PCI compliance: Barron McCann urges retailers to check all service providers meet security requirements


Retailers are being urged to check that their service providers, who install, exchange or return defective devices to the manufacturer on the retailer’s behalf, have the necessary security agreements in place to ahead of an audit.

It is common knowledge that a merchant/retailer has to be PCI compliant for the banks and card companies and that they need to be able to demonstrate this following new legislation over the last few years. However, many don’t realise that it is wise to ensure that their service providers have security agreements in place too, claims information security expert at Barron McCann.

According to the retail IT service specialist, any service provider that has access to a retailer’s devices, from maintenance and repairs to disposal, must ensure they have appropriate security procedures in place.

ISO 27001:2013 is the highest level of security management system that a company can have, although it is not common amongst the vast majority of suppliers.

Following work on government projects, Barron McCann is one such supplier that has opted to have the ISO 27001:2005 certification, soon to be upgraded to :2013.

Graham Thornton, information security manager at Barron McCann, said: “Due to the nature of our work, this particular certification covers the provision of servicing, service replacement, technical support and decommissioning of IT equipment. This is in force throughout the entire company and provides our retail customers with the confidence that information security measures are in place.

“All our engineers have security procedures they need to comply with when they exchange devices as well as procedures to assess/monitor if it’s been tampered with. The fact that a supplier of services has the necessary information security accreditation in their own right goes a long way to satisfy any would be auditor that the retailer’s third party suppliers have the necessary credentials.”