How we are keeping customer cardholder data safe

We are putting new solutions and processes in place to meet the latest Payment Card Industry standards. These will prevent the misuse of cardholder information, reducing the likelihood of potential credit or debit card theft, fraud and security breaches.

The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements that every merchant or service provider that stores, processes and transmits cardholder data must meet in order to carry out secure card transactions. The standard was developed by the PCI Security Standards Council, which was formed by the five major card companies: Mastercard, American Express, Visa, JCB and Discover.

The standard not only protects your customers but also protects Post Office from potential financial loss. Not complying with the standard can also result in higher processing charges from the card companies and could mean Post Office being prevented from taking card payments.

We have already made some changes to the way Post Office branches and support centres work:

  • Obscuring PANs on screens and receipts. In August we introduced a change to Horizon so the long card numbers (PANs) are no longer displayed in full on the screen or on receipts – now, only the last four digits are seen, for example ************3440.
  • Telephony payments. Our customer support centre now uses a new PCI DSS compliant solution for taking card payments over the telephone. For example, when a cheque paid over the counter bounces, the customer support team can take a card payment securely over the phone: the customer keys their card details into the phone keypad, so the card number is never seen by anyone other than the customer.
  • PIN pad upgrade. You may recall engineers have visited branches to swap out the PIN pads for devices with upgraded software. The branch network PIN pads are now ready for secure PCI ‘Point to Point Encryption’ payments. The payments will be encrypted at the point the PIN is entered, so cardholder data will no longer pass through the Horizon system and subsequent Post Office back office systems.

It is important that we meet our PCI DSS compliance obligations, and there will be some essential changes in branches and to internal processes. For example, in the near future we will be asking branches to check the security of the PIN pads regularly to ensure they have not been tampered with, and also to dispose of receipts retained in branch for some products that may still contain full card numbers (PANs).

We’ll keep you posted about these PCI-related changes and what we would like you to do nearer the time, so please look out for more information in the coming weeks and months.