How to meet the latest payment card industry data security standards

If your business processes card transactions, protecting this highly sensitive information should be a high priority. Failure to introduce and maintain appropriate payment security standards could result in your organisation receiving significant fines and suffering serious reputational damage.

However, putting in place the range of controls needed to achieve compliance with the latest Payment Card Industry Data Security Standards (PCI DSS) can place a strain on your organisation.

As a leading provider of managed security and assessment services, Redscan can help your organisation to understand and implement the technical and operational controls needed to fulfil PCI requirements.



What is PCI DSS?

The PCI DSS is a minimum set of technical and organisational requirements designed to help businesses protect customers’ cardholder data against fraud through robust payment security.

All organisations that accept or process credit card payments are required to undertake an annual PCI DSS audit of security controls and processes, covering areas of data security such as retention, encryption, physical security, authentication and access management.

PCI DSS is enforced by the founding members of the PCI Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. Organisations deemed to fall short of required payment security standards, or those who are not working towards achieving compliance, are liable to receive a fine.


Who does PCI DSS apply to?

The PCI DSS applies to all organisations that store, process and transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Examples of these types of organisations include merchants, processors, acquirers, issuers, and service providers.

Organisations that outsource payment operations are responsible for ensuring that all account data processed is suitably protected by contracted third parties.


PCI DSS frequently asked questions

What cardholder data is protected?

PCI DSS applies to all organisations, such as merchants and service providers, that store, process and transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Cardholder data includes: primary account number, cardholder name, expiration date and service code.

Sensitive authentication data includes full track data (magnetic stripe data or the equivalent on a chip), CAV, CVC, CVV and CID numbers, PINs and PIN blocks.
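To show what the distinction between cardholder data and sensitive authentication data means in practice, here is an added example (not Redscan's code or anything from the PCI Council) that scans constructed application log lines for primary account numbers, confirms candidates with the Luhn check so that ordinary reference numbers are not mis-flagged, masks confirmed PANs to the first six and last four digits, and flags lines in which SAD labels such as CVV or PIN appear; the log lines, card numbers and field names are all constructed test data.

```python
import re

# Constructed sample log (not real data): the two card numbers are standard
# test PANs that pass the Luhn check, the cvv value is made up.
SAMPLE_LOG = """\
2020-08-05 10:01:12 INFO order=1001 customer=Jane card=4111111111111111 exp=1223
2020-08-05 10:01:13 DEBUG payload cvv=123 pan=5555555555554444
2020-08-05 10:02:00 INFO order=1002 ref=1234567890123456789 status=ok
2020-08-05 10:02:05 INFO tracking=ABC123 amount=49.99
"""

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field labels under which sensitive authentication data tends to leak into logs.
SAD_RE = re.compile(r"\b(cvv2?|cvc|cav2?|cid|pin|track[12]?)\s*[=:]", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: PANs issued by the major card brands pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN so that at most the first six and last four digits remain."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> dict:
    """Return confirmed PANs, a SAD flag and a masked copy of one log line."""
    pans = []

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # e.g. an order reference, not a PAN: leave as is
        pans.append(digits)
        return mask_pan(digits)

    masked = PAN_RE.sub(_mask, line)
    return {"pans": pans, "sad": bool(SAD_RE.search(line)), "masked": masked}


def scan_log(text: str) -> list:
    return [scan_line(l) for l in text.splitlines() if l.strip()]
```

A hit with `sad` set is the more serious finding: a PAN can be stored under the standard's protection requirements, but SAD must not be retained after authorisation.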

Can cardholder data be stored?

Under PCI DSS, merchants and service providers are permitted to store cardholder data. Subject to specific usage and protection requirements, some acquirers may permit sensitive authentication data to be stored but only prior to payment authorisation.

What is within the scope of a PCI DSS assessment?

The PCI DSS security requirements apply to all system components included in or connected to an organisation’s cardholder data environment (CDE). The CDE encompasses all people, processes and technologies that store, process, or transmit cardholder and sensitive authentication data.

PCI DSS can apply across the whole of an organisation, or to a subset of it if the CDE has been correctly compartmentalised. System components in scope include network devices, servers, computing devices, and applications.

What’s the difference between merchants and service providers?

A merchant is defined as any entity that accepts payment cards from any of the five founding members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

A service provider, on the other hand, is a business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data. If an organisation provides a service that involves only the provision of public network access, such as a telecommunications company providing a communication link, the organisation is not considered a service provider.

Note: Where a merchant stores, processes or transmits cardholder data on behalf of other merchants or service providers, it can also be a service provider.


PCI requirements

The PCI DSS version 3.2 encompasses six key objectives, split across a set of 12 requirements.

The six objectives are:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management programme
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Get in touch regarding PCI DSS

We’d be happy to answer any questions you have.
