HSBC, PCI DSS and their plain English ‘help’ lines!


Don’t get me wrong I am an HSBC fan. I’ve always banked with them and their help on a day to day basis at personal account, branch level has always been nigh on faultless. Readers of this blog will recall my overwhelming gratitude to their travel helpline last year when I found myself in desperate need of medical assistance while on holiday, and again, my experience was faultless.

It does not make me happy, therefore, to ask why then, are there such huge chasms of lacking customer support where it is most needed, within the merchant services department?

Almost a year ago I received a letter informing me that all the card issuers were demanding that online and offline merchants be PCI DSS compliant to cover you against hackers. It was yet another process to go through, and I dealt with a company in Utah, a company who HSBC say you can use but who they can’t recommend… yet whose only number at the time seemed to be the ‘for further information call’ number. Many other online retailers I know had NOT received this notification from their banks; other more cynical types saw it as a classic white elephant, a money-spinning made-up form of compliance!

It all seemed rather childish to me to say ‘we can’t recommend’, yet, at the same time, be the only further point of contact on the subject. How does all that red tape, pseudo-legalise, mumbo jumbo work, eh?

Last year, once I’d contacted my local Business Link to find out what the score was (and, to their credit, while not knowing they did their absolute best to find out the answer), I did bite the bullet and called the Utah company. I had even been into the merchant branch and asked who I could speak to about it and nobody had a clue. I digress. Anyway, I got halfway through the process and the guy at the other end asked me to hold while he checked a detail. 15 mins later, his not having returned, I hung up. I called back and explained that I was halfway through the compliance interview when the guy in effect hung up… and get this, they couldn’t start the process again because it was already underway, and the guy had not hung up, he’d clocked off for the day and wouldn’t be back in work for two days, and nobody else could take up the call!!!! You couldn’t write it.

Anyway I said I’d call back and then just started again with another guy who was a darling.

15 minutes later I was compliant.

This morning I received another letter from HSBC telling me I MUST become PCI DSS compliant as if my current compliant status has somehow escaped them. If not then I’d be charged this, that and the other for not being – and charged on a monthly basis.

I called them to let them know my current status and to see if the letter was just a standard letter or something to which I ought to respond, and having passed through a series of annoying ‘for all other enquiries press 6 then 3’ steps, I finally spoke to a human. Said human did not have English as her first language. And this is where it all falls down for me. It beggars belief to me to send people what amounts to a threatening letter with a contact number (which for the record was also wrongly printed on the letter) and then put you through to someone who clearly has not the foggiest idea what you’re talking about. I stated that I’d been through the process last year and as a result receive quarterly email confirmations that my compliance is up to date. To wit the response, “You’re having trouble receiving email updates from the PCI DSS”.

No – I just wanted to know if I have to tell you again that I am already compliant or if you already know. Was the letter just a standard mailing or need I respond?

And in the end she said to ignore the letter. One more point, I asked, “I intend to add PayPal to the site in the near future. Will this affect my existing PCI DSS compliance or do I need to start again?”

And then I had the most difficult to follow, inane answer, so much so that I’m none the wiser now. I can’t share my merchant number with PayPal – I said that wasn’t what I was asking. I can’t use my merchant number for PayPal – I said that wasn’t what I was asking. I asked again if I need to go through the whole compliance procedure again and she just said I needed to contact PayPal to arrange.

And then I just gave up because it’s clear that the person was not with me and I was left with no alternative than to hang up in disbelief shouting at a blank receiver – why can’t you just understand plain English?????

Even more irksome, if it’s so bloody mandatory why then, when you search PCI DSS on their own merchant services area online are ‘no items found’? The only place I found, which did not come up on the search button, was the online version of the card users newsletter.

I find it wholly unacceptable to send demanding letters, hinting at legal action, describing a nightmare scenario, hinting at fines for non-conformance and basically putting the fear of god into anyone who doesn’t understand the situation fully, and to pay lip service to extending a hand of help when it’s just left me more bewildered, confused and two hours down on my day’s work. Should I just charge it back to them?

Not for the first time I am disgusted by the situation.

I wonder how many ebayers are PCI DSS compliant and who is chasing them? Answers on a postcard!

I think, HSBC, with all due respect to your staff who must be sick and tired of being shouted at, that a helpline staffed by people who know what the hell they are talking about is long overdue. If you are going to make demands of your customers, at least meet them half way and provide a dedicated line… whose CORRECT number is stated on your letter… staffed by those who have a sufficiently good command of English so as not to invoke rage-like reactions from your customers!



8 Responses to “HSBC, PCI DSS and their plain English ‘help’ lines!”

  1. ali Says:

    I have had this letter too, having been told last year it was not applicable as I use a 3rd party processor. I too have had no help on the phone. I am at a loss as to what I have to do. Thumbs down to HSBC – the bank itself has been fine, the secure epayment service is appalling.

  2. sallyedmundson Says:

    Hi Ali

    Yes, it’s very disconcerting indeed. I have to say my experience with the secure epayment has been very good; it’s just the PCI DSS stuff which drives me to distraction.

    I don’t mind having to comply with anything, if it’s all in both mine and the customer’s interest then I have no quarrel but I take huge exception to being sent something with a helpline which is of no help!

    I know a couple of other online retailers who bank with other banks, neither of whom have been sent anything other than an advisory note stating that the compliance is out there if they wish to take advantage.

    It does make me beg the question which global bank issues the highest number of credit/debit cards… or does HSBC have an added interest in the company whom they do/don’t recommend.

    I doubt we’ll ever know the answer but glad I’m not the only one.

  3. Cally Robson Says:

    Hi Sally
    What are the chances of that!
    I Googled “HSBC DCI PSS compliance” having received a letter from them a few days ago, and your post came up on the first page of Google.

    Shows what a nicely optimised site you have. 🙂

    Anyway, I use Sagepay on my site to process payments. I still haven’t managed to uncover whether this means Sagepay compliance covers this off or if I still have to supply certification.

    Good luck w your DCI PSS. If I find out anything useful, I’ll let you know.
    PS Still get to talk to you by phone some time.


  4. sallyedmundson Says:

    Hi Cally

    Yes we really must talk. How very ironic that our paths should cross again due to this!

    Thanks for the comment.


  5. Simon Says:

    Sally, Cally, Ali (and any other Merchants needing help)

    Having been through this process myself a few years ago, it can be most frustrating trying to get the help you need. Here are a few pointers:

    1. Fill in a SAQ (Self Assessment Questionnaire) available from the PCI SSC website. This comes in 4 types (A, B, C or D) and you fill in the one that is appropriate to your business.

    2. If you are non-compliant, or in any doubt about your compliance when filling in the SAQ, get in touch with an industry specialist; the better ones will be happy to help you rather than hang up on you. A good QSA is your best bet, this is their area of expertise. QSAs can be found at the PCI SSC website too, choose wisely.

    3. Once you are in a position to attest to your compliance, send in the signed SAQ (and any further supporting information as necessary) to your acquiring bank.

    4. Stay compliant and repeat 1, 2 and 3 every year.

    Kind regards and best wishes to you all,


  6. Richard Says:

    Seems like a sort of phishing scam. Today I received a letter from Security Metrics telling me that as my company was not PCI compliant we would get a £20 a month charge.

    I wrote back with a copy of the letter they sent 3 months ago saying we were PCI compliant for the next 12 months.

    Then later I called their number, which is sort of part of their scam I reckon. After waiting on hold on an 08xx number for a while I got them to tell me that I was compliant and that there must be some mistake at their end, but nothing (yet) in writing to confirm this correction from the previous written notice threatening surcharges.

    I suspect that there is some combination of incompetence and willful overzealous distribution of this bogus message, and that I am one of thousands getting spammed with these erroneous ransom demands.

    Like some nasty spam scam, sending emails is zero cost and you only need a small percentage to fall for it and you get a good return on your efforts.

    • sallyedmundson Says:

      Thanks for the comment, Richard. I totally sympathise but to give Security Metrics some credit, when I had a similar reminder…having also been compliant relatively recently, it then came to light that as my payment method with HSBC had changed so had my merchant number so while my site was still compliant, because I had a new merchant number it looked like I’d never gone through the process….it’s all so galling….let’s not even get started about trying to tell HSBC I have a new address… this space!

  7. Sebastian Says:

    Just had a letter telling me that I am not compliant even though I sent my compliance details in last June. However it seems, and I don’t remember seeing this anywhere, I have to send scan results in quarterly. I have now also checked back on my SecureEpayment bills and indeed I have been charged £20 a month for the last 6 months for non-compliance!

    Never got an email or letter warning me, and when I speak to HSBC they refer me to Security Metrics. I feel that it’s all a bit too cozy between HSBC and Security Metrics, as they offer the compliance checking and reporting for HSBC and also try and sell their services to their customers.

    Anyway I would highly recommend that everyone boycotts Security Metrics as I found an easy and free way to comply.

    go to

    Register and then you have free access to McAfee PCI Compliance, which will take you through a compliance questionnaire and perform a scan that generates the report you need.

    All free
