If you need to speak to an advisor you can call us on:
0800 161 5350
Monday - Friday 9am - 5pm
| Level | Types of businesses | Example of actions required for compliance |
If you are a level three or four merchant you must use the Barclaycard Data Security Manager portal to either:
1. Upload a Self-assessment Questionnaire (SAQ) that has been validated by a qualified Security Assessor (QSA) each year
2. Complete the online profile and follow up steps to complete your Self-assessment and compliance validation each year
If, as part of your compliance validation, you are required to run quarterly vulnerability scans, they must be conducted by an Approved Scan Vendor (ASV); this can be done using the Barclaycard Data Security Manager service. To see a list of ASVs, visit the PCI Security Standards Council and search for ‘approved scanning vendors’.
If you use another ASV you must upload the technical report demonstrating a pass status each quarter.
PCI DSS (Payment Card Industry Data Security Standard) compliance is a framework which helps companies protect their customers’ cardholder data from theft or misuse. Here are six goals to help you, and your business, achieve it.
There are 12 requirements that make up PCI DSS compliance. They’re all designed to protect consumer cardholder account data during all aspects of storage, transmission and processing throughout the card payment industry.
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Selecting the right Qualified Security Assessor (QSA) to help you become PCI DSS compliant is an important decision. You should feel confident that they have the knowledge and expertise to get the job done. Their job is to help you:
Our dedicated team will help you manage fraud from an investigation, compliance and relationship perspective.
We constantly strive to deliver innovative and practical ways to help businesses fight fraud, reduce their data security risks and meet their compliance obligations with the Payment Card Industry Data Security Standard (PCI DSS).
We’ve listened to our merchants and looked at how we can improve the efficiency and effectiveness of the services we provide to help merchants manage and maintain their PCI DSS compliance. Our research led us to develop Data Security Manager, a ‘smart’ online portal. It provides smaller merchants with all the tools and resources they need to help reach and maintain PCI DSS compliance, fully inclusive of vulnerability scanning requirements.
This tool provides a quick and easy way of managing your PCI DSS compliance. It guides you through the validation requirements, and expert assistance is available, which can help protect you from the risks of a data compromise and the associated costs and penalties that could result.
Please note that SecurityMetrics, the organisation we formerly used to manage and report our merchants’ PCI DSS compliance, is no longer our preferred security partner.
A fee will be charged for Data Security Manager which will be based on your specific business. Further detail on the types of costs is provided below.
To find out more about the range of services that Data Security Manager can offer, please call our Data Security Helpdesk on 0844 811 0089 (lines open Mon-Fri 8am-8pm, and 9am-12 noon on Saturdays).
There’s no straight answer to how much it costs to become PCI DSS compliant. You’ll find numerous estimates from industry leaders, but the specific cost for your business will probably be different. It will depend on the security measures you have in place at the moment and how much they need to change for you to become compliant.
PCI DSS costs typically fall into three categories:
The changes your business makes have an impact beyond PCI DSS compliance. Improvements to the security and efficiency of your IT system should be attributed to bottom-line infrastructure costs as opposed to a PCI DSS entry.
The total cost for these upgrades will vary from business to business depending on the size, scope and setup of the organisation. The typical expense for PCI DSS validation includes:
While it may seem expensive to meet and maintain compliance, the cost and time associated with recovering from a data breach is far greater. Not complying jeopardises profitability as well as the reputation of your business and future sales.
The cost of a breach can be up to 20 times that of PCI DSS compliance. In the last five years, the cost of a data breach has risen by 68% to £79 per record[1]. For a large organisation, the total cost can easily run into the millions and even result in bankruptcy.
[1] Symantec Press Release, March 20, 2012
Not only is it important for your business to be compliant; any third party suppliers you work with should be as well. Do they process, store or transmit cardholder data – directly or indirectly – or provide services that could have an impact upon the security of cardholder data? If so, the PCI DSS extends to them too and affects your status as well.
If you’re a third party supplier or a business that works with third party agents, here are the steps that need to be taken to ensure everyone plays their part to protect payment card data from fraudulent use.
Do you purchase payment applications that are specifically designed to store, process or transmit cardholder data? You must do so using applications that are accredited as compliant with the PA-DSS. These are known as validated applications. The current list of validated applications is maintained and available from the
Visit Visa's website for downloads & resources
Only approved, accredited organisations can help you become PCI DSS compliant. That's why we recommend you use a Qualified Security Assessor when you are ready to proceed.
Here's a selection of PCI DSS learning materials:
Barclaycard teleconference presentations
Payment Security Account Data Compromise (ADC) PDF (558KB)
Payment Security teleconference Third Party Management PDF (684KB)
PCI DSS Compliance Validation Options PDF (633KB)
Contact Centres and the PCI DSS
PCI & the Contact Centre. The Acquirer Perspective PDF (715KB)
Mobile payment acceptance security advice
Download the paper PDF (153KB)
See a video of the presentation given to the European Information Security Summit 2014
OWASP guide to handling e-commerce payments
Visit their online guide
Processing telephone payments securely
Processing telephone payments securely PDF (1.99 MB)
Processing online card payments securely
Processing online card payments securely PDF (5.97 MB)
Financial fraud issues and fraud prevention advice
Visit the financial fraud action website
Merchant data breach case studies
Level 2 Retailer data breach PDF (415KB)
Level 4 Ecomm Merchant data breach PDF (318KB)
PCI SSC Small Merchant Safer Payments guidance
Visit the PCI Security Standards website
Guide to safe payments
Guide to safe payments PDF (8.87 MB)