Barclay PCI DSS application form

Has anyone else had to file this form for Barclaycard PCI DSS? Apparently it's a required document to prove that as a business we are secure taking payments.

They will charge to help fill out the document or we can do it for free ourselves without their help, however the document is written in such a way that we don't stand a chance, for example -

Part 2c Transaction processing
Payment application in use [ ] Payment application version [ ] - WTF is this about

No info or anything. Seems like another way to print money to me, same as the government's CRB checks.
 
Is the payment application not the PDQ/ePDQ if you use them? And the version simply the version of that application?

I've filled in one, lucky for us we don't store card details within the business so it's a fair bit more simple! If you do store card details I believe you have to register the PCI DSS as it will need to be tested to make sure your systems are secure.
 
If you do have to be PCI compliant, filling out the form is the least of your worries. If you're not storing CC numbers, I don't believe there's a requirement to be PCI certified?
 
The only thing we store are printed PDQ slips from all the transactions.

Reading more about it, PCI seems to apply if you either hold or handle CC numbers.

I agree with UKadder, just put in the service you pass the CC details to for transaction handling.
 
If you do have to be PCI compliant, filling out the form is the least of your worries. If you're not storing CC numbers, I don't believe there's a requirement to be PCI certified?

No, you are in scope if at any point you collect CC details, even if you do not store them and simply transmit them to a payment processor (such as SagePay or PayPoint) immediately.

What's even worse is the PA-DSS, which means any e-commerce vendors who sell their product need to cough up in the region of £20,000 each year to a QSA to get their product verified as compliant - and that's on top of the yearly listing fee that goes to the PCI people so you can be shown as being compliant in their database.

It's a great big mess and is VISA and MasterCard simply shifting the cost of 'security' (because it's not, I've heard of companies who've passed a level 1 on-site PCI audit and have still allegedly been compromised after that process) onto the merchant and ultimately onto Mr and Mrs Joe Q Public.

To the OP: Are you an e-commerce site (online shop) or do you take credit cards in a bricks-and-mortar store?
 