Payment card industry (PCI) compliance

Helping you comply with the payment card industry data security standard

Organizations that accept credit or debit cards as a form of payment must comply with requirements set by the Payment Card Industry (PCI) Security Standards Council. Noncompliance carries numerous risks, including fines, higher transaction fees, reputational harm and a loss of banking relationships.

Ensuring compliance can be complex and daunting. RSM’s PCI services help businesses achieve and maintain compliance through a variety of methods. These include gap assessments and penetration testing, as well as vulnerability assessments against your cardholder data (CHD) environment, which RSM is authorized to perform as a PCI-approved scanning vendor.

Does PCI compliance apply to my organization?

Any business that stores, processes, accesses or transmits payment cards or payment card data as a merchant or service provider is required to comply with PCI standards. Compliance significantly reduces the risk of consumers’ CHD being compromised by cyberattacks.

The RSM approach

RSM’s PCI services are multifaceted, but we always begin by asking you to describe the changes you believe your company needs and the most efficient approach to making them. Our team begins the process with a thorough analysis of your business’s current cardholder data (CHD) procedures, and then develops recommendations for improvements. Our key services include:

: In this step we identify known network, operating system, web application, and server exploits and vulnerabilities on specified internet-enabled devices and applications by using automated tools in accordance with the PCI data security standard (DSS). Once these issues are identified, we can assist you in remediating them.

: This process helps determine your readiness for a compliance assessment against version 3.2.1 of the DSS and identifies key compliance gaps. The project results in steps required to achieve compliance and to understand how to maintain compliance with payment card industry security compliance obligations.

: On March 31, 2022, the PCI Security Standards Council released the much-anticipated version 4.0 of the DSS. The new version of the standard defines the latest requirements for compliance for organizations that store, process, transmit or can impact the security of credit/debit card account data. To provide organizations time to understand the changes in version 4.0 and implement any updates needed, the current version of PCI DSS 3.2.1, will remain active for two years until it is retired on March 31, 2024. We can provide the tools and information needed to manage the impact of these changes. A PCI DSS 4.0 readiness assessment will help you identify your organization’s compliance gaps against the new requirements.

: The new standard includes expanded risk analysis requirements to evaluate the frequency of performing periodic controls and assess the inherent risk of hardware and software technologies in use. Additionally, and if applicable, it evaluates the risks associated with customized and encryption controls. RSM will help your organization develop and analyze your risk posture to meet these new requirements.

: We perform this assessment in accordance with the PCI DSS to determine your ability to protect CHD. Level 1 merchants (those with 6 million transactions or more per year) are required to submit to the Security Standards Council a PCI ROC completed by a qualified security assessor (QSA) on an annual basis.

: After completion of the PCI DSS, you conduct PCI SAQ internally to determine your organization’s ability to protect CHD. Depending on acquirer/processor contractual obligations, Level 2 to 4 merchants may be required to submit to the Security Standards Council a PCI SAQ, which our QSAs will assist in preparing.

: Our team provides continual guidance on maintaining and improving your PCI compliance programs, enabling you to monitor your compliance throughout the year and define key milestones to eliminate rework later. In addition, PCI merchant or service providers are required to conduct quarterly reviews to confirm that personnel are following security practices and operational procedures. Our QSAs can help you establish a process to meet the quarterly requirement and will work with you to ensure your compliance efforts are supported throughout the organization.

: The PCI software security framework is a collection of standards for the secure design and development of payment software. Our independent validation process certifies your payment software, along with the software life-cycle management practices used in its development, with the Security Standards Council.

: This service addresses the security requirements for entities that accept, process or transmit payment card personal identification numbers (PINs). The PCI PIN security standard provides requirements and testing procedures for the secure management, processing and transmission of PIN data at ATMs and point-of-sale terminals. Our team provides advisory and validation services for entities required to comply with this standard.

: These annual internal and external network and application-level tests required by the PCI DSS assess your current security controls to determine the actionable impact from an attacker gaining access to your cardholder data environment.

: This program supports your organization through the entire PCI compliance life cycle to help you build repeatable, consistent processes for achieving and maintaining compliance. This methodology is intended to be cyclical, as moving through the phases promotes program maturity and transitions compliance efforts to a more managed, automated and measurable state. In addition, routinely validating scope and aligning organizational components can help you identify new opportunities for optimization. This approach is scalable for organizations of any size, compliance footprint and maturity level.

The PCI SCORE phases include:

S – Scope evaluation: The PCI standards call for scope evaluation on an annual basis. We can help you understand how and where you process, transmit and store credit card data, as well as how connected systems may affect the scope of your PCI attestation. The scope evaluation will give you a better understanding of what your PCI assessment will entail and which SAQ will apply, or whether you are required to complete an ROC.

C – Collaborative remediation: We identify gaps, help reduce scope and provide advice around remediation strategies. By collaborating with your team, we can pursue an efficient and consistent remediation effort.

O – Organizational alignment: This phase is essential to maintaining a mature PCI program. The goal is to remove organizational silos and create cohesiveness across business functions. Toward this end, our team provides input on roles and responsibilities and helps you outline an overarching compliance strategy that encompasses your entire regulatory footprint (e.g., PCI standards, privacy regulations and other federal and state laws).

R – Reporting compliance: In addition to helping you report initial compliance, we help you establish a process to maintain and monitor compliance on an ongoing basis. We assist with developing internal reporting and oversight to ensure a strong compliance reporting framework. We also help you lay the foundation for continual compliance, such as using dashboards for ongoing monitoring and consistent validation of controls.

E – Evolving maturity: The final SCORE phase involves cultivating the ability to demonstrate compliance at any time of year and adapt to evolving hardware, software and business requirements. This may include leveraging a governance, risk management and compliance integration or an audit management solution to automate and centralize responses to regulatory compliance requests. These efforts help to integrate compliance into routine business processes and continually mature your compliance program.

While these services are all available individually, many of our clients utilize multiple services to ensure they meet or exceed minimum compliance requirements.

Next steps

Navigating the array of requirements for compliance with PCI standards can be difficult and daunting. Our dedicated team can help ensure that your business has a plan going forward to achieve and maintain consistent PCI compliance. Contact RSM today to allow us to help you determine which services will most benefit your business.

Recent insights from our cybersecurity professionals

Curated content to keep you informed

See all risk, fraud and cybersecurity insights

Additional insights and solutions to achieve your organization’s goals

Experience the power of being understood

Connect with our risk, fraud and cybersecurity professionals today.

Contact RSM today

Stay up to date on what matters most to your business.

Let us know your personal preferences for topics, industries and services to start receiving RSM updates in your inbox. Get the most from insights, events and offers from our team of first-choice advisors.

Subscribe now >

THE POWER OF BEING UNDERSTOOD

ASSURANCE | TAX | CONSULTING

RSM Canada LLP is a limited liability partnership that provides public accounting services and is the Canadian member firm of RSM International, a global network of independent assurance, tax and consulting firms. RSM Canada Consulting LP is a limited partnership that provides consulting services and is an affiliate of RSM US LLP, a member firm of RSM International. The member firms of RSM International collaborate to provide services to global clients but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmcanada.com/about for more information regarding RSM Canada and RSM International.

Strategic technology alliances

Featured technologies

Platform user insights and resources

About RSM

Experience RSM

Spotlight on culture

Work with us