When you’re looking to outsource the destruction of your confidential material, there is a lot to consider. One of the most important factors is the shredding service provider’s accreditations and certifications.
Any responsible shredding service provider will hold accreditations that cover the security of your confidential materials before, during and after the shredding itself. As a starting point, the certifications you should look for are ISO 9001:2015 incorporating EN 15713 (secure destruction of confidential material) and BS 7858 (security screening of personnel), ISO 14001:2015, and PCI DSS Level 1 Service Provider certification. We’ve already explained the importance of ISO 9001:2015 incorporating EN 15713, but PCI DSS Level 1 is equally important when it comes to keeping your card payment data secure.
So, what is a PCI DSS Level 1 Service Provider?
The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (PCI SSC), the body founded in 2006 by American Express, Discover, JCB, Mastercard and Visa. Its purpose is to protect cardholder data by setting a single, consistent baseline of security controls that applies to every organisation that stores, processes or transmits it, anywhere in the world.
The same 12 requirements apply to every service provider, whatever its size. What changes with the level is how compliance has to be proven. Level 1 is the highest validation level a service provider can reach, and the card brands assign it to providers handling the largest volumes of card transactions. At this level a provider cannot simply self-certify: it must have its controls independently assessed every year to demonstrate that card and payment information is safeguarded at every step of the customer’s journey.
What criteria does a shredding service provider have to meet to achieve PCI DSS Level 1 Service Provider certification?
There are 12 PCI DSS security requirements, grouped under six control objectives, that any business must adhere to in order to achieve PCI DSS compliance*. These are outlined below.
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
To be validated as a PCI DSS Level 1 Service Provider, these controls must be assessed annually, on site, by a Qualified Security Assessor (QSA) accredited by the PCI SSC. The QSA documents the findings in a Report on Compliance, and the provider signs an Attestation of Compliance (AOC) confirming the result. Lower validation levels only require a Self-Assessment Questionnaire, so the independent annual assessment is what sets Level 1 apart.
At Shred Station, we meet all of the requirements above and go further by regularly training our staff and testing their understanding with a PCI DSS knowledge test.
Why should PCI DSS Level 1 Service Provider certification matter to you?
Checking that your suppliers hold PCI DSS Level 1 Service Provider certification matters because it is independent evidence, not just the supplier’s own word, that their controls for handling card data have been assessed against the standard by a qualified third party in the last twelve months. No certification eliminates the risk of debit and credit card data loss or theft, but it does significantly reduce it, and it makes that reduction verifiable. When you carry out due diligence, ask to see the supplier’s current Attestation of Compliance and check two things: the date, since validation lapses after a year, and the scope, since the AOC lists exactly which services were assessed. Card data shredding should be named within that scope.
We are pleased to say we recently renewed our PCI DSS Level 1 Service Provider certification for another year. You can see all of our accreditation certificates by visiting our accreditations page.
*This information is correct at the time of publication, 04/02/2021. The requirement wording above is taken from PCI DSS version 3.2.1, the version in force on that date; the PCI SSC publishes newer versions of the standard, so check the current version before relying on this list. Further details can be found on the PCI Security Standards Council website and in its PCI DSS quick reference guide.