Becoming PCI DSS compliant

How do I become PCI DSS compliant?

Attesting your compliance

Regardless of how you become compliant, everyone must attest to Barclaycard that they are compliant with PCI DSS. Log in to our online portal where you'll find more details of what you need to tell us. You then have three options:

1. Attest via Data Security Manager (DSM) - you'll need to complete the questionnaire online

2. If you decide you'd like to upgrade to our Proactive Security Service (PSS), call the team on 0330 0583 940 and they'll be happy to help

3. If you're not using Barclaycard to become compliant with PCI DSS, then upload your existing compliance documents to the DSM online portal. These are:

  • Your signed and completed self-assessment form
  • Or a signed attestation of compliance
  • If you have both documents, then we need to see both

If you choose to become compliant through a third-party supplier, you'll still need to let us know through the DSM portal. If you don't, you'll be charged a non-compliance fee of £25 per month per outlet.

Staying compliant

Proving you’re compliant is just the start. Maintaining compliance means staying on top of any changes in your business. Some things to consider are:

New employees - have they been trained to look after customers' data?

Software updates - have all critical software patches been applied as recommended by your software supplier?

Taking payments - are you offering a new way to pay e.g. online?

New premises - are you taking payments in another location too?

Security arrangements - have these changed?

Any such change in your business, for example starting to take online payments, means you need to re-attest your compliance.

Keeping it compliant day-to-day

  • To meet industry standards and be sure that you're looking after your customers' data securely, you need to follow certain steps. Exactly which steps apply depends on your business type and the industry standards that cover it.

Protect the data environment:

  • Take all the steps you can to safeguard data
  • Use antivirus software - and keep it up to date

Protect data access:

  • Don't use supplier defaults for system passwords and other security parameters
  • Restrict access to data to a need-to-know basis
  • Restrict physical access to cardholder data
  • Assign a unique ID to everyone with computer access

Need more help?

You'll find more information about the standard, and about how to report and maintain compliance, on the PCI Security Standards Council website.