Payment card industry (PCI) compliance

Organizations that accept credit or debit card payments—as well as third parties that can affect the security of an entity’s cardholder data environment—must comply with PCI Security Standards Council (SSC) requirements. Non-compliance carries numerous risks, including fines, higher transaction fees, reputational harm and a loss of banking relationships.

Establishing and maintaining compliance can be complex and daunting. RSM’s PCI services, such as Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV) and Secure Software Lifecycle (Secure SLC), help businesses achieve compliance through a variety of methods.

Does PCI compliance apply to my organization?

Any business that stores, processes, accesses, or transmits payment cards or payment card data as a merchant or service provider is required to comply with PCI standards. Compliance significantly reduces the risk of consumers’ payment card data being compromised by cyberattacks.

Getting started

Navigating the array of requirements for compliance with PCI standards can be difficult. Our dedicated team can help your business develop and implement a plan to achieve and maintain consistent PCI compliance.

The RSM approach

RSM’s PCI services are multifaceted, but we begin by asking you to describe the changes you believe your company needs and the most efficient approach to making them. Our team conducts a thorough analysis of your current business and technical account data processes against the applicable PCI standard and then develops recommendations for improvements.

Our key PCI services include the following:

PCI advisory services

: Our team will review your current PCI compliance program and highlight the risks associated with non-compliance. This process includes analysis of factual matters and considers alternative solutions regarding scope reduction to optimize PCI compliance processes across the organization. The team will consist of individuals with the specific skills, knowledge and experience to support your unique PCI compliance needs.

: Our team helps your organization evaluate your current security posture against the latest PCI DSS requirements. Through a structured assessment process, we identify compliance gaps across systems, processes and documentation that store, process or transmit cardholder data. We provide high-level recommendations and strategic remediation roadmaps to address deficiencies and strengthen your PCI program.

This service includes scoping validation, interviews with key personnel, and review of technical and policy artifacts to align your environment with PCI DSS expectations. Final deliverables include an internal-use readiness report and executive presentation, designed to prepare your organization for formal PCI assessments.

: Our virtual ISA service provides access to seasoned PCI professionals who act as an extension of your internal team. We guide and support your PCI compliance journey by offering detailed insights, strategic recommendations and hands-on assistance tailored to your environment.

Whether you're navigating scope reduction, implementing controls or preparing for assessments, the virtual ISA keeps you aligned with PCI DSS requirements. It’s a flexible and cost-effective way to maintain continual compliance without the overhead of a full-time internal resource. Our virtual ISA team brings deep experience and industry-recognized credentials to help you manage risk and meet evolving standards confidently.

: RSM offers specialized consulting services, providing subject matter professionals and tailored solutions to address identified PCI compliance gaps.

: The PCI DSS 4.0.1 standard includes expanded risk analysis requirements to evaluate the frequency of performing periodic controls and assess the inherent risks of hardware and software technologies in use. If applicable, the analysis also evaluates the risks associated with customized encryption controls. RSM will help your organization develop and analyze your risk posture to meet these new requirements.

: Our team guides you on maintaining and improving your PCI compliance program throughout the year and helps you define key milestones to eliminate rework later. In addition, PCI merchants and service providers are required to conduct quarterly reviews to confirm that personnel are following security practices and operational procedures. Our QSAs can help you establish a process to meet that requirement and will work with you to support compliance efforts throughout the organization.

: The RSM SCORE program supports your organization through the entire PCI compliance lifecycle to help you build repeatable, consistent processes for achieving and maintaining compliance. This methodology is intended to be cyclical, as moving through the phases promotes program maturity and transitions compliance efforts to a more managed, automated and measurable state. In addition, routinely validating scope and aligning organizational components can help you identify new opportunities for optimization. This approach is scalable for organizations of any size, compliance footprint and maturity level.

PCI SCORE phases include:

S – Scope evaluation: The PCI DSS calls for scope evaluation on an annual basis. We can help you understand how and where you process, transmit and store credit card data, as well as how connected systems may affect the scope of your PCI compliance. The scope evaluation will give you a better understanding of what your PCI assessment will entail, which Self-Assessment Questionnaire will apply, and whether you are required to complete a Report on Compliance.

C – Collaborative remediation: We identify gaps, help reduce their scope and advise you on remediation strategies, working with your team to support efficiency and consistency.

O – Organizational alignment: This phase is essential to maintaining a mature PCI program. The goal is to remove organizational silos and create cohesiveness across business functions. To this end, our team provides input on roles and responsibilities, and helps you outline an overarching compliance strategy encompassing your entire regulatory footprint (e.g., PCI standards, privacy regulations, and other federal and state laws).

R – Reporting compliance: In addition to helping you report initial compliance, we guide you in establishing a process to maintain and monitor compliance on an ongoing basis. We assist with developing internal reporting and oversight to establish a strong compliance reporting framework. We also help you lay the foundation for continual compliance, such as using dashboards for ongoing monitoring and consistent validation of controls.

E – Evolving maturity: The final SCORE phase involves cultivating the ability to demonstrate compliance at any time of year and adapt to evolving hardware, software and business requirements. This may include leveraging a governance, risk management, and compliance integration or an audit management solution to automate and centralize responses to regulatory compliance requests. These efforts help to integrate compliance into routine business processes and continually mature your compliance program.

While these services are all available individually, many of our clients utilize multiple services to ensure they meet or exceed minimum compliance requirements.

PCI assessment services

PCI DSS Report on Compliance (ROC)

We perform a formal, independent validation of your organization’s adherence to the PCI DSS. Led by a QSA, this service includes a comprehensive review of your cardholder data environment, evaluating the people, processes and technologies that affect payment card data security. The engagement culminates in the delivery of a PCI ROC and Attestation of Compliance (AOC), which can be submitted to acquiring banks, card brands or customers to demonstrate compliance.

Our assessors follow the most current version of the PCI DSS and tailor the process to your business model, establishing clarity, accuracy and actionable insights throughout the assessment. Whether you operate a single environment or manage complex, multi-entity infrastructures, our ROC services help you meet regulatory expectations and build trust with stakeholders.

PCI DSS Self-Assessment Questionnaire (SAQ)

As a part of the PCI DSS, you conduct a self-assessment internally to determine your organization’s ability to protect account data. Depending on acquirer/processor contractual obligations, Level 2 to 4 merchants may be required to submit a PCI SAQ to their acquirer/processor, and service providers may be required to submit their AOC to customers. Our QSAs can assist in preparing your SAQ and AOC or independently validate your ability to protect account data.

PCI Secure SLC ROC assessment

Our certified assessors can thoroughly review your organization’s software development lifecycle. The assessment covers the documented policies, procedures and standards that developers follow throughout the software’s lifecycle, from project start through operational deployment, implementation and maintenance. This independent validation of PCI Secure SLC compliance leads to the issuance of an ROC and an AOC, as well as submission to the PCI SSC. Upon accepting those documents, the PCI SSC lists the Secure SLC-qualified vendor on the SSC’s website as a resource for merchants, service providers and acquirers.

Cybersecurity testing

: As a certified ASV, we offer both full-service and self-service options tailored to your operational needs to meet the PCI DSS requirements for external vulnerability scans of your internet-facing systems. Full-service scans are conducted by our PCI professionals using industry-standard tools, with detailed reports that include pass/fail status and remediation guidance. Self-service clients receive portal access for unlimited scanning and quarterly attestation support. These scans help validate your compliance posture and protect cardholder data from external threats.

: Our PCI penetration testing services provide a comprehensive evaluation of your cardholder data environment through network, application and segmentation testing. Our team identifies exploitable vulnerabilities and misconfigurations across internal and external systems, simulating real-world attack scenarios to validate PCI DSS controls. Segmentation testing enables out-of-scope systems to be properly isolated, reducing compliance scope and risk exposure. All testing aligns with PCI DSS v4.0.1 requirements and industry standards, delivering actionable insights to strengthen your security posture and support audit readiness.

: Our internal vulnerability scanning service identifies system-based weaknesses across your cardholder data environment through automated scans and deep analysis. These scans are performed quarterly using commercial and open-source tools to assess servers, workstations and network devices. We provide detailed reports that map technical risks to business functions and offer actionable remediation recommendations. Advanced testing includes manual validation to reduce false positives and deliver accurate results. This service supports PCI DSS compliance and strengthens your internal security posture.

Recent insights from our cybersecurity professionals

Curated content to keep you informed

See all risk, fraud and cybersecurity insights

Additional insights and solutions to achieve your organization’s goals

Experience the power of being understood

Connect with our risk, fraud and cybersecurity professionals today.

Contact RSM today

Featured solution

Penetration testing

Identify how attackers will exploit your company’s weaknesses with pen-testing services.

Ready to understand your vulnerabilities?

THE POWER OF BEING UNDERSTOOD

ASSURANCE | TAX | CONSULTING

RSM Canada LLP is a limited liability partnership that provides public accounting services and is the Canadian member firm of RSM International, a global network of independent assurance, tax and consulting firms. RSM Canada Consulting LP is a limited partnership that provides consulting services and is an affiliate of RSM US LLP, a member firm of RSM International. The member firms of RSM International collaborate to provide services to global clients but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmcanada.com/about for more information regarding RSM Canada and RSM International.

Technology alliance platforms

Featured technologies

Platform user insights and resources

About RSM

Experience RSM

Spotlight on culture

Work with us