grocery - food - Grandflame Ltd

More documents

Recommendations

Info

Page 12 August 2010 Email: <strong>grocery</strong>@flame1.com THE INTERVIEW - BARCLAYCARD Tel: 01923 272960 BARCLAYCARD LEADING THE WAY IN SECURE PAYMENTS AND PCI DSS COMPLIANCE I n 1966, Barclaycard launched the UK’s first credit card with just over one million cardholders, and went on to produce the first all-purpose credit card in Europe. Today, Barclaycard is one of the world’s largest payment businesses, providing credit cards for consumers and corporate clients and enabling retailers to take card payments. Barclaycard has 10.4 million UK customers, and one in five credit cards in the UK in its portfolio, and is expanding rapidly as a global cards and lending business with 10.7 million non-UK customers. Following the introduction of the new Payment Card Industry Data Security Standard (PCI DSS), Barclaycard is actively providing key payment security advice to new or existing merchants who trade over the phone or online, and are developing a range of further guidance to provide greater detail on this and other related issues. Neira Jones, Head of the Payment Security Team, Global Payment Acceptance at Barclaycard, spoke to The Grocery Trader. The Grocery Trader – First of all, Neira, what does your role as Head of the Payment Security Team cover Barclaycard’s Global Payment Acceptance operation accepts payments through our card terminals and infrastructure, and equivalent on-line networks. I lead the Payment Security team: our remit is to help Barclaycard’s portfolio of merchants and retailers comply with security standards such as PCI DSS and offer support, advice and education on reducing card fraud. I am personally involved in getting the message across to major retailers and smaller merchants alike, working with Matt Martin, Payment Security Compliance Operations Manager and his team. GT – How do you support retailers We are in touch with merchants and retailers through regular personal contact, mailings, speeches at conferences and seminars and a resources portal that readers can find via their browser with the key words “PCI DSS.” We launched this site in February 2009: since then it has consistently remained number three in web searches, behind the PCI Security Standards Council’s (PCI SSC) own site and Wikipedia’s PCI DSS entry. You can also access this site directly at www.barclaycard.co.uk/pcidss GT - Before we talk about PCI DSS and the latest developments in payment card security, who owns Barclaycard Barclaycard is a trading name of Barclays Bank PLC. It is still part of Barclays, and has been based in Northampton since its inception in 1966. GT – What different Barclaycards are available Barclaycard offer a wide product range – at any time from eight to ten different types of card are available. We have products for bank transfers, purchase deals and low interest rates, and cards for people with no previous credit history. We accept one in two credit applications. We work to conservative credit limits and have a ‘low and grow’ approach. GT - How many Barclaycard contactless cards are in use Across the Barclays group there are around eight million cards with contactless functionality. GT – What proportion of UK card transactions involve Barclaycard Barclaycard has 17-18% of the UK credit card market and is one of the UK’s larger credit card brands. Barclaycard has become synonymous with card payments: people tend to say “stick it on the Barclaycard.” GT – What is the relationship between Barclaycard and Visa What does each of you do in card payment processing Barclaycard is the acquiring bank and processes payments on behalf of the merchant (retailer). We have an acquiring licence granted by the Visa card scheme, of which we are members. When a customer puts their card in the retailer’s terminal and validates it with their PIN, it goes through the store’s system to Barclaycard, who process the payment and pass it to Visa and then to the cardholder’s issuing bank, who validate it and send authorisation back to the terminal - all in a matter of seconds! GT – In non-technical terms, what does the new Payment Card Industry Data Security Standard (PCI DSS) require retailers to do PCI DSS requires retailers to protect all cardholder information in their possession. There are some myths about the standard, that it’s complex and onerous, but in fact it offers very simple fraud mitigation guidelines. If an organisation has some basic security measures in place, PCI DSS compliance should be easy. You wouldn’t dream of not virus-protecting a PC or not brushing your teeth. Card fraud is a disease, and we’re trying to protect consumers and retailers: prevention is always far better than cure (and much less expensive!) GT – Under PCI DSS what are the retailer’s responsibilities for protecting cardholder data PCI DSS is a set of six goals attached to 12 principles, as set out on the PCI Security Standards website (www.pcisecuritystandards.org/index.shtml) and the Barclaycard web site www.barclaycard.co.uk/pcidss. Any organisation that processes and transmits or stores cardholder information has to comply with the PCI Data Security Standard. GT - What are the requirements for call centres and on-line operations to comply with PCI DSS Compliance in call centres has been a hot topic for the last six months, specifically the protection of sensitive authentication data, such as the card verification value consisting of the three printed numbers above the signature block on the card. You must not retain this data after transactions are authorised. Most compromises involve retention of sensitive card data. GT – What’s the position about call centres recording calls If they record calls, businesses end up holding large volumes of data. The PCI SSC issued FAQs on the subject, but confusion in the industry still remained! We felt we needed to do some clarifying of our own, hence our white paper ‘Processing telephone payments securely,’ published in April and available online on our website. We’ve had tremendous feedback, and have co-branded our guidelines with Visa Europe, and included guidelines for call centre managers. The PCI Security Standards Council has recently adopted our white paper, which is the ultimate recognition. GT – How big a problem is card fraud The latest UK Cards Association figures (March 2010) show a tremendous reduction in card fraud overall, but problems still remain in cardholder not present (CNP) environments. The priority is to reduce fraud in these remote channels, so we published another white paper, ‘Processing on-line payments securely,’ again in April. This offers advice and guidance to merchants processing on-line, or thinking of doing so. It looks at the risks and responsibilities and gives advice in plain English. As with the first white paper, we are talking to Visa Europe and the PCI SSC about adopting its recommendations. Neira Jones, Head of the Payment Security Team, Global Payment Acceptance at Barclaycard. GT – What’s different about your approach We’re managing PCI DSS in a payment security context as opposed to a tick box exercise. Merchants previously saw this as a painful necessity, but for us it’s paid off and we’ve seen a drastic reduction in payment compromises. GT - When does the Payment Card Industry Data Security Standard come into effect What was Barclaycard’s role in developing it PCI DSS came into effect in June 2004 and applies worldwide, but different parts of the world have been implementing it at different speeds. As Visa members, we were involved globally since the start. Barclaycard has been a major contributor to developing the standard in Europe in the last two years through our involvement in the Standards Council, of which Paul Cook, MD for Barclaycard Global Payment Acceptance, is a Board of Advisors member. GT – How does Barclaycard work with UK retailers to ensure they are PCI DSS compliant What support do you provide to address payment security issues We are actively involved with specific retailers and have extensive programmes for smaller merchants. We provide online portals and telephone support. For all merchants we offer tools to help compliance. We don’t audit our customers’ compliance ourselves but work with accredited organisations, the Qualified Security Assessors (QSAs). These are accredited and licensed as auditors by the PCI Security Standards Council, and their individual consultants are relicensed every year. The QSA’s provide us with independent reports on merchants. GT – How have you been communicating with retailers and their call centres about PCI DSS Payment security is a non-competitive issue. At Barclaycard we have been working day and night to provide guidance: we have publicised it at industry events, put documents on the web and helped retailers communicate to their internal staff, and also passed guidance onto organisations who aren’t Barclaycard customers. GT - Can you summarise the payment security guidelines you are providing to merchants who trade over the phone or online The fundamental principles for cardholder not present security are straightforward. First, if you don’t need to keep cardholder information, don’t. If you hold information, you must protect it. If a call centre doesn’t need to record calls, they shouldn’t. Second, embed a security culture early on: check that staff are aware of their responsibilities and that your suppliers are vetted (simple measures such as checking who is authorised to access sensitive systems Is this list kept upto-date to avoid the “disgruntled employee scenario”) Don’t write card details on Post- It notes and leave them lying around. Revising processes with such simple measures as not indexing customer files by credit card number gives many wins, for little or no investment. Similarly, when trading face-toface, check the people who come to inspect you are genuine: ensure that they are legitimate engineers and your card terminals are what they purport to be! GT – Do retailers need to change their card payment processing hardware or software to comply with PCI DSS It depends: if retailers are using third parties’ payment applications, and these don’t meet the standard, they’re at risk. It’s very important that if you engage a third party to provide, for example, a shopping card or payment application, they must comply. The merchant should request evidence in the form of a compliance report from Qualified Security Assessors. Hardware and software might need to be changed – retailers need up to date antivirus software to protect the perimeter of their organisation. Updating firewalls and so on should be part of information security governance, as should upgrading systems. It involves spending money, but protects organisations and customers. GT – Chip and PIN has done much to eliminate in-store card fraud in the last few years. What are the biggest payment security challenges for retailers now As we’ve said, it’s all to do with cardholder not present, so essentially the challenges concern online shopping, mail order and telephone order. We’re also actively promoting risk mitigation technologies such as tokenisation, and 3D Secure, implemented by Visa as “Verified by Visa” and by MasterCard as SecureCode. GT - If consumers pay on-line or by phone with a Barclaycard, what protection does the consumer have How does this protection differ from other payment cards There are different protections, such as 3D Secure. All Barclaycard customers have 100% protection subject to keeping some really basic rules. We don’t believe in overcomplicating things. Most banks have similar fraud guarantees, involving taking basic precautions. GT – As contactless payment cards are increasingly adopted in the UK, what do you see as their biggest security problems Contactless isn’t a particularly big fraud threat: transactions tend to be relatively low value, capped at £15, so don’t attract fraudsters. Cards can also be cancelled if lost or stolen. We see contactless being as safe as cash, if not more so. GT – Which particular people in a retail organisation are involved, or need to be involved, with PCI DSS and card payment security Because PCI DSS is technical, it tends to be dumped on IT people, but it should be part of the corporate governance framework. The standard invariably involves cultural change as businesses must deploy security measures addressing staff behaviour, access to buildings and information. Everyone from the CEO and HR Director to store managers and people on cash tills needs briefing and training at different levels. You need to make it real for them, with down to earth guidelines. GT - Payment security is not only an IT problem, it’s about the culture. How does Barclaycard work with an organisation to change their culture We advocate taking steps to ensure that for example someone can’t come into a call BARCLAYCARD TEL: O844 8116666 WWW.BARCLAYCARD.CO.UK/PCIDSS
August 2010 Page 13 Tel: 01923 272960 THE INTERVIEW - BARCLAYCARD Email: <strong>grocery</strong>@flame1.com world would be a better place. Businesses should always seek advice from their acquiring bank. tact, or email pciguide@barclaycard.co.uk. We usually respond in 48 hours with advice and guidance. centre to work for a few days, obtain the numbers they need to enable them to dial up from outside, listen into calls and write down account details and then use them. Also, in buildings with swipe card access, you need to make sure that people aren’t inadvertently causing security problems by being polite, holding the door open and overriding it. Ultimately all we can do is educate people. Temps’ security log-on credentials may still be ‘live’ after they leave. We also have drawn up joint guidelines with Visa on default and shared credentials, which should be avoided wherever possible. GT – The major supermarkets also provide financial services to consumers. The FSA has introduced UK legislation requiring some companies to record and store phone conversations in a range of situations. What are these situations There are various ‘legitimate’ situations that have FSA guidelines, where you must record calls to avoid miss-selling. Generally, these concern financial products requiring statutory documentation. If looked at closely, PCI DSS and the FSA regulations don’t actually clash. GT - Doesn’t recording card details and other particulars in these calls contravene the Payment Card Industry Data Security Standard, which says card details cannot be kept after payment authorisation How do you resolve that in best practice Recording card details per se is not against regulations, but if you record them you must protect them in a particular way. There may be requirements for encryption or masking technologies, depending on the nature of the data being retained: it’s our belief that organisations would do well to apply the protection supplied under PCI DSS across the board, and if they did so the GT – The major supermarkets have already invested considerably, and continue to do so in both IT and security. What happens if they don’t achieve PCI DSS compliance As the acquiring bank we’re here to help reduce the risk of card fraud. We assess the risk and look at the measures in place. If organisations can’t meet the standard for any reason, compliance may mean major investment in compensating controls, written in conjunction with Qualified Security Assessors. Some 40% of our customers in the corporate space rely on compensatory controls approved by Barclaycard, which ensure the residual risk after implementation is at a satisfactory level. GT – If someone reading this is worried about any of these points in their business, who should they call The first call should be to their acquiring bank. Barclaycard merchants should talk to their Barclaycard team con- GT - How far towards achieving PCI DSS compliance do you think UK retailing in general has got In the corporate space, over half the retailers are in shape: the rest have varying distances to go. GT – Finally, I gather you are developing a range of further guidance on PCI DSS compliance and related issues. What areas will this cover Our next set of guidelines will include further advice about third party providers such as shopping carts and more details about processing online payments securely. Visa Europe have also just published the first set of guidelines on tokenisation, which we support (essentially convert card information into a “token”), which will be of use to businesses needing to retain customer transaction information, for example for loyalty marketing. We will be publishing further guidance every couple of months, including case studies on named retailers. UNIVERSITY OF ST ANDREWS A SUCCESSFUL JOURNEY TO PCI DSS COMPLIANCE S t Andrews, founded in 1413, is Scotland's first university and the third oldest in the English speaking world. Over six centuries it has established a reputation as one of Europe's leading and most distinctive centres for teaching and research. As the planning for their 600th Anniversary celebrations gets underway, they are now contemplating and planning for a future worthy of their past, whilst taking time to reflect on the changing environment they inhabit, on the role of universities in the digital age and a globalised economy. Dr Louise Richardson, Principal and Vice-Chancellor, explains: “as teachers we will reflect on how best to prepare our students to respond to the ethical and practical dilemmas posed by the dizzying pace of technological change. As an institution, we will reflect on how best to position ourselves to compete in a global market without losing our essential local character” THE IMPORTANCE OF RELIABLE AND FLEXIBLE PAYMENT METHODS Eric Gillespie, Finance Operations Director, says: “Our current student body comprises around 7,500 students of which some 5,000 are undergraduates, including several hundred visiting students. The majority of our students are from the UK but almost 30% come from international backgrounds and altogether represent over 100 countries. The university has a responsibility to provide consistently flexible and reliable payment methods. All payments are essentially made online through the WPM Education (WPM) system for tuition and accommodation fees, sports centre subscriptions, library charges and print credits. Selecting partners that share our vision is essential to our success.” WHY WE CHOSE BARCLAYCARD Eric Gillespie, who has been with the organisation for 25 years, explains his needs and reasons for choosing Barclaycard and WPM as a preferred suppliers. “We are responsible for providing our students with quick, easy and efficient methods of payment, which ultimately impacts on our own service levels. We need to ensure that our students and staff are provided with the best possible standard of service across the university.” “Barclaycard has a long standing reputation for providing top level card payment processing services and thought leadership in supporting businesses with the Payment Card Industry Data Security Standard (PCI DSS). WPM was one of the first European e– payment service providers to achieve enterprise–wide PCI DSS accreditation back in 2008 and provides online payment services to over 90 UK universities and colleges. The University of St Andrews looked to both organisations for assistance in the development and deployment of their payment systems and enterprise security policies.” BENEFITS TO THE UNIVERSITY Since implementing WPM and Barclaycard’s card payment processing services, the university has witnessed substantial benefits. These include: • Ease of administration: management information tools allow treasury and finance staff to access details about transactions on request, quickly and efficiently. • Increased customer service: WPM Education’s bespoke online payment solutions improve customer service and increase efficiency in a way that is easy to implement with minimal impact on staff. • Increased revenue and improved cash flow: WPM provides the university with the tools to expand their product and service offering whilst dramatically reducing the costs associated with processing payments online. • Barclaycard’s ability to deal with queries promptly, their helpfulness and flexibility has clearly demonstrated their ethos as a supportive acquiring bank. • The dedicated support of a personal Relationship Manager, in addition to day to day assistance from Barclaycard’s client support and Payment Security teams. KEEPING CARD PAYMENTS SECURE With over 45% of payments taken by card, The University of St Andrews needs to be confident that payments are processed in a timely, responsible and secure way. In addition, The University of St Andrews decided to stop offering Direct Debits in favour of recurring transactions because of the greater flexibility and control that these offer. Furthermore, and because of The University of St Andrews’ international recognition, 66% of online transactions now support Dynamic Currency Conversion (DCC), benefiting The University of St Andrews and students alike. IMPRESSIVE CUSTOMER SERVICE The University of St Andrews has been impressed not only with Barclaycard’s highlevel of experience in card payment processing and payment security, but also with their high level of customer service and their constant endeavour to always to provide a solution. As Eric Gillespie explains: “Being one of the first organisations to implement Software as a Service (SaaS) jointly with WPM and Barclaycard, the PCI DSS journey did not start as an easy one. The support that Barclaycard provided with the development of our security policy was invaluable and their work in partnership with WPM led to the recognition that the SaaS model, as deployed by WPM, was recognised in the industry, leading to The University of St Andrews (and all WPM customers) not being asked to perform network vulnerability scans, thus simplifying their compliance efforts.” “The benefits we enjoy as a result of using WPM and Barclaycard’s payment processing systems, combined with the high standard of service provided, make them the ideal payment partners. Barclaycard and WPM are always proactive, continually helping us to enhance our payment offering, and ensuring our compliance with industry standards.” Eric Gillespie concludes: “Barclaycard and WPM really understand the issues faced by organisations operating in the education sector, and have a firm grasp of the challenges we face. Barclaycard has been immensely helpful in making sure that our card payment services meet strict industry standards such as PCI DSS (Payment Card Industry Data Security Standard), which in turn means that we can continue to provide safe and secure payment services for our students. I would thoroughly recommend both Barclaycard and WPM to anyone looking for a similar service in the education sector. We believe that all organisations should be security conscious and protect the information entrusted to them.” Neira Jones, Head of Payment Security, Barclaycard comments: “The onus is continually on organisations to provide high levels of security to their customers. Becoming PCI DSS compliant and embedding an information security culture within an organisation will give businesses a competitive edge over other organisations and in the coming months we will be working with more of our clients to assist them in reaching compliance standards as well as deploying new technologies that help secure the payment value chain.” BARCLAYCARD TEL: O844 8116666 WWW.BARCLAYCARD.CO.UK/PCIDSS
Page 1 and 2: THE PUBLICATION FOR THE MULTIPLE GR
Page 3 and 4: August 2010 Page 3 Tel: 01923 27296
Page 11: August 2010 Page 11 Tel: 01923 2729
Page 23: August 2010 Page 23 Tel: 01923 2729

grocery - food - Grandflame Ltd

Create successful ePaper yourself

Delete template?

Save as template?