Your questions answered – Proactive Security Service & DSM
Non-compliant customers
If your letter identifies you as being non-compliant with PCI DSS, then this section is for you.
About your PCI DSS compliance
Why have you sent me this letter?
1. To remind you that you need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS)
2. To tell you how we can help you become compliant, and
3. To let you know about changes to our Data Security Manager (DSM) fee and non-compliance charges.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of card scheme requirements designed to help protect you and your customers from fraud. Compliance with the PCI DSS, is a mandatory industry requirement for all businesses that store, process, transmit and/or accept payment by cards, whether this is manually or electronically. And as a Barclaycard customer, you’ve agreed to comply with the standard when you signed your Merchant Agreement with us.
For more information about PCI DSS and how to comply, visit our PCI DSS Help & Support page.
Why do I have to comply with PCI DSS?
Criminal techniques used to illegally access and use card data are becoming more and more sophisticated; compliance with the PCI DSS helps to protect against this type of criminal activity. If the card data you hold is accessed and/or used fraudulently, you may lose customer trust, loyalty and business, which in turn could impact your turnover and brand reputation.
In addition, the Card Schemes may impose financial penalties if your data is breached. These penalties can be significant.
For more information about PCI DSS and how to comply, visit our PCI DSS Help & Support page.
About the new Proactive Security Service (PSS)
What will the Proactive Security Service give me?
The Proactive Security Service (PSS) gives you a dedicated point of contact to help you achieve and maintain compliance with the PCI DSS requirements. You’ll receive reminders about tasks to complete to help you maintain a compliant status, as well as access to a number of cybersecurity tools that can help boost your data security.
Find out more about what you get with the PSS service.
Why are you registering me to a service I didn’t sign up for?
Our records currently show that your merchant account is non-compliant with the PCI DSS. As a result, we’ve pre-registered you for access to the Proactive Security Service (PSS), which we believe is the best way to help you get compliant, and reduce your costs.
We’re giving you advance notice of this pre-registration in case you want to opt out, which you can choose to do at any time.
The PSS will provide a dedicated security manager to help you through your journey to becoming compliant, and gives you 12 months to become compliant before we’ll re-introduce non-compliance charges to your account. Find out more about what you get with the PSS service.
What if I don’t want to use the Proactive Security Service?
You can choose to opt-out of the Proactive Security Service, at any time and inform us of this decision by calling 0330 058 3940. However, you’ll still need to achieve PCI DSS compliance, and let us know when you’ve done so.
If you choose to Opt Out of PSS, and don’t already have access to our standard self-assessment service on the Data Security Manager (DSM) portal, we’ll open a DSM account for you. DSM1 gives you a Self-Assessment Questionnaire (SAQ) to complete online. Please note that you’ll be charged a monthly Data Security Manager fee of £4.80 in addition to a monthly non-compliance charge of £25. The monthly Non-Compliance charge will be applied to your account until you have achieved a compliant status.
If you’d rather use a third party PCI DSS Assessor, you’ll still need a DSM account so you can upload your Attestation of Compliance (AOC) or completed SAQ. Once a valid AOC or SAQ has been uploaded, we’ll stop the DSM fee and any PCI DSS non-compliance charges you may be incurring. However, please be aware that the cost of using a third party Assessor may be higher than the fees you would pay for either the Proactive Security Service or Data Security Manager.
Put simply, with PSS you’ll pay £15 per outlet per month for a service that will support you achieving and maintaining a compliant status, and you won’t have to pay the £25 non-compliance charge for 12 months. With DSM, you’ll pay £4.80 per attestation point3, plus £25 non-compliance per outlet, each month until you report your compliance to us.
A member of our Proactive Security Service Team will call you to talk to you about the service and help you achieve a compliant status.
Can you tell me more about the Proactive Security Service?
Find out more about what you get with the PSS service. Or speak to a specialist by calling our Proactive Security Service Team on 0330 058 3940.
About the fees and charges
What am I getting for my £4.80 a month?
The Data Security Manager online portal allows you to self-assess and report your compliance. It also provides you with a way to update information about your card data environment at any time, reminding you to re-assess if you need to.
What do I get for £15 a month on the Proactive Security Service?
As well as a dedicated point of contact to help you navigate through your PCI DSS compliance journey, you’ll also have access to a number of cybersecurity tools to help you protect your business.
And don’t forget, you won’t be charged a non-compliance fee for the first 12 months, while you’re working towards meeting PCI DSS requirements and achieving a compliant status.
How is the Proactive Security Service fee applied?
This is an annual fee but we split it over 12 months to make it easier to manage. It’s fixed at £15 per month, per outlet.
Why do I have to pay for the Proactive Security Service, even after I’ve achieved compliance?
The majority of PCI DSS self-assessment services available at the moment are charged as a one-off fee, however, we’ve chosen to spread the cost of our PSS fee over 12 months. And, even when you’ve achieved a compliant status, the service will help you to maintain that status – giving you access to cybersecurity tools and reminding you when tasks are due.
How is the monthly non-compliance charge applied?
The monthly non-compliance charge of £25 will be charged for each of your outlets, until your Attestation Point3 is compliant. Your Attestation Point is the level at which you report your compliance - either one single account for all of your outlets, or individual accounts for each.
Why has the monthly non-compliance charge changed?
Any changes you see to your non-compliance charge and DSM fee are the result of a review to ensure that what we charge covers the costs of providing the services, and to bring charges in line with market rates.
How our Proactive Security Service can help you
Our PSS (Proactive Security Service) provides a dedicated point of contact to guide you through everything you’ll need to report your compliance with the PCI DSS every year.
This leaflet gives you all the information you need about the benefits of our PSS to your business.
Opting out of the Proactive Security Service
If you don’t want to use the PSS service or you’d rather use our Data Security Manager, please find out how to opt out in the letter we sent you.
How do the two services compare?
To see the differences between the PSS and DSM, please read this leaflet.
Do I have to join PSS or DSM?
Under the terms of your merchant agreement with us, you’ve committed to maintain compliance with the PCI DSS, in order that we all fulfil our obligations to the Card Schemes. We’ve set up these two services to help you do just that.
However, if you’d rather use the services of another PCI DSS assessor or Qualified Security Assessor (QSA), of course you can do so.
To find out more about your options, please read this leaflet.
Compliant customers
If your letter identifies you as already being compliant with PCI DSS, then this section is for you.
About your PCI DSS compliance
Why have you sent me this letter?
We need to tell you about changes to the fees you pay for our Data Security Manager (DSM) service – which you use to complete your annual Self-Assessment Questionnaire (SAQ) and attest your compliance with the Standard.
And, although you’re currently compliant with the PCI DSS, we also need to tell you about some changes to our non-compliance charges. These won’t impact you unless you allow your compliance to expire, or if something in your business changes, which may invalidate your status.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of card scheme requirements designed to help protect you and your customers from fraud. Compliance with the Payment Card Industry Data Security Standard, or PCI DSS, is a mandatory industry requirement for all businesses that store, process, transmit and/or accept payment by cards whether this be manually or electronically. Merchant adherence with the PCI DSS standard requirements is an expectation of all Acquirers from their customers.
Why do I have to comply with PCI DSS?
Criminal techniques used to illegally access and use card data are becoming more and more sophisticated; compliance with the PCI DSS helps to protect against this type of criminal activity. If the card data you hold is accessed and/or used fraudulently, you may lose customer trust, loyalty and business, which in turn could impact your turnover and brand reputation.
In addition, the Card Schemes may impose financial penalties if your data is breached. These penalties can be significant.
For more information about PCI DSS and how to comply, visit our PCI DSS Help & Support page.
What happens if I don’t renew my compliant status?
As part of the terms and conditions of your Merchant Agreement with us, you’ve already agreed to achieve and maintain your compliant status.
If you don’t renew your compliant status when it expires, we’ll charge you a monthly non-compliance charge of £25 to each of the outlets under your Attestation Point3 (also known as Associated Outlets).
Will you remind me when my compliance is due to expire?
Yes. The Data Security Manager team will send you an email or letter 60 days before your compliance expires asking you to log into the Data Security Manager (DSM) portal and complete a new Self-Assessment Questionnaire. The letter or email will also tell you how you can contact the team if you have any questions.
About Data Security Manager (DSM)
What am I getting for my £4.80 a month?
The Data Security Manager online portal1 allows you to self-assess and report your compliance. It also provides you with a way to update information about your card data environment at any time, reminding you to re-assess if you need to.
The service provides access to quarterly Approved Scanning Vendor scans if these are appropriate for your business. It also prompts you, via email, when there’s a task you need to complete in order to maintain or renew your status.
Help desk support is available via the online live chat feature or by telephone, on 0800 015 9518.
Why do I have to pay, even after I’ve achieved compliance?
If you would rather use the services of a third party PCI DSS Assessor, you would still need your Data Security Manager account so you can upload your Attestation of Compliance (AOC) or completed SAQ. Once a valid AOC or SAQ has been uploaded, we’d stop the DSM fee and any PCI DSS non-compliance charges you may be incurring. However, please be aware that the cost of using a third party Assessor may be significantly higher than the fees you pay for either the Proactive Security Service or Data Security Manager.
Can you tell me more about Data Security Manager?
This leaflet has all the information you’ll need about services and options.
More information / Contact
For more information, the following resources may be of use:
Beginner’s guide to PCI DSS
PCI DSS information hub
Official PCI Security Standards Council website
Or you can find more information and contact details in this leaflet.
References
1 - Minimum browser requirements; to access the DSM you’ll need to have the latest versions of Internet Explorer, Firefox, Safari, Chrome or Adobe. If you don’t have access to the internet, please call the Data Security Helpdesk on 0800 015 9518
2 - Call charges and information.
Calls to 0800 and 0808 numbers are free from UK land lines and personal mobiles, otherwise call charges may apply. Calls to 03 numbers use free plan minutes if available; otherwise they cost the same as calls to 01/02 prefix numbers. Please check with your service provider.
To maintain a quality service we may monitor or record phone calls.
3 - “Attestation Point” refers to the level at which you report your compliance, i.e. one single attestation for a number of outlets or an individual attestation for each outlet.