
PCI DSS Compliance and Certification Solutions
Our Approach
Merchants and service providers demonstrate PCI DSS compliance by assessing their CDE (cardholder data environment) against the requirements of the Standard that apply to them.
The type of assessment you must undergo, and your exact validation requirements, depend on your merchant or service provider level, which is based on the number of card transactions you process per year.
The levels are generally those defined by Visa and Mastercard, the predominant payment card brands; your acquiring bank can confirm the level that applies to you.
GRC Solutions can support your PCI DSS compliance project at all stages, from scoping and gap analysis to penetration testing and help completing an RoC (Report on Compliance).
PCI DSS Consultancy
We provide independent PCI DSS consultancy services to all organisations that store, process or transmit cardholder data. We can support you across the full compliance lifecycle, from initial scoping and assessment through to validation, remediation and ongoing compliance management.
Our consultants work with organisations of all sizes and levels of maturity. We can help you understand your PCI DSS obligations, reduce scope where appropriate, assess existing controls and address gaps in a practical and proportionate way. Where required, we can also support formal compliance validation and reporting.
Our services can be tailored to your environment, risk profile and operational constraints, with a focus on clarity, efficiency and sustainable compliance.
To discuss your PCI DSS requirements and how we could support you, contact our team today.

PCI DSS penetration testing
Our PCI penetration testing service helps you find vulnerabilities in the systems that store, process or transmit cardholder data, and in the systems connected to them, before criminals can exploit them. The testing is designed to support PCI DSS Requirement 11.4 (internal and external penetration testing) and, where you rely on network segmentation to reduce your scope, provides evidence that the segmentation controls isolating the CDE are effective.
PCI DSS training and staff awareness
We provide PCI DSS training and staff awareness services to help you build and maintain an appropriate level of understanding across your organisation. We can support general awareness for employees who handle or interact with cardholder data, as well as more in-depth training for teams with specific operational or technical responsibilities.
To discuss your PCI DSS training or staff awareness requirements, contact our team today.

PCI DSS Documentation Toolkit
The GRC Solutions PCI DSS Documentation Toolkit provides an extensive list of policies and forms appropriate for the PCI DSS. It also includes a set of project management tools, such as a document checker, a gap analysis tool and several other resources to help with the implementation of your PCI project.
Speak to an Expert
As a PCI Qualified Security Assessor (QSA), we provide end-to-end support to help you meet PCI DSS v4.0 requirements with confidence. From scoping and gap analysis to completing SAQs and Reports on Compliance (RoCs), our experts guide you through every step of the process. Complete the form below and we’ll help you reduce risk, avoid delays, and achieve PCI compliance efficiently and correctly the first time.
PCI DSS FAQ
Get answers to the most common questions and find out how we can help you manage your PCI compliance programme.
Who needs to comply with the PCI DSS?
Any business that processes, stores or transmits payment card data must comply with the PCI DSS. If you have outsourced all payment handling to a PCI DSS compliant service provider, your scope is greatly reduced, but you remain responsible for your own compliance: you still need to validate (typically via the shorter SAQ A) and to manage and monitor the compliance of the providers you use, as Requirement 12.8 demands.
Which SAQ do I need to complete?
The self-assessment questionnaire (SAQ) you need to complete depends on how you take card payments and how you process payment card data.
Some organisations (usually those that process a very large number of transactions, or that have recently suffered a data breach) must have their compliance validated by an external assessment and a RoC instead of an SAQ.
If you are not sure which SAQ you need to complete, contact us for advice.
What is a RoC?
A RoC (Report on Compliance) is produced by a QSA after an on-site assessment and documents an organisation's PCI DSS compliance status in detail. RoCs (and the associated assessments) are generally required for organisations that process a very large number of transactions and cannot use an SAQ, or that have recently suffered a data breach.
What is an AoC?
An AoC (Attestation of Compliance) is the formal declaration of compliance status that accompanies a completed SAQ or RoC. It is signed by your organisation and, where a QSA carried out the assessment, by the QSA. The AoC is the document you present to acquirers and customers as evidence of your PCI DSS compliance for the assessment period; it is typically renewed annually.
How long does it take to comply with the PCI DSS?
The time it takes to comply with the PCI DSS depends on the size of your organisation, your budget and your existing payment infrastructure. Most small-to-medium enterprises (SMEs) with reasonable maturity levels can achieve compliance within six months if backed by expert support. Larger organisations, even those with mature payment security infrastructure, can generally expect to achieve compliance within one year, depending on resource availability.
If your organisation is approaching PCI DSS compliance for the first time, our PCI DSS Gap Analysis provides a clear roadmap and bespoke expert advice on your best route forward.
How can I check whether a supplier is PCI DSS compliant?
Ask to see your supplier's AoC and/or RoC, as applicable. These documents are formal statements of compliance based on assessment of the supplier's SAQ or audit. Check that the AoC is current (less than a year old) and that its scope covers the specific services you consume, and record which PCI DSS requirements the supplier meets on your behalf and which remain your responsibility; Requirement 12.8 expects you to hold this information for every third-party service provider you rely on.