Before delving into the process of working with SecurityMetrics, let’s begin with some background information on us.
- We are one of only a handful of companies worldwide certified by the PCI Council to conduct all major PCI compliance validations.
- We have tested over 1 million systems for data security and compliance as an Approved Scanning Vendor, Qualified Security Assessor, and Certified Forensic Investigator.
- Our employees hold certifications like Certified Information Systems Security Professional (CISSP), PCI Forensic Investigator (PFI), Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV), Payment Application Qualified Security Assessor (PA-QSA), Software Security Framework (SSF) Assessor, and Point-to-Point Encryption Qualified Security Assessor (P2PE QSA).
- We have the largest in-house call center in the payments industry and take over 135,000 calls each month.
SecurityMetrics’ central objective is to help companies secure their data, not just meet compliance standards. This is why we hold our tools, training, and support to a higher, more thorough standard of performance and service. We love working with organizations who have that same vision for security.
What is the process of working with SecurityMetrics on a PCI Assessment for the first time?
If you are a level 1-2 merchant or service provider, your process will look something like this:
Pre-Assessment
One Year Before
Before you sign a contract, you will want to plan your path to compliance by determining what your specific needs are and what potential products can address them.
- Engage with a Qualified Security Assessor (QSA) for an assessment
- Confirm your merchant or service provider level with the card brands
9 Months Before
- Start the initial gap process with your QSA
- Review your 3rd party providers' attestation documentation and responsibility matrices
- Check to see if they are current and accurate
6 Months Before
- Confirm that your policies/procedures are in place and updated
- Schedule your penetration test
- Begin ASV scans
3 Months Before
- Obtain up-to-date network and card flow diagrams
- Review evidence request list
- Schedule your onsite visit
- Determine what internal personnel need to be involved in the onsite visit for the assessment and arrange for personnel to either attend or be available
1 Month Before
- Finalize all travel arrangements for people involved in the onsite assessment
Two Weeks Before
- Verify all relevant parties are available for the onsite visit
- Double-check that visitors cannot access sensitive areas
- Ensure that managers/supervisors are informed of:
  - Date the assessor will be onsite
  - What access the assessor may need
  - Any documentation required
- Obtain an agenda from your assessor
- Share the agenda with all involved parties
Onsite Assessment
1-3 Weeks Onsite
- The Onsite Assessment includes validation and documentation in order to produce a Report on Compliance (ROC).
- The project coordinator and audit lead will work together to identify onsite dates to complete the PCI DSS assessment
- Go over steps to compliance with your QSA
Post Assessment
30 Days After (Remediation)
- During this phase, your QSA works with you to determine what remediation needs to be done to ensure compliance.
- QSA identifies compliance gaps and puts them in the audit portal
- The merchant works with the QSA to understand each finding and what evidence will be needed to close it
- Once remediation is finished, the merchant can upload the requested evidence to the audit portal for review
30-45 Days After (Report Delivery)
You will receive a report on your audit describing the process and outcome.
After all remediation work is finished, the Audit Lead will release the completed SAQ D and AOC along with the report.
Ongoing
An essential step of PCI compliance is an ongoing effort to maintain your environment and avoid situations that cause a higher compliance burden.
To ensure continued PCI compliance:
- Update security policies
  - Anytime you change the way you store, process or transmit cardholder data, update your policies to reflect the changes
  - Reach out to your QSA for assistance with your environment or changes
- Train your employees
  - Inform new and current staff members how to correctly handle card data
- Update your SAQ if things change
  - Update and resubmit your SAQ if anything in your card processing environment changes
- Run external vulnerability scans
  - Run scans at least quarterly
  - Run scans every time you make a network change
- Verify you understand where your credit card data is stored
  - Ensure all your credit card data is encrypted
  - Identify unencrypted card data with card discovery tools
That’s it! You will be able to keep track of each step of this process through your portal so that you will always know what you have accomplished and what you still need to do.
If you are a small merchant that needs to validate compliance for your acquiring bank, your process will look something like this:
- You will be notified by your merchant processor that you will need to complete your PCI compliance through SecurityMetrics
- We will give you access to a portal that will help you determine your compliance needs and allow you to keep track of your compliance, see what tasks you have completed, what tasks you still need to complete, and report your status to your merchant processor. Through this process you will have access to our 24/7 support team.
- You will be a part of an email campaign that will send you status updates about your compliance, as well as information to guide you through each step of your compliance process.
FAQs
What happens when clients reach PCI compliance?
If you get an onsite assessment, a ROC will be submitted for you.
If you submit a Self-Assessment Questionnaire (SAQ), a compliance certificate will be assigned and your compliance status will be reported to your merchant processor.
What if I am a merchant who doesn’t reach PCI compliance?
In addition to opening yourself up to being hacked, some merchant processors face fees for non-compliance.
However, we will work with you until you become compliant.
What resources do we offer to help our clients?
Our strong belief in the value and significance of cybersecurity has driven us to create numerous free resources that organizations can utilize for training and educational purposes.
These resources include:
- PCI Guide: Our award-winning PCI Guide is an exceptional and comprehensive resource that offers insights and guidance for getting started with PCI compliance.
- HIPAA Guide: Our award-winning HIPAA Guide is an outstanding resource that provides valuable insights and guidance on getting started with HIPAA compliance.
- Webinars: Every webinar is recorded, allowing you to access the information even if you were unable to attend it live.
- Blog: One of the most robust in the industry, our blog offers a wealth of valuable information and insights on various cybersecurity topics.
- Podcast: Our podcast offers highly informative and accessible information from industry experts for a wide range of listeners.
- News channel: Our news channel is regularly updated, bringing you the most recent and biggest cybersecurity news stories.
- Learning Center: The learning center is full of checklists, white papers and data sheets that are free to download.
- Academy: Academy is a free workforce training program that teaches the basics of cybersecurity.
What options do you have for support?
To help you reach your PCI compliance we have award-winning support that includes:
- 24/7 Call center
- 24/7 Help Desk Support
- 24/7 SAQ and Scan Technical Support
- 24/7 Chat
- Account manager/representative
- Learning resources (listed above)
Conclusion
Getting PCI compliant and creating a secure environment is of utmost importance to us, and we will help you until you become compliant. All of our QSAs are passionate about what they do and are happy to help you with your questions and concerns about compliance and security.