PCI DSS Consultancy Services
URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.
In order to protect against increasingly sophisticated cyber threats, it is essential that organisations implement measures to help secure the information they process, including customers’ and other stakeholders’ payment card information. The Payment Card Industry Data Security Standard (PCI DSS) is a set of controls that must be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and cardholder data from being compromised or stolen.
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard designed to ensure that all organisations that process, store or transmit cardholder data maintain a secure environment. It aims to protect cardholder data from fraud and security breaches as it is processed, stored and transmitted.
If you are an organisation which handles large volumes of transactions, your compliance must be assessed by an independent Qualified Security Assessor Company (QSAC). PCI DSS compliance must be assessed on an annual basis. Organisations handling smaller volumes can demonstrate compliance via a self-assessment questionnaire (SAQ).
Non-compliance with the PCI DSS can have severe consequences for an organisation. A number of penalties can be imposed if you do not comply, including monthly penalties until compliance is achieved and increased payment card transaction fees. In the most serious cases, your organisation’s contract with its bank can become void, and your ability to take card payments withdrawn.
Compliance with the PCI DSS is also considered due diligence under the Data Protection Act (2018), and the UK’s privacy regulator, the Information Commissioner’s Office (ICO), has fined organisations for non-compliance with the PCI DSS following card data breaches.
Our consultants have worked with hundreds of different companies across a wide range of industries including local government, entertainment, retail, hospitality, IT services, charities, and many more. They also have experience of working with companies of various sizes ranging from self-employed individuals to multi-national corporations.
Get in touch with our PCI DSS experts today to find out more.
Penetration testing is the authorised simulation of a cyber attack on an organisation to establish the effectiveness of its defences, and how much damage a malicious actor could inflict. Vulnerability scanning is a (usually automated) assessment of a system or network, also conducted to identify vulnerabilities in an organisation’s environment.
Regular pen testing and vulnerability scanning are both requirements for PCI DSS compliance. They allow you to proactively identify weaknesses in your cardholder data environment (CDE) and its defences before they are maliciously exploited. As an Approved Scanning Vendor (ASV) recognised by the Payment Card Industry Security Standards Council (PCI SSC) and a CREST-accredited organisation, URM is ideally placed to help you meet the PCI DSS scanning and pen testing requirements.
The PCI SSC defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to accurately determine the scope of assessment.”
URM’s consultants are able to work with you and help determine the correct assessment scope from which you can proceed to analyse the applicability and necessity of each PCI DSS control requirement.
A PCI DSS gap analysis is an assessment of your current cardholder processing activities against the requirements of the Standard, in order to establish where there are ‘gaps’ in your compliance.
Often the first step in any PCI DSS compliance project, the outputs of URM’s gap analysis will inform any remedial work required, and provide a clear roadmap to compliance with and certification against the Standard.
Once the most appropriate assessment scope has been identified and a gap analysis conducted, URM’s Qualified Security Assessor (QSA) can guide and support any implementation and remediation activities necessary to enable you to achieve and maintain compliance. Our PCI DSS consultants will help you meet the requirements of the Standard effectively and pragmatically, always remaining aware of your organisation’s unique needs.
URM’s PCI DSS audit services include:
URM has a team of expert consultants across multiple security disciplines who are all highly experienced in assisting organisations in gaining PCI DSS compliance. So, whatever your PCI DSS needs are, URM will be able to provide a QSA who understands your organisation and can offer the best advice and guidance to help you achieve compliance.
All of URM’s QSAs pride themselves on their pragmatic approach to both compliance and assessments, and will work with you to find the most appropriate and sensible way for you to meet the requirements of the PCI DSS.
URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management and data protection. The webinars are delivered by our senior consultants, who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, and complying with the GDPR. All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.
URM’s webinar will focus on providing you with hints and tips on how to address some of the more challenging requirements coming into effect in March 2025.
URM’s webinar is aimed at providing valuable advice and guidance on preparing you for a successful transition to PCI DSS v4.0.
In this webinar, URM will focus on the more challenging requirements, including Multi-Factor Authentication (MFA), eCommerce payment page scripts and ASV scans.
The payment cards which are covered by the PCI DSS are any debit, credit or pre-paid cards branded with one of the following five major payment brands: American Express, Discover, JCB, MasterCard and Visa.
A merchant is any entity that accepts payment cards bearing the logos of American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services. A service provider is an entity which isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business.
While you can outsource everything to do with PCI DSS, you still need to be compliant as, ultimately, you’re responsible for ensuring those card transactions are secure. It is your responsibility to ensure the third parties you outsource to are compliant with the Standard.
Level 1 merchants and service providers, and those who have suffered data breaches, are required to be assessed by a third-party QSA organisation. The end product of the assessment is a Report on Compliance (ROC). This is a very detailed document which assesses the merchant’s or service provider’s compliance with all the relevant PCI DSS requirements.
URM’s blog dissects the new PCI DSS requirements around targeted risk analysis (TRA), what they involve, and how the two types of TRA in the Standard differ.
URM’s blog drills down into the PCI DSS v4.0 requirements around forced password changes, with a particular focus on the addition of zero-trust architecture.
URM’s blog explains the wording changes in Requirement of the PCI DSS v4.0, offering advice on how organisations can select and use the most appropriate network security controls (NSCs).
URM’s blog answers key questions about the practicalities of PCI DSS v4.0 transition assessments and how you can best prepare for a successful v4.0 transition.