Payment Card Industry Data Security Standard (PCI DSS)

PCI - Security Standards Council - Participating Organisation

Requirements

Security on your level

If you are not already complying with PCI DSS, you may need to change your processes, applications and security procedures. Here's what all merchants involved in storing, processing or transmitting cardholder data must do:

All merchants with an e-commerce presence

If your cardholder data infrastructure is connected to the internet, you may have to complete (and pass) quarterly Network Scans (one per external IP address connected to the cardholder data environment), which have to be validated by an Approved Scanning Vendor (ASV). You may be using a compliant payment service provider but you may not have implemented their solution in a compliant way. Again, you can take advantage of the special terms we have negotiated with SecurityMetrics. Alternatively, you can find a list of approved ASVs on the PCI SSC site at https://www.pcisecuritystandards.org/pdfs/asv_report.html

Level 1 merchants only

You must perform an onsite security audit. A Qualified Security Assessor must validate this and provide you with a Report on Compliance (ROC).

Level 2, 3 & 4 merchants

You must complete a Self-Assessment Questionnaire (SAQ). There are four types of SAQ. For details on each, see https://www.pcisecuritystandards.org/saq/instructions.shtml

You can find instructions for completing the SAQ as well as the SAQs (v1.2 A, B, C and D) on the PCI SSC site at https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

(Please note: SAQ v1.1 is no longer valid as of 1st January 2009.)

Level 4 Merchants:

If you are unsure which SAQ to complete, our accredited partner, SecurityMetrics, a US-based company with substantial technical expertise, can help you select the most appropriate one, free of charge. You can call them on 0844 561 1662 (Lo Call rate, see footnote*) from 09.00am to midnight, Mon-Fri.

We have also agreed preferential terms with SecurityMetrics to offer further assistance with the actual completion of your SAQ; should you choose to use this service, a charge of £11.99 will apply. To enrol for this service, please use SecurityMetrics at http://www.securitymetrics.com

Alternatively, you can complete the SAQ yourself, but we recommend that you contact a Qualified Security Assessor (QSA) to help you with this activity. A list of QSAs can be found by visiting https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

As a Level 4 merchant, whether you enrol with SecurityMetrics for their technical services or just want to notify them of your compliance status, please notify them at pci.barclaycard@securitymetrics.com

* Calls may be monitored or recorded to maintain high levels of security and quality of service. For BT business customers, calls to 0844 561 numbers will cost no more than 5p per minute, min call charge 5.9p (current at December 2008). The price on non-BT phone lines may be different.

Summary of requirements for all merchants

Level   PCI DSS validation requirements
1       Annual on-site security assessment
        Quarterly network scan (if e-commerce)
2       Annual self-assessment questionnaire
        Quarterly network scan (if e-commerce)
3       Annual self-assessment questionnaire
        Quarterly network scan (if e-commerce)
4       Annual self-assessment questionnaire
        Quarterly network scan recommended (if e-commerce; dependent on whether cardholder data is captured, stored or transmitted by the merchant's infrastructure or service providers)

To understand the requirements for a Self-Assessment Questionnaire, please visit: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions