    PCI DSS Compliance and Barclays

    I am now in contact with the PCI DSS Programme Director at Barclays.

    Please can as many Barclays merchants as possible comment here on any experience they have with Security Metrics in the last three months. As I understand it, some changes were made a few months ago, so only recent experience is relevant.

    Please can you explain:

    - the date or approximate date of the discussions that you had

    - what you were advised by Security Metrics and in particular what you were advised if you told them you used a PCI DSS compliant PSP and did not capture card details at your site

    Once we have the information, I can go back to Barclays and ensure there are no misunderstandings among the parties.

    My own understanding remains that if you use a PCI DSS compliant PSP and do not capture card details at your site, compliance is provided by your PSP.

    Chris Barling
    CEO, Actinic

    #2
    I spoke to them on Thursday last week (19th Feb) after many (quite threatening manner) emails with deadlines attached.

    I was given 3 options by them.

    1st.
    Pay them to complete and submit a PCI questionnaire on my behalf.

    2nd.
    Download, complete and submit a 17-page questionnaire myself (I was informed that it was quite complex and I could struggle to complete it).

    3rd.
    Do nothing and risk losing my merchant account with Barclays and this was a high probability as it was a condition of contract with Barclays.

    Having followed/taken part in the recent forum discussions, I was well equipped to argue that as we did not capture/hold/store any details and used Actinic Payments as our PSP, we were already PCI compliant, but they insisted every merchant operating online, and even those retailers having just a chip and pin machine for over-the-counter sales, must meet their (Security Metrics) guidelines.

    Said I would ring them back, but the whole saga is very confusing, and you get the same feeling that you get with double glazing salesmen: that they aren't being totally honest.

    I have not decided what to do next, and my gut feeling is that if Barclays are using such questionable techniques to force retailers to do something that isn't actually required, I would prefer to swap banks.

    Chris,

    I am more than happy to forward on all my emails to you (if useful) as they are pretty in your face and say that whatever you decide you must contact Security Metrics, therefore forcing you into what I would describe as a trap: you have to speak to someone whose sole purpose is to sell their product.
    www.parklifeclothes.co.uk

    Parklife, Whitby

    Diesel, Converse, Crocs, Quiksilver, Miss Sixty, Scotch & Soda, Bench, Levi's, Kickers



      #3
      Thanks for tackling this one, Chris.

      I rang BMS this morning to ask about PCI compliance. There is an option in the telephone menu for this topic; it routes you through to SecurityMetrics.

      The man from SM advised me I was a Type A merchant and I could do one of two things:
      1. Fill in the compliance form from www.pcisecuritystandards.org (and presumably send it in as outlined in the BMMS email).
      2. Get them (SM) to do this for me. When pressed, he said this service would cost £11.95.

      He did say there were only 11 questions on the Type A form. I've had a quick look at it and it doesn't look too bad. There don't seem to be any IT-related questions on it (that's when things get tough on the PCI forms).



        #4
        I have two clients using HSBC as a PSP and they are getting the same correspondence from SM.
        Elysium:Online - Official Accredited SellerDeck Partner
        SellerDeck Design, Build, Hosting & Promotion
        Based in rural Northants



          #5
          Originally posted by Goz:
          I have two clients using HSBC as a PSP and they are getting the same correspondence from SM.
          I had letters from HSBC regarding their "special deal" with SM too. Made one phone call to SM, which went unanswered, so left a long message telling them to leave me alone as I have already completed the self-assessment questionnaire and in any case I use a PSP which is PCI compliant. Haven't heard anything since.

          It seems to me that Barclays, HSBC and possibly others have no idea how we work and have had the wool pulled well and truly over their eyes by the likes of SM. Just adds to my lack of respect for anything that has the word bank attached to it.
          Last edited by cbarling; 25-Feb-2009, 12:00 PM. Reason: Just a minor tweak, to keep in community guidelines
          Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks



            #6
            Originally posted by guccij:
            It seems to me that Barclays, HSBC and possibly others have no idea how we work
            No, this is just Barclays as the acquiring bank and not the PSPs. Goz's post said that HSBC were the PSP.



              #7
              Originally posted by acompton:
              No, this is just Barclays as the acquiring bank and not the PSPs. Goz's post said that HSBC were the PSP.
              In our case HSBC is also the acquiring bank.


                #8
                It's interesting in that Barclays and HSBC use the same PSP software, so that may be why they are both in bed with SM.



                  #9
                  Originally posted by guccij:
                  In our case HSBC is also the acquiring bank.
                  Oops. I was wrong there. Apologies for misreading your post.



                    #10
                    Using Protx & BMS but still told we need Security Metrics

                    We have filled in and submitted all their questionnaires but are still being told we need to be PCI compliant - tested by Security Metrics - this costs us over £175 per year and they change the rules so frequently my hosting provider is having a hard time keeping up.

                    We'd love to get rid of this cost if it is unnecessary, but we need to keep our BMS account. We told BMS and SM at the beginning that we took no card details ourselves and everything went through Protx, but they both insisted.

                    Jane


                      #11
                      It's interesting that SM are changing the rules frequently, as the guidelines say that changes would be infrequent, i.e. every 12 to 18 months.



                        #12
                        We'd love to get rid of this cost if it is unnecessary but we need to keep our BMS account. We told BMS and SM at the beginning we took no card details ourselves and everything went through Protx but they both insisted
                        As ChrisB says if you use Protx your compliance is covered by them - unless you take phone orders.

                        I suspect at the mo you are one of the countless victims of SM. SM are very keen on complicating the matter, IMO just to fleece you and countless others of your hard earned cash.


                        It's interesting that SM are changing the rules frequently, as the guidelines say that changes would be infrequent, i.e. every 12 to 18 months.
                        It is nigh on impossible for a shared hosting server to be compliant; all you need is for a client to upload an insecure script and, Bob's your uncle, your quarter's compliance is gone.



                          #13
                          Just got another SM email (a week after my deadline expired), this time with no deadline. Quite bizarre, as this is how the first of our 5 previous emails from SM started, and emails 3, 4 & 5 had deadlines on.


                            #14
                            Have spoken to Security Metrics this morning. They informed me that if we accept orders by telephone we are required to complete Self Assessment Questionnaire 'C' (38 questions) to gain compliance. We are also required to have our network scanned periodically to ensure that the machine(s) that we use to enter card details (when processing telephone orders through PROTX VSP Terminal or Actinic Payments) are secure.

                            Originally posted by acompton:
                            The man from SM advised me I was a Type A merchant...
                            Alan... Your website says you accept orders by phone. If you accept credit card orders by phone then surely you're at least Type C...



                              #15
                              Originally posted by domino:
                              Alan... Your website says you accept orders by phone
                              We don't and thought it said we don't. I shall check and improve the wording. Thanks for the heads-up.
