Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a regulation that effects any organization who accepts, processes, stores or transmits credit card information. Within the PCI DSS regulation there are 12 requirements that can be applied to an organization based off their status as either a merchant or service provider. At CCSI we can make this process more streamlined, assist with policy/procedure work, remediation of improvements, gap assessments and working with our partnered QSA’s to make sure your organization achieves compliance.

Key Benefits

  • Trusted advisor review of your PCI posture and determination of any gaps
  • Remediation work on findings from our analysis or via one of your other trusted QSA’s
  • Work with CCSI and our trusted QSA partners to complete your ROC
  • Review of the organization and assistance with filing for an SAQ
  • Guidance on meeting all regulatory compliance standards for PCI

Our Approach

Being PCI compliant is a continuous effort that needs to continue throughout the year. This isn’t something that can be completed once and needs to become part of your organization’s security culture. Our approach at CCSI is to assess, report, and remediate when it comes to helping our clients achieve PCI compliance. As a trusted voice in achieving and maintaining best practices with the security controls of PCI we assist clients by guiding them towards passing an assessment as efficiently and securely as possible.


Depending on the number of credit cards a company is handling will determine the PCI Compliance Level and guide efforts and requirements for compliance. This level will determine the assessment that needs to be performed:

Level 1

Merchants processing over 6 million card transactions per year

Organizations within “Compliance Level 1” will need to work with a Qualified Security Assessor to have an onsite assessment occur. During this assessment the client will receive a Report on Compliance “ROC” after a successful audit. CCSI is able to introduce these clients to our partnered QSA’s to start and review this assessment. Clients will also need to have an Approved Scan Vendor “ASV” to validate their external range for vulnerabilities that CCSI can assist with.

Level 2 - 4

Merchants processing 6 million to fewer than 20,000 transactions per year.

Organizations within “Compliance Levels 2 – 4” will need to fulfill an annual Self-Assessment Questionnaire (SAQ) to validate your security controls. By answering honestly, and with assistance, can limit issues in the future if a breach was to occur within your card holder environment. The Approved Scan Vendor “ASV” assessment to validate external ranges still applies to organizations filing an SAQ and CCSI can assist with this directly.

Purchase from Our OGS Contract

Visit our State Contract Page for more information

PCI Gap Analysis

Performing a PCI Gap Analysis is a preemptive way to determine if you’re ready for a PCI assessment. CCSI can perform in-depth analysis of your overall card holder environment and determine if there are gaps within the 12 security requirements being mandated by the regulation. All areas of your environment will be reviewed and can be used as a baseline as you continue to grow your organization and get ready for an audit so there isn’t an issue achieving your “ROC” for the annual assessment.

What Deliverables do I receive?

  • Gap assessment of the 12 security controls of the PCI DSS scope
  • PCI liaison to QSA’s to work with them to achieve compliance with your team
  • Review of all policy and procedures to determine proper PCI coverage
  • Penetration testing based off your PCI zone and standard methodology
  • ASV scan guidance of the in scope applications and networks
  • Review of vulnerabilities and remediation work on any findings

To find out more, contact us today.