Back

Who We Are

Meet The Team

Awards And Certificates

Annual Reports

Responsible Business

Blogs

Turning Point: What do the PMs net zero announcements really mean for heat?

View All

Case Studies

ePrivacy for a Major High Street Bank

View All

Upcoming Events

International Cyber Expo 2023

View All

Webinars

Opportunities

View All

Close

Press enter to search

Payment Card Data Security | A padlock on top of bank cards, mobile phone and keyboard.Payment Card Data Security | A padlock on top of bank cards, mobile phone and keyboard.

Payment Card Industry Data Security Standard

We work in collaboration with clients and their suppliers to provide a robust and independent assessment to protect against potential risks, including annual Payment Card Industry Data Security Standard (PCI DSS) Audits.

What is PCI DSS?

Any organisation that stores, processes, transmits, or could affect the security of payment card data needs to make sure it keeps that data safe. Payment Card Industry Data Security Standard (PCI DSS) sets out 12 requirements, each made up of multiple controls, that organisations should implement to make sure they have appropriate cyber security in place to protect customer data. Some small organisations can self-certify but larger organisations will need external assurance from a QSA company such as Gemserv that they meet the standard in order to meet their contractual obligations to their suppliers and partners.
Payment Card Data Security | A person holds a credit card above a silver laptop

All organisations that process card data need to comply with PCI DSS.

PCI DSS is changing. You can continue to comply with version 3.2.1 until 31 March 2024, but version 4 is already available. Our experienced consultants can help you maintain your certification and understand what changes you will need to implement to get ready for version 4.

Visit the PCI Security Council's website

Expert Qualified Security Assessors (QSAs)

Our team of five QSAs helps a wide range of organisations to achieve and maintain PCI DSS compliance. Our clients include household name retailers and insurers as well as smaller organisations. Gemserv’s team is led by Mark Railton who has over 15 years’ experience of implementing PCI DSS for organisations in Tiers One to Four, from Version One onwards. Mark has built a team of QSAs who benefit from his wealth of knowledge.
View Mark Railton's Bio

Your Annual PCI DSS Check - How the service works

  • People holding mobile phones
  • Man sitting in front of two computer screens with headset on

  • Step 1

    Get in touch to discuss your PCI DSS requirements. Have a no obligation chat about your requirements and what our process would look like for you. We can then advise you of the resources that are likely to be required to get you ready for your assessment.

  • Step 2

    Your QSA will work with you to schedule a gap analysis to establish your current position and provide you with your remediation plan to get ready for your full assessment. This remediation plan will be presented in a report and your consultant will meet with you to discuss it and answer any questions.

  • Step 3

    Your QSA will support you as you work through your remediation plan, explaining the requirements as you decide how to tackle your remediation plan. We will make sure you have all the information you need as you get ready for your formal assessment.

  • Step 4

    We will then carry out the formal assessment. We expect that you will have no difficulty achieving your attestation of compliance. Your attestation will be provided to you after your successful assessment. In the unlikely event of a problem, we will provide an updated remediation plan and schedule a revisit to complete the assessment.

  • Step 5

    Your PCI DSS certification needs to be renewed every year. Your QSA will ensure that you are aware of any updates and will contact you in good time to make sure you are ready for your reassessment. We will also be available to advise you on any PCI DSS implications for processing changes you make throughout the year.

    PCI DSS Requirements

    Cyber Threat Detection

    Networking Security

    This control requires you to install and maintain a firewall and make sure you test it thoroughly including testing network connections and ensuring connections to untrusted networks are restricted. You may also need to implement other controls depending on the risks associated with your processing. We will check that your firewall meets the requirements and secures the data.

    System Security and Builds

    You will need to change any vendor-supplied default passwords and security settings, including ensuring any unnecessary services are disabled and removing unnecessary functionality. We will check that your systems set ups comply with the standard.

    Protect stored data

    You will need to protect any cardholder data you store, including ensuring you erase it when no longer needed and limit what you store to only what is necessary. You may also need to implement other controls based on the risks associated your processing activities. We will check that your data protections meet the requirements.

    Encryption during transmission

    You will need to ensure that cardholder data is protected when it is transmitted over public networks such as via email and online chat systems. We will check that your staff do not share unprotected data via these kinds of channels.

    Anti-Malware

    You will need to install and regularly update anti-virus software, including performing and documenting regular system scans. We will check that your anti-virus is appropriate, up to date and that it is being used and maintained appropriately.

    Systems Development and Change Management

    You will need to implement an information security management system (ISMS) to ensure your cyber security practices continuously improve. We will review your approach against our knowledge of best practices and the cyber threat environment to ensure it is fit for purpose.

    Access controls

    You will need to ensure that access permissions are appropriate, including implementing a suitable approach to role-based access controls and user privileges. We will review your approach and ensure it meets the requirements.

    User authentication

    You will need to ensure that all individuals have user IDs so that there is a way to authenticate and validate who is responsible for actions in respect of cardholder data. This will include maintaining records of events including access to cardholder data and changes to records. We will review your approach and ensure it meets the requirements.

    Access monitoring

    You will need to maintain appropriate records for audit purposes, such as events logs, and processes to review the logs for suspicious activity. You may need other controls depending on the risks associated with your processing. We will ensure your approach meets requirements.

    Testing

    You will need to implement a test plan to ensure that controls are working as intended. This includes controls such as vulnerability scans, asset inventories and other controls. We will ensure your test plan is appropriate to manage your risks.

    Information security policy

    You will need to write and maintain an information security policy that explains your organisation’s approach to information security and the roles and responsibilities assigned throughout your organisation. We will ensure your policy is appropriate and that your team members understand it and follow it.

    Award Celebration

    Awards and Certificates

    We are certified to many industry standards and have been recognised for our commitment to our people.

    Find Out More

    Get in touch

    If you would like to know more about our work, or would like to speak with one of our experts, please complete our contact us form.

    Contact Us

    Our other cyber security service offerings

    • Someone on a laptop with graphs being projected

      Cyber Business Strategy & Framework

      Helping develop a robust cyber business strategy.

    • Risk Management

      Building a better approach to risk.

    • Third Party Assurance

      Providing confidence in the suppliers you work with.

    • Business Continuity

      Helping make sure you could cope in a crisis.

    • Man in a call centre with computers monitoring data.

      Incident Exercises & Training

      Comprehensive solutions to mitigate the impact of cyber incidents and protect your organisation's valuable assets.