Keeping cardholder data safe to ensure industry compliance

We are putting new solutions and processes in place to meet the latest Payment Card Industry standards. These will prevent the misuse of cardholder information, reducing the likelihood of potential credit or debit card theft, fraud and security breaches.

The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements that applies across the retail sector. It’s not unique to Post Office branches - every merchant or service provider that stores, processes or transmits cardholder data needs to meet the PCI DSS to carry out secure card transactions. The standard was developed by the PCI Security Standards Council, which was formed by the five major card companies - Mastercard, American Express, Visa, JCB and Discover.

The standard not only protects your customers but also protects Post Office from potential financial loss and reputational damage. Not complying with the standard can also result in higher processing charges from our acquiring banks (which enable the acceptance and processing of card payments) and potentially being prevented from taking card payments.

New transaction process and PCI audit

A new process for banking and payment transactions will be rolling out as part of meeting the PCI DSS. It ensures cardholder data is encrypted at the point of entry on the PIN pad (known as point-to-point encryption). You may recall an engineer previously visited your branch to swap out the PIN pad(s) for devices containing upgraded software – this was to make sure all your PIN pads are ready for this new process.

The customer will present their card followed by their PIN if required – this is widely used in retail these days so many customers will already be familiar with it. PCI DSS requires that the customer is in complete control of their card at all times, which means the card doesn’t pass behind the counter - swiping a card behind the counter will no longer be supported when a customer carries out a banking or payment transaction.

We’re currently piloting the new process in a small number of branches and we will take their feedback on board when we roll this out to the rest of the network. Please look out for communications about the new process and the date your branch will go live – this is planned to start from mid-September on a rolling basis across several weeks.

Branch audits are a key part of achieving overall PCI compliance. An external auditor will assess 60 randomly selected branches and any type and size of branch could be audited once they are live with the new process. We will share more information about the audits soon, and it will be an annual audit in future.

Changes already introduced

We have already made some changes in Post Office branches and support centres to meet PCI DSS:

  • We introduced a monthly checklist for all branches to complete to show the PIN pads have been regularly checked for any signs of tampering or skimming devices being present, plus updated guidance on what to look for when doing the checks.
  • We now obscure the long card number (PAN) on screens and receipts, so it is no longer displayed in full – only the last four digits are shown, for example ************3440. If branches still hold receipts from before this was introduced (1 August 2020) that show the full PAN, they should be destroyed.
  • Our customer support centre uses a PCI DSS compliant solution for taking card payments over the phone, for example by making sure the card number is never seen by anyone other than the customer.

Thank you for your ongoing support. We’ll keep you posted about these PCI-related changes, so please look out for more information in the coming weeks.