PSTI

Product Security and Telecommunications Infrastructure

The Product Security and Telecommunications Infrastructure (PSTI) Act is a security regime that requires manufacturers and distributors of consumer-connected products in the UK (like smartphones and broadband routers) to take action to ensure their products are more secure against cyber attacks.

The Act came into effect on 29th April 2024 and sets a new security standard that manufacturers must meet to protect consumers against threats, such as data breaches and fraud.   

What are the new security standards and how are Three complying?

1. No default passwords

Consumer-connectable products in the UK must not be sold with default passwords. We are ensuring that Three branded products have passwords that are either unique per product or defined by the product user.

2. Vulnerability reporting

We will make customers aware of where they can report security issues with Three’s connectable products – these are mostly home or mobile broadband products. We have a dedicated email address for reporting security concerns for these products. For security concerns with devices from other brands, like Apple and Samsung, please report vulnerabilities to them directly via their own websites. 

3. Statements of Compliance

Consumer-connectable products in the UK must only be supplied when accompanied by a Statement of Compliance. We are ensuring that all connectable products made and sold by us have a Statement of Compliance and will let you know where you can find a copy online – see Find your Statement of Compliance below.

4. Minimum security update periods

We must publish the minimum support period for which security updates will be provided for relevant products. This information will be contained in the Statement of Compliance for all connectible products, as well as on our website for Three branded products.

Find your Statement of Compliance

Click on the brand links below to find your statement.

Reporting cyber security issues

If you have a security concern with your phone, tablet, or wearable, please contact the manufacturer directly.

To report a cyber security issue with a connectable Three product, send an email to psti@three.co.uk and include:

  • A description of the issue
  • The name and model number of your device
  • Your name and contact details

You should receive an automated response acknowledging receipt of your email within 24 hours, and regular status updates until the resolution of your reported issue. For any other consumer-connectable products, please visit the relevant manufacturer’s website.