Keeping cardholder data safe to ensure industry compliance
We are putting new solutions and processes in place to meet the latest Payment Card Industry standards. These reduce the opportunities for cardholder data to be misused, lowering the risk of credit or debit card theft, fraud and security breaches.
The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of security requirements. It is not unique to Post Office branches: every merchant or service provider that stores, processes or transmits cardholder data must meet the PCI DSS in order to accept card payments. The standard is maintained by the PCI Security Standards Council, which was formed by the five major card brands: Mastercard, American Express, Visa, JCB and Discover.
The standard not only protects your customers but also protects Post Office from potential financial loss and reputational damage. Not complying with the standard can also result in higher processing charges from our acquiring banks (which enable the acceptance and processing of card payments) and potentially being prevented from taking card payments.
New transaction process and PCI audit
A new process for banking and payment transactions is rolling out as part of meeting the PCI DSS. It ensures cardholder data is encrypted at the point of entry, inside the PIN pad, so that the branch systems behind it only ever handle encrypted data (known as point-to-point encryption, or P2PE). You may recall an engineer previously visited your branch to swap out the PIN pad(s) for devices containing upgraded software. This was to make sure all your PIN pads are ready for the new process.
We started introducing the new process on a rolling basis from January. This will continue during February and March. If your branch doesn’t have the new process in place yet, please look out for communications about this and the date your branch will go live.
Once the person serving has made any Horizon entries, the customer follows the instructions on the customer-side PIN pad. For cards without a chip, the customer swipes the card on the PIN pad. For chip cards, the customer inserts the card into the PIN pad and enters their PIN if prompted, to complete the transaction. This is the flow used widely in retail today, so many customers will already be familiar with it.
Customers who are making a cash withdrawal or cash deposit banking transaction with a swipe card will therefore swipe their banking card (not change giving cards) on the customer side PIN pad, rather than the card being swiped behind the counter.
Our PCI DSS process requires that the customer stays in control of their card at all times, so that card data only ever enters the encrypting PIN pad. This is why customers with swipe cards swipe their own card on the customer PIN pad for cash deposits and cash withdrawals, instead of passing it behind the counter. For full details about the transaction process, please see the Branch Focus article with your go-live date.
Branch audits are a key part of achieving overall PCI compliance. An external auditor will assess 60 randomly selected branches in the coming months and any type and size of branch could be audited. We will share more information about the audits soon, and it will be an annual audit in future.
Other changes already introduced
We have already made some changes in Post Office branches and support centres to meet PCI DSS:
- We introduced a monthly checklist for all branches to complete to show the PIN pads have been regularly checked for any signs of tampering or skimming devices being present, plus updated guidance on what to look for when doing the checks. PCI DSS requires that card-reading devices are inspected periodically for tampering and substitution, and the completed checklists are the evidence of this that an auditor will ask to see.
- We now mask the long card number (the PAN) on screens and receipts so that it is never displayed in full: only the last four digits are shown, for example ************3440. PCI DSS allows at most the first six and last four digits to be displayed where there is a business need; we show only the last four. Any receipts from before this change was introduced (1 August 2020) that still show the full PAN must be securely destroyed (for example, shredded).
- Our customer support centre uses a PCI DSS compliant solution for taking card payments over the phone, so that the full card number is never seen or heard by the agent taking the call.
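The PAN masking described above can be checked mechanically, which is useful when deciding whether stored receipt text or a support-centre log still carries a full card number. The following is an added example written for this article, not Post Office or Horizon code, showing how a masking routine finds candidate PANs (13 to 19 digits, optionally separated by spaces or hyphens), confirms they are card numbers with the Luhn check digit so that unrelated reference numbers are left alone, and keeps only the last four digits. The receipt text and the card numbers in it are constructed for the example (the 4000 0000 0004 3440 number is Luhn-valid but not a real card); the function and constant names are this example's own.

```python
from __future__ import annotations
import re

# Candidate PAN: 13 to 19 digits, each digit optionally followed by one space or hyphen,
# not preceded or followed by another digit (so longer digit runs are not split into PANs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample receipt, not a real Post Office receipt. Both card numbers are
# Luhn-valid test values; the "Ref:" line is a 16-digit number that is not a card.
SAMPLE_RECEIPT = """\
POST OFFICE  -  CASH WITHDRAWAL
Card: 4000 0000 0004 3440
Auth code: 012345
Ref: 1234567890123456
Card: 5555555555554444  (second card on the same receipt)
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible_last: int = 4, fill: str = "*") -> str:
    """Return the PAN with everything but the last `visible_last` digits replaced.

    Separators are dropped so the masked form cannot leak digit grouping.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return fill * (len(digits) - visible_last) + digits[-visible_last:]


def scrub_receipt(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in `text`; return (masked text, number masked)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # fails Luhn: a reference number, not a card, leave it
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, text), count


def contains_unmasked_pan(text: str) -> bool:
    """True if any Luhn-valid 13-19 digit number is still present in `text`."""
    return any(luhn_valid(re.sub(r"\D", "", m.group(0))) for m in PAN_RE.finditer(text))


if __name__ == "__main__":
    masked, n = scrub_receipt(SAMPLE_RECEIPT)
    print(f"masked {n} PAN(s)")
    print(masked)
    print("still contains a full PAN:", contains_unmasked_pan(masked))
```

The Luhn check is what stops the scrubber from mangling authorisation codes and reference numbers that happen to be long digit runs; it is not a security control on its own, since a Luhn-valid 16-digit number is trivial to construct, so anything that passes it should be treated as a PAN rather than argued about.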
Thank you for your ongoing support. We’ll keep you posted about PCI related changes, so please look out for more information.