CSRSI team members will show off the new version in Meeting Room #1524 and Booth #1424 at the annual Electronic Transaction Association (ETA) meeting in San Diego May 10-12.

“The new enhancements increase the ease and speed of completion of the SAQ by merchants while incorporating the fifth and newest SAQ C-VT, which reduces the number of merchants requiring a quarterly system scan. The policies in the system are more detailed with instructions that are easier to follow. The scanning reporting is improved for both merchant and processor. Current users beta-tested this version, providing important feedback,” said Heroux.

“With the PCI Toolkit, we have found, without fail, that our merchants are now embracing these very necessary security measures,” says Abe Maghaguian, President of Atlantic-Pacific Processing Systems, Inc.

The PCI ToolKit® is the only system to provide a self-guided interview system written to the 7^th grade level of reading, making it very helpful to the average small merchant. It is complete with all the policies and procedures each merchant will need as required by the PCI Security Standards Council. The PCI ToolKit® is integrated with ComplyGuard Network for scanning and single sign-on reporting, however the ToolKit works with all approved scanning vendors. Tens of thousands of merchants use the ToolKit each month.

The new version 2.0 offers greater flexibility to banks and processors who oversee the process to encourage all the merchants in their portfolio to become PCI compliant. Implementation protocols are simpler and expanded. Requirements are presented in even more simpler terms. Greater detail is provided for merchants taking the longer SAQ D allowing workarounds. Overall version 2.0 creates a better experience for bank, payment processor and merchant.

About CSRSI

Reducing risk and liability are core competencies for this consulting team of advocates knowledgeable in privacy legislation, compliance, detecting and protecting personally identifiable information.

In over 1750+ engagements since 1999, CSRSI provides guidance in electronic payments, PCI compliance and security of personal data to companies and institutions. For more information, visit csrsi.com.

Federgreen will moderate Regulatory Update, Part 1: Interchange outlining a status of the Durbin Amendment with commentary on the practical effects and implications on acquiring businesses.

Brady will join the Regulatory Update, Part 2: Market Landscape panel, discussing the new IRS reporting requirements, levy rights on merchants, US Treasury/FINCEN compliance, US Anti-Money Laundering and new data security and breach requirements. Commentary will follow on the challenges presented and response by acquiring community and the ETA.

The Challenges of PCI Compliance panel will also be moderated by Federgreen covering reasonable expectations for these programs, handling merchant resistance, avoiding attrition and a discussion on selection of PCI Compliance vendors.

“We always enjoy the give and take of discussions on compliance topics that affect the payments industry and their merchants. These are interesting times with many forces from Federal, state, judicial and regulatory directions causing bank, acquirers, processors and merchants all alike to make significant changes in how they do business and how they strategize for the future.”

Federgreen has personally completed compliance, risk mitigation and liability engagements for companies ranging from the Fortune 100 to start-ups.  His experience includes the hospitality, grocery, e-Commerce and self-storage industries.

Author of over 100 articles appearing in professional and trade journals like Transaction Trends, The Bottom Line, Inside Self-Storage, Grocery Headquarters, Federgreen has authored critical white papers on transaction security compliance and currently serves on the Advisory Board to the “Green Sheet” and is section editor for payments for Inside Self-Storage Magazine.

Brady’s compliance expertise in data protection extends from MasterCard International and as Compliance Officer for EVO Merchant Services. He provides a regulatory perspective to CSRSI clients.

About CSRSI

Reducing risk and liability are core competencies for this consulting team of advocates knowledgeable in privacy legislation, compliance, detecting and protecting personally identifiable information.

In over 1750+ engagements since 1999, CSRSI provides guidance in electronic payments, PCI compliance and security of personal data to companies and institutions. For more information, visit csrsi.com.

By Mark Brady and Ross Federgreen

The Dodd-Frank Wall Street Reform and Consumer Protection Act, signed by President Obama on July 21, 2010, is now the law of the land. Included in the act is the Durbin Amendment, a provision in the final bill aimed at debit card interchange fees and other issues to increase competition in payment processing.

Section 1075 of the Act (“Reasonable Fees for Rules and Payment”) offers implications for acquirers and issuers. The Federal Reserve Board still has to write specific rules for implementing the new regulation; the devil will be in the details. The following discusses some of the major points of Section 1075 and provides our take at this point in time. Issuers must provide costs to justify debit interchange rates.

Section 1075 states that “the amount of any interchange transaction fee that an issuer may receive or charge with respect to an electronic debit transaction shall be reasonable and proportional to the cost incurred by the issuer.” This is the most far-reaching piece of Section 1075. Experts predict electronic debit may surpass cash in the next few years. According to the National Retail Federation, merchants pay approximately $20 billion annually in fees for accepting debit cards. American Banker’s PaymentSource.com estimates that if debit fees are cut by 50 percent, $4.15 billion in interchange fees for Visa Inc. issuers and $1.45 billion for MasterCard Worldwide issuers would be eliminated. As such, the stakes are significant.

Several years ago MasterCard and Visa justified interchange rates, at least in part, on a cost basis. They now promote their product based on value. For example, in January 2010, The New York Times reported that, according to Visa, merchants’ cost for accepting debit hasn’t gone down because the cards provide greater value than they did previously and that merchant acceptance has doubled in the last 10 years, so the costs of accepting debit cannot be too onerous.

The article also quoted Elizabeth Buse, Visa’s Group Executive, International, who said the fees are “not a cost-based calculation but a value-based calculation” and William M. Sheedy, Visa’s President for the Americas, who said, “Debit has become so mainstream, some of the people who have benefited have lost sight of what their business model was, what their cost structure was.”

The Fed is requiring issuers to provide information biannually on costs “in connection with the authorization, clearance or settlement of electronic debit transactions.” It further stipulates that “costs incurred by an issuer which are not specific to a particular electronic debit transaction shall not be considered.”

Fed can allow adjustments for issuer fraud costs

Section 1075 states that the Fed may allow for “an adjustment to the fee amount received by an issuer if such adjustment is reasonably necessary to make allowance for costs incurred by the issuer in preventing fraud in relation to electronic debit transactions.”

Given that fraud rates for signature debit are much higher than for PIN debit, it will be interesting to see how issuers and the Fed deal with that aspect of the law. Will the Fed address the issuer promotion of signature debit versus PIN debit due to higher fraud rates for signature? Or will the Fed disallow a portion of signature debit fraud from issuer’s cost calculations?

Also, Section 1075 states “any fraud-related adjustment of the issuer … takes into account any fraud-related reimbursements (including amounts from chargebacks) received from consumers, merchants or payment card networks in relation to electronic debit transactions.” This appears to say fraud-related chargebacks issuers return to merchants (and are not successfully represented back to issuers) must be removed from the issuers’ interchange cost workups. Many fraud related chargebacks are not returnable to issuers per MasterCard and Visa rules. Will the Fed require issuers to eliminate these chargebacks from their cost workups?

Finally, the law allows issuers to include data security costs in their fraud calculations. While issuers certainly incur costs for data security, it is the acquiring side of the business that is responsible for data security breaches. These acquiring costs include reimbursement to issuers for new card reissuance in the event of data security breaches. Will the Fed consider these acquiring data security costs in the issuer interchange cost calculations?

The cost data will provide the Fed significant information about this market – information issuers may not be happy to provide. In 2009 the Government Accountability Office requested some of these costs and had a difficult time obtaining this information.

The Fed intends to prescribe the new regulations no later than nine months after the law was signed. This means the new interchange rates will probably be determined in the first quarter of 2011 or early second quarter.

Regulation is limited to the largest U.S. banks

Section 1075 states that the regulations will not apply to any issuer that, together with its affiliates, has assets of less than $10 billion. As such, most U.S. banks will be exempt from Dodd-Frank, even with their affiliates included. How will these banks react to their exemption? How will it affect their merchant business? Will they be helped or hurt?

Government programs are exempt

Governments appear to have exempted themselves from the interchange transaction fee regulation for “a debit card or general-use prepaid card that has been provided to a person pursuant to a federal, state or local government-administered payment program.” The U.S. government was obviously concerned about the debit card issuing impact on its own government card programs.

Issuer network fee increases are restricted

The regulators appear to be concerned that the card companies will substitute increased network fees for interchange rate decreases. As such, the Fed will “prescribe regulations to ensure that a network fee is not used to directly or indirectly compensate an issuer with respect to an electronic debit transaction, and a network fee is not used to circumvent or evade the restrictions of the regulation.”

Also, issuers may not restrict the number of payment card networks on which an electronic debit transaction may be processed. This may help MasterCard, which trails Visa significantly in debit card transaction volume. Concern also exists among issuers that the United States will further pressure MasterCard and Visa to lower network fees.

Merchants can set minimum or maximum amounts for credit card transactions

The law allows merchants to establish minimum and maximum dollar values for credit card transactions: “A payment card network shall not, directly or through any agent, processor, or licensed member of the network, by contract, requirement, condition, penalty, or otherwise, inhibit the ability … to set a minimum or maximum dollar value for the acceptance of credit cards.” Merchants may not differentiate between issuers or between payment card networks, and the minimum dollar value may not exceed $10.

Minimums at the POS are much more pervasive than maximums and are bound to confuse merchants, as the new rule does not apply to debit card transactions. Many transactions under $10 involve signature debit cards. Clerks at the POS are going to have a difficult time distinguishing between debit and credit cards; they will understandably think the $10 minimum applies to all cards. It’s bound to result in confusion at the cash register.

The regulation also allows maximum limits to be set by merchants, specifically citing “institutions of higher education.” Colleges and universities have been among the most likely entities to set maximums. Again, maximums may not differentiate between issuers or between payment card networks and apply to credit card transactions only.

Merchants’ ability to establish discounts is expanded

The regulation stipulates that networks may not “inhibit the ability of any person to provide a discount or in-kind incentive for payment by the use of cash, checks, debit cards or credit cards to the extent that – the discount does not differentiate on the basis of the issuer or the payment card network.” The discount must be applied to the advertised price of the item or service. As such, a “card price” cannot be added to the regular price of an item in the form of a surcharge.

The card brands and issuers appear to have given up little here, except that merchants can now offer a discount for, say, PIN debit. As the MasterCard and Visa rules are now written, discounts for cash are allowed under these conditions. These cash discounts have been common in gas stations for several years.

It’s difficult to predict whether the new discount provisions will be utilized by a significant number of merchants, especially small merchants. Many big-box and wholesale or warehouse merchants do not offer discounts for entering a PIN at the POS, but they make sure a PIN pad is right in front of the customer at checkout.

MasterCard, Visa and card issuers may have successfully avoided repeating their Australian experience several years ago when courts in that country allowed merchants to surcharge transactions. Over the next several months, as the Fed issues drafts of the new regulations, there will be more to say about the Dodd-Frank Act and it’s implications for the major card brands, issuers and acquirers.

Stay tuned.

Thank you for your interest in the PCI ToolKit®, a service sold to banks, acquirers and payment processors (ISOs). Merchants should contact their processor or banking relationship for instructions. If you represent a bank, acquirer or payments processor, fill out the form to schedule your demo.

Jensen Beach, FL-April 15, 2010- CSRSI, a leading electronics payments consulting firm, proudly announced several new enhancements to their PCI ToolKit® web application at a Client Appreciation Dinner for 60 clients attending the Electronic Transaction Association’s Annual Meeting and Expo in Las Vegas April 14th. The dinner, held at Smith & Wollensky’s restaurant, highlighted a new look and feel and a more user-friendly interface for its survey-based system for merchants to complete their required annual Self-Assessment Questionnaire as mandated by the PCI Standards Council.

The PCI ToolKit® is a broadly used web-based, comprehensive system for merchants processing credit cards to become compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Introduced in 2005, the ToolKit also provides an interface to CSRSI’s clients composed of member banks, payment processors and ISOs to administer oversight of merchants’ progress.

Ross Federgreen, one of CSRSI’s founders, in appreciation of the moment, summed up the milestone event: “We continue to listen to our clients’ feedback and incorporate their requests for advancements in our development stages. We’re thrilled to see how many of our long term client/friends were present to show their confidence in and support of the PCI ToolKit®, representing many well-known member banks, processors and ISOs.

About CSRSI

CSRSI provides electronic payment consultation and management. Our areas of focus include PCI, PII (personally identifiable information), risk, liability, compliance, systems selection and vendor selection. Our expertise includes merchant services, ACH, SWIFT, IBAN and all other electronic formats. For more information, visit www.csrsi.com.

For further information, contact: jcarroza@csrsi.com.

Twitter: @pcitoolkit

Twitter: @csrsi

The report – which is offered free until the end of January – also says that companies adopting PCI-DSS compliance can save up to 45% on their costs by adopting a best practice strategy.

The study, which is billed as providing year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with PCI-DSS , found that adopting a best-in-class approach can halve a company’s compliance costs.

On top of this, the report notes that best-in-class companies can divert the PCI-DSS compliance savings into other areas, such as sustainable programs and continuous improvement.

According to the research firm, best-in-class companies were found to have reduced their deficiencies related to PCI-DSS compliance by 7.5% on a year-over-year basis, when compared to `laggards.’

The conclusions of the security analysis show how companies can reduce the scope of their PCI-DSS compliance, as well as `map and adapt’ to better security practices.

One of the most interesting conclusions of the report is the need for managers to assign clear ownership of the PCI-DSS issues and so achieve better PCI-DSS efficiencies.

Source: Infosecurity Magazine

• Card replacement costs now averaging about $4 per item
• Compliance fines now ranging from about $5,000 to $50,000
  per event for a small merchant (III, IV)
• Cost of forensic examination averaging between $25,000 and $35,000 per event for Level III and IV merchants
• Additional fines for actual fraudulent utilization of stolen PAN varies

Case Study:

• A small carp present retailer was breached. The retailer had filled out a self assessment form and attested that the information was true and correct to the acquirer.
• The merchant was found to have stored over 2,000 credit card numbers in an accounting system for “reference” and to bill clients “if they forgot there credit card number”.
• The file was accessed and the credit card numbers were stolen when during the course of a robbery the CPU was stolen. A CPP (common point of purchase) analysis of credit cards revealed the location of the theft.

Replacement Cost                 $ 5,000

Compliance Fine                   $ 12,500

Forensic Examination            $ 25,000

Card Utilization Fines $ 74,398.47

TOTAL $116,898.47

• The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.
• The merchant filed for protection under bankruptcy
• The amounts due were assessed to the ISO by the acquirer.
• Visa fined the ISO additional fees following an examination of ISO practices as it relates to PCI adoption and plan for portfolio under VBR 07508 after the initial event.
• ISO sustained a financial loss of $189,354.45

Study: Maine Bureau of Financial Institutions January 2009

Study design: Cost of TJX and Hannaford breach borne by Maine chartered banks and credit unions

TJX

52 Institutions

64,825 Accounts

$485,000 Recovery*

Hannaford

71 Institutions

243.599 Accounts

$4,500,000 Recovery*

*Recovery cost: investigation, communication, reissuance and net fraud

Study Design: Cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.

Phase I – January 1, 2008

Acquirers must not board new merchants that use known vulnerable payment applications. Furthermore, VNPs and agents must not certify new applications to their platforms that are known vulnerable payment applications. A list of vulnerable payment applications is updated quarterly and is available on Visa Online at www.us.visaonline.com/us_riskmgmt/cisp.


Phase I will deter vendors from introducing new vulnerable payment applications into the payment system, and will reinforce acquirer compliance efforts by preventing merchants from migrating from one acquirer to another in an attempt to avoid upgrading a vulnerable payment application.

Phase II – July 1, 2008

VNPs and agents must only certify new payment applications to their platforms that are PABPcompliant. A list of payment applications that have been validated against Visa’s PABP is available at www.visa.com/pabp.


Phase II promotes the use of payment applications that adhere to PABP and support merchant PCI DSS compliance. This phase will also further prevent vendors from introducing new vulnerable payment applications into the payment system.

Phase III – October 1, 2008

Acquirers must only board new Level 3 and Level 4 merchants that are PCI DSS compliant or utilize PABP-compliant applications. PABP does not apply to applications developed for inhouse use only or to hardware terminals.


Phase III mitigates acquirer risk associated with boarding new merchants that are not PCI DSS compliant or that rely on payment applications that are not PABP-compliant. Further, Phase III reinforces acquirer compliance efforts by preventing merchants from migrating from one acquirer to another in an attempt to avoid compliance requirements.

Phase IV – October 1, 2009

VNPs and agents must decertify all known vulnerable payment applications, including those published on Visa’s quarterly list of vulnerable payment applications. As future vulnerable payment applications are identified, VNPs and agents must decertify these applications within 12 months.
Phase IV is intended to eliminate the continued use of vulnerable payment applications by acquirers, merchants and agents within the payment system.

Phase V – July 1, 2010

Acquirers must ensure their merchants and agents use only PABP-compliant applications. A list of payment applications that have been validated against Visa’s PABP is available at www.visa.com/pabp.


Phase V mandates the use of payment applications that support PCI DSS compliance, requiring acquirers, merchants and agents to use only those payment applications that can be validated as  PABP-compliant. It is important to note that the deadline for Phase V is aligned with the Triple Data Encryption Standard (TDES) usage mandate for all point-of-sale (POS) PIN-entry devices (PEDs) to be using TDES to protect PINs. Additionally, all attended POS PEDs must be evaluated by a Visa-recognized laboratory and approved by Visa prior to this same date.

Vulnerable Payment Applications

As a result of an increasing number of merchant compromises, Visa has identified that certain payment applications are designed to store prohibited data, including full magnetic-stripe, CVV2 or PIN data, subsequent to transaction authorization. Storage of these data elements is in violation of the PCI DSS and Visa U.S.A. Inc. Operating Regulations. Hackers are targeting merchants and agents using vulnerable payment applications and exploiting vulnerabilities to find this data. It is critical for acquirers to ensure that their merchants and agents do not use payment applications known to retain prohibited data elements and to take corrective actions to address any identified deficiencies. Acquirers, merchants and agents should ask all of their payment application vendors, resellers or system integrators to confirm that software versions used do not store magnetic-stripe, CVV2 or PIN data.


Recently, Visa alerted acquirers of an updated list of vulnerable payment applications that retain prohibited data. Visa will continue to proactively alert acquirers as vulnerable payment applications are identified. The vulnerable payment application list is available on Visa Online at www.us.visaonline.com/us_riskmgmt/cisp.

Summary

To enforce the payment application security mandates, Visa will continue to identify payment applications used by Level 1 and 2 merchants through the PCI Compliance Acceleration Program, monitor acquirers’ Level 4 merchant compliance plans and determine payment applications certified by VNPs. Visa may also consider a compromised entity’s use of vulnerable payment applications or PABP-validated applications in fine and ADCR determinations.


Visa will continue to work with all key stakeholders — acquirers, processors, merchants, agents and payment application vendors — to raise security awareness and promote the use of payment  applications validated against the PABP. In many cases, acquirers, processors and agents have indicated that they already have more aggressive plans in place to support these mandates. It is critical for acquirers and processors to begin integrating these mandates into their processes. Acquirers should also revisit their Level 4 merchant compliance plans and adjust accordingly to support these  candates. In an effort to mitigate the risk of compromise, acquirers must take prompt action to ensure that merchants and agents discontinue use of vulnerable payment applications and begin moving merchants and agents toward using only PABP-compliant applications.


For more information on Visa’s PABP, please visit http://www.visa.com/pabp. Questions about this bulletin may be directed to CISP@visa.com. For the complete VBR, Visa acquirers may refer to the Visa Business Review article, “Visa Announces New Payment Application Security Mandates,” October 2007; Issue 07100902.


© 2007 Visa Inc., all rights reserved.


CISP BULLETIN – 102307