Payment Card Industry Data Security Standard

We work in collaboration with clients and their suppliers to provide a robust and independent assessment to protect against potential risks, including annual Payment Card Industry Data Security Standard (PCI DSS) Audits.

What is PCI DSS?

Any organisation that stores, processes or transmits payment card data, or that could affect the security of that data, must keep it safe. The Payment Card Industry Data Security Standard (PCI DSS) sets out 12 requirements, each made up of multiple controls, that organisations must implement to protect cardholder data. Smaller organisations can usually self-assess against the relevant Self-Assessment Questionnaire (SAQ), but larger merchants and service providers need an independent on-site assessment and Report on Compliance from a Qualified Security Assessor (QSA) company such as Gemserv in order to meet their obligations to their acquiring banks, the card brands and their business partners.

All organisations that process card data need to comply with PCI DSS.

PCI DSS is changing. You can continue to be assessed against version 3.2.1 until it is retired on 31 March 2024, but version 4.0 is already available. Our experienced consultants can help you maintain your certification and understand which changes you will need to implement to be ready for version 4.0.

Expert Qualified Security Assessors (QSAs)

Our team of five QSAs helps a wide range of organisations to achieve and maintain PCI DSS compliance. Our clients include household-name retailers and insurers as well as smaller organisations. Gemserv's team is led by Mark Railton, who has over 15 years' experience of implementing PCI DSS for Level 1 to Level 4 organisations, from version 1 of the standard onwards. Mark has built a team of QSAs who benefit from his wealth of knowledge.

PCI DSS Requirements

Networking Security

This requirement covers installing and maintaining network security controls such as firewalls, and testing them properly, including reviewing rulesets and network connections and ensuring that traffic between the cardholder data environment and untrusted networks is restricted. Depending on the risks associated with your processing you may also need further controls. We will check that your network security controls meet the requirements and protect the data.

System Security and Builds

You will need to change vendor-supplied default passwords and security settings before systems go live, harden your system builds by disabling unnecessary services and removing unnecessary functionality, and maintain configuration standards for each type of system. We will check that your system builds comply with the standard.

Protect stored data

You will need to protect any cardholder data you store: keep storage to the minimum necessary, never retain sensitive authentication data after authorisation, render stored primary account numbers (PANs) unreadable (for example by truncation, tokenisation or strong encryption) and securely erase data once it is no longer needed. You may also need further controls based on the risks associated with your processing activities. We will check that your data protections meet the requirements.

Encryption during transmission

You will need to protect cardholder data with strong cryptography (such as a current version of TLS) whenever it is transmitted over open, public networks, and make sure PANs are never sent unprotected through end-user messaging such as email, SMS or online chat. We will check that your transmission encryption is configured correctly and that your staff do not share unprotected data via these kinds of channels.

Malware protection

You will need to deploy anti-malware software on in-scope systems and keep it current, including performing and documenting regular scans and making sure the software stays running and cannot be disabled by ordinary users. We will check that your anti-malware controls are appropriate, up to date and being used and maintained properly.

Systems Development and Change Management

You will need to develop and maintain secure systems and software: identify and risk-rank new vulnerabilities, apply security patches promptly, follow secure development practices for any software you build, and put changes to in-scope systems through a documented change management process. We will review your approach against the standard and our knowledge of the current threat environment to ensure it is fit for purpose.

Access controls

You will need to restrict access to cardholder data to those whose job requires it, using role-based access control, least privilege and a documented approval process for granting access. We will review your approach and ensure it meets the requirements.

User authentication

You will need to ensure that every user has a unique ID and is authenticated with strong credentials, including multi-factor authentication for access into the cardholder data environment, so that any action affecting cardholder data can be traced to an individual. We will review your approach and ensure it meets the requirements.

Access monitoring

You will need to log security-relevant events, including all access to cardholder data and administrative actions, protect those logs from tampering, retain them for audit purposes and review them regularly for suspicious activity. You may need other controls depending on the risks associated with your processing. We will ensure your approach meets the requirements.

Security testing

You will need to test your security controls regularly to confirm they work as intended, including vulnerability scans, penetration testing, detection of unauthorised wireless access points and change detection on critical files, all supported by an accurate inventory of in-scope assets. We will ensure your test plan is appropriate to manage your risks.

Information security policy

You will need to write and maintain an information security policy that sets out your organisation's approach to information security and the roles and responsibilities assigned across the organisation, and make sure staff are trained in it. We will ensure your policy is appropriate and that your team members understand it and follow it.
