Organizations that accept credit or debit card payments—as well as third parties that can affect the security of an entity’s cardholder data environment—must comply with PCI Security Standards Council (SSC) requirements. Non-compliance carries numerous risks, including fines, higher transaction fees, reputational harm and a loss of banking relationships.

Establishing and maintaining compliance can be complex and daunting. RSM’s PCI services, such as Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV) and Secure Software Lifecycle (Secure SLC), help businesses achieve compliance through a variety of methods.

Does PCI compliance apply to my organization?

Any business that stores, processes, accesses, or transmits payment cards or payment card data as a merchant or service provider is required to comply with PCI standards. Compliance significantly reduces the risk of consumers’ payment card data being compromised by cyberattacks.

Getting started

Navigating the array of requirements for compliance with PCI standards can be difficult. Our dedicated team can help your business develop and implement a plan to achieve and maintain consistent PCI compliance.


The RSM approach

RSM’s PCI services are multifaceted, but we begin by asking you to describe the changes you believe your company needs and the most efficient approach to making them. Our team conducts a thorough analysis of your current business processes and the technical handling of account data against the applicable PCI standard and then develops recommendations for improvements.

Our key PCI services include the following:

PCI advisory services

Our team will review your current PCI compliance program and highlight the risks associated with non-compliance. This process includes an analysis of the facts and considers alternative scope-reduction options to optimize PCI compliance processes across the organization. The team will consist of individuals with the specific skills, knowledge and experience to support your unique PCI compliance needs.

While these services are all available individually, many of our clients utilize multiple services to ensure they meet or exceed minimum compliance requirements.


PCI assessment services

PCI DSS Report on Compliance (ROC)

We perform a formal, independent validation of your organization’s adherence to the PCI DSS. Led by a QSA, this service includes a comprehensive review of your cardholder data environment, evaluating the people, processes and technologies that affect payment card data security. The engagement culminates in the delivery of a PCI ROC and Attestation of Compliance (AOC), which can be submitted to acquiring banks, card brands or customers to demonstrate compliance. 

Our assessors follow the most current version of the PCI DSS and tailor the process to your business model, establishing clarity, accuracy and actionable insights throughout the assessment. Whether you operate a single environment or manage complex, multi-entity infrastructures, our ROC services help you meet regulatory expectations and build trust with stakeholders.

PCI DSS Self-Assessment Questionnaire (SAQ)

As a part of the PCI DSS, you conduct a self-assessment internally to determine your organization’s ability to protect account data. Depending on acquirer/processor contractual obligations, Level 2 to 4 merchants may be required to submit a PCI SAQ to their acquirer/processor, and service providers may be required to submit their AOC to customers. Our QSAs can assist in preparing your SAQ and AOC or independently validate your ability to protect account data.

PCI Secure SLC ROC assessment

Our certified assessors can thoroughly review your organization’s software development lifecycle. The assessment covers the documented policies, procedures and standards that developers follow throughout the software’s lifecycle, from project start through operational deployment, implementation and maintenance. This independent validation of PCI Secure SLC compliance leads to the issuance of an ROC and an AOC, as well as submission to the PCI SSC. Upon accepting those documents, the PCI SSC lists the Secure SLC-qualified vendor on the SSC’s website as a resource for merchants, service providers and acquirers.

Cybersecurity testing

As a certified ASV, we offer both full-service and self-service options tailored to your operational needs to meet the PCI DSS requirements for external vulnerability scans of your internet-facing systems. Full-service scans are conducted by our PCI professionals using industry-standard tools, with detailed reports that include pass/fail status and remediation guidance. Self-service clients receive portal access for unlimited scanning and quarterly attestation support. These scans help validate your compliance posture and protect cardholder data from external threats.
