What is PCI DSS?
All organisations that process card data need to comply with PCI DSS.
PCI DSS is changing. You can continue to comply with version 3.2.1 until 31 March 2024, but version 4 is already available. Our experienced consultants can help you maintain your certification and understand what changes you will need to implement to get ready for version 4.
Expert Qualified Security Assessors (QSAs)
PCI DSS Requirements
This control requires you to install and maintain a firewall and make sure you test it thoroughly including testing network connections and ensuring connections to untrusted networks are restricted. You may also need to implement other controls depending on the risks associated with your processing. We will check that your firewall meets the requirements and secures the data.
System Security and Builds
You will need to change any vendor-supplied default passwords and security settings, including ensuring any unnecessary services are disabled and removing unnecessary functionality. We will check that your systems set ups comply with the standard.
Protect stored data
You will need to protect any cardholder data you store, including ensuring you erase it when no longer needed and limit what you store to only what is necessary. You may also need to implement other controls based on the risks associated your processing activities. We will check that your data protections meet the requirements.
Encryption during transmission
You will need to ensure that cardholder data is protected when it is transmitted over public networks such as via email and online chat systems. We will check that your staff do not share unprotected data via these kinds of channels.
You will need to install and regularly update anti-virus software, including performing and documenting regular system scans. We will check that your anti-virus is appropriate, up to date and that it is being used and maintained appropriately.
Systems Development and Change Management
You will need to implement an information security management system (ISMS) to ensure your cyber security practices continuously improve. We will review your approach against our knowledge of best practices and the cyber threat environment to ensure it is fit for purpose.
You will need to ensure that access permissions are appropriate, including implementing a suitable approach to role-based access controls and user privileges. We will review your approach and ensure it meets the requirements.
You will need to ensure that all individuals have user IDs so that there is a way to authenticate and validate who is responsible for actions in respect of cardholder data. This will include maintaining records of events including access to cardholder data and changes to records. We will review your approach and ensure it meets the requirements.
You will need to maintain appropriate records for audit purposes, such as events logs, and processes to review the logs for suspicious activity. You may need other controls depending on the risks associated with your processing. We will ensure your approach meets requirements.
You will need to implement a test plan to ensure that controls are working as intended. This includes controls such as vulnerability scans, asset inventories and other controls. We will ensure your test plan is appropriate to manage your risks.
Information security policy
You will need to write and maintain an information security policy that explains your organisation’s approach to information security and the roles and responsibilities assigned throughout your organisation. We will ensure your policy is appropriate and that your team members understand it and follow it.
SPS (formerly Swisspost Solutions)