Payment card industry (PCI) compliance

We perform this assessment following the PCI DSS to independently determine your ability to protect account data. Level 1 merchants (those with 6 million transactions or more per year) must submit a PCI ROC and Attestation of Compliance (AoC) completed by a QSA annually to their acquiring bank and card brands.

You conduct the PCI DSS self-assessment internally to determine your organization’s ability to protect account data. Depending on acquirer/processor contractual obligations, Level 2 to 4 merchants may be required to submit a PCI SAQ to their acquirer/processor, and service providers may be required to submit their AoC to customers. Our QSAs can assist in preparing your SAQ and AoC or independently validate your ability to protect account data.

As an ASV, we identify the known network, operating system, web application, and server exploits and vulnerabilities on specified internet-enabled devices and applications using automated tools following the latest ASV program guide. Once we identify these issues, we can assist you in remediating them.

This process helps determine your readiness for a compliance assessment against version 3.2.1 of the DSS and identifies key compliance gaps. The project results in steps required to achieve compliance and to understand how to maintain compliance with PCI security compliance obligations.

On March 31, 2022, the PCI SSC released version 4.0 of the DSS. The new version of the standard defines the latest requirements for compliance for organizations that store, process, transmit, or can affect the security of credit/debit card account data. The current version of PCI DSS v.3.2.1 will remain active until it is retired on March 31, 2024, to provide time for organizations to understand the changes in version 4.0 and implement any necessary updates. We can provide the tools and information needed to manage the impact of these changes. A PCI DSS 4.0 readiness assessment will help you identify your organization’s compliance gaps against the new requirements.

The new PCI DSS 4.0 standard includes expanded risk analysis requirements to evaluate the frequency of performing periodic controls and assess the inherent risk of hardware and software technologies in use. Additionally, and if applicable, it evaluates the risks associated with customized encryption controls. RSM will help your organization develop and analyze your risk posture to meet these new requirements.

These annual internal and external networks-and application-level tests required by the PCI DSS assess your current security controls to determine the actionable impact of an attacker gaining access to your CDE.

Our team provides continual guidance on maintaining and improving your PCI compliance programs, enabling you to monitor your compliance throughout the year and define key milestones to eliminate rework later. In addition,PCI merchants or service providers are required to conduct quarterly reviews to confirm that personnel are following security practices and operational procedures. Our QSAs can help you establish a process to meet the quarterly requirement and will work with you to ensure your compliance efforts are supported throughout the organization.

This process helps determine your readiness for a compliance assessment against the PCI SSF, a collection of standards for the secure design and development of payment software. Our SSF assessors will review the people, processes, and technologies that are part of your organization’s payment software and evaluate if they meet the PCI Secure Software Lifecycle (Secure SLC) or Secure Software Standard.

Our certified assessors will review your organization’s software development life cycle. The assessment covers the documented policies, procedures, and standards that developers follow throughout the software’s life cycle from project start through operational deployment, implementation, and maintenance. This independent validation of PCI SLC compliance leads to the issuance of a ROC and AoC, as well as submission to the PCI SSC. Once accepted, the PCI SSC lists the Secure SLC-qualified vendor on the SSC’s website as a resource for merchants, service providers, and acquirers.

Our team tests your organization’s PCI-related payment software against the Secure Software Standard to validate that the software is protecting payment transactions and data. This independent validation of PCI SSF compliance leads to the issuance of an ROV and Attestation of Validation (AOV) submitted to the PCI SSC for review, acceptance, and certification. Once accepted, the PCI SSC lists the validated payment software on the SSC’s website as a resource for merchants, service providers, and acquirers.

This service addresses the security requirements for entities that accept, process, or transmit payment card personal identification numbers (PINs). The PCI PIN Security Standard details the necessary requirements and testing procedures to securely manage, process and transmit PIN data at ATMs and point-of-sale terminals. Our QPA team provides advisory and validation services for entities required to comply with this standard and issues a compliant ROC and AoC.

This service provides your organization with subject matter professionals to assist with remediation actions targeted to close any identified compliance gaps with any PCI standards.

Our team will advise you on your PCI compliance program and the risks associated with noncompliance. This will include analysis of factual matters and considering alternative solutions regarding scope reduction and optimizing PCI compliance processes across the organization. The team will consist of individuals with suitable skills, knowledge, and experience to support your unique PCI compliance needs.

Often data breaches happen because organizations do not have an accurate inventory of sensitive data, or sensitive data was stored outside of the protected environment intentionally or unwittingly by employees or attackers. Our data discovery services do top-down and bottom-up searches for sensitive card data so that your organization can protect all sensitive data.

This program supports your organization through the entire PCI compliance life cycle to help you build repeatable, consistent processes for achieving and maintaining compliance. This methodology is intended to be cyclical, as moving through the phases promotes program maturity and transitions compliance efforts to a more managed, automated, and measurable state. In addition, routinely validating scope and aligning organizational components can help you identify new opportunities for optimization. This approach is scalable for organizations of any size, compliance footprint, and maturity level.

The PCI SCORE phases consist of the following:

S – Scope evaluation:The PCI DSS calls for scope evaluation on an annual basis. We can help you understand how and where you process, transmit and store credit card data, as well as how connected systems may affect the scope of your PCI compliance. The scope evaluation will give you a better understanding of what your PCI assessment will entail, which SAQ will apply, or whether you are required to complete a ROC.

C – Collaborative remediation: We identify gaps, help reduce the scope and advise on remediation strategies. By collaborating with your team, we can pursue an efficient and consistent remediation effort.

O – Organizational alignment: This phase is essential to maintaining a mature PCI program. The goal is to remove organizational silos and create cohesiveness across business functions. To this end, our team provides input on roles and responsibilities. It also helps you outline an overarching compliance strategy encompassing your entire regulatory footprint (e.g., PCI standards, privacy regulations, and other federal and state laws).

R – Reporting compliance: In addition to helping you report initial compliance, we help you establish a process to maintain and monitor compliance on an ongoing basis. We assist with developing internal reporting and oversight to ensure a strong compliance reporting framework. We also help you lay the foundation for continual compliance, such as using dashboards for ongoing monitoring and consistent validation of controls.

E – Evolving maturity: The final SCORE phase involves cultivating the ability to demonstrate compliance at any time of year and adapt to evolving hardware, software, and business requirements. This may include leveraging a governance, risk management, and compliance integration or an audit management solution to automate and centralize responses to regulatory compliance requests. These efforts help to integrate compliance into routine business processes and continually mature your compliance program.