If you’re taking card payments, you’ve already committed to keeping your systems and policies secure to the Payment Card Industry Data Security Standard (PCI DSS). (For more background on PCI DSS and why it’s important, read our guide: What is PCI DSS?)
Every merchant must comply with the full PCI DSS, but how you validate that compliance, and how much evidence you must provide, depends on the volume of transactions you process. This is called your ‘merchant level’, and the definitions of the levels are outlined below.
Please also note that we list some examples of how merchants can comply, but your individual requirements will be set out by a Qualified Security Assessor (QSA) accredited by the PCI Security Standards Council (SSC). You can find a PCI compliance checklist in the 'How to comply with the PCI DSS' section, below.
What qualifies a merchant as level 1?
How can level 1 merchants comply?
What qualifies a merchant as level 2?
Any merchant processing one to six million payment card transactions a year.
How can level 2 merchants comply?
What qualifies a merchant as level 3?
Any merchant processing 20,000 to one million e-commerce (online) payment card transactions per year.
How can level 3 merchants comply?
Barclaycard offer two services for PCI level 3 and 4 customers to manage PCI DSS compliance reporting: the basic self-service package called Data Security Manager (DSM); or the premier 'hand-held' service package called Proactive Security Service (PSS).
Here’s how the process works:
If you’re required to run quarterly vulnerability scans as part of your compliance validation, the scans must be conducted by an Approved Scanning Vendor (ASV). This can be done through either the Barclaycard Data Security Manager (DSM) service or the Proactive Security Service (PSS). Or, if you prefer, you can use any ASV on the list published by the PCI Security Standards Council. If you use another ASV, you must upload the scan report showing a ‘Pass’ status to the DSM portal each quarter.
What qualifies a merchant as level 4?
How can level 4 merchants comply?
Level 4 merchants have the same options as level 3 merchants (see ‘How can level 3 merchants comply?’ above): Barclaycard’s self-service Data Security Manager (DSM) or the premier Proactive Security Service (PSS), with quarterly ASV scans where required, either through DSM/PSS or through another listed ASV with the ‘Pass’ report uploaded to the DSM portal each quarter.
There are twelve requirements that form the PCI Data Security Standard (taken from the PCI SSC website), grouped under six goals. This PCI compliance checklist lists the requirements under those goals so you know what each one covers; the specific actions you need to take will come from your assessment.
Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
After profiling your payment environment, your compliance assessor will give you specific actions you need to take, all of which will be based around the twelve principles laid out in the PCI compliance checklist.
Data Security Manager is our online portal [1] which provides level 3 and 4 merchants with all the tools and resources they need to report their PCI DSS compliance each year.
* ‘Attestation point’ refers to the level at which you report your compliance, i.e. one single attestation for a number of outlets or an individual attestation for each outlet
For help with using Data Security Manager, contact the DSM Help Desk either by using the online live chat feature at barclaycard.co.uk/dsm, or by calling 0844 811 0089 (Mon–Fri, 8am–8pm, and Sat 9am–12pm).
[1] To use DSM, the minimum browser requirements are Microsoft Internet Explorer 8, Firefox 4.0 or Safari 5.0 and above, with Adobe Flash Player 8 and above (or the Adobe Flash Player plugin for Firefox). The Data Security portal is an online service. If you do not have access to the internet, please call the Data Security Helpdesk on 0844 811 0089.
PSS provides a dedicated point of contact to guide you through everything you’ll need to report your compliance with the PCI DSS every year; from correctly profiling your business to ensure the relevant SAQ is completed, to reminding you every time you need to take action to maintain your compliant status.
If any weaknesses in your cardholder data environment are discovered during your conversations with the PSS team, you’ll receive advice on the essential steps to remedy the situation quickly and efficiently in order to comply with the PCI DSS.
The service has been designed to save you time and effort and provide ongoing support with every PCI DSS related task, every year.
In addition, this service is packed with cybersecurity tools to help you strengthen your data environment and go further towards maintaining that all-important compliant status.
To find out more about how Barclaycard’s Proactive Security Service can help you, call 0330 058 3940 (Mon–Fri, 8am–8pm, and Sat 9am–12pm).
To use the Proactive Security Service, your operating system must be a version of Windows, Mac OS or Android that is still supported by Microsoft, Apple or Google respectively. Please call 0330 058 3940 to verify suitability.
Unfortunately, there’s no simple answer to how much it costs to become compliant with the PCI DSS. It all depends on the security you have in place at the moment, and how much it needs to change for you to become compliant.
PCI DSS compliance costs typically fall into three categories: on-site audits, Self-Assessment Questionnaires and network vulnerability scans, each described below.
Complying with PCI DSS isn’t just about ticking boxes. Any changes you make in order to comply also upgrade the security and efficiency of your systems, so you can treat them as infrastructure investment rather than as a PCI DSS line item.
The total cost will vary depending on the size, scope and setup of your organisation. Typical expenses for PCI DSS validation are:
On-site audits
These are mandatory for Level 1 merchants, and for merchants who have suffered a compromise. An on-site audit must be performed by a Qualified Security Assessor (QSA) or by a PCI SSC-certified Internal Security Assessor (ISA). This could cost upwards of £10,000.
The final cost depends on how much work the QSA has to do, and whether you have the right level of information security resources in house.
Self-Assessment Questionnaires (SAQs)
At Barclaycard, we require all Self-Assessment Questionnaires to be validated by a QSA. For Level 3 or 4 merchants, you can use Barclaycard Data Security Manager or Proactive Security Service to validate your compliance online.
If you’re a Barclaycard customer and you want to use a different supplier for your self-assessment, you will still need to prove your compliance by logging into Barclaycard Data Security Manager and uploading your completed SAQ or signed Attestation of Compliance (we can’t accept paper or emailed copies).
Network vulnerability scans
Network vulnerability scans must be performed by an Approved Scanning Vendor (ASV) against every external-facing IP address in scope. These tend to cost around £100 per external-facing IP address.
Customers using Barclaycard Data Security Manager or Proactive Security Service get scans for up to 10 IP addresses included in their monthly management fee.
While it may seem expensive and painful to become PCI DSS compliant, a data breach can cost far more than the cost of compliance. Sometimes costs can run into the millions, and even result in bankruptcy. Not to mention the potential damage to your organisation’s reputation.
It’s not just your business that needs to be PCI DSS compliant. If any third party suppliers handle your cardholder data, they also have to comply with PCI DSS.
Ask yourself this:
If the answer to either of these questions is yes, the PCI DSS also extends to these suppliers. So if any third party suppliers aren’t proven to be compliant, and there’s a data breach involving your customers’ cardholder data, you will share responsibility for any damages. That’s why it’s important to only work with PCI DSS-compliant suppliers.
Third parties may include those that supply:
If you buy payment applications which store, process or transmit cardholder data, they must be validated against the Payment Application Data Security Standard (PA-DSS). You can see the list of officially validated applications on the PCI SSC website.
If you still have questions, please visit our payment security FAQs page.
Next up, we recommend reading How to deal with a data security breach.