I spoke to them on Thursday last week (19th Feb) after many (quite threatening manner) emails with deadlines attached.

I was given 3 options by them.

1st.
Pay them to complete and submit a PCI questionaire on my behalf.

2nd.
Download, complete and submit a 17 page questionaire myself (Was informed that it was quite complex and could struggle to complete).

3rd.
Do nothing and risk losing my merchant account with Barclays and this was a high probability as it was a condition of contract with Barclays.

Having followed/taken part in the recent forum discussions I was well equipped to argue that as we did not capture/hold/store any details and used Actinic Payments as our PSP therefore we were already PCI compliant but they insisted every merchant operating online and even those retailers having just a chip and pin machine for over the counter sales must meet their (Security Metrics) guidelines.

Said I would ring them back, but the whole saga is very confusing and you get the same feeling that you get with double glazing salesmen that they aren't being totally honest.

I have not decided what to do next and my gut feeling is if Barclays are using such questionable techiques to force retailers to do something that isn't actually required I would prefer to swap banks.

Chris,

I am more than happy to forward on all my emails to you (if useful) as they are pretty in your face and say that whatever you decide you must contact Security Metrics therefore forcing you into what I would describe as a trap, you have to speak to someone, who's sole purpose is to sell their product.

Thanks for tackling this one, Chris.

I rang BMS this morning to ask about PCI compliance. There is an option in the telephone menu for this topic; it routes you through to SecurityMetrics

The man from SM advised me I was a Type A merchant and I could do one of two things:
1. Fill in the compliance form from www.pcisecuritystandards.org (and presumably send it in as outlined in the BMMS email).
2. Get them (SM) to do this for me. When pressed, he said this service would cost £11.95

He did say there was only 11 questions on the Type A form. I've had a quick look at it and it doesn't look too bad. There don't seem to be any IT-related questions on it (that's when things get tough on the PCI forms)

I have two clients using HSBC as a PSP and they are getting the same correspondence from SM.

I had letters from HSBC regarding their "special deal" with SM too. Made one phone call, which went unanswered to SM, so left long message telling them to leave me alone as I have already completed the self-assessment questionnaire and in any case I use a PSP which is PCI compliant. Haven't heard anything since.

It seems to me that Barclays, HSBC and possibly others have no idea how we work and have had the wool pulled well and truly over their eyes by the likes of SM. Just adds to my lack of respect for anything that has the word bank attached to it.

No, this is just Barclays as the acquiring bank and not the PSPs. Goz's post said that HSBC were the PSP.

In our case HSBC is also the acquiring bank.

It's interesting in that barclays and hsbc use the same psp software so that may be why they ate both In bed with sm.

Oops. I was wrong there. Apologies for misreading your post.

Using Protx & BMS but still told we need Security Metrics

We have filled in and submitted all their questionnaires but are still being told we need to be PCI compliant - tested by Security Metrics - this costs us over £175 per year and they change the rules so frequently my hosting provider is having a hard time keeping up.

We'd love to get rid of this cost if it is unnecessary but we need to keep our BMS account. We told BMS and SM at the beginning we took no card details ourselves and everything went through Protx but they both insisted

Jane

It's interesting that sm are changing the rules frequestly as the guidelines say that changes would be infrequent is every 12 to 18 months

As ChrisB says if you use Protx your compliance is covered by them - unless you take phone orders.

I suspect at the mo you are one of the countless victims of SM. SM are very keen on complicating the matter, IMO just to fleece you and countless others of your hard earned cash.


It is nigh on impossible for a shared hosting server to be compliant, all you need is for a client to upload an insecure script and bobs your uncle your 1/4s compliance is gone.

Just got another SM email (a week after my deadline expired) this time with no deadline, quite bizarre as this is how the first of our 5 previous emails from SM started and the 3,4 & 5 had deadlines on.

Have spoken to Security Metrics this morning. They informed me that if we accept orders by telephone we are required to complete Self Assessment Questionnaire 'C' (38 questions) to gain compliance. We are also required to have our network scanned periodically to ensure that the machine(s) that we use to enter card details (when processing telephone orders through PROTX VSP Terminal or Actinic Payments) are secure.

Alan... Your website says you accept orders by phone. If you accept credit card orders by phone then surely you're at least Type C...

We don't and thought it said we don't. I shall check and improve the wording. Thanks for the heads-up.