In order to protect against increasingly sophisticated cyber threats, it is essential that organisations implement measures to help secure the information they process, including customers’ and other stakeholders’ payment card information. The Payment Card Industry Data Security Standard (PCI DSS) is a set of controls that must be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and cardholder data from being compromised or stolen.
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard designed to ensure that all organisations that process, store or transmit cardholder data maintain a secure environment. It aims to protect cardholder data from fraud and security breaches as it is processed, stored and transmitted.
How do I know if I need to comply with PCI DSS and how do I comply?
If you are an organisation which handles large volumes of transactions, your compliance must be assessed by an independent Qualified Security Assessor Company (QSAC). PCI DSS compliance must be assessed on an annual basis. Organisations handling smaller volumes can demonstrate compliance via a self-assessment questionnaire (SAQ).

What Could Happen if your Organisation Doesn’t Comply with PCI DSS?
Non-compliance with the PCI DSS can have severe consequences for an organisation. A number of penalties can be imposed if you do not comply, including monthly penalties until compliance is achieved and increased payment card transaction fees. In the most serious cases, your organisation’s contract with its bank can become void, and your ability to take card payments withdrawn.
Compliance with the PCI DSS is also considered due diligence under the Data Protection Act (2018), and the UK’s privacy regulator, the Information Commissioner’s Office (ICO), has fined organisations for non-compliance with the PCI DSS following card data breaches.
Speak to a PCI DSS Expert
Our consultants have worked with hundreds of different companies across a wide range of industries including local government, entertainment, retail, hospitality, IT services, charities, and many more. They also have experience of working with companies of various sizes ranging from self-employed individuals to multi-national corporations.
Get in touch with our PCI DSS experts today to find out more.
Ensure your organisation is PCI DSS compliant with URM’s consultancy and assessment services
Penetration Testing & Vulnerability Scanning
Penetration testing is the authorised simulation of a cyber attack on an organisation to establish the effectiveness of its defences, and how much damage a malicious actor could inflict. Vulnerability scanning is a (usually automated) assessment of a system or network, also conducted to identify vulnerabilities in an organisation’s environment.
Regular pen testing and vulnerability scanning are both requirements for PCI DSS compliance. They allow you to proactively identify weaknesses in your cardholder data environment (CDE) and its defences before they are maliciously exploited. As an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC) and a CREST-accredited organisation, URM is ideally placed to help you meet the PCI DSS scanning and pen testing requirements.
Scope Reduction
The PCI SSC defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to accurately determine the scope of assessment.”
URM’s consultants are able to work with you and help determine the correct assessment scope from which you can proceed to analyse the applicability and necessity of each PCI DSS control requirement.
Gap Analysis
A PCI DSS gap analysis is an assessment of your current cardholder processing activities against the requirements of the Standard, in order to establish where there are ‘gaps’ in your compliance.
Often the first step in any PCI DSS compliance project, the outputs of URM’s gap analysis will inform any remedial work required, and provide a clear roadmap to compliance with and certification against the Standard.
PCI DSS Implementation and Remediation
Once the most appropriate assessment scope has been identified and a gap analysis conducted, URM’s Qualified Security Assessor (QSA) can guide and support any implementation and remediation activities necessary to enable you to achieve and maintain compliance. Our PCI DSS consultants will help you meet the requirements of the Standard effectively and pragmatically, always remaining aware of your organisation’s unique needs.
Assessment and Auditing
URM’s PCI DSS audit services include:
- QSA-led PCI Report on Compliance (ROC)
- QSA Supported SAQs
- Supporting SAQs
- Pre-audit Readiness Assessment
Why URM for PCI DSS Compliance?
Track record and experience
URM has a team of expert consultants across multiple security disciplines who are all highly experienced in assisting organisations in gaining PCI DSS compliance. Our consultants have worked with hundreds of different companies across a wide range of industries, including local government, entertainment, retail, hospitality, IT services, charities, and many more. They also have experience of working with companies of various sizes ranging from self-employed individuals to multi-national corporations. So, whatever your PCI DSS needs are, URM will be able to provide a QSA who understands your organisation and can offer the best advice and guidance to help you achieve compliance.
Pragmatic Approach
All of URM’s QSAs pride themselves on their pragmatic approach to both compliance and assessments, and will work with you to find the most appropriate and sensible way for you to meet the requirements of the PCI DSS.
Webinars & Events
URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management, data protection and related disciplines. The webinars are delivered by our senior consultants, who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, and complying with the GDPR. All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.
- URM’s webinar will focus on providing you with hints and tips on how to address some of the more challenging requirements coming to life in March 2025.
- URM’s webinar is aimed at providing valuable advice and guidance on preparing you for a successful transition to PCI DSS v4.0.
- In this webinar, URM will focus on the more challenging requirements, including Multi-Factor Authentication (MFA), eCommerce Payment Page Scripts and ASV Scans.

PCI DSS FAQs
Which payment cards are in scope of the PCI DSS?
The payment cards which are covered by the PCI DSS are any debit, credit, or pre-paid cards branded with one of the following 5 major payment brands:
- American Express
- Discover
- JCB
- MasterCard
- Visa
What is the difference between a PCI DSS merchant and service provider?
A merchant is any entity that accepts payment cards bearing the logos of American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services. A service provider is an entity which isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business.
Can you outsource all payment functions in order to avoid the need to be PCI DSS compliant?
While you can outsource everything to do with PCI DSS, you still need to be compliant as, ultimately, you’re responsible for ensuring those card transactions are secure. It is your responsibility to ensure the third parties you outsource to are compliant with the Standard.
What is a PCI DSS ROC?
Level 1 merchants and service providers, and those who have suffered data breaches, are required to be assessed by a third-party QSA organisation. The end product of the assessment is an ROC, which is an abbreviation for a Report on Compliance document. This is a very detailed document which assesses the merchant’s or service provider’s compliance with all the relevant PCI DSS requirements.

PCI SSC Announces Changes to the SAQ A
- URM’s blog explains the recent update to PCI DSS SAQ-A that has resulted in the removal of 2 new v4 requirements and the addition of new eligibility criteria.
- URM’s blog explores how AI can impact PCI DSS compliance, both in terms of the benefits it can provide and the challenges it may present.
- URM’s blog dissects the new PCI DSS requirements around targeted risk analysis, what they involve, and how the 2 types of TRA in the Standard differ.
- URM’s blog drills down into the PCI DSS v4.0 requirements around forced password changes, with a particular focus on the addition of zero-trust architecture.