Barclaycard has issued the following positioning statement regarding the Barclaycard Risk Reduction Programme and its relationship with the PCI DSS and participating card schemes (Visa, Mastercard, Amex).
If you’re a Barclaycard merchant participating in the BRRP, this positioning statement may be of interest to you. If you’d like to find out more about the BRRP, you should contact Barclaycard directly. Further information is available from www.barclaycard.co.uk/pcidss
Here’s the statement in full.
The Barclaycard Risk Reduction Programme (BRRP) is a prioritised risk-based methodology designed to assist merchants in attaining or maintaining PCI DSS compliance within the context of their wider risk mitigation and governance requirements. All Card Scheme requirements and reporting needs with regard to PCI DSS compliance remain a stipulated requirement of all merchants participating in the programme.
The BRRP enforces the full intent of each PCI DSS requirement as there is a desired goal to have consistent implementation of PCI standards across the globe. The BRRP is aimed at merchants as a means of reducing risk in the quickest manner when on their journey towards full compliance. This approach can be used to aid the completion of the PCI SSC Prioritized Approach, as required by the Card Schemes and relevant mandates and continues to require quarterly progress according to existing card scheme requirements.
The BRRP does not remove the obligation of merchants to ensure that particular PCI DSS requirements will be eventually “in place”. In addition, the BRRP methodology is in line with the recent PCI SSC guidelines on Risk Assessment https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf.
Therefore merchants on the BRRP that are multi-acquired/multi-scheme will continue to report according to existing requirements (milestone approach, as delivered by the GRC tool), and in addition, for Barclaycard only, will also report quarterly on risk reduction activities.
As ever, please contact us if you have any questions regarding the above.
Or, where do I register with Visa Europe once I’ve received my completed ROC?
So you’re a service provider, you’ve been assessed by a QSA, and now you want some recognition in the form of a public listing on Visa Europe’s list of compliant service providers, or on the new Visa merchant agent listing web site.
But which route is appropriate?
The first thing to know is that Visa Europe classifies service providers as “agents”. An agent is further classified as follows:
- A member agent, providing services directly to a Visa Europe Member (who would be an acquiring bank or other payment processor, for example). Such services might include statement printing, card personalisation, or payment acquiring.
- A merchant agent, providing services directly to merchants. These services might include payment page hosting, web hosting or call centre services.
Most service providers will fit broadly into one of the above categories. However, if you’re offering both member and merchant services, then you’re both a member agent and a merchant agent. All of your services will have been assessed, and you can therefore register as both a member and a merchant agent.
A reminder too, that this discussion relates to Visa Europe only. The same may apply to other Visa organisations, but I can’t confirm that. Secondly, other card brands such as Mastercard have different terminology and registration processes.
Now you know what kind of agent you are, how do you register?
- Member agents. To register, speak with your client and get in touch with the person responsible for card brand liaison. Your client should be able to sponsor you as a member agent by submitting a form to Visa Europe. Once sponsorship is in place, ask your QSA to submit your ROC, AOC and Attestation of Scope (the QSA will have this) to Visa Europe. Once the documents are accepted, you’ll be included within the PDF on the Visa Europe web site.
- Merchant agents. Register your details at the merchant agents registration web site. You’ll need your ROC, your signed AOC and a signed Attestation of Scope document from your QSA. Complete the on-line registration details, accept the T&Cs, and upload your documents. All being well, your details will appear on the merchant agent listing web site shortly thereafter. Note that Visa Europe may charge you for listing.
I hope that’s clarified things for you as a service provider. In the past, with only one way for service providers to be listed (on the Visa Europe PDF document), there was confusion when attempting to find a Visa Member to sponsor merchant agent service providers. In these cases, no member/agent relationship was in place, making it difficult if not impossible for many organisations to make themselves known to Visa Europe.
This update concerns Level 1 Service Providers (member agents).
We just had an update from Visa Europe regarding the final cut-off dates for the December web listing. Normally, this is the 15th of the month (for listing during the same month).
However, to accommodate the Christmas holidays, the cut-off for December will be Friday 7th December. So, you’ll need to ensure that your QSA has submitted your documentation on or before the 7th December.
If you’re a service provider, this message will certainly be of interest to you.
As many of you will know, the process of registering as an agent is an important step in being recognised by Visa Europe as a PCI compliant service provider. Historically, this has meant finding an existing Visa member organisation (such as an Acquirer) to sponsor your registration. That’s not always been possible, especially where there’s no Acquirer relationship in place.
A new Visa web site, https://www.visamerchantagents.com/, is now available for you to self-register. We strongly recommend all (Level 1 or Level 2) service providers take a look at the new registration site and consider registration if they’ve not already done so.