Compliance powerhouse welcomes ISOs

Since 1999, payment and data privacy consultancy CSRSI, The Payment Advisors, has advised government agencies, multinational corporations, financial institutions and ISOs on how to reduce the costs of acquiring, protect against fraud, and maximize data security and compliance. Over 1,750 consulting jobs later, the company is evolving - and so is its mission. In January 2012, CSRSI added a doing-business-as moniker, CSR, which stands for Compliance Solutions and Resources.

"We started out with the name CSRSI, and that originally stood for Cost Savings Reduction Specialists Inc.," said company founder Ross Federgreen. "As time marched on, we really became very focused on consultative compliance audits."

But Federgreen found that clients sometimes had a difficult time remembering the name. The new, simplified name more accurately reflects the company's core competencies as consultants and resource providers, Federgreen noted.

"We have a consultative side, which has been the traditional side of the company, as well as a mass-market production side where we provide compliance solutions for a significant number of merchants, whether it's the PCI ToolKit or the CSR Breach Reporting ToolKit," he said.

CSR has several other products under development, including the HIPAA (Health Insurance Portability and Accountability Act) Hitech ToolKit. "These are all compliance solutions on a consultative basis," Federgreen added. "They're all resources, so we thought the name tied in well to where we are, what we're doing and what we want to do in the future."

Consultants with experience

As a consultant, Federgreen has a substantial pedigree, having served as an advisor to the United States Senate, the U.S. Agency for International Development and numerous multinational corporations. He has also consulted for The Rockefeller Foundation and management advisory firm McKinsey & Co., and is among an elite group who carry a governmental sub-specialization rating, meaning he possesses in-depth knowledge of federal statutes pertaining to sets of procedures and protocols for interfacing with the government and for the government to operate internally.

"I have bridged the political-economic advisory role for 30 years, and it's been one large continuum," Federgreen said. A majority of his early consultative work focused on the traditional payments space, ranging from requests for proposals from large acquirer entities to cross-border, cross-national payment solutions.

Federgreen works in tandem with Rick Heroux - the only business partner Federgreen has ever had. As company President, Heroux oversees corporate operations and product development. He has also advised hundreds of businesses - from Fortune 100s to startups - on payment cost performance, Payment Card Industry (PCI) Data Security Standard (DSS) compliance, alternative payments and fraud prevention management.

Federgreen said that at this point, CSR does little to no consulting for clients below $25 to $50 million in annual revenue. "Most of our clients are in the hundreds of millions or more," he said. Consulting expertise for these clients includes multilateral payment system design, integration and cost; risk and regulatory compliance; and data security for domestic, foreign and cross-border entities.

But smaller merchants also benefit from CSR. In 2005, the company developed its PCI ToolKit for large processors. That kit was ultimately distributed to the small merchant population and continues to be enhanced.

"We have four CIPPs [Certified Information Privacy Professionals] in our organization, so we're fully certified to provide these services, and we sell them to our ISOs," Federgreen said. Internally, CSR has approximately 25 to 30 individuals assembled into teams to deal with specific needs of clients and specific sets of performance criteria. Federgreen plans to extend the on-demand team model as CSR expands.

A variety of tool kits

CSR offers its compliance products on a software-as-a-service basis. Its flagship product, the PCI ToolKit, serves approximately 30,000 to 40,000 merchants each month. The soft launch of the CSR Breach Reporting ToolKit was expected to conclude in January 2012, with a formal launch shortly thereafter.

"The PCI ToolKit is unique in that it is a survey type of system that is not standard SAQ [self assessment questionnaire] by any stretch of the imagination," Federgreen said. "It provides merchants with a very sophisticated survey set of questions.

"And then from those answers, they'll get a specific set of tasks that they need to complete before they can become compliant. So, really, it's gap analysis for their remediation schedule. Then we also do all the brand reporting associated with it."

In addition to automating the SAQ process, PCI ToolKit assists merchants with quarterly network security scans as mandated by the PCI DSS. The system is approved scanning vendor (ASV) agnostic, which means clients can contract with the ASV of their choice.

According to Federgreen, there are five PCI regulated data types: date of birth, Social Security number, driver's license number, credit and debit card number, and automated clearing house routing number. To help merchants comply with data breach reporting requirements, CSR's system provides a single point for clients to make the initial call once a breach has been detected.

"We report that information to all of the appropriate parties at the federal, state, local levels and to the brand as required based upon what data was stolen," Federgreen said. "They are under a very significant timeline to report the breach ... and usually don't have the business bandwidth to do it."

A key benefit in reselling the breach reporting tool kit is that it doesn't require ownership of the merchant identification number, Federgreen noted. "We have a lot of resellers who are actually selling it outside of their own merchant population because with the PCI ToolKit, obviously, they need to own or control the merchant ID number," he said. "That is absolutely not true with the CSR Breach Reporting ToolKit."

CSR's soon-to-be released HIPAA Hitech ToolKit product will draw upon the same survey technique used in its PCI ToolKit to guide health care providers through the steps involved in medical records compliance as required by law.

The 'five percent factor'

Aligning with a company well versed in compliance has been reassuring for Merchant Services Inc. "I do not see that [level of competency] with every product vendor that I come across," said Nathan Jurczyk, Vice President at MSI.

"We use their product for the vast majority of merchants as long as it's the right fit. They're a very appropriate fit for your standard brick-and-mortar and midsized businesses. It's a good quality product that delivers results. We bundle it with our master package of services."

In working with thousands of merchant businesses, Jurczyk has observed that a certain number inevitably fall outside traditional models. "You always have that 5 percent factor," he said. "Those are the folks that can be incredibly difficult to walk through PCI compliance. That's where I've found CSR to be invaluable."

To address the disparate needs of merchants across the spectrum, CSR segments its services, providing formal privacy consultations to large merchants, while smaller merchants receive its Tier 2 services based on their level of progress in the compliance process.

"Number one, there is some percentage of merchants who want us to come in early on, review the data elements they have, look at the lifecycle of those data elements and then advise them what the proper handling and match them with that," Federgreen said. "That's a growing part of our portfolio." He added that the second type of merchant typically calls upon CSR to examine specific back patterns and advise them accordingly.

CSR also has a growing population of merchants victimized by breaches that ask CSR to put on its "forensic hat" and "advise them of the areas of privacy that were violated, what may have happened, and, most importantly, what the rules and requirements are for data subject notification," Federgreen noted.

Two-way education

Federgreen said most merchants, regardless of size, have reservations about the compliance process, especially about advisers that deliver mediocre service - an unfortunate but all-too-common occurrence. "They engage with someone and they don't get complete answers," he said. "They don't stay with them over time."

Federgreen noted that this doesn't happen at CSR, where follow-through is imperative. He estimated that 85 percent of CSR's clients are ongoing. "We're all about education and learning," he said. "That's true in everything we do."

Federgreen said mass-market distribution of CSR's products through ISO channels has made its online compliance solutions affordable to a majority of the merchant population, and he added it clearly generates revenue.

He pointed out that with the commoditization of the interchange side of the business, income from the service side has become more important for the economic well-being of CSR's partners, and CSR is fully cognizant of that.

"The message I'd like to deliver is that we have great, proven products, are very proud of what we've accomplished, but we want to do more," Federgreen said. "We want to hear from people because I think they're the ones that generate the interesting ideas. If somebody has the question, usually 9 out of 10 other people have something similar, too, that they're concerned about. That's been our mantra."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.