-Assessment Questionnaire and become PCI compliant as mandated by the PCI Standards Council.  ]]></description>
			<content:encoded><![CDATA[<p>IMMEDIATE RELEASE</p>
<p>Jensen Beach, FL-April 15, 2010- CSRSI, a leading electronic payments consulting firm, proudly announced several new enhancements to its PCI ToolKit® web application at a Client Appreciation Dinner for 60 clients attending the Electronic Transaction Association’s Annual Meeting and Expo in Las Vegas on April 14th. The dinner, held at Smith &amp; Wollensky’s restaurant, highlighted a new look and feel and a more user-friendly interface for its survey-based system for merchants to complete their required annual Self-Assessment Questionnaire as mandated by the PCI Standards Council.</p>
<p><a title="PCIToolKit" href="http://www.pcitoolkit.com" target="_blank">The PCI ToolKit®</a> is a broadly used web-based, comprehensive system for merchants processing credit cards to become compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Introduced in 2005, the ToolKit also provides an interface to CSRSI’s clients composed of member banks, payment processors and ISOs to administer oversight of merchants’ progress.</p>
<p>Ross Federgreen, one of CSRSI’s founders, in appreciation of the moment, summed up the milestone event: “We continue to listen to our clients’ feedback and incorporate their requests for advancements in our development stages. We’re thrilled to see how many of our long term client/friends were present to show their confidence in and support of the PCI ToolKit®, representing many well-known member banks, processors and ISOs.”</p>
<p>About CSRSI</p>
<p>CSRSI provides electronic payment consultation and management. Our areas of focus include PCI, PII (personally identifiable information), risk, liability, compliance, systems selection and vendor selection. Our expertise includes merchant services, ACH, SWIFT, IBAN and all other electronic formats. For more information, visit www.csrsi.com.</p>
<p>For further information, contact: <a href="mailto:jcarroza@csrsi.com">jcarroza@csrsi.com</a>.</p>
<p>Twitter: @pcitoolkit</p>
<p>Twitter: @csrsi</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2010/04/30/csrsi-announces-enhancements-to-the-pci-toolkit%c2%ae-web-application/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Aberdeen report shows firms using PCI-DSS can halve costs</title>
		<link>http://www.pcitoolkit.com/2009/12/31/aberdeen-report-shows-firms-using-pci-dss-can-halve-costs/</link>
		<comments>http://www.pcitoolkit.com/2009/12/31/aberdeen-report-shows-firms-using-pci-dss-can-halve-costs/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 13:01:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=162</guid>
		<description><![CDATA[Aberdeen report shows firms using PCI-DSS can halve costs]]></description>
			<content:encoded><![CDATA[<p>The Aberdeen group&#8217;s third annual study into Payment Card Industry Data Security Standard (PCI-DSS) issues claims to show that a growing number of companies are saving up to 55% on maintaining their compliance by adopting best practices.</p>
<p>The <a href="http://research.aberdeen.com/index.php/-information-technology/54-business-intelligence/1011-5892">report</a> &#8211; which is offered free until the end of January &#8211; also says that companies adopting PCI-DSS compliance can save up to 45% on their costs by adopting a best practice strategy.</p>
<p>The study, which is billed as providing year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with <a href="https://www.pcisecuritystandards.org/">PCI-DSS</a>, found that adopting a best-in-class approach can halve a company&#8217;s compliance costs.</p>
<p>On top of this, the report notes that best-in-class companies can divert the PCI-DSS compliance savings into other areas, such as sustainable programs and continuous improvement.</p>
<p>According to the research firm, best-in-class companies were found to have reduced their deficiencies related to PCI-DSS compliance by 7.5% on a year-over-year basis, when compared to &#8216;laggards.&#8217;</p>
<p>The conclusions of the security analysis show how companies can reduce the scope of their PCI-DSS compliance, as well as &#8216;map and adapt&#8217; to better security practices.</p>
<p>One of the most interesting conclusions of the report is the need for managers to assign clear ownership of the PCI-DSS issues and so achieve better PCI-DSS efficiencies.</p>
<p>Source: Infosecurity Magazine</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2009/12/31/aberdeen-report-shows-firms-using-pci-dss-can-halve-costs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The 10 Myths of Payment Credit Card Industry (PCI) Compliance</title>
		<link>http://www.pcitoolkit.com/2009/10/29/the-ten-myths-of-payment-card-industry-pci-compliance/</link>
		<comments>http://www.pcitoolkit.com/2009/10/29/the-ten-myths-of-payment-card-industry-pci-compliance/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 15:28:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press]]></category>

		<guid isPermaLink="false">http://www.pcitoolkit.com/?p=93</guid>
		<description><![CDATA[Merchants are becoming acutely aware of the mandated requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately associated with this are many misconceptions or myths. It is important that members of the merchant service community have a detailed understanding of PCI and can assist merchants with the complexities of compliance]]></description>
			<content:encoded><![CDATA[<p>Merchants are becoming acutely aware of the mandated requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately associated with this are many misconceptions or myths. It is important that members of the merchant service community have a detailed understanding of PCI and can assist merchants with the complexities of compliance.</p>
<p><strong>MYTH 1: I DO NOT HAVE TO BE COMPLIANT</strong></p>
<p>This is untrue. Every merchant who in any manner accepts, handles, stores or transmits credit card information must be compliant. This extends to all merchants regardless of the type of credit card environment they are in. There are no exceptions for merchants who are in the card present environment.</p>
<p><strong>MYTH 2: IF I HAVE PENETRATION SCANS I AM COMPLIANT</strong></p>
<p>This is untrue. Penetration scans or vulnerability scans represent a small fraction of the requirements. Having penetration scans done is important, but it is not all that is required. The merchant must complete the 75 questions that make up the annual self-assessment questionnaire (SAQ).</p>
<p><strong>MYTH 3: FOR THE SAQ I CAN JUST ANSWER YES TO PASS.</strong></p>
<p>This is untrue. You should only answer yes if you both understand the question and have the documented evidence that the answer should be yes. Fabricating yes answers is both inappropriate and opens the merchant to severe penalties including loss of credit card privileges.</p>
<p><strong>MYTH 4: NO ONE WILL EVER LOOK AT MY ANSWERS TO THE SELF-ASSESSMENT QUESTIONNAIRE</strong></p>
<p>This is untrue. As part of the requirements for PCI compliance, each merchant must file the SAQ with his or her acquirer. If a merchant is compromised, risk rated, randomly audited, or reviewed for other reasons, the response to the SAQ will be examined.</p>
<p><strong>MYTH 5: ALL I NEED TO DO IS TO GET MY PENETRATION SCAN COMPLETED.</strong></p>
<p>This is untrue. It is vitally important to examine the results of the penetration scans and note findings. Each abnormal finding must be addressed regardless of which of the four levels, from informational to severe, is listed. Severe findings must be remediated within 30 days.</p>
<p><strong>MYTH 6: IF MY SOFTWARE OR TERMINAL IS COMPLIANT THEN I AM COMPLIANT.</strong></p>
<p>This is untrue. To answer the questions of the SAQ correctly and honestly, every merchant must have written policies, procedures and auditable logs. There are also significant physical security requirements that must be met. Compliant software and terminals are critical but not the entire answer.</p>
<p><strong>MYTH 7: IT CAN’T HAPPEN TO ME.</strong></p>
<p>This is untrue. Security breaches happen everywhere and can happen to anyone at any time.</p>
<p><strong>MYTH 8: ALL SECURITY BREACHES OCCUR FROM EXTERNAL SOURCES.</strong></p>
<p>This is untrue. Over 90% of security breaches occur because of employees or others with internal access to the merchant.</p>
<p><strong>MYTH 9: MY PROCESSOR IS RESPONSIBLE FOR THE FINES, SO WHY SHOULD I CARE?</strong></p>
<p>This is untrue. The merchant is ultimately responsible for all financial fines and penalties. This can be up to $25,000 per month per event.</p>
<p><strong>MYTH 10: I CAN DO THE SAQ MYSELF</strong></p>
<p>This is true, but no one should. The 75 questions on the SAQ are complicated and complex; answering them requires a detailed understanding of the meaning and intent of each of the questions.</p>
<p>With the above said, it is incumbent on the MLS and/or ISO to have a detailed understanding of PCI. The fact needs to be strongly emphasized to each merchant that they must comply with PCI. Failure to do this can lead to civil penalties, criminal prosecution and loss of credit card accepting privileges.</p>
<p>The payment brands have spent considerable sums attempting to educate the merchant population. A number of resources are available to assist you in helping the merchant achieve compliance. The Green Sheet has published a number of articles addressing these issues. In addition, each of the payment brands has information on its web site defining the requirements and the various categories of merchants.</p>
<p>We strongly recommend that each merchant obtain qualified assistance in achieving PCI DSS compliance. Knowledge of PCI and what it really takes to be compliant will help you, the ISO or MLS, maintain, retain and obtain merchants.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcitoolkit.com/2009/10/29/the-ten-myths-of-payment-card-industry-pci-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

