In 1966, Barclaycard launched the UK’s first credit card with just over one million cardholders, and went on to produce the first all-purpose credit card in Europe. Today, Barclaycard is one of the world’s largest payment businesses, providing credit cards for consumers and corporate clients and enabling retailers to take card payments. Barclaycard has 11.1 million UK customers, and one in five credit cards in the UK in its portfolio, and is expanding rapidly as a global cards and lending business with 10.5 million non-UK customers.
Following the introduction of the new Payment Card Industry Data Security Standard (PCI DSS), Barclaycard is actively providing key payment security advice to new or existing merchants who trade over the phone or online, and are developing a range of further guidance to provide greater detail on this and other related issues. Neira Jones, Head of the Payment Security Team, Global Payment Acceptance at Barclaycard, spoke to The Grocery Trader.
The Grocery Trader – First of all, Neira, what does your role as Head of the Payment Security Team cover?
Barclaycard’s Global Payment Acceptance operation accepts payments through our card terminals and infrastructure, and equivalent on-line networks. I lead the Payment Security team: our remit is to help Barclaycard’s portfolio of merchants and retailers comply with security standards such as PCI DSS and offer support, advice and education on reducing card fraud. I am personally involved in getting the message across to major retailers and smaller merchants alike, working with Matt Martin, Payment Security Compliance Operations Manager and his team.
GT – How do you support retailers?
We are in touch with merchants and retailers through regular personal contact, mailings, speeches at conferences and seminars and a resources portal that readers can find via their browser with the key words “PCI DSS.” We launched this site in February 2009: since then it has consistently remained number three in web searches, behind the PCI Security Standards Council’s (PCI SSC) own site and Wikipedia’s PCI DSS entry. You can also access this site directly at www.barclaycard.co.uk/pcidss
GT – Before we talk about PCI DSS and the latest developments in payment card security, who owns Barclaycard?
Barclaycard is a trading name of Barclays Bank PLC. It is still part of Barclays, and has been based in Northampton since its inception in 1966.
GT – What different Barclaycards are available?
Barclaycard offer a wide product range – at any time from eight to ten different types of card are available. We have products for bank transfers, purchase deals and low interest rates, and cards for people with no previous credit history. We accept one in two credit applications. We work to conservative credit limits and have a ‘low and grow’ approach.
GT – How many Barclaycard contactless cards are in use?
Across the Barclays group there are around eight million cards with contactless functionality.
GT – What proportion of UK card transactions involve Barclaycard?
Barclaycard has 17-18% of the UK credit card market and is one of the UK’s larger credit card brands. Barclaycard has become synonymous with card payments: people tend to say “stick it on the Barclaycard.”
GT – What is the relationship between Barclaycard and Visa? What does each of you do in card payment processing?
Barclaycard is the acquiring bank and processes payments on behalf of the merchant (retailer). We have an acquiring licence granted by the Visa card scheme, of which we are members. When a customer puts their card in the retailer’s terminal and validates it with their PIN, it goes through the store’s system to Barclaycard, who process the payment and pass it to Visa and then to the cardholder’s issuing bank, who validate it and send authorisation back to the terminal – all in a matter of seconds!
GT – In non-technical terms, what does the new Payment Card Industry Data Security Standard (PCI DSS) require retailers to do?
PCI DSS requires retailers to protect all cardholder information in their possession. There are some myths about the standard, that it’s complex and onerous, but in fact it offers very simple fraud mitigation guidelines. If an organisation has some basic security measures in place, PCI DSS compliance should be easy. You wouldn’t dream of not virus-protecting a PC or not brushing your teeth. Card fraud is a disease, and we’re trying to protect consumers and retailers: prevention is always far better than cure (and much less expensive!)
GT – Under PCI DSS what are the retailer’s responsibilities for protecting cardholder data?
PCI DSS is a set of six goals attached to 12 principles, as set out on the PCI Security Standards website (www.pcisecuritystandards.org/index.shtml) and the Barclaycard web site www.barclaycard.co.uk/pcidss. Any organisation that processes and transmits or stores cardholder information has to comply with the PCI Data Security Standard.
GT – What are the requirements for call centres and on-line operations to comply with PCI DSS?
Compliance in call centres has been a hot topic for the last six months, specifically the protection of sensitive authentication data, such as the card verification value consisting of the three printed numbers above the signature block on the card. You must not retain this data after transactions are authorised. Most compromises involve retention of sensitive card data.
GT – What’s the position about call centres recording calls?
If they record calls, businesses end up holding large volumes of data. The PCI SSC issued FAQs on the subject, but confusion in the industry still remained! We felt we needed to do some clarifying of our own, hence our white paper ‘Processing telephone payments securely,’ published in April and available online on our website. We’ve had tremendous feedback, and have co-branded our guidelines with Visa Europe, and included guidelines for call centre managers. The PCI Security Standards Council has recently adopted our white paper, which is the ultimate recognition.
GT – How big a problem is card fraud?
The latest UK Cards Association figures (March 2010) show a tremendous reduction in card fraud overall, but problems still remain in cardholder not present (CNP) environments. The priority is to reduce fraud in these remote channels, so we published another white paper, ‘Processing on-line payments securely,’ again in April. This offers advice and guidance to merchants processing on-line, or thinking of doing so. It looks at the risks and responsibilities and gives advice in plain English. As with the first white paper, we are talking to Visa Europe and the PCI SSC about adopting its recommendations.
GT – What’s different about your approach?
We’re managing PCI DSS in a payment security context as opposed to a tick box exercise. Merchants previously saw this as a painful necessity, but for us it’s paid off and we’ve seen a drastic reduction in payment compromises.
GT – When does the Payment Card Industry Data Security Standard come into effect? What was Barclaycard’s role in developing it?
PCI DSS came into effect in June 2004 and applies worldwide, but different parts of the world have been implementing it at different speeds. As Visa members, we were involved globally since the start. Barclaycard has been a major contributor to developing the standard in Europe in the last two years through our involvement in the Standards Council, of which Paul Cook, MD for Barclaycard Global Payment Acceptance, is a Board of Advisors member.
GT – How does Barclaycard work with UK retailers to ensure they are PCI DSS compliant? What support do you provide to address payment security issues?
We are actively involved with specific retailers and have extensive programmes for smaller merchants. We provide online portals and telephone support. For all merchants we offer tools to help compliance. We don’t audit our customers’ compliance ourselves but work with accredited organisations, the Qualified Security Assessors (QSAs). These are accredited and licensed as auditors by the PCI Security Standards Council, and their individual consultants are relicensed every year. The QSA’s provide us with independent reports on merchants.
GT – How have you been communicating with retailers and their call centres about PCI DSS?
Payment security is a non-competitive issue. At Barclaycard we have been working day and night to provide guidance: we have publicised it at industry events, put documents on the web and helped retailers communicate to their internal staff, and also passed guidance onto organisations who aren’t Barclaycard customers.
GT – Can you summarise the payment security guidelines you are providing to merchants who trade over the phone or online?
The fundamental principles for cardholder not present security are straightforward. First, if you don’t need to keep cardholder information, don’t. If you hold information, you must protect it. If a call centre doesn’t need to record calls, they shouldn’t. Second, embed a security culture early on: check that staff are aware of their responsibilities and that your suppliers are vetted (simple measures such as checking who is authorised to access sensitive systems? Is this list kept up-to-date to avoid the “disgruntled employee scenario”?) Don’t write card details on Post-It notes and leave them lying around. Revising processes with such simple measures as not indexing customer files by credit card number gives many wins, for little or no investment. Similarly, when trading face-to-face, check the people who come to inspect you are genuine: ensure that they are legitimate engineers and your card terminals are what they purport to be!
GT – Do retailers need to change their card payment processing hardware or software to comply with PCI DSS?
It depends: if retailers are using third parties’ payment applications, and these don’t meet the standard, they’re at risk. It’s very important that if you engage a third party to provide, for example, a shopping card or payment application, they must comply. The merchant should request evidence in the form of a compliance report from Qualified Security Assessors.
Hardware and software might need to be changed – retailers need up to date anti-virus software to protect the perimeter of their organisation. Updating firewalls and so on should be part of information security governance, as should upgrading systems. It involves spending money, but protects organisations and customers.
GT – Chip and PIN has done much to eliminate in-store card fraud in the last few years. What are the biggest payment security challenges for retailers now?
As we’ve said, it’s all to do with cardholder not present, so essentially the challenges concern online shopping, mail order and telephone order. We’re also actively promoting risk mitigation technologies such as tokenisation, and 3D Secure, implemented by Visa as “Verified by Visa” and by MasterCard as SecureCode.
GT – If consumers pay on-line or by phone with a Barclaycard, what protection does the consumer have? How does this protection differ from other payment cards?
There are different protections, such as 3D Secure. All Barclaycard customers have 100% protection subject to keeping some really basic rules. We don’t believe in overcomplicating things. Most banks have similar fraud guarantees, involving taking basic precautions.
GT – As contactless payment cards are increasingly adopted in the UK, what do you see as their biggest security problems?
Contactless isn’t a particularly big fraud threat: transactions tend to be relatively low value, capped at £15, so don’t attract fraudsters. Cards can also be cancelled if lost or stolen. We see contactless being as safe as cash, if not more so.
GT – Which particular people in a retail organisation are involved, or need to be involved, with PCI DSS and card payment security?
Because PCI DSS is technical, it tends to be dumped on IT people, but it should be part of the corporate governance framework. The standard invariably involves cultural change as businesses must deploy security measures addressing staff behaviour, access to buildings and information.
Everyone from the CEO and HR Director to store managers and people on cash tills needs briefing and training at different levels. You need to make it real for them, with down to earth guidelines.
GT – Payment security is not only an IT problem, it’s about the culture. How does Barclaycard work with an organisation to change their culture?
We advocate taking steps to ensure that for example someone can’t come into a call centre to work for a few days, obtain the numbers they need to enable them to dial up from outside, listen into calls and write down account details and then use them. Also, in buildings with swipe card access, you need to make sure that people aren’t inadvertently causing security problems by being polite, holding the door open and overriding it.
Ultimately all we can do is educate people. Temps’ security log-on credentials may still be ‘live’ after they leave. We also have drawn up joint guidelines with Visa on default and shared credentials, which should be avoided wherever possible.
GT – The major supermarkets also provide financial services to consumers. The FSA has introduced UK legislation requiring some companies to record and store phone conversations in a range of situations. What are these situations?
There are various ‘legitimate’ situations that have FSA guidelines, where you must record calls to avoid miss-selling. Generally, these concern financial products requiring statutory documentation. If looked at closely, PCI DSS and the FSA regulations don’t actually clash.
GT – Doesn’t recording card details and other particulars in these calls contravene the Payment Card Industry Data Security Standard, which says card details cannot be kept after payment authorisation? How do you resolve that in best practice?
Recording card details per se is not against regulations, but if you record them you must protect them in a particular way. There may be requirements for encryption or masking technologies, depending on the nature of the data being retained: it’s our belief that organisations would do well to apply the protection supplied under PCI DSS across the board, and if they did so the world would be a better place. Businesses should always seek advice from their acquiring bank.
GT – The major supermarkets have already invested considerably, and continue to do so in both IT and security. What happens if they don’t achieve PCI DSS compliance?
As the acquiring bank we’re here to help reduce the risk of card fraud. We assess the risk and look at the measures in place. If organisations can’t meet the standard for any reason, compliance may mean major investment in compensating controls, written in conjunction with Qualified Security Assessors. Some 40% of our customers in the corporate space rely on compensatory controls approved by Barclaycard, which ensure the residual risk after implementation is at a satisfactory level.
GT – If someone reading this is worried about any of these points in their business, who should they call?
The first call should be to their acquiring bank. Barclaycard merchants should talk to their Barclaycard team contact, or email firstname.lastname@example.org. We usually respond in 48 hours with advice and guidance.
GT – How far towards achieving PCI DSS compliance do you think UK retailing in general has got?
In the corporate space, over half the retailers are in shape: the rest have varying distances to go.
GT – Finally, I gather you are developing a range of further guidance on PCI DSS compliance and related issues. What areas will this cover?
Our next set of guidelines will include further advice about third party providers such as shopping carts and more details about processing online payments securely. Visa Europe have also just published the first set of guidelines on tokenisation, which we support (essentially convert card information into a “token”), which will be of use to businesses needing to retain customer transaction information, for example for loyalty marketing. We will be publishing further guidance every couple of months, including case studies on named retailers.
Tel: O844 8116666