Shredding Standards: What is a PCI DSS Level 1 Service Provider and Why Does It Matter?

When you’re looking to outsource shredding, there are many things you need to consider. One of the most important things is the shredding service provider’s accreditations and certifications.

Responsible shredding service providers will have proven accreditations for keeping your confidential materials secure before, during and also after the shredding has taken place. Some of the most important certifications you should look out for are ISO 9001:2015 incorporating EN 15713 and BS7858, ISO 14001:2015 and also PCI DSS Level 1 Service Provider certification. We’ve already explained the importance of ISO 9001:2015 incorporating EN 15713, but PCI DSS Level 1 is equally as important when it comes to keeping your card payment data safe.

So, what is a PCI DSS Level 1 Service Provider?

The Security Standards Council developed the Payment Card Industry Data Security Standard (PCI DSS) to enhance cardholder data security, encouraging the adoption of consistent data security measures globally.

To be a PCI DSS Level 1 Service Provider – which is the highest level a business can achieve – strict criteria must be met to ensure card and payment information is safeguarded every step of the customer’s journey.

What criteria does a shredding service provider have to meet to achieve PCI DSS Level 1 Service Provider certification?

There are 12 PCI DSS security requirements that businesses have to adhere to in order to achieve PCI DSS compliance*. We explain these requirements below.

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  1. Protect all systems against malware and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need to know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel.

To become a PCI DSS Level 1 Service Provider, these security systems must be assessed annually by a Qualified Security Assessor.

At Shred Station, we go above and beyond these requirements by meeting all of the above, plus regularly training and testing our staff with a PCI DSS Knowledge test.

Why should PCI DSS Level 1 Service Provider certification matter to you?

Ensuring your suppliers have PCI DSS Level 1 Service Provider certification is important. This is because it provides proof that all measures are in place to reduce the risk of debit and credit card data loss or theft.

We are pleased to say we recently renewed our PCI DSS Level 1 Service Provider certification for another year. You can see all of our accreditation certificates on our accreditations page.

Shred Station is proud to be a certified PCI DSS Level 1 Service Provider

Sign up for our newsletter to receive alerts about new blog articles, data protection advice, and Shred Station news.


*This information is correct at the time of publication, 04/02/2021. More details can be found on the PCI security standards website and in the PCI security standards quick reference guide.