We understand that can be a complex and sensitive responsibility. We are here to help you understand and achieve your PCI DSS certification, so you can not only increase your security level but also strengthen the trust of your valued customers. Let us guide you to your PCI DSS certification.
Contact us
Do you store, process, or transmit credit card data? If so, you are required to comply with the requirements of the globally applicable Payment Card Industry Data Security Standard (PCI DSS). PCI DSS consists of many technical and organizational security measures, all aimed at providing the highest level of security for the processing and storage of credit card information.
From March 2024, the PCI Security Standards Council (PCI SSC) requires you to validate according to PCI DSS v4.0, the most significant update of the credit card data security standard so far, which will replace the version of PCI DSS v3.2.1.
An alignment and thus further development of existing processes based on the requirements of PCI DSS v4.0 usually requires a well-considered implementation project. Our experts will be happy to conduct a gap analysis alongside the assessment to check your environments, documents, and processes for non-compliance with PCI DSS v4.0, and present a validation plan.
As PCI QSA, Fortytwo Security is qualified to conduct (pre-)audits and to provide consulting to companies that are looking to achieve, maintain, or prove PCI compliance. Our consultants will help you to identify gaps in processes, review and suggest practical remediation solutions, and provide additional resources if you have limited resources or skills to do the work in-house.
We offer a full range of PCI DSS services, including penetration testing, vulnerability scanning (ASV), and QSA audit support. Our services consist of:
For external scanning of ASV vulnerabilities, an approved scan provider certified by PCI SSC (PCI Security Standard Council) is required. Fortytwo is certified to use Qualys as an approved scan provider.
Support and guidance to address and rectify identified issues, deficiencies, or non-compliance with audit findings. Remediation assistance aims to help you take corrective actions to mitigate risks, improve processes, and achieve compliance.
If required, we can conduct compliance audits, assessments, or inspections remotely to ensure adherence to regulatory requirements, industry standards, or organizational policies. This can involve reviewing documentation, conducting interviews, and performing remote audits using virtual collaboration tools.
Guidance and support to develop, review, or enhance policies, procedures, and internal controls in response to audit findings or compliance requirements. Our assistance is aimed at helping you establish clear, effective, and compliant policies and procedures that align with regulatory requirements, industry standards, and best practices.
Reduce your PCI DSS audit time and expense. Our PCI DSS continuous compliance service is subscription-based. It offers an attractive and effective method of validating PCI-DSS and having access to a QSA during the annual cycle. You are guided through the periodic tasks, to help you to keep track of them and that they are available during the compliance period to deal with any issues or questions that come up. Our Continuous Compliance program will be adjusted to your organization’s specific needs.
How well does your team understand security risks? Our Security Awareness workshops combine theory and expertise to deliver training that is informative and compelling. The objective is for employees to recognize the value of different types of information, understand the risks to this information, and behave proactively to protect it in their everyday work. Our workshops can be tailored to the level of IT knowledge that is needed.
For PCI compliance, an annual Internal and External Pentest for both merchants and service providers is required. And, segmentation tests, annual for merchants and semi-annual for service providers. Our pentesters have extensive experience in performing PCI penetration tests (internal and external) and internal vulnerability analysis.
SAQ assistance involves helping you to understand the requirements of the SAQ relevant to your specific payment processing environment, guiding you through the completion of the questionnaire, and providing recommendations for achieving compliance.
Comprehensive support and expertise to help organizations achieve and maintain PCI DSS compliance.
“We greatly appreciate the years of dedication and commitment of our PCI DSS auditor. His in-depth technical knowledge and valuable advice have taken our organization to the next level. Thank you for the excellent cooperation and continued support!”
Geert, Munckhof Group
"Working with Fortytwo has been a great experience. Their service is excellent, with knowledgeable and flexible staff who are always ready to help. Make sure you get there early as their popularity means they can get busy at times."
Remco, Airtrade
"Fortytwo has been our partner since our inception. Its team is composed of great professionals and good people, which guarantees excellence in our business.”
Vicente, PayByCall
“Fortytwo engineers are flexible and very knowledgeable. They understand that one size does not fit all. I recommend their personalized service to any company!”
Thierry, Vendo
Avoid fines
Being compliant may provide a safety net against hefty fines and rigorous requirements if your organization is breached.
Authority
The PCI DSS SSC seeks to create an equal level playing field among its entities and merchants. Be part of the growing group of entities that ensures cardholder data security.
Integration
Legislation such as the General Data Protection Regulation (GDPR) requires accountability for personal data. PCI DSS is one of the paths that can be chosen towards compliance.
Constant
improvement
The PCI DSS puts a framework in place that encourages regular review and process improvements.
Safeguard
sensitive data
Cybercriminals target companies with high-value data. Prepare your company against cyber-attacks.
Maintain trust
and reputation
PCI DSS is among the strongest certifications on information security. Ensure that your organization safeguards its reputation and trust.
Our PCI DSS compliance service is a detailed look at your organization from the Payment Card Industry perspective. Our PCI DSS assessment comprises a cycle involving four distinct phases that lead to PCI DSS compliance. Here are the following 4-phases:
During this phase, the scope and reach of the project is determined. Together with all stakeholders, we review PCI DSS and the steps needed to become compliant. An inventory is made of documents such as your policies and procedures, application information, installation manuals, test reports, and source-code reviews. The scoping phase is executed using the OpenScoping toolkit, which defines an objective framework for setting the scope.
During this phase, we identify the possible problem areas of PCI DSS and create a roadmap to compliance. We will request a relevant documentation of your systems, technical details of your network configuration, and relevant documents that describe your business processes.
In the remediation phase, all remedial actions are defined, penetration testing is done and evidence for compliance readiness is collected. We provide a detailed report of issues stating your compliance status and any remediation needs. Together we will fix areas of non-compliance and perform the retesting process.
The onsite PCI DSS Audit is where we meet your team and sample systems to gather accurate information to satisfy PCI DSS compliance. The evidence and the full SAQ are checked. If a Report on Compliance (RoC) is needed, the full audit will be performed. During this phase, the Attestation of Compliance (AOC) is generated.
Completely new requirements in version 4.0 were given the suffix "future-dated", which gives organizations time beyond the transition period to complete necessary implementations.
Until March 31, 2025, these requirements are considered best practices and are optional during that time.
After March 31, 2025, these requirements will be considered mandatory and must be fully addressed as part of future PCI DSS certifications.
Any organization that handles payment card data, including merchants, service providers, and financial institutions, must comply with PCI DSS requirements. Compliance is mandated by payment card networks such as Visa, Mastercard, American Express, Discover, and JCB.
To prepare for a PCI DSS audit, organizations should familiarize themselves with the requirements of the standard, conduct a gap analysis to identify areas of non-compliance, implement necessary security controls and procedures, and document evidence of compliance.
Yes, PCI DSS compliance requires organizations to undergo annual audits to assess their adherence to security standards and validate their compliance status. Additionally, ongoing monitoring and periodic assessments may be necessary to maintain compliance throughout the year.
Non-compliance with PCI DSS can have serious consequences, including financial penalties, fines, legal liabilities, reputational damage, loss of business opportunities, and suspension or termination of payment card processing privileges by card networks.