PCI DSS Compliance Services for Service Providers

Achieve and Maintain PCI Compliance With Our QSAs

Speak to Our PCI DSS Qualified Security Assessors Today

At Data Protection People, we have all the in-house expertise to help you meet PCI requirements. Contact our team to start your compliance journey.
Helping Simplify Your Compliance Journey

PCI Assessment & Consultancy Services

If you process, store or transmit cardholder data for another business, you must demonstrate your compliance with the PCI DSS every year, without fail. Our experienced Qualified Security Assessors (QSAs) will determine your service provider level and support your audit and compliance reporting.

We’ll help you navigate the complexities of PCI DSS, minimise your risks and keep your payment environment secure, giving you peace of mind. We’ll support you throughout your PCI journey, from initial assessment to ongoing compliance, so you can focus on your core operations with confidence.

Our PCI Compliance Services

Our QSAs provide tailored services to help you achieve and maintain compliance. For Level 1 and 2 service providers, we can assist with:

We’ll help you navigate PCI compliance with confidence, implementing measures to secure cardholder data and protect you from financial risk.


Why Is PCI DSS Compliance Important?

PCI Compliance Benefits

Compliance exists for a reason: to keep your business protected, customers safe and data secure. With PCI compliance, you achieve this as standard and demonstrate your commitment to secure payment processing.

  • Establishes your organisation as a trusted and secure service provider.

  • Protects customers from data breaches and card fraud.

  • Maintains customer confidence and your business’s reputation.

  • Avoids costly non-compliance penalties and fines from payment brands.

  • Simplifies your compliance activities with other data protection regulations, like the GDPR.

  • Enables secure payment processing, helping support business continuity.

  • Drives operational efficiency through globally recognised security controls.

  • Supports business growth while safeguarding cardholder data.

Your Trusted PCI Compliance Partner

Why Choose Data Protection People?

How We Can Help Service Providers With PCI Compliance

Expert QSA Team

Our QSAs have an extensive track record of successful PCI DSS assessments. We provide expert guidance to remediate vulnerabilities and ensure you demonstrate an ongoing commitment to information security.

Industry Expertise

We bring extensive experience in information security and data protection, going beyond PCI DSS. As a GDPR consultancy, we can help you establish a comprehensive security setup that protects cardholder data and ensures compliance with multiple standards.

Comprehensive PCI Services

Our PCI DSS services are tailored to your specific needs. We offer comprehensive support, from scope assessment and gap analysis to audit preparation and remediation, ensuring efficient and effective compliance.

Frequently Asked Questions

What is PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. This standard includes requirements to ensure that businesses that process, store or transmit cardholder data (CHD) maintain a secure payment environment. By complying, you’ll mitigate the risk of card fraud and data breaches, which helps build trust with your customers.

Do service providers need to be PCI DSS compliant?

Yes. Service providers with access to cardholder data, or with control over or influence on the security of a customer’s cardholder data environment (CDE), must meet PCI DSS requirements.

While PCI compliance is not a legal requirement in the way the GDPR is, it is a contractual requirement imposed by the payment brands, such as Visa, Mastercard and American Express. These payment brands and the acquiring banks determine whether a service provider must validate its compliance.

What are the PCI requirements for service providers?

Your requirements as a service provider depend on your level.

Level 1 service providers must have a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) complete a Report on Compliance (RoC) and an Attestation of Compliance (AOC). An Approved Scanning Vendor (ASV) must also complete an external vulnerability scan to validate compliance with the PCI DSS.

Level 2 service providers need to complete a Self-Assessment Questionnaire (SAQ) and an ASV scan.

Why is PCI compliance important?

PCI DSS compliance ensures that you are taking the necessary security measures to protect cardholder data (CHD) from theft and fraud. Mitigating this risk keeps CHD safe, strengthens your credibility and avoids the financial penalties of non-compliance.

Is PCI certification required yearly?

Yes. Level 1 service providers must complete their Report on Compliance (RoC) yearly, and Level 2 providers must complete a Self-Assessment Questionnaire (SAQ) at the same frequency.

ASV scans should be done every three months. PCI compliance is not a tick-box exercise – service providers need to maintain it all year round.

What are service providers in PCI DSS?

A service provider is a business directly involved in processing, storing, or transmitting cardholder data on behalf of another entity. Examples include payment gateways, payment service providers (PSPs) and independent sales organisations (ISOs).

Service providers also include those with services that control or could impact CHD security. This includes managed service providers that offer managed firewalls, IDS and hosting.

What is the difference between PCI Level 1 and 2?

While merchants have four compliance levels, service providers have only two, defined by their yearly transaction volume.

Level 1 service providers transmit, process, or store more than 300,000 transactions per year, while Level 2 service providers have fewer than 300,000 transactions.

How do you validate PCI compliance?

Service providers can demonstrate that they meet PCI DSS requirements by conducting annual audits of their cardholder data environment (CDE).

Level 1 service providers must have an ISA or a QSA, such as Data Protection People, complete a Report on Compliance (RoC). They will also need an external vulnerability scan from an ASV.

Level 2 service providers can validate their PCI compliance through a Self-Assessment Questionnaire (SAQ) and an ASV scan.

What is the difference between a PCI merchant and a service provider?

According to the PCI DSS, a merchant is a business that accepts card payments for goods or services. These include retailers, supermarkets and wholesalers. Service providers process, store or transmit cardholder data (CHD) on behalf of another entity, such as a merchant.

What is the penalty for not complying with PCI?

Organisations that fail to comply with the PCI DSS could be fined between £4,000 and £80,000 per month ($5,000 to $100,000). The penalty depends on the company’s size and the scope of the breach.

If the cardholder data contains personally identifiable information (PII), a breach or theft will also violate the UK GDPR. The Information Commissioner’s Office (ICO) can fine you up to £17.5 million or 4% of your global annual turnover, whichever is higher.

“I can’t recommend Data Protection People enough. They have helped me in so many different areas; no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them. In times of frustration they are here to calm me down and create a plan. They are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

Are You PCI Compliant?

Whether you’re a Level 1 or 2 service provider, our QSAs can support your organisation on all its compliance needs. Speak to our experts today to learn more about our PCI DSS services.