Retail / Commerce

Solutions designed to meet the ever-changing Retail/Commerce security & compliance landscape.

Navigating the Payment Card Industry

Retailers and ecommerce companies face a rapidly evolving threat landscape where security, compliance, and daily operations are tightly interwoven. Contextual Security Solutions provides cybersecurity risk and compliance services designed for the unique challenges of modern retail—intricate payment systems, third-party vendor relationships, omnichannel operations, and shifting regulatory requirements.

We help retail and ecommerce organizations gain clear visibility into their risk posture, validate security controls, and prioritize remediation efforts that support business goals. Our services span PCI DSS readiness and validation, enterprise risk assessments, penetration testing, and control effectiveness reviews. As a PCI Qualified Security Assessor Company (QSAC) recognized by the PCI Security Standards Council since 2012, we maintain a team of full-time, in-house assessors with extensive experience serving national retailers, ecommerce platforms, service providers, and high-volume transaction environments.

We prioritize clarity and practicality in everything we do—delivering assessments that are technically rigorous, operationally relevant, and easy to communicate to executives, boards, and external stakeholders.

Services and Solutions Specific to Your Industry

PCI DSS Gap Analysis (ROCs & SAQs)

Self-Assessing? Preparing for a Third-Party Audit?

Whether you're unsure what "Level 1" means, just received a letter from your acquiring bank about completing a SAQ, or aren't certain where your cardholder data resides—let alone how to comply with PCI DSS standards—our PCI DSS Gap Analysis engagement is designed to help.

We work with customers to identify their current state, define their scope, and measure the distance to full compliance. Our reports go beyond surface-level assessments, providing not just a clear picture of your compliance gaps, but also strategic guidance on how to prioritize remediation efforts and create an actionable roadmap forward.

With deep experience serving retail merchants, healthcare clients, energy cooperatives, third-party service providers, and other organizations handling payment card data, we help build a strong compliance foundation and partner with you on the journey toward greater security and regulatory adherence.

Level 1 Third-Party Audits and Attestation

Your PCI Compliance Partner Since 2012

Third-party PCI DSS reporting doesn't have to be overwhelming. For more than ten years, we've helped organizations like yours achieve and maintain compliance through comprehensive Reports on Compliance (ROCs) and Attestations of Compliance (AOCs) that meet Payment Card Industry Data Security Standards—currently Version 4.0.1. Our track record spans assessments across diverse industries, giving us insight into the unique challenges different organizations face in protecting cardholder data.

What sets us apart is our team's combination of breadth and depth. Every Qualified Security Assessor (QSA) on our team brings not only PCI DSS certification and expertise, but also substantial hands-on technical knowledge in network architecture and cybersecurity. This dual expertise means we don't just check boxes—we understand how your systems actually work and how the standard applies to your specific environment.

When you ask how your Interactive Voice Response (IVR) system impacts the scope of your cardholder data environment (CDE), we can evaluate your architecture and provide clear guidance. When you need to understand what approach will satisfy Requirement 11's segmentation testing most effectively for your network design, we can provide examples of practical solutions that balance security and operational efficiency. And when you're uncertain about the level of detail required in policies and procedures throughout the PCI DSS framework, we can share examples from our experience and point to industry best practices that satisfy assessors while remaining practical for day-to-day operations.

We're here to address your specific compliance needs with practical, informed solutions—serving as trusted advisors who help you navigate the complexities of PCI DSS with confidence.

PERIGON360 | Remote Site Reports

PERIGON360: Compliance Engine

Our Perigon360 platform gives customers visibility into key audit statuses, metrics, and controls, showing how the report status develops over the course of the engagement. Meaningful charts and graphs give you the information you need to stay informed on your project status and answer the questions that plague clients on every yearly audit.

Remote Site Reporting (RSRs)

Do you ever wonder how your remote locations figure into your compliance journey? We don’t wonder: we find out, and we represent each location and its compliance elements, with trends, in our Location Audit Report. Whether it’s Wi-Fi standards, card-processing terminals, or door locks and cameras, we identify your points of defense and areas of weakness and draw connections based on trends. Audit history shows year-over-year improvement, with results tailored to your vertical.

Security Tasks Cadence - Retail Industry

Solidify your information security program through the consistent execution of applicable security & compliance tasks.

PCI DSS 4.0 includes a number of tasks that must be performed on a defined cadence. Depending on the scope of your organization's cardholder data environment (CDE), some or all of the following must be performed:

PCI DSS Tasks to be performed at least Quarterly

Wireless Access Testing | Testing, detection, and identification of authorized and unauthorized wireless access points occurs at least once every three months.

Internal Vulnerability Scans | Internal vulnerability scans are performed at least every three months.

External Vulnerability Scans | External vulnerability scans are performed at least every three months.

PCI DSS Tasks to be performed at least every Six Months

Firewall Configurations Review | Configurations of network security controls (NSCs) are reviewed at least once every six months to confirm they are relevant and effective.

PCI DSS Tasks to be performed at least Annually

Penetration Testing | External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

Segmentation Testing | If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls at least once every 12 months and after any changes to segmentation controls/methods.

Risk Assessment | Risks to the cardholder data environment are formally identified, evaluated, and managed.

Security Awareness Training | Security awareness education is an ongoing activity.

Incident Response Training and Plan Review | At least once every 12 months, the security incident response plan is reviewed and the content is updated as needed and tested, including all elements in Requirement 12.10.1.
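As an added illustration (not part of this page or the firm's tooling), the following Python script encodes the cadences listed above and reports which tasks are overdue as of a given date. The day counts per cadence, the task names, and the sample completion dates are assumptions; the "retest-required" status models the rule that segmentation testing must be repeated after any change to segmentation controls.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Maximum interval between executions, from the PCI DSS 4.0 cadence list above.
# Day counts are an assumption: 3 months -> 92, 6 months -> 183, 12 months -> 365.
CADENCE_DAYS = {
    "Wireless Access Testing": 92,
    "Internal Vulnerability Scans": 92,
    "External Vulnerability Scans": 92,
    "Firewall Configurations Review": 183,
    "Penetration Testing": 365,
    "Segmentation Testing": 365,
    "Risk Assessment": 365,
    "Incident Response Plan Review": 365,
}

@dataclass
class TaskRecord:
    name: str
    last_completed: Optional[date] = None  # None: never performed
    trigger_events: list = field(default_factory=list)  # e.g. segmentation-control changes

def next_due(rec: TaskRecord) -> Optional[date]:
    """Latest acceptable date for the next execution (None if never performed)."""
    if rec.last_completed is None:
        return None
    return rec.last_completed + timedelta(days=CADENCE_DAYS[rec.name])

def task_status(rec: TaskRecord, as_of: date) -> str:
    """Return 'never', 'overdue', 'retest-required' or 'ok' as of the given date."""
    if rec.last_completed is None:
        return "never"
    if as_of > next_due(rec):
        return "overdue"
    if any(ev > rec.last_completed for ev in rec.trigger_events):
        return "retest-required"  # a trigger event since the last run forces a re-run
    return "ok"

def cadence_report(records, as_of: date) -> dict:
    """Map task name -> status; a task missing from CADENCE_DAYS raises KeyError."""
    return {r.name: task_status(r, as_of) for r in records}

SAMPLE = [  # constructed sample data
    TaskRecord("Internal Vulnerability Scans", date(2024, 1, 15)),
    TaskRecord("Segmentation Testing", date(2024, 2, 1), [date(2024, 5, 10)]),
    TaskRecord("Firewall Configurations Review"),
    TaskRecord("Penetration Testing", date(2023, 12, 1)),
]
if __name__ == "__main__":
    for name, status in cadence_report(SAMPLE, date(2024, 6, 1)).items():
        print(f"{name}: {status}")
```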

Contextual Security Solutions can assist your organization with these tasks, keeping you on track with your compliance initiatives.
