grocery - food - Grandflame Ltd
Page 12, August 2010
THE INTERVIEW - BARCLAYCARD
Email: grocery@flame1.com
Tel: 01923 272960

BARCLAYCARD
LEADING THE WAY IN SECURE PAYMENTS AND PCI DSS COMPLIANCE
In 1966, Barclaycard launched the UK’s first credit card with just over one million cardholders, and went on to produce the first all-purpose credit card in Europe. Today, Barclaycard is one of the world’s largest payment businesses, providing credit cards for consumers and corporate clients and enabling retailers to take card payments. Barclaycard has 10.4 million UK customers, and one in five credit cards in the UK in its portfolio, and is expanding rapidly as a global cards and lending business with 10.7 million non-UK customers.

Following the introduction of the new Payment Card Industry Data Security Standard (PCI DSS), Barclaycard is actively providing key payment security advice to new or existing merchants who trade over the phone or online, and is developing a range of further guidance to provide greater detail on this and other related issues. Neira Jones, Head of the Payment Security Team, Global Payment Acceptance at Barclaycard, spoke to The Grocery Trader.
The Grocery Trader – First of all, Neira, what does your role as Head of the Payment Security Team cover?

Barclaycard’s Global Payment Acceptance operation accepts payments through our card terminals and infrastructure, and equivalent on-line networks. I lead the Payment Security team: our remit is to help Barclaycard’s portfolio of merchants and retailers comply with security standards such as PCI DSS and offer support, advice and education on reducing card fraud. I am personally involved in getting the message across to major retailers and smaller merchants alike, working with Matt Martin, Payment Security Compliance Operations Manager, and his team.

GT – How do you support retailers?

We are in touch with merchants and retailers through regular personal contact, mailings, speeches at conferences and seminars and a resources portal that readers can find via their browser with the key words “PCI DSS.” We launched this site in February 2009: since then it has consistently remained number three in web searches, behind the PCI Security Standards Council’s (PCI SSC) own site and Wikipedia’s PCI DSS entry. You can also access this site directly at www.barclaycard.co.uk/pcidss.
GT – Before we talk about PCI DSS and the latest developments in payment card security, who owns Barclaycard?

Barclaycard is a trading name of Barclays Bank PLC. It is still part of Barclays, and has been based in Northampton since its inception in 1966.

GT – What different Barclaycards are available?

Barclaycard offer a wide product range – at any time from eight to ten different types of card are available. We have products for bank transfers, purchase deals and low interest rates, and cards for people with no previous credit history. We accept one in two credit applications. We work to conservative credit limits and have a ‘low and grow’ approach.

GT – How many Barclaycard contactless cards are in use?

Across the Barclays group there are around eight million cards with contactless functionality.

GT – What proportion of UK card transactions involve Barclaycard?

Barclaycard has 17-18% of the UK credit card market and is one of the UK’s larger credit card brands. Barclaycard has become synonymous with card payments: people tend to say “stick it on the Barclaycard.”
GT – What is the relationship between Barclaycard and Visa? What does each of you do in card payment processing?

Barclaycard is the acquiring bank and processes payments on behalf of the merchant (retailer). We have an acquiring licence granted by the Visa card scheme, of which we are members. When a customer puts their card in the retailer’s terminal and validates it with their PIN, it goes through the store’s system to Barclaycard, who process the payment and pass it to Visa and then to the cardholder’s issuing bank, who validate it and send authorisation back to the terminal – all in a matter of seconds!

GT – In non-technical terms, what does the new Payment Card Industry Data Security Standard (PCI DSS) require retailers to do?

PCI DSS requires retailers to protect all cardholder information in their possession. There are some myths about the standard, that it’s complex and onerous, but in fact it offers very simple fraud mitigation guidelines. If an organisation has some basic security measures in place, PCI DSS compliance should be easy. You wouldn’t dream of not virus-protecting a PC or not brushing your teeth. Card fraud is a disease, and we’re trying to protect consumers and retailers: prevention is always far better than cure (and much less expensive!).
GT – Under PCI DSS what are the retailer’s responsibilities for protecting cardholder data?

PCI DSS is a set of six goals attached to 12 principles, as set out on the PCI Security Standards website (www.pcisecuritystandards.org/index.shtml) and the Barclaycard web site www.barclaycard.co.uk/pcidss. Any organisation that processes and transmits or stores cardholder information has to comply with the PCI Data Security Standard.

GT – What are the requirements for call centres and on-line operations to comply with PCI DSS?

Compliance in call centres has been a hot topic for the last six months, specifically the protection of sensitive authentication data, such as the card verification value consisting of the three printed numbers above the signature block on the card. You must not retain this data after transactions are authorised. Most compromises involve retention of sensitive card data.

GT – What’s the position about call centres recording calls?

If they record calls, businesses end up holding large volumes of data. The PCI SSC issued FAQs on the subject, but confusion in the industry still remained! We felt we needed to do some clarifying of our own, hence our white paper ‘Processing telephone payments securely,’ published in April and available online on our website. We’ve had tremendous feedback, and have co-branded our guidelines with Visa Europe, and included guidelines for call centre managers. The PCI Security Standards Council has recently adopted our white paper, which is the ultimate recognition.
GT – How big a problem is card fraud?

The latest UK Cards Association figures (March 2010) show a tremendous reduction in card fraud overall, but problems still remain in cardholder not present (CNP) environments. The priority is to reduce fraud in these remote channels, so we published another white paper, ‘Processing on-line payments securely,’ again in April. This offers advice and guidance to merchants processing on-line, or thinking of doing so. It looks at the risks and responsibilities and gives advice in plain English. As with the first white paper, we are talking to Visa Europe and the PCI SSC about adopting its recommendations.

[Photo caption: Neira Jones, Head of the Payment Security Team, Global Payment Acceptance at Barclaycard.]

GT – What’s different about your approach?

We’re managing PCI DSS in a payment security context as opposed to a tick box exercise. Merchants previously saw this as a painful necessity, but for us it’s paid off and we’ve seen a drastic reduction in payment compromises.

GT – When does the Payment Card Industry Data Security Standard come into effect? What was Barclaycard’s role in developing it?

PCI DSS came into effect in June 2004 and applies worldwide, but different parts of the world have been implementing it at different speeds. As Visa members, we were involved globally since the start. Barclaycard has been a major contributor to developing the standard in Europe in the last two years through our involvement in the Standards Council, of which Paul Cook, MD for Barclaycard Global Payment Acceptance, is a Board of Advisors member.
GT – How does Barclaycard work with UK retailers to ensure they are PCI DSS compliant? What support do you provide to address payment security issues?

We are actively involved with specific retailers and have extensive programmes for smaller merchants. We provide online portals and telephone support. For all merchants we offer tools to help compliance. We don’t audit our customers’ compliance ourselves but work with accredited organisations, the Qualified Security Assessors (QSAs). These are accredited and licensed as auditors by the PCI Security Standards Council, and their individual consultants are relicensed every year. The QSAs provide us with independent reports on merchants.

GT – How have you been communicating with retailers and their call centres about PCI DSS?

Payment security is a non-competitive issue. At Barclaycard we have been working day and night to provide guidance: we have publicised it at industry events, put documents on the web and helped retailers communicate to their internal staff, and also passed guidance on to organisations who aren’t Barclaycard customers.
GT – Can you summarise the payment security guidelines you are providing to merchants who trade over the phone or online?

The fundamental principles for cardholder not present security are straightforward. First, if you don’t need to keep cardholder information, don’t. If you hold information, you must protect it. If a call centre doesn’t need to record calls, they shouldn’t. Second, embed a security culture early on: check that staff are aware of their responsibilities and that your suppliers are vetted (simple measures such as checking who is authorised to access sensitive systems. Is this list kept up-to-date to avoid the “disgruntled employee scenario”?). Don’t write card details on Post-It notes and leave them lying around. Revising processes with such simple measures as not indexing customer files by credit card number gives many wins, for little or no investment. Similarly, when trading face-to-face, check the people who come to inspect you are genuine: ensure that they are legitimate engineers and your card terminals are what they purport to be!
GT – Do retailers need to change their card payment processing hardware or software to comply with PCI DSS?

It depends: if retailers are using third parties’ payment applications, and these don’t meet the standard, they’re at risk. It’s very important that if you engage a third party to provide, for example, a shopping cart or payment application, they must comply. The merchant should request evidence in the form of a compliance report from Qualified Security Assessors. Hardware and software might need to be changed – retailers need up-to-date antivirus software to protect the perimeter of their organisation. Updating firewalls and so on should be part of information security governance, as should upgrading systems. It involves spending money, but protects organisations and customers.

GT – Chip and PIN has done much to eliminate in-store card fraud in the last few years. What are the biggest payment security challenges for retailers now?

As we’ve said, it’s all to do with cardholder not present, so essentially the challenges concern online shopping, mail order and telephone order. We’re also actively promoting risk mitigation technologies such as tokenisation, and 3D Secure, implemented by Visa as “Verified by Visa” and by MasterCard as SecureCode.
GT – If consumers pay on-line or by phone with a Barclaycard, what protection does the consumer have? How does this protection differ from other payment cards?

There are different protections, such as 3D Secure. All Barclaycard customers have 100% protection subject to keeping some really basic rules. We don’t believe in overcomplicating things. Most banks have similar fraud guarantees, involving taking basic precautions.

GT – As contactless payment cards are increasingly adopted in the UK, what do you see as their biggest security problems?

Contactless isn’t a particularly big fraud threat: transactions tend to be relatively low value, capped at £15, so don’t attract fraudsters. Cards can also be cancelled if lost or stolen. We see contactless being as safe as cash, if not more so.

GT – Which particular people in a retail organisation are involved, or need to be involved, with PCI DSS and card payment security?

Because PCI DSS is technical, it tends to be dumped on IT people, but it should be part of the corporate governance framework. The standard invariably involves cultural change as businesses must deploy security measures addressing staff behaviour, access to buildings and information. Everyone from the CEO and HR Director to store managers and people on cash tills needs briefing and training at different levels. You need to make it real for them, with down to earth guidelines.
GT – Payment security is not only an IT problem, it’s about the culture. How does Barclaycard work with an organisation to change their culture?

We advocate taking steps to ensure that for example someone can’t come into a call

BARCLAYCARD TEL: 0844 8116666 WWW.BARCLAYCARD.CO.UK/PCIDSS