PCI DSS

(Payment Card Industry Data Security Standard)


ADVICE TO MEMBERS (July 2008)


Earlier ABA advice to members of the ABA group with Barclaycard Merchant Services (BMS) was to return the pro-forma to BMS before the deadline of 30th April 2008, having ticked the box to say that they would undertake a Self-Assessment of their business.


The ABA advice is now that, for merchants with fewer than 20,000 card sales per year who do not store any credit card information on their computers (presumably most members), completing the self-assessment questionnaire and preparing a policy statement on information security will fulfil the requirements of the card schemes and merchant service providers.  Please note:


The Self-Assessment Questionnaire (SAQ)

In February 2008 the PCI Security Standards Council published revised self-assessment questionnaires.  The forms for small businesses that do not store credit card details on their computers and do not take card details over the internet (via shopping baskets etc.) are now much simpler and easier to complete than the previous ones.  For most members the “Self-Assessment Questionnaire B / version 1.1 / February 2008” is the one to complete.  No website scanning or certification is required for this questionnaire.  The new forms can be downloaded from the pcisecuritystandards.org website.


www.pcisecuritystandards.org/saq/instructions.shtml


Validation type 2 may be used if you only use imprint machines, retain only paper records, do not transmit card information over telephone lines or the internet, and do not store card data on your computer.

Validation type 3 may be used if you use stand-alone card terminals not connected to the internet or to your computer, do not store card data on your computer, and retain only paper records.

Both validation types are completed using Self-Assessment Questionnaire B.


The ABA office has prepared an Information Security Policy Statement which is available to help members to prepare their own.


Members who opt for self-assessment may be contacted by BMS to confirm that they understand their responsibilities.


The deadline for compliance was 30th April 2008.


Members who wish to continue storing credit card information on their computers are advised to register with SecurityMetrics, whose service includes an annual assessment, network scans and completion of the returns to BMS.  BMS say that this is “simple”.  Your Secretary found even the procedure for registering with SecurityMetrics full of almost impenetrable IT gobbledegook…