Anyone else with Barclay card had this email?

voyage

Free Member
Oct 12, 2010
205
14
North Yorkshire
Hi

I am always very wary of emails claiming to be from the bank, but this one seems genuine, or am I just slipping up? If you could explain whether I am missing something it would be appreciated.

"Important Payment Security Information

You need to be compliant with the Payment Card Industry Data Security Standard

Dear Sir/Madam

Barclaycard understands the requirements of the Payment Card Industry Data Security Standard (PCI DSS) can be demanding and has therefore partnered with SecurityMetrics, a US-based specialist security organisation. They can provide a free needs-based assessment of your compliance requirements, and if you choose to enrol with them they offer an expert 24hr technical support service to help you achieve and maintain compliance (note that a specially discounted annual fee is available from only 11.99GBP if no scans are required).

Please note that you are required to advise SecurityMetrics of your compliance status and to submit all your compliance documentation to them, whether you choose to enrol for their chargeable services or not, by November 2, 2011.

To contact SecurityMetrics please call 0844 561 1662* (lines open 9am to Midnight, Monday to Friday) or you can visit their website at www.securitymetrics.com

Need help or advice?

At Barclaycard we do everything we can to help our merchants achieve and maintain PCI DSS compliance, not only to help protect you and your customers from the risks of fraud, but also from the financial penalties you could face if your customers' cardholder information is compromised and you were found not to be compliant with the PCI Data Security Standard.

For further information and advice regarding PCI DSS compliance please visit our website at www.barclaycard.co.uk/pcidss

For full details of the PCI Data Security Standard please visit www.pcisecuritystandards.org or www.barclaycard.co.uk/pcidss


Yours faithfully,


Neira Jones
Head of Payment Security
Barclaycard Global Payment Acceptance"

EDRIAT

Free Member
Oct 3, 2011
101
24
It's genuine.... assuming you have a merchant number issued by Barclays Merchant Services.

I've had such a merchant number for years and have been dealing with Security Metrics for something like the last two... they perform a whole host of tests on your website, office network (from an external intrusion perspective), the payment gateway you use (if applicable) and ask you to complete a comprehensive questionnaire verifying the existence of numerous company policies and procedures that you are required to have in place in order to be (and remain) PCI DSS compliant.

If you haven't already followed this procedure through with a company such as Security Metrics you are not PCI DSS compliant, the penalties for which (if a fraudulent transaction were to get through etc) can be severe... in addition, you'll be paying a surcharge on a per-transaction basis for each and every non PCI DSS compliant transaction you process.

All that said, I found the requirements of being PCI DSS compliant, and the entirely un-user-friendly Security Metrics processes I had to go through, an utter pain in the rear end.

Laughably, some of the questions on the questionnaire didn't in any way apply to a small, virtually one-man-band company... when I pointed out to them that I couldn't possibly answer them, I was advised to answer the questions on a theoretical basis... e.g. if the questions did apply, would I agree to comply with the request being made.

We therefore achieved PCI DSS compliance on an almost entirely theoretical basis.

Hardly the security focused approach they claim to be championing.

It is though, a necessary evil.

Dollybean

Free Member
Aug 20, 2011
72
27
We had the same email (numerous times) along with letters in the post signed off by the same person, so it's genuine if you're a BMS merchant. A simple reminder that we needed to pay to complete the annual theory test would have sufficed, but instead we were bombarded with emails/letters telling us we were not compliant (we were - just coming up for renewal) and threatening all sorts. There's no way round it if you're processing card payments.

I find all the threats of fines/additional charges etc quite farcical (although the additional charges are beyond a joke if you don't comply - a licence for them to print money and nothing else from what I can see). Just read an article which I've posted about separately regarding the Lush hacking fiasco. Ensuring our customers are protected is of course of the utmost importance and we would ensure this was the case even without all this rubbish, but when a big retailer gets a mere slap on the wrist for a fail of that magnitude (not forgetting TK Maxx and others) it destroys all credibility the scheme is trying to project.

I'm afraid we're all just piggies in the middle, so have to suck it up.:mad:

Dollybean

Free Member
Aug 20, 2011
72
27
"I have sagepay on the website, that is why I have a Barclaycard merchant number. Any problems with this? Never heard of this before and obviously want to do everything correctly to ensure customer safety."

As you are using a PCI compliant payment processor you are compliant from the ecommerce point of view. However, that doesn't get you out of paying to fill in the annual theory test (ahem, self-assessment questionnaire). You will be assumed to be non-compliant until you do this and they will ramp up the pressure/threats/additional fees until you fill in the form. I think the fee through BMS/Security Metrics is £11.99 and you can call SM and they will hand-hold you through filling it in on-line.

If you're taking MOTO payments (Mail Order/Telephone Orders) things start getting a bit more complicated with system scans and the fees start going up - although these are also subsidised I believe through BMS. As we were taking so few telephone orders/payments, the costs/time involved in this additional layer of red tape would wipe out all profit on those few orders so we stopped offering payment over the phone at our last renewal. Perhaps others can advise you further on this if you need to do this.

We've only had one customer complaining that this was age discrimination as some customers didn't trust paying on-line (thanks media for your scare stories and accurate reporting!). She was actually a very nice lady and I understood her frustration totally as we would still like to offer this as a service, but it's just no longer cost effective to do so. When I explained to her that the scheme is "for her protection" and we were equally being discriminated against as our telephone transactions were very low (and there is no sliding scale on charges to comply) she correctly diverted her anger in the right direction, then we had a good yarn about the weather and she placed her order on-line. :)

"We therefore achieved PCI DSS compliance on an almost entirely theoretical basis."

Ain't that the truth! :D
There's some really useful practical information on PCI DSS Compliance at sagepay.com/pci-dss-compliance

For example, if you were to go for Form or Server Integration, where you / your server does not get to see or pass credit card details, then all you need is to complete an "Online self-assessment questionnaire" for PCI DSS Compliance, which costs £72 pa with SagePay.

Where your site/server actually accepts credit card details before they are passed to the third-party payment gateway, then you will need Security Metrics vulnerability scanning and audits, monthly or quarterly.

cody44

Free Member
Business Listing
Security Metrics work on behalf of Barclaycard to make merchants within Barclaycard compliant.

What they don't tell you is that Security Metrics are partners with Barclaycard and they will ask for a nominal fee of £11.99 to complete the form. You can go directly to the Security Metrics website and download the application form, complete it and send it back to them. By doing this you will not have to pay the fee - if Security Metrics tell you otherwise, take it up with Barclaycard.

Check out the information on the Barclaycard website and read the three tabs (links) on the page. If you're not compliant then Barclaycard will be hitting you with a monthly charge called the PCI DSS non-compliant charge.

http://www.barclaycard.co.uk/business/accepting-payments/pci-dss/

Hope this helps

Mark

voyage

Free Member
Oct 12, 2010
205
14
North Yorkshire
Thanks guys, your knowledge and experience is really appreciated.
I have had a look at our monthly statement and we are being charged 0.098% on every transaction because we are non-compliant.
After speaking to someone at Security Metrics it left me a little annoyed/worried: they basically tried selling me the £11.99 option, but I would much rather do the self-assessment.
As we have a B&M, does this complicate things? Also, for orders over the phone, how are we meant to manage this, because this is the only time we handle card details?

cody44

Free Member
Business Listing
If you are taking payment through Sagepay you may have an ePDQ account with Barclays, and Security Metrics will request a scan (i.e. if it's online payments). If you're taking payments only through a PDQ machine you will be able to complete the form yourself and send it back, saving you the £11.99. It's very much like an MOT and will be needed again the following year. If you speak to Security Metrics, it is in their interest to squeeze the money from you. If indeed you have an ePDQ account, speak to the Barclaycard ePDQ dept direct; they are more likely to point you in the right direction and will be more helpful. Their number is 0844 822 2099. They are not American!!!!!!! unlike Security Metrics.

voyage

Free Member
Oct 12, 2010
205
14
North Yorkshire
I was a bit puzzled by the American guy.
Thank you very much for posting up Barclaycard's number. So from what I understand I will have to pay the £11.99 because I have a B&M shop and an online website, and the payment gateways on there are PAYPAL and SAGEPAY.
I took a look at the self-assessment and that also does not seem simple.