A hostile environment: payments, the PCI DSS and UK digital businesses
I’ve written in the past about how to avoid hefty charges for the task of ticking a few checkboxes when completing your PCI DSS SAQ A. I have been following this process for the last few years without problems. After all, my business never touches a card number. We (and our servers) never see a card number, because card payments are taken on a payment page hosted by a Level One certified PSP here in the UK, Sage Pay. We therefore fully meet the eligibility criteria for completing SAQ A (Card-not-present Merchants, All Cardholder Data Functions Outsourced).
Enter Barclaycard Data Security Manager
In November I received a letter from Barclaycard – our merchant account provider – stating that from now on I would have to use the Barclaycard Data Security Manager to comply with the PCI DSS.
“Now here’s the good news. We’ve created Barclaycard Data Security Manager, a new programme which helps make it easier for your business to meet PCI DSS requirements.
That’s nice … or perhaps not:
“… There will be a small charge of £5.80 for this service which will be applied to your statement every month.”
I phoned Barclaycard and explained that, as in the past, I would complete my own SAQ A and upload it, as we do not take or store any cardholder data and therefore our compliance requirements are very simple. I was told that I could not do this. I either needed to pay another QSA and upload validated documents, or go via the Barclaycard Data Security Manager at a cost of £5.80 per month on top of all the other charges we have to pay to process each payment.
We are already doing the sensible thing by NOT taking card data
I have spent years advising clients that if they can avoid processing card data themselves – and therefore needing to comply with PCI DSS at a higher level – then that is the way to proceed. In my opinion the banks should be making it as easy and inexpensive as possible for people to go that route. If you NEVER see a customer card number and those numbers are NEVER transmitted or stored on your servers then compliance should be a case of stating you do not store or transmit card data and giving the name of your Level 1 certified PSP. That is what SAQ A is intended for.
The banks should be lining up to encourage people down that route and away from storing or processing card data themselves, even via a PSP API, because that is where there are more chances for dodgy code or poor security practices to let card data be compromised.
Back to Barclaycard
Naturally I was going to argue this. I emailed Barclaycard to ask why I needed to pay to tell them I didn’t store card data. I would publish the replies here; however, Barclaycard have informed me that if I do I am breaching their terms and conditions. I was open about the fact that I was interested in the answers to these questions not only for myself but in order to advise other people. So I shall explain the official line of Barclaycard based on publicly accessible documents.
The line from Barclaycard on PCI DSS self-assessment is that merchants were completing their forms incorrectly and were therefore “in unnecessary danger of security breaches and card scheme fines”. This line is set out in the Barclaycard FAQ entry “I don’t want to use Barclaycard Data Security Manager online service; where can I get a PCI DSS Self-Assessment Questionnaire (SAQ) from?”
When I pressed Barclaycard they simply repeated the above information, in addition referring to a 2010 Visa alert. That is something of a straw man, as the issue raised there has more to do with the PSP than the merchant: it is the PSP that must provide a method for the merchant to verify that the server it is talking to is indeed the PSP’s server it expects. All the recent PSPs I have encountered have such methods in place.
They also implied that, because a PSP will usually also offer a “virtual terminal” (a web page where a merchant can go to enter phone orders), merchants may have other compliance issues. The fact remains that businesses selling services or digital products typically do not use a virtual terminal. Surely all we need to do is state that we never take card payments in any way other than via the PSP payment page?
We have to put up and shut up
If we want to continue processing payments via Barclaycard there is little we can do other than pay their fee and go through the charade of completing their form and being charged for the privilege.
If we ever had our hands on customer card data, even just by taking a number over the phone or by its passing through our servers before an API request is made to a third party, then I would agree that how we keep that data secure should be verified. However, like most businesses of our kind, we never, ever see or have access to a card number. My argument is that there should be simplified compliance for those who can guarantee that is always the case, as an incentive to outsource complex security requirements to companies who are better placed to deal with them.
Transmitting Card Data, Stripe vs traditional PSPs
This all gets stranger still if we take a look at Stripe. We thought of switching to Stripe, but they don’t do true multi-currency. I’m also a little confused about how they are enabling customers to bypass the PCI DSS, as a company using Stripe does appear to be at the least equivalent to one using a traditional PSP payment page, and it could be argued that they are in fact transmitting card data.
The document Navigating PCI DSS states that,
“PCI DSS applies wherever account data is stored, processed or transmitted.”
Using our Level One certified PSP payment page we neither store, process nor transmit card data. It never touches our server or a page hosted on our server, and no code that handles the transmission of card data is linked to our server.
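The claim above (and the “we never, ever see a card number” claim in the previous section) is exactly what an acquirer or QSA will ask a merchant to substantiate, and the practical way to do that is to look for card numbers where they should never appear: web server and application logs, request bodies, support tickets, database dumps. The following is an added example, not code from the original post or from Sage Pay, Barclaycard or Stripe. It scans text for strings shaped like a PAN (13 to 19 digits, optionally separated by spaces or hyphens) and keeps only those that pass the Luhn check, which filters out most order numbers, timestamps and phone numbers. The log lines are constructed for the example; the masking format (first six and last four digits) follows what PCI DSS permits to be displayed.

```python
import re

# Candidate PAN: 13 to 19 digits, single spaces or hyphens allowed between
# them, and not glued to further digits on either side (so a 20-digit
# reference number is not reported as a 19-digit card number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that are PAN-shaped and Luhn-valid."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines) -> list:
    """(1-based line number, masked PAN) for every hit in the given lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask(pan)))
    return hits


def hosted_page_claim_holds(lines) -> bool:
    """True only if nothing PAN-shaped reached the server.

    A single hit means the server has transmitted or stored account data,
    so the 'all cardholder data functions outsourced' precondition of SAQ A
    no longer holds for that system.
    """
    return not scan_lines(lines)


# Constructed sample log lines for a hosted-payment-page integration; the
# fourth line simulates a PSP callback that wrongly echoes the card number.
SAMPLE_LOG = [
    "2013-12-18 10:01:22 POST /checkout/start order=10045 amount=49.00 currency=GBP",
    "2013-12-18 10:01:25 302 -> https://psp.example/pay?vendorTxCode=10045",
    "2013-12-18 10:02:40 POST /checkout/callback order=10045 status=OK token=tx-9f3a",
    "2013-12-18 10:05:03 POST /checkout/callback order=10046 status=OK card=4111111111111111",
    '2013-12-18 10:06:11 POST /support/ticket body="phone 01234 567890 ref 1234567890123456"',
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: card number found: {masked}")
    print("hosted-page claim holds:", hosted_page_claim_holds(SAMPLE_LOG))
```

Two caveats when running this over real data: Luhn only thins the false positives (genuine test card numbers pass it, and so will the occasional reference number), so treat hits as leads to investigate rather than proof; and a clean log does not prove a clean system, because card data can also arrive via error pages, email, ticketing systems and backups, all of which need the same check.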
My question isn’t whether Stripe is a secure way to take payment or not, or more or less secure than a PSP payment page. The only reason businesses using Stripe and businesses with an acquiring bank and PSP are treated differently – as far as I can see – is because if you have an acquiring bank they can tell you to pay whatever they feel like telling you to pay and you have no option but to pay it.
Could the PSPs put pressure on here?
Stripe seem to be managing to collect and process payments without every customer needing to complete an SAQ. Could other PSPs not do the same? Digital businesses do not need virtual terminals or the ability to take phone orders. If the PSPs offered a digital business only type of account could they put pressure on the banks to allow customers using that service to be flagged compliant by the acquirer?
This would seem to be to the benefit of the traditional PSP companies. If services like Stripe are managing to bypass compliance for their customers they are making themselves a much more compelling option. That is especially so if the acquiring banks start charging payment-page-only customers for compliance, as it makes Stripe’s relative cost (which is slightly higher than PSP plus bank once you are at scale) look more attractive.
Is using Stripe a ticking time bomb?
Please add your thoughts
I don’t know the answers to these questions. I may have things wrong – the lack of transparency in this area means that you really only get to see the bits of the picture revealed by the companies you deal with. So the only way to get a full picture is if enough of us share what we know. My immediate future sees me continuing to use Sage Pay and Barclaycard and paying what I am told to pay, but I would love to see this whole area clarified for all of us selling digital products. At the moment I feel that the whole area of payments is pretty hostile and opaque to UK businesses, and in my experience – despite the arrival of Stripe – getting worse, rather than better.
If you know any more about any part of this puzzle please comment below. I will reiterate that what I am describing here covers only those integrations that would normally allow the merchant to complete the self-assessment SAQ A, and the fact that acquiring banks are now pressing their customers for additional fees to indicate compliance.