
What is PCI DSS? A Guide on How to Comply

To protect against increasingly sophisticated cyber threats, organisations must implement measures to secure the information they process, including customers’ and other stakeholders’ payment card information. The Payment Card Industry Data Security Standard (PCI DSS) is a set of controls that must be applied to security policies, technologies and ongoing processes to protect payment systems from breaches and cardholder data from being compromised or stolen.

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard designed to ensure that all organisations that process, store or transmit cardholder data maintain a secure environment. It aims to protect cardholder data from fraud and security breaches while it is processed, stored and transmitted.

How do I know if I need to comply with PCI DSS and how do I comply?

If your organisation handles large volumes of transactions, your compliance must be assessed by an independent Qualified Security Assessor Company (QSAC), and that assessment must be repeated annually. Organisations handling smaller volumes can demonstrate compliance via a self-assessment questionnaire (SAQ).

What Could Happen if your Organisation Doesn’t Comply with PCI DSS?

Non-compliance with the PCI DSS can have severe consequences for an organisation. A number of penalties can be imposed if you do not comply, including monthly penalties until compliance is achieved and increased payment card transaction fees. In the most serious cases, your organisation’s contract with its bank can become void and your ability to take card payments can be withdrawn.

Compliance with the PCI DSS is also considered due diligence under the Data Protection Act (2018), and the UK’s privacy regulator, the Information Commissioner’s Office (ICO), has fined organisations for non-compliance with the PCI DSS following card data breaches.

Speak to a PCI DSS Expert

Our consultants have worked with hundreds of different companies across a wide range of industries including local government, entertainment, retail, hospitality, IT services, charities, and many more. They also have experience of working with companies of various sizes ranging from self-employed individuals to multi-national corporations. 


Penetration Testing & Vulnerability Scanning

Penetration testing is the authorised simulation of a cyber attack on an organisation to establish the effectiveness of its defences and how much damage a malicious actor could inflict. Vulnerability scanning is a (usually automated) assessment of a system or network, also conducted to identify vulnerabilities in an organisation’s environment.

Regular pen testing and vulnerability scanning are both requirements for PCI DSS compliance. They allow you to proactively identify weaknesses in your cardholder data environment (CDE) and its defences before they are maliciously exploited. As an Approved Scanning Vendor (ASV) recognised by the Payment Card Industry Security Standards Council (PCI SSC) and a CREST-accredited organisation, URM is ideally placed to help you meet the PCI DSS scanning and pen testing requirements.

Scope Reduction

The PCI SSC defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to accurately determine the scope of assessment.”

URM’s consultants can work with you to determine the correct assessment scope, from which you can proceed to analyse the applicability and necessity of each PCI DSS control requirement.

Gap Analysis

A PCI DSS gap analysis is an assessment of your current cardholder processing activities against the requirements of the Standard, in order to establish where there are ‘gaps’ in your compliance.

Often the first step in any PCI DSS compliance project, the outputs of URM’s gap analysis inform any remedial work required and provide a clear roadmap to compliance with, and certification against, the Standard.

PCI DSS Implementation and Remediation

Once the most appropriate assessment scope has been identified and a gap analysis conducted, URM’s Qualified Security Assessor (QSA) can guide and support any implementation and remediation activities necessary to enable you to achieve and maintain compliance. Our PCI DSS consultants will help you meet the requirements of the Standard effectively and pragmatically, always remaining aware of your organisation’s unique needs.


Assessment and Auditing

URM’s PCI DSS audit services include:

  • QSA-led PCI Report on Compliance (ROC)
  • QSA Supported SAQs
  • Supporting SAQs
  • Pre-audit Readiness Assessment

Why URM for PCI DSS Compliance?

Track record and experience

URM has a team of expert consultants across multiple security disciplines who are all highly experienced in assisting organisations in gaining PCI DSS compliance. Our consultants have worked with hundreds of different companies across a wide range of industries, including local government, entertainment, retail, hospitality, IT services, charities and many more. They also have experience of working with companies of various sizes, ranging from self-employed individuals to multi-national corporations. So, whatever your PCI DSS needs are, URM will be able to provide a QSA who understands your organisation and can offer the best advice and guidance to help you achieve compliance.

Pragmatic Approach

All of URM’s QSAs pride themselves on their pragmatic approach to both compliance and assessments, and will work with you to find the most appropriate and sensible way for you to meet the requirements of the PCI DSS.

Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management, data protection and more. The webinars are delivered by our senior consultants, who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials and complying with the GDPR. All of our webinars are completely free to attend and include an opportunity to ask questions at the end.

Webinar: PCI DSS v4 Deadline Looming

URM’s webinar will focus on providing you with hints and tips on how to address some of the more challenging requirements coming to life in March 2025.

Webinar: Transitioning to PCI DSS v4.0

URM’s webinar is aimed at providing valuable advice and guidance on preparing you for a successful transition to PCI DSS v4.0.

Webinar: Are You Ready for PCI DSS v4.0?

In this webinar, URM will focus on the more challenging requirements, including Multi-Factor Authentication (MFA), eCommerce Payment Page Scripts and ASV Scans.

PCI DSS FAQs

Which payment cards are in scope of the PCI DSS?

The payment cards covered by the PCI DSS are any debit, credit or pre-paid cards branded with one of the following five major payment brands:

  • American Express
  • Discover
  • JCB
  • MasterCard
  • Visa

What is the difference between a PCI DSS merchant and service provider?

A merchant is any entity that accepts payment cards bearing the logos of American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services. A service provider is an entity which isn’t a payment brand but is directly involved in the processing, storage or transmission of cardholder data on behalf of another business.

Can you outsource all payment functions in order to avoid the need to be PCI DSS compliant?

While you can outsource everything to do with PCI DSS, you still need to be compliant as, ultimately, you’re responsible for ensuring those card transactions are secure. It is your responsibility to ensure the third parties you outsource to are compliant with the Standard.

What is a PCI DSS RoC?

Level 1 merchants and service providers, and those who have suffered data breaches, are required to be assessed by a third-party QSA organisation. The end product of the assessment is a RoC, which is an abbreviation for a Report on Compliance document. This is a very detailed document which assesses the merchant’s or service provider’s compliance with all the relevant PCI DSS requirements.

Speak to a PCI DSS expert

URM has a team of expert consultants across multiple security disciplines who are all highly experienced in assisting organisations in gaining PCI DSS compliance.

Speak to one of our experts for more information on how we can help you gain compliance. Simply call 0118 206 5410 or request a call back using the form below.

PCI DSS v4.0: Targeted Risk Analysis (Information Security, published 4/6/2024)

URM’s blog dissects the new PCI DSS requirements around targeted risk analysis, what they involve, and how the 2 types of TRA in the Standard differ.

PCI DSS v4.0: Forced Password Changes and Zero Trust Architecture (Information Security, published 3/6/2024)

URM’s blog drills down into the PCI DSS v4.0 requirements around forced password changes, with a particular focus on the addition of zero-trust architecture.

PCI DSS v4.0: Network Security Controls (Information Security, published 11/4/2024)

URM’s blog explains the wording changes in Requirement of the PCI DSS v4.0, offering advice on how organisations can select and use the most appropriate NSCs.

Common Questions When Preparing to Transition to PCI DSS v4.0 (published 22/3/2024)

URM’s blog answers key questions about the practicalities of PCI DSS v4.0 transition assessments and how you can best prepare for a successful v4.0 transition.
“After a bad experience with a previous provider, we looked to URM for QSA support. The URM QSA we have worked with is phenomenal, and considerably better than our previous QSAs. My team enjoy working with him, and find him to be extremely credible and effective. Whenever we have asked our QSA and account manager whether additional work is required outside of the annual cycle, there has never been a hard sell of any of URM’s services; instead they offer advice based on our compliance requirements and business needs. Our URM QSA always consults with the aim of making compliance as straightforward as possible, and pointed us towards a way of significantly minimising and streamlining our assessment scope that neither we nor our previous PCI DSS consultancy provider had considered.”

CISO at University of Surrey