Thank you for your interest in the PCI ToolKit®, a service sold to banks, acquirers and payment processors (ISOs). Merchants should contact their processor or banking relationship for instructions. If you represent a bank, acquirer or payments processor, fill out the form to schedule your demo.

Jensen Beach, FL-April 15, 2010- CSRSI, a leading electronics payments consulting firm, proudly announced several new enhancements to their PCI ToolKit® web application at a Client Appreciation Dinner for 60 clients attending the Electronic Transaction Association’s Annual Meeting and Expo in Las Vegas April 14th. The dinner, held at Smith & Wollensky’s restaurant, highlighted a new look and feel and a more user-friendly interface for its survey-based system for merchants to complete their required annual Self-Assessment Questionnaire as mandated by the PCI Standards Council.

The PCI ToolKit® is a broadly used web-based, comprehensive system for merchants processing credit cards to become compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Introduced in 2005, the ToolKit also provides an interface to CSRSI’s clients composed of member banks, payment processors and ISOs to administer oversight of merchants’ progress.

Ross Federgreen, one of CSRSI’s founders, in appreciation of the moment, summed up the milestone event: “We continue to listen to our clients’ feedback and incorporate their requests for advancements in our development stages. We’re thrilled to see how many of our long term client/friends were present to show their confidence in and support of the PCI ToolKit®, representing many well-known member banks, processors and ISOs.

About CSRSI

CSRSI provides electronic payment consultation and management. Our areas of focus include PCI, PII (personally identifiable information), risk, liability, compliance, systems selection and vendor selection. Our expertise includes merchant services, ACH, SWIFT, IBAN and all other electronic formats. For more information, visit www.csrsi.com.

For further information, contact: jcarroza@csrsi.com.

Twitter: @pcitoolkit

Twitter: @csrsi

The report – which is offered free until the end of January – also says that companies adopting PCI-DSS compliance can save up to 45% on their costs by adopting a best practice strategy.

The study, which is billed as providing year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with PCI-DSS , found that adopting a best-in-class approach can halve a company’s compliance costs.

On top of this, the report notes that best-in-class companies can divert the PCI-DSS compliance savings into other areas, such as sustainable programs and continuous improvement.

According to the research firm, best-in-class companies were found to have reduced their deficiencies related to PCI-DSS compliance by 7.5% on a year-over-year basis, when compared to `laggards.’

The conclusions of the security analysis show how companies can reduce the scope of their PCI-DSS compliance, as well as `map and adapt’ to better security practices.

One of the most interesting conclusions of the report is the need for managers to assign clear ownership of the PCI-DSS issues and so achieve better PCI-DSS efficiencies.

Source: Infosecurity Magazine

• Card replacement costs now averaging about $4 per item
• Compliance fines now ranging from about $5,000 to $50,000
  per event for a small merchant (III, IV)
• Cost of forensic examination averaging between $25,000 and $35,000 per event for Level III and IV merchants
• Additional fines for actual fraudulent utilization of stolen PAN varies

Case Study:

• A small carp present retailer was breached. The retailer had filled out a self assessment form and attested that the information was true and correct to the acquirer.
• The merchant was found to have stored over 2,000 credit card numbers in an accounting system for “reference” and to bill clients “if they forgot there credit card number”.
• The file was accessed and the credit card numbers were stolen when during the course of a robbery the CPU was stolen. A CPP (common point of purchase) analysis of credit cards revealed the location of the theft.

Replacement Cost                 $ 5,000

Compliance Fine                   $ 12,500

Forensic Examination            $ 25,000

Card Utilization Fines $ 74,398.47

TOTAL $116,898.47

• The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.
• The merchant filed for protection under bankruptcy
• The amounts due were assessed to the ISO by the acquirer.
• Visa fined the ISO additional fees following an examination of ISO practices as it relates to PCI adoption and plan for portfolio under VBR 07508 after the initial event.
• ISO sustained a financial loss of $189,354.45

Study: Maine Bureau of Financial Institutions January 2009

Study design: Cost of TJX and Hannaford breach borne by Maine chartered banks and credit unions

TJX

52 Institutions

64,825 Accounts

$485,000 Recovery*

Hannaford

71 Institutions

243.599 Accounts

$4,500,000 Recovery*

*Recovery cost: investigation, communication, reissuance and net fraud

Study Design: Cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.

Phase I – January 1, 2008

Acquirers must not board new merchants that use known vulnerable payment applications. Furthermore, VNPs and agents must not certify new applications to their platforms that are known vulnerable payment applications. A list of vulnerable payment applications is updated quarterly and is available on Visa Online at www.us.visaonline.com/us_riskmgmt/cisp.


Phase I will deter vendors from introducing new vulnerable payment applications into the payment system, and will reinforce acquirer compliance efforts by preventing merchants from migrating from one acquirer to another in an attempt to avoid upgrading a vulnerable payment application.

Phase II – July 1, 2008

VNPs and agents must only certify new payment applications to their platforms that are PABPcompliant. A list of payment applications that have been validated against Visa’s PABP is available at www.visa.com/pabp.


Phase II promotes the use of payment applications that adhere to PABP and support merchant PCI DSS compliance. This phase will also further prevent vendors from introducing new vulnerable payment applications into the payment system.

Phase III – October 1, 2008

Acquirers must only board new Level 3 and Level 4 merchants that are PCI DSS compliant or utilize PABP-compliant applications. PABP does not apply to applications developed for inhouse use only or to hardware terminals.


Phase III mitigates acquirer risk associated with boarding new merchants that are not PCI DSS compliant or that rely on payment applications that are not PABP-compliant. Further, Phase III reinforces acquirer compliance efforts by preventing merchants from migrating from one acquirer to another in an attempt to avoid compliance requirements.

Phase IV – October 1, 2009

VNPs and agents must decertify all known vulnerable payment applications, including those published on Visa’s quarterly list of vulnerable payment applications. As future vulnerable payment applications are identified, VNPs and agents must decertify these applications within 12 months.
Phase IV is intended to eliminate the continued use of vulnerable payment applications by acquirers, merchants and agents within the payment system.

Phase V – July 1, 2010

Acquirers must ensure their merchants and agents use only PABP-compliant applications. A list of payment applications that have been validated against Visa’s PABP is available at www.visa.com/pabp.


Phase V mandates the use of payment applications that support PCI DSS compliance, requiring acquirers, merchants and agents to use only those payment applications that can be validated as  PABP-compliant. It is important to note that the deadline for Phase V is aligned with the Triple Data Encryption Standard (TDES) usage mandate for all point-of-sale (POS) PIN-entry devices (PEDs) to be using TDES to protect PINs. Additionally, all attended POS PEDs must be evaluated by a Visa-recognized laboratory and approved by Visa prior to this same date.

Vulnerable Payment Applications

As a result of an increasing number of merchant compromises, Visa has identified that certain payment applications are designed to store prohibited data, including full magnetic-stripe, CVV2 or PIN data, subsequent to transaction authorization. Storage of these data elements is in violation of the PCI DSS and Visa U.S.A. Inc. Operating Regulations. Hackers are targeting merchants and agents using vulnerable payment applications and exploiting vulnerabilities to find this data. It is critical for acquirers to ensure that their merchants and agents do not use payment applications known to retain prohibited data elements and to take corrective actions to address any identified deficiencies. Acquirers, merchants and agents should ask all of their payment application vendors, resellers or system integrators to confirm that software versions used do not store magnetic-stripe, CVV2 or PIN data.


Recently, Visa alerted acquirers of an updated list of vulnerable payment applications that retain prohibited data. Visa will continue to proactively alert acquirers as vulnerable payment applications are identified. The vulnerable payment application list is available on Visa Online at www.us.visaonline.com/us_riskmgmt/cisp.

Summary

To enforce the payment application security mandates, Visa will continue to identify payment applications used by Level 1 and 2 merchants through the PCI Compliance Acceleration Program, monitor acquirers’ Level 4 merchant compliance plans and determine payment applications certified by VNPs. Visa may also consider a compromised entity’s use of vulnerable payment applications or PABP-validated applications in fine and ADCR determinations.


Visa will continue to work with all key stakeholders — acquirers, processors, merchants, agents and payment application vendors — to raise security awareness and promote the use of payment  applications validated against the PABP. In many cases, acquirers, processors and agents have indicated that they already have more aggressive plans in place to support these mandates. It is critical for acquirers and processors to begin integrating these mandates into their processes. Acquirers should also revisit their Level 4 merchant compliance plans and adjust accordingly to support these  candates. In an effort to mitigate the risk of compromise, acquirers must take prompt action to ensure that merchants and agents discontinue use of vulnerable payment applications and begin moving merchants and agents toward using only PABP-compliant applications.


For more information on Visa’s PABP, please visit http://www.visa.com/pabp. Questions about this bulletin may be directed to CISP@visa.com. For the complete VBR, Visa acquirers may refer to the Visa Business Review article, “Visa Announces New Payment Application Security Mandates,” October 2007; Issue 07100902.


© 2007 Visa Inc., all rights reserved.


CISP BULLETIN – 102307

Listed below are Visa
key dates including data security mandates and reporting deadlines.

*Note: this timeframe
applies to newly identified Level 1 and Level 2 merchants late 2007
and early 2008

**Note: this timeframe applies to newly identified Level 1 and Level
2 merchants late 2008 and early 2009

Source: http://usa.visa.com/merchants/risk_management/cisp_key_dates.html

MYTH 1: I DO NOT HAVE TO BE COMPLIANT

This is untrue. Every merchant who in any manner accepts, handles, stores or transmits credit card information must be compliant. This extends to all merchants regardless of the type of credit card environment they are in. There are no exceptions for merchants who are in the card present environment.

MYTH 2: IF I HAVE PENETRATION SCANS I AM COMPLIANT

This is untrue. Penetration scans or vulnerability scans represent a small fraction of the requirements. Having penetration scans done is important but it is not all that is required. The merchant must complete the 75 questions that make up the annual self-assessment questionnaire (SAQ).

MYTH 3: FOR THE SAQ I CAN JUST ANSWER YES TO PASS.

This is untrue. You should only answer yes if you both understand the question and have the documented evidence that the answer should be yes. Fabricating yes answers is both inappropriate and opens the merchant to severe penalties including loss of credit card privileges.

MYTH 4: NO ONE WILL EVER LOOK AT MY ANSWERS TO THE SELF-ASSESSMENT QUESTIONAIRE

This is untrue. As part of the requirements for PCI compliance each merchant must file the SAQ with his or her acquirer. If a merchant is compromised, risk rated, randomly audited or for other reasons the response to the SAQ will be examined.

MYTH 5: ALL I NEED TO DO IS TO GET MY PENETRATION SCAN COMPLETED.

This is untrue.  It is vitally important to examine the results of the penetration scans and note findings. Each abnormal finding must be addressed regardless of which of the four levels from informational to severe is listed. Severe findings must be remediate within 30 days.

MYTH 6: IF MY SOFTWARE OR TERMINAL IS COMPLIANT THAN I AM COMPLIANT.

This is untrue. Every merchant to answer the questions of the SAQ correctly and honestly must have written policies, procedures and auditable logs. There are significant physical security requirements that are required as well which must be met. Compliant software and terminals arecritical but not the entire answer.

MYTH 7: IT CAN’T HAPPEN TO ME.

This is untrue security breaches happen everywhere and can happen to anyone at anytime.

MYTH 8: ALL SECURITY BREACHES OCCUR FROM EXTERNAL SOURCES.

This is untrue over 90% of security breaches occur because of employees are others with internal access to the merchant.

MYTH 9: MY PROCESSOR IS RESPONSIBLE FOR THE FINES SO WHY SHOULD I CARE.

This is untrue. The merchant is ultimately responsible for all financial fines and penalties. This can be up to $25,000 per month per event.

MYTH 10: I CAN DO THE SAQ MYSELF

This is true but no one should. The 75 questions on the SAQ are complicated and complex to answer them requires a detailed understanding of the meaning and intent of each of the questions.

With the above said it is incumbent for the MLS and or ISO to have a detailed understanding of PCI. The fact needs to be strongly emphasized to each merchant that they must comply with the PCI. Failure to do this can lead to civil penalties, criminal prosecution and loss of credit card accepting privileges.

The payment brands have spent considerable sums attempting to educate the merchant population. A number of resources are available to assist you in helping the merchant achieve compliance. The Green Sheet has published a number of articles addressing these issues. In addition each of the payment brands have information on their web sites defining the requirements and the various categories of merchants.

We strongly recommend that each merchant obtain qualified assistance in achieving PCI DSS compliance. Knowledge of PCI and what it really takes to be compliant will help you the ISO or MLS maintain, retain and obtain merchants.