From PCI DSS and GDPR compliance to penetration testing, we’ve got you covered so you can have peace of mind.
Industry regulators update their regulations and legal obligations on a regular basis, and for some businesses, it can be hard to keep up.
Compliance is about making sure companies and their employees comply with existing national and international laws. The main aim of compliance is to avoid, or quickly identify, any illegal activity, and ensure appropriate action is taken. Compliant companies demonstrate that they are reputable and respect the interests of their shareholders.
General Data Protection Regulation (GDPR)
GDPR governs how organisations process and use personal data to provide consumers with greater protection. GDPR affects every aspect of your business, from how you build your customer database, to how you market your products. Non-compliance can result in a significant fine of up to £18 million, or 4% of annual global turnover, whichever is greater.
Under GDPR, if your business handles personal data, you must be able to:
- Prove that you have permission to hold it
- Show what it is being used for
- Demonstrate how it is being protected
- Provide individuals with access and the ability to review, amend or challenge data processing practices.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment.
Payment security is essential for every business that stores, processes or transmits cardholder data.
Unauthorised financial fraud losses totalled over £1.3 billion in 2021, according to UK Finance’s Annual Fraud Report. While PCI DSS is not law, a cardholder data breach is also a GDPR breach, which carries significant penalties.
PCI DSS provides specific, actionable guidance on protecting cardholder data, for businesses of all types and sizes. The guidance covers several steps for compliance:
- Install and maintain a firewall to protect data
- Change any vendor-supplied default passwords as soon as is reasonably practicable
- Encrypt transmissions of cardholder data
- Use, and regularly update, anti-virus software
- Maintain security systems and applications
- Implement strong access control measures
- Regularly monitor and test networks, including access to network resources.
Penetration testing, or pen testing, is a core tool for analysing the security of your IT systems.
Penetration tests are a good way to identify the level of technical risk arising from software or hardware in your environment. A well-scoped pen test can help to give you confidence that the products and security controls tested have been configured in line with good practice, and that there were no known vulnerabilities in the tested components at the time the test was carried out.