What is PCI DSS?
Any organisation that stores, processes, transmits, or could affect the security of, payment card data needs to make sure it keeps that data safe. The Payment Card Industry Data Security Standard (PCI DSS) sets out 12 requirements, each made up of multiple controls, that organisations should implement to make sure they have appropriate cyber security in place to protect customer data. Some small organisations can self-certify, but larger organisations will need external assurance from a QSA company such as Gemserv that they meet the standard, in order to meet their contractual obligations to their suppliers and partners.
All organisations that process card data need to comply with PCI DSS.
PCI DSS is changing. You can continue to comply with version 3.2.1 until 31 March 2024, but version 4 is already available. Our experienced consultants can help you maintain your certification and understand what changes you will need to implement to get ready for version 4.
Expert Qualified Security Assessors (QSAs)
Our team of five QSAs helps a wide range of organisations to achieve and maintain PCI DSS compliance. Our clients include household name retailers and insurers as well as smaller organisations. Gemserv’s team is led by Mark Railton who has over 15 years’ experience of implementing PCI DSS for organisations in Tiers One to Four, from Version One onwards. Mark has built a team of QSAs who benefit from his wealth of knowledge.
PCI DSS Requirements
Network Security
This control requires you to install and maintain a firewall and to test it thoroughly, including testing network connections and ensuring that connections to untrusted networks are restricted. You may also need to implement other controls depending on the risks associated with your processing. We will check that your firewall meets the requirements and secures the data.
System Security and Builds
You will need to change any vendor-supplied default passwords and security settings, including disabling any unnecessary services and removing unnecessary functionality. We will check that your system configurations comply with the standard.
Protect stored data
You will need to protect any cardholder data you store, including erasing it when it is no longer needed and limiting what you store to only what is necessary. You may also need to implement other controls based on the risks associated with your processing activities. We will check that your data protections meet the requirements.
Encryption during transmission
You will need to ensure that cardholder data is protected when it is transmitted over public networks, including when it is sent via email or online chat systems. We will check that your staff do not share unprotected data via these kinds of channels.
Anti-Malware
You will need to install and regularly update anti-virus software, including performing and documenting regular system scans. We will check that your anti-virus is appropriate, up to date and that it is being used and maintained appropriately.
Systems Development and Change Management
You will need to implement an information security management system (ISMS) to ensure your cyber security practices continuously improve. We will review your approach against our knowledge of best practices and the cyber threat environment to ensure it is fit for purpose.
Access controls
You will need to ensure that access permissions are appropriate, including implementing a suitable approach to role-based access controls and user privileges. We will review your approach and ensure it meets the requirements.
User authentication
You will need to ensure that every individual has their own user ID, so that actions involving cardholder data can be authenticated and attributed to the person responsible. This will include maintaining records of events, including access to cardholder data and changes to records. We will review your approach and ensure it meets the requirements.
Access monitoring
You will need to maintain appropriate records for audit purposes, such as event logs, and processes to review those logs for suspicious activity. You may need other controls depending on the risks associated with your processing. We will ensure your approach meets the requirements.
Testing
You will need to implement a test plan to ensure that controls are working as intended. This includes vulnerability scans, asset inventories and similar controls. We will ensure your test plan is appropriate to manage your risks.
Information security policy
You will need to write and maintain an information security policy that explains your organisation’s approach to information security and the roles and responsibilities assigned throughout your organisation. We will ensure your policy is appropriate and that your team members understand it and follow it.
Get in touch
If you would like to know more about our work, or would like to speak with one of our experts, please complete our contact form.