What do you need to do?

Actions taken will depend on the category of merchant and level of risk assessed. The table below shows how the merchant is defined for PCI DSS:

Merchant level and definition criteria:

Level 1
  • All merchants, including electronic commerce merchants, with more than 6 million total Visa or MasterCard transactions annually.
  • All merchants that have experienced an account compromise, i.e. where an unauthorised person obtains access to any Cardholder Data or such data is lost.
  • Any merchant that Visa or MasterCard, at its sole discretion, determines should meet Level 1 merchant requirements.
Level 2
  • All merchants with annual transactions between 1 and 6 million for Visa or MasterCard.
Level 3
  • All merchants with annual e-commerce transactions between 20,000 and 1 million for Visa or MasterCard.
Level 4
  • All other merchants that do not fall into the levels above.

All merchants falling into Level 1 must undertake an independent assessment carried out by an approved Assessor.

Other businesses may choose between Independent Assessment and Self-Assessment. A full list of Security Assessors can be found at PCI Security Standards Council or Visa Europe.

Level 4 Merchants

Barclaycard Business has engaged SecurityMetrics as:

  • A preferred supplier for PCI DSS Compliance Assistance for all Level 4 merchants who choose to enrol for their services.
  • Central Reporting on Compliance: all Level 4 merchants, whether enrolled with SecurityMetrics or not, are required to submit their PCI DSS compliance evidence to SecurityMetrics for reporting purposes.

Should you decide to enrol with SecurityMetrics for Compliance Assistance, please select Barclaycard Business when prompted.

If you choose not to enrol with SecurityMetrics, please notify them of your compliance status by email to BarclaycardPCI@SecurityMetrics.com. You will need to attach your completed questionnaire or Executive Summary and scan certificate (if applicable) as proof of your compliance.

You may also contact SecurityMetrics on 0844 5611662 to enrol.

Please note:

  1. SecurityMetrics provide free advice regarding whether or not a scan is required and which questionnaire needs to be completed. To do this, SecurityMetrics will ask questions to understand the card processing situation and any internet connectivity the Merchant may have.
  2. Any technical support offered by SecurityMetrics to help Merchants complete Self-Assessment Questionnaires is at a preferential rate for Barclaycard Business Merchants; it is not a free service.

Find out more on what is required from each merchant to validate compliance.
Third Parties that Store, Transmit or Process Your Card Holder Data

You must ensure that any third party who stores, handles or processes your Cardholder Data complies with PCI DSS. This includes payment service providers and data storage providers.

PCI DSS requires you to be compliant; therefore your service providers (where card payment data is transmitted or stored on your behalf) also need to be compliant. For example: Resellers, Till vendors, EPOS vendors, Software Application suppliers, Payment Service Providers, Payment Processing Bureaus, Data Storage providers, Web hosting providers, Shopping cart providers and Software vendors.

Miscellaneous Third-Party Agents

Service Providers employed by you have an obligation to ensure that the service they provide meets PCI DSS requirements and that their compliance status is kept up to date. This will involve security questionnaires, visits from security assessors and port scanning.

Find out more on the steps required to ensure you and any third parties you have engaged meet PCI DSS.