COP28: Taking sustainability to new shores

View All

Case Studies

Hydrogen UK: Supporting the industry in the large-scale commercialisation of hydrogen

View All

Upcoming Events

The Distributed Energy Show

View All


Improving Heat Network Efficiency in the South West

View All

Payment Card Data Security | A padlock on top of bank cards, mobile phone and keyboard.Payment Card Data Security | A padlock on top of bank cards, mobile phone and keyboard.

Payment Card Industry Data Security Standard

We work in collaboration with clients and their suppliers to provide a robust and independent assessment to protect against potential risks, including annual Payment Card Industry Data Security Standard (PCI DSS) Audits.

What is PCI DSS?

Any organisation that stores, processes, transmits, or could affect the security of payment card data needs to make sure it keeps that data safe. Payment Card Industry Data Security Standard (PCI DSS) sets out 12 requirements, each made up of multiple controls, that organisations should implement to make sure they have appropriate cyber security in place to protect customer data. Some small organisations can self-certify but larger organisations will need external assurance from a QSA company such as Gemserv that they meet the standard in order to meet their contractual obligations to their suppliers and partners.

Payment Card Data Security | A person holds a credit card above a silver laptop

All organisations that process card data need to comply with PCI DSS.

PCI DSS is changing. You can continue to comply with version 3.2.1 until 31 March 2024, but version 4 is already available. Our experienced consultants can help you maintain your certification and understand what changes you will need to implement to get ready for version 4.

Expert Qualified Security Assessors (QSAs)

Our team of five QSAs helps a wide range of organisations to achieve and maintain PCI DSS compliance. Our clients include household name retailers and insurers as well as smaller organisations. Gemserv’s team is led by Mark Railton who has over 15 years’ experience of implementing PCI DSS for organisations in Tiers One to Four, from Version One onwards. Mark has built a team of QSAs who benefit from his wealth of knowledge.

PCI DSS Requirements

Cyber Threat Detection

Networking Security

This control requires you to install and maintain a firewall and make sure you test it thoroughly including testing network connections and ensuring connections to untrusted networks are restricted. You may also need to implement other controls depending on the risks associated with your processing. We will check that your firewall meets the requirements and secures the data.

System Security and Builds

You will need to change any vendor-supplied default passwords and security settings, including ensuring any unnecessary services are disabled and removing unnecessary functionality. We will check that your systems set ups comply with the standard.

Protect stored data

You will need to protect any cardholder data you store, including ensuring you erase it when no longer needed and limit what you store to only what is necessary. You may also need to implement other controls based on the risks associated your processing activities. We will check that your data protections meet the requirements.

Encryption during transmission

You will need to ensure that cardholder data is protected when it is transmitted over public networks such as via email and online chat systems. We will check that your staff do not share unprotected data via these kinds of channels.


You will need to install and regularly update anti-virus software, including performing and documenting regular system scans. We will check that your anti-virus is appropriate, up to date and that it is being used and maintained appropriately.

Systems Development and Change Management

You will need to implement an information security management system (ISMS) to ensure your cyber security practices continuously improve. We will review your approach against our knowledge of best practices and the cyber threat environment to ensure it is fit for purpose.

Access controls

You will need to ensure that access permissions are appropriate, including implementing a suitable approach to role-based access controls and user privileges. We will review your approach and ensure it meets the requirements.

User authentication

You will need to ensure that all individuals have user IDs so that there is a way to authenticate and validate who is responsible for actions in respect of cardholder data. This will include maintaining records of events including access to cardholder data and changes to records. We will review your approach and ensure it meets the requirements.

Access monitoring

You will need to maintain appropriate records for audit purposes, such as events logs, and processes to review the logs for suspicious activity. You may need other controls depending on the risks associated with your processing. We will ensure your approach meets requirements.


You will need to implement a test plan to ensure that controls are working as intended. This includes controls such as vulnerability scans, asset inventories and other controls. We will ensure your test plan is appropriate to manage your risks.

Information security policy

You will need to write and maintain an information security policy that explains your organisation’s approach to information security and the roles and responsibilities assigned throughout your organisation. We will ensure your policy is appropriate and that your team members understand it and follow it.

Get in touch

If you would like to know more about our work, or would like to speak with one of our experts, please complete our contact us form.

Contact Us

Our other cyber security service offerings

  • Someone on a laptop with graphs being projected

    Cyber Business Strategy & Framework

    Helping develop a robust cyber business strategy.

  • Risk Management

    Building a better approach to risk.

  • Third Party Assurance

    Providing confidence in the suppliers you work with.

  • Business Continuity

    Helping make sure you could cope in a crisis.

  • Man in a call centre with computers monitoring data.

    Incident Exercises & Training

    Comprehensive solutions to mitigate the impact of cyber incidents and protect your organisation's valuable assets.