Payment Card Industry (PCI) compliance services

Maintain compliance and mitigate risk with PCI compliance services, including gap, vulnerability, RoC and quarterly review assessments.

Any organization that accepts cards as a form of payment or provides services to merchants in the areas of transmission, storage or processing of credit card data must comply with the standards of the Payment Card Industry (PCI) Security Standards Council. Noncompliance can have damaging effects, such as fines, higher transaction fees, loss of banking relationships and reputational harm in the wake of data breaches. Though they may be aware of the obligation, many organizations may not know their current PCI status or may not understand how best to implement a PCI program and remain in compliance.

RSM’s PCI compliance services address all aspects of PCI, including:

PCI Approved Scanning Vendor (ASV) vulnerability assessment. ASV vulnerability assessments identify known network, operating system, web application and server exploits and vulnerabilities with the use of automated tools in accordance with PCI Data Security Standards requirements. Without knowing what vulnerabilities are present, it is impossible to remediate or mitigate them. Our assessment brings an organization’s knowledge of its vulnerabilities from unknown to known. RSM is a certified PCI ASV authorized to perform these assessments.

PCI compliant penetration testing. This testing determines if possible vulnerabilities in internet-facing and internal applications and systems jeopardize cardholder data security.

PCI gap assessment. A gap assessment helps you determine your readiness for an on-site Report on Compliance (RoC) assessment by identifying key areas of weakness and noncompliance. The assessment produces the steps needed to achieve compliance and explains how to maintain it as security compliance obligations evolve.

PCI Report on Compliance and Attestation of Compliance (RoC/AoC). PCI compliance is a contractual requirement for organizations that accept payment by credit card. Level 1 merchants are required to submit a PCI RoC/AoC to verify whether required policies, procedures and controls are in place. The RoC/AoC must be completed by a Qualified Security Assessor (QSA) on an annual basis to verify compliance with relevant controls. RSM’s consultants are QSA certified and can complete the RoC/AoC for clients.

PCI service provider quarterly review. Starting in 2018, PCI service providers must conduct quarterly reviews to confirm personnel are following security policies and operational procedures. This RSM service enables providers to establish a process to meet the quarterly requirement. RSM’s QSAs work with you to confirm that your compliance efforts are supported throughout the organization. The review also identifies where you need to take corrective measures.

Recommended Insights

PCI compliance diligence is a must for franchisors and franchisees
What must franchisors do to ensure franchisees are providing proper PCI security in their stores, restaurants and other businesses?

  • Matt Franko | August 13, 2018


PCI proves large ROI on security investment

RSM builds a repeatable PCI program for a hospitality organization, saving them at least $1.2 million in penalties.

  • March 01, 2018


PCI gap and business process flow

RSM provides remediation strategy for a large, multinational corporation by identifying control gaps related to PCI compliance.

  • March 01, 2018


PCI DSS version 3.2: How will it impact your organization?

Learn how new PCI DSS guidelines reflect emerging threats and new technologies, and how changes may affect your business processes.

  • November 14, 2016