You will have noticed from my past posts that I am not a fan of the Home Office, to put it mildly. A few months ago my wife got a new (non-UK) passport with a new name, and under Home Office rules you are required to notify them within 90 days.

Very swiftly I filled out what I thought was the right online form and paid them £38.20. This figure sounded fair to me until it said you need an appointment with Sopra Steria, one of the government's many profit-making outsourcers. £139 was the cheapest appointment, and they sell extras like luxury lounges and special assistance.

There is no choice but to pay £139-£400 plus optional extras, and all they do is take your photo again, scan your fingerprints and take a copy of your new passport. £139 is very excessive for a five-minute appointment in my view.

Three weeks passed and the Home Office emailed saying "we do not understand your application". Perhaps I had used the wrong form. I replied explaining what we wanted, and another 2-3 weeks passed. Another email came saying the same thing, and I sent the same reply as before. Below is their response:

“From: FHR2
Sent: Wednesday, July 19, 2023
To: xxxxxxxxxxx
Subject: UAN xxxx-xxxxxxxxxxxxx
Dear Mrs xxxxxxxxxxxxxxxxx,
Thank you for your quick response.
Because you have selected no to changes in personal details on the form you have been charged an incorrect fee.
The fee for this type of application is £180.20. We require a top up payment of £142.00.
I have attached a payment sheet to be completed and returned to this email address by 2nd August 2023.
Yours sincerely,
Kaye xxxxxx
FLRM AO Caseworker
Marriage and Family | Visa, Status and Information Services
Customer Services Group | UK Visas and Immigration”

Perhaps it is a scam? No; the DKIM and SPF results on the email, and the metadata of the DOCX below, were the Home Office's.
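The check described above, reading the SPF and DKIM verdicts that the receiving mail server recorded and confirming that the DKIM signing domain matches the From: domain, is shown here as an added example; it is not code from the original post. The raw message is constructed for illustration, and the mail server identifier "mx.example.net" is an assumption. Only the Authentication-Results header written by your own receiving server is trusted; a sender can put a fake one in the message, so headers carrying any other authserv-id are ignored.

```python
"""Read the Authentication-Results header of a raw email and decide whether
SPF and DKIM both passed and the DKIM domain aligns with the From: domain."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (illustrative; not a real Home Office email).
RAW_MESSAGE = """\
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=homeoffice.gov.uk;
  dkim=pass header.d=homeoffice.gov.uk header.s=sel1
From: FHR2 <fhr2@homeoffice.gov.uk>
To: recipient@example.net
Subject: UAN xxxx-xxxxxxxxxxxxx

Thank you for your quick response.
"""

# Assumed identifier of our own receiving mail server (the authserv-id).
TRUSTED_AUTHSERV_ID = "mx.example.net"


def authentication_summary(raw, authserv_id=TRUSTED_AUTHSERV_ID):
    """Return SPF/DKIM results taken only from headers our own server added."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    summary = {"spf": "none", "dkim": "none", "dkim_domain": "",
               "from_domain": from_domain, "aligned": False}
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(header.split())          # unfold continuation lines
        authserv, _, results = flat.partition(";")
        if not authserv.strip() or authserv.split()[0] != authserv_id:
            continue                               # not written by our server
        spf = re.search(r"\bspf=(\w+)", results)
        dkim = re.search(r"\bdkim=(\w+)", results)
        dkim_domain = re.search(r"header\.d=([\w.-]+)", results)
        if spf:
            summary["spf"] = spf.group(1).lower()
        if dkim:
            summary["dkim"] = dkim.group(1).lower()
        if dkim_domain:
            d = dkim_domain.group(1).lower()
            summary["dkim_domain"] = d
            # Relaxed alignment: the From: domain equals the signing domain
            # or is a subdomain of it.
            summary["aligned"] = from_domain == d or from_domain.endswith("." + d)
    return summary


def looks_authentic(raw, authserv_id=TRUSTED_AUTHSERV_ID):
    """True only when SPF and DKIM passed and the DKIM domain is aligned."""
    s = authentication_summary(raw, authserv_id)
    return s["spf"] == "pass" and s["dkim"] == "pass" and s["aligned"]


if __name__ == "__main__":
    print(authentication_summary(RAW_MESSAGE))
    print("authentic:", looks_authentic(RAW_MESSAGE))
```

A passing result says the message really came through the claimed domain's mail infrastructure; it says nothing about whether the content is legitimate, which is why the DOCX metadata was checked as well.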

Swiftly I replied, asking whether I could call them to take payment or do a bank transfer. No was the reply: cheque, or credit card details sent by email, only. Of course I mentioned to them that this goes against PCI-DSS rules. What is PCI-DSS? The Payment Card Industry Data Security Standard: in plain English, international requirements set by the PCI Security Standards Council that govern card handling globally. Think of it as GDPR for credit/debit card storage and processing.

“Do not store cardholder data unless there is a legitimate business need; truncate or mask cardholder data if full PAN is not needed and do not send PAN in unencrypted emails, instant messages, chats, etc.” - taken from Also, storing the CVV can be problematic.
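The quoted guidance asks for two things an organisation can enforce mechanically: do not let a full PAN travel over unencrypted email, and mask it when the full number is not needed. The following added example (not code from the original post) is a small DLP-style check of the kind a mail gateway or form handler could run: it finds candidate card numbers in free text, confirms them with the Luhn check digit so that ordinary reference numbers are not flagged, and masks everything but the last four digits. The sample strings are constructed and use the well-known test numbers 4111 1111 1111 1111 and 1234 5678 9012 3456, not real cards.

```python
"""Find PANs in text, validate them with Luhn, and mask them to the last four
digits before the text is allowed out over email."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent
# to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check digit test on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _is_pan(candidate):
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text):
    """Return every Luhn-valid card number found in the text, as written."""
    return [m.group(0) for m in CANDIDATE.finditer(text) if _is_pan(m.group(0))]


def mask_pans(text):
    """Replace each PAN with asterisks, keeping only the last four digits."""
    def repl(match):
        if not _is_pan(match.group(0)):
            return match.group(0)        # a long number that is not a card
        digits = re.sub(r"[ -]", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(repl, text)


def email_body_is_safe(text):
    """Gateway decision: the message may leave only if it carries no PAN."""
    return not find_pans(text)


if __name__ == "__main__":
    # Constructed sample bodies for demonstration.
    sample = "Card: 4111 1111 1111 1111, CVV 123"
    print(find_pans(sample))
    print(mask_pans(sample))
    print("safe to send:", email_body_is_safe(sample))
```

The regular expression alone over-matches (any 13-19 digit run), so the Luhn test does the real filtering; the CVV is too short to be caught by this check and, as the post notes, should never be stored at all, so a production gateway would pair this with a rule for three or four digit values next to the words CVV, CVC or security code.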

What did I do? With no cheque book, and not wanting to go to the bank, post a cheque and wait a week or more for processing, I did something I should not have done. We have an online bank account that is very rarely used. I transferred £142 into it, generated a new digital credit card, sent them the completed DOCX over email, waited for the transaction to show as pending, and then deleted the digital card. Days later the new BRP was posted.

Home Office, this leaves me with two questions. 1. Why does it cost £139 (outsourcer), £38.20 (your fee #1) and £142 (your fee #2) to print a new BRP, which probably costs £5 to produce? 2. Why, in 2023, are you still requesting credit card details over standard email?