PCI Compliance

We understand that PCI compliance can be a complex and sensitive responsibility. We are here to help you understand and achieve your PCI DSS certification, so you can not only raise your security level but also strengthen the trust of your valued customers. Let us guide you to your PCI DSS certification.

PCI DSS 4.0

Do you store, process, or transmit credit card data? If so, you are required to comply with the requirements of the globally applicable Payment Card Industry Data Security Standard (PCI DSS). PCI DSS consists of many technical and organizational security measures, all aimed at providing the highest level of security for the processing and storage of credit card information.

From March 2024, the PCI Security Standards Council (PCI SSC) requires you to validate against PCI DSS v4.0, the most significant update of the credit card data security standard so far, which replaces PCI DSS v3.2.1.

Aligning and further developing your existing processes to the requirements of PCI DSS v4.0 usually calls for a well-planned implementation project. Our experts will be happy to conduct a gap analysis alongside the assessment, checking your environments, documents, and processes for non-compliance with PCI DSS v4.0, and present a validation plan.

How we support you

As a PCI QSA (Qualified Security Assessor), Fortytwo Security is qualified to conduct (pre-)audits and to provide consulting to companies that are looking to achieve, maintain, or prove PCI compliance. Our consultants will help you identify gaps in processes, review and suggest practical remediation solutions, and provide additional resources if you lack the capacity or skills to do the work in-house.

We offer a full range of PCI DSS services, including penetration testing, vulnerability scanning (ASV), and QSA audit support. Our services consist of:

ASV scanning

External vulnerability scanning for PCI DSS must be performed by an Approved Scanning Vendor (ASV) certified by the PCI SSC (PCI Security Standards Council). Fortytwo is certified to use Qualys as an approved scan provider.

Remediation assistance

Support and guidance to address and rectify issues, deficiencies, or non-compliance identified in audit findings. Remediation assistance helps you take corrective actions to mitigate risks, improve processes, and achieve compliance.

Remote validation project

If required, we can conduct compliance audits, assessments, or inspections remotely to ensure adherence to regulatory requirements, industry standards, or organizational policies. This can involve reviewing documentation, conducting interviews, and performing remote audits using virtual collaboration tools.

Policy and Procedure assistance

Guidance and support to develop, review, or enhance policies, procedures, and internal controls in response to audit findings or compliance requirements. Our assistance is aimed at helping you establish clear, effective, and compliant policies and procedures that align with regulatory requirements, industry standards, and best practices.

Continuous Compliance service

Reduce your PCI DSS audit time and expense. Our PCI DSS continuous compliance service is subscription-based. It offers an attractive and effective way of validating PCI DSS compliance while having access to a QSA throughout the annual cycle. We guide you through the periodic tasks so you can keep track of them, and our consultants remain available during the compliance period to deal with any issues or questions that come up. Our Continuous Compliance program is adjusted to your organization’s specific needs.

PCI DSS workshops tailored to your needs

How well does your team understand security risks? Our Security Awareness workshops combine theory and expertise to deliver training that is informative and compelling. The objective is for employees to recognize the value of different types of information, understand the risks to that information, and act proactively to protect it in their everyday work. Our workshops can be tailored to the level of IT knowledge required.

PCI Pentesting and segmentation tests

For PCI compliance, an annual internal and external penetration test is required for both merchants and service providers. Segmentation tests are also required: annually for merchants and semi-annually for service providers. Our pentesters have extensive experience in performing PCI penetration tests (internal and external) and internal vulnerability analysis.

Self-Assessment Questionnaire (SAQ) assistance and ROC report writing

SAQ assistance involves helping you understand the requirements of the SAQ relevant to your specific payment processing environment, guiding you through completion of the questionnaire, and providing recommendations for achieving compliance.

Guidance throughout the PCI project

Comprehensive support and expertise to help organizations achieve and maintain PCI DSS compliance.

Why become PCI compliant?

Avoid fines

Being compliant may provide a safety net against hefty fines and rigorous requirements if your organization is breached.

Authority

The PCI SSC seeks to create a level playing field among its entities and merchants. Be part of the growing group of entities that ensure cardholder data security.

Integration

Legislation such as the General Data Protection Regulation (GDPR) requires accountability for personal data. PCI DSS is one of the paths that can be chosen towards compliance.

Constant improvement

The PCI DSS puts a framework in place that encourages regular review and process improvements.

Safeguard sensitive data

Cybercriminals target companies with high-value data. Prepare your company against cyber-attacks.

Maintain trust and reputation

PCI DSS is among the strongest certifications on information security. Ensure that your organization safeguards its reputation and trust.

How we work

Our PCI DSS compliance service is a detailed look at your organization from the Payment Card Industry perspective. Our PCI DSS assessment is a cycle of four distinct phases that lead to PCI DSS compliance. The four phases are:

01

Scope analysis

During this phase, the scope and reach of the project are determined. Together with all stakeholders, we review PCI DSS and the steps needed to become compliant. An inventory is made of documents such as your policies and procedures, application information, installation manuals, test reports, and source-code reviews. The scoping phase is executed using the OpenScoping toolkit, which defines an objective framework for setting the scope.

02

Pre-audit

During this phase, we identify the possible problem areas of PCI DSS and create a roadmap to compliance. We will request relevant documentation of your systems, technical details of your network configuration, and relevant documents that describe your business processes.

03

Remediation

In the remediation phase, all remedial actions are defined, penetration testing is performed, and evidence of compliance readiness is collected. We provide a detailed report of issues stating your compliance status and any remediation needs. Together we fix the areas of non-compliance and carry out retesting.

04

Audit

The onsite PCI DSS audit is where we meet your team and sample systems to gather accurate information to satisfy PCI DSS compliance. The evidence and the full SAQ are checked. If a Report on Compliance (ROC) is needed, the full audit is performed. During this phase, the Attestation of Compliance (AOC) is generated.

FAQ

Completely new requirements in version 4.0 were labelled "future-dated", which gives organizations time beyond the transition period to complete the necessary implementations.

Until March 31, 2025, these requirements are considered best practices and are optional during that time.

After March 31, 2025, these requirements will be considered mandatory and must be fully addressed as part of future PCI DSS certifications.

Any organization that handles payment card data, including merchants, service providers, and financial institutions, must comply with PCI DSS requirements. Compliance is mandated by payment card networks such as Visa, Mastercard, American Express, Discover, and JCB.

To prepare for a PCI DSS audit, organizations should familiarize themselves with the requirements of the standard, conduct a gap analysis to identify areas of non-compliance, implement necessary security controls and procedures, and document evidence of compliance.

Yes, PCI DSS compliance requires organizations to undergo annual audits to assess their adherence to security standards and validate their compliance status. Additionally, ongoing monitoring and periodic assessments may be necessary to maintain compliance throughout the year.

Non-compliance with PCI DSS can have serious consequences, including financial penalties, fines, legal liabilities, reputational damage, loss of business opportunities, and suspension or termination of payment card processing privileges by card networks.