Guidance

The Rental Vehicle Security Scheme code of practice

Published 7 April 2026

This guidance explains the Rental Vehicle Security Scheme (RVSS) code of practice and how to apply it across different rental models. It sets out voluntary best practice for rental vehicle operators that aims to reduce the risk of rental vehicles being used in terrorist attacks by promoting a strong security culture across the vehicle rental industry.

Following the RVSS code of practice is not a legal requirement, but the Department for Transport (DfT) recommends it to protect your customers, staff and business from security risks. 

Benefits of following the RVSS code of practice 

The RVSS code of practice has been developed in collaboration with government departments, the police and industry stakeholders to mitigate the risk of rental vehicles being used in terrorist attacks. 

Following this guidance helps reduce security risks and can improve your organisation’s reputation. By adhering to its code of practice, you will: 

  • help keep the public safe from vehicle attacks  

  • make it harder for rental vehicles to be used in attacks  

  • deter potential attackers from using vehicles from your fleet  

  • improve your organisation’s security culture and reduce the risk of crime  

  • strengthen your professional reputation and corporate social responsibility (CSR) credentials  

  • get access to current government security advice and campaigns 

How to follow this guidance 

To meet the recommended standards, put the security measures outlined by the RVSS code of practice into action every day: 

  • create and regularly update a security delivery plan that shows how you are meeting the requirements 

  • make sure your business follows the relevant code(s) of practice in its daily operations 

You should also consider and apply the RVSS code of practice when: 

  • designing policies and processes 

  • onboarding and training staff  

  • conducting regular internal audits 

  • responding to incidents or security alerts  

Developing a security delivery plan 

Complete a security delivery plan before adopting the relevant code of practice.

Your plan shows how your organisation will meet RVSS code of practice requirements and embed security in day-to-day operations by: 

  • explaining how you will put in place and manage security measures 

  • identifying risks and the actions that will be taken to reduce them 

  • assigning responsibilities, timelines and resources 

The code of practice 

The table below explains which RVSS code of practice requirements apply to your business model. For full details, see the codes of practice in full.

Table 1: RVSS code of practice requirements 

| Requirement | Applies to |
| --- | --- |
| Recognised security contacts | All models |
| Electronic payments only | All models |
| Staff training (including counter-terrorism awareness and fraud prevention) | All models |
| Engage with law enforcement | All models |
| Data protection and GDPR compliance | All models |
| Consistent security standards across operating models | All models |
| Verify driver licence and identity at vehicle handover | Face-to-face rentals |
| Apply extra checks for commercial vehicle hires | Face-to-face rentals |
| Fit security technologies (immobilisers, trackers) | Face-to-face rentals |
| Remove company liveries before resale | Face-to-face rentals, Car clubs |
| Initial registration checks (selfie + licence or DVLA share code) | Car clubs, Peer-to-peer |
| Review customer identity | Car clubs (every 12 months), Peer-to-peer (annually) |
| Verify both host and guest IDs | Peer-to-peer |
| Highlight risks of key collection boxes and recommend secure solutions | Peer-to-peer |

Security delivery plans 

What a security plan is 

A security plan is a strategic document that sets out how your company will implement and manage security measures to protect assets, systems and data. It should include the actions, timelines, responsibilities, resources and technologies needed to meet the RVSS code of practice. 

How to create your security delivery plan 

See the GOV.UK page for this guidance for a template that you can use to create your security delivery plan. 

Your security plan will show how you plan to: 

  • meet (or plan to meet) each requirement 

  • record gaps 

  • carry out actions 

  • authorise sign off 

Keep the completed plan for future reference. 

Use the National Protective Security Authority (NPSA) guidance on risk assessment and mitigating risks as well as ProtectUK’s risk management process to help create your plan. 

How to meet the requirements 

This section explains how to meet the requirements in the RVSS code of practice. Use it alongside the table to understand what each requirement means in practice. 

Governance and roles 

Appoint a recognised security contact (RSC) and, where practical, a deputy. Make sure they fulfil their responsibilities by: 

  • acting as the main point of contact with DfT, law enforcement and relevant national security bodies

  • sharing security material and keeping staff training up to date 

  • making sure staff complete checks as outlined in the code of practice

  • making sure liveries are removed from fleet vehicles prior to disposal

Customer verification and payments 

Secure payments and identity checks by: 

  • accepting electronic payments only 

  • recording payment card details and requiring PIN authorisation where possible 

  • adapting procedures for third-party payments and ensuring a payment card is provided for verification

  • checking the licence photo matches the person renting the vehicle and recording the driver number correctly 

  • using digital checks for online bookings to reconcile licence and payment card information 

For detailed guidance on secure identity checks, see identity proofing and verification of an individual.

Staff training and suspicious behaviour 

Make sure staff can recognise and respond to suspicious behaviour by: 

  • providing up-to-date counter-terrorism guidance 

  • training staff in verification procedures and encouraging vigilance 

  • giving clear instructions for assessing customer needs and spotting inconsistencies or suspicious behaviour

  • setting up an escalation process for reporting concerns and explaining when to contact law enforcement authorities

  • supporting government counter-terrorism campaigns, such as the ACT campaign, and displaying logos where practical 

Free training is available to help staff stay alert and report concerns, including ACT Awareness e-learning and SCAN – See, Check and Notify. 

Vehicle security and technologies 

Use security technologies to protect your fleet by: 

  • fitting security equipment when renewing fleets 

  • choosing technologies based on risk assessment and available options 

  • cooperating with law enforcement on use of security technologies 

Data protection and lawful information sharing 

Handle personal data securely and share it only when lawful by: 

  • training staff on the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR)

  • sharing data, including rental and customer scheme information, with law enforcement upon request and only when there is a lawful basis, and ensuring all decisions are documented in accordance with data protection requirements

  • keeping records of any data shared with law enforcement 

For GDPR training and awareness, see ICO guidance on accountability and governance.

Commercial vehicle checks 

Apply extra checks when hiring out commercial vehicles by: 

  • asking security questions for hires without an operator’s licence 

  • before hiring out large commercial vehicles, checking operator licences using the official Find lorry and bus operators service 

  • questioning the purpose for light commercial vehicle hires 

  • using the DVLA share code process to verify driver licence details 

Branding and disposal 

Remove liveries before vehicles are sold or disposed of: 

  • remove branding before onward sale 

  • confirm completion if removal is done by a third party 

Additional guidance for car club and peer-to-peer 

Apply these measures as per the relevant code of practice outlined in table 1: 

  • apply consistent security measures across all models 

  • complete initial registration checks using selfie and licence (checked for any discrepancies by a trained employee and/or by the use of proprietary software) or DVLA share code 

  • review customer ID at least every 12 months 

  • use secure, tamper-evident key collection boxes, change codes regularly and keep locations discreet 

Embedding a security culture 

Build a strong security culture across your organisation by: 

  • training staff during recruitment

  • defining suspicious behaviour and providing examples 

  • encouraging prompt reporting and verification 

Free cyber security training is available from the National Cyber Security Centre and OpenLearn.

Risk-management support and free-to-use training 

The NPSA offers additional helpful resources that may support you in following the requirements of the RVSS code of practice, including information on personal security risk assessments (PDF) and how to assess your security culture.  

Training and information are also available in the form of ACT Awareness e-learning, SCAN – See, Check and Notify, and cyber security courses from NCSC.

The codes of practice in full

The code of practice as it applies to each business model in the vehicle rental sector is detailed below. 

Where used, the term customer refers to a person using the service to rent a vehicle. 

Face-to-face commercial rentals code of practice

1) Appoint a recognised security contact (RSC) and (where practical) a deputy. 

2) Only accept electronic forms of payment. 

3) When ‘handing over’ vehicles to customers, undertake driver licence verification checks. 

4) Train staff to identify and report suspicious behaviours. 

5) Support law enforcement counter terrorism and communications campaigns. 

6) Share data and information with law enforcement agencies where this can be done lawfully and in a way consistent with data protection requirements. 

7) Based on assessment of risk and available vehicle technologies, the company should ensure that appropriate security equipment is fitted to vehicles. 

8) When ‘handing over’ commercial vehicles to customers, additional security checks should be undertaken.

9) The code recommends that company liveries are removed prior to onwards sale of vehicles. 

10) Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) 2018. The company will ensure staff have sufficient training in regard to the DPA and GDPR.

Car club code of practice 

1) Ensure a recognised security contact at a senior level of the organisation has overall responsibility for operating in a secure way. 

2) Ensure that similar levels of security are maintained across the different business models your organisation operates. 

3) Train all staff to identify behaviours that the organisation understands to be suspicious and provide them with a robust means of reporting their concerns to senior managers.

4) The organisation should actively engage with law enforcement and counter-terrorism policing including communication campaigns. 

5) Only accept electronic forms of payment and ensure any refunds are paid to the card used to make the original transaction. 

6) Comply with all data regulations (GDPR) and share data with law enforcement when asked to. 

7) Initial registration should use either the ‘selfie and driving licence’ process (checked for any discrepancies by a trained employee and/or by the use of proprietary software) or the DVLA’s share code. 

8) All initial sign-up checks and verifications should be completed before any access to vehicles is given. 

9) After the initial sign-up process is completed a review of customer ID should be undertaken at least every 12 months. 

10) The removal of liveries prior to the onward sale of vehicles is strongly recommended. 

Peer-to-peer code of practice 

1) Ensure a recognised security contact at a senior level of the organisation has overall responsibility for operating in a secure way. 

2) Ensure that similar levels of security are maintained across the different business models your organisation operates. 

3) Train all staff to identify behaviours that the organisation understands to be suspicious and provide them with a robust means of reporting their concerns to senior managers.

4) The organisation should actively engage with law enforcement and counter-terrorism policing including communication campaigns. 

5) Only accept electronic forms of payment and ensure any refunds are paid to the card used to make the original transaction. 

6) Comply with all data regulations (GDPR) and share data with law enforcement when requested to do so.

7) Initial registration should check both the guest and host ID using either the ‘selfie and driving licence’ process (checked for any discrepancies by a trained employee and/or by the use of proprietary software) or the DVLA’s share code. 

8) All initial sign-up checks and verifications should be completed before any access to vehicles is given. 

9) After the initial sign-up process is completed a review of active customer ID should be undertaken at least every 12 months – an ‘active customer’ is defined as a P2P customer who has used the service within the previous 12-month period. 

10) Highlight to hosts the potential risks associated with the use of a ‘key collection box’.