Fast-Track PCI DSS Compliance with Secureframe

  • February 02, 2022

Emily Bonnie

Senior Content Marketing Manager at Secureframe

Secureframe’s mission is to help every organization build trust with their customers by communicating a strong security posture. The fastest way to lose customer trust is by mishandling their data, which is why we are hyper-focused on making it easy for companies of any size to pre-emptively identify risks and live up to the most rigorous global compliance standards. 

To date, we have helped hundreds of companies receive clean SOC 2 and ISO 27001 reports and we are constantly adding new frameworks. Last year we added HIPAA compliance and today, we’re excited to announce our support of the Payment Card Industry Data Security Standard Report on Compliance (PCI-RoC). With this new offering, merchants and service providers who process, store, or transmit credit card data can achieve and maintain PCI DSS compliance faster and with less manual work.

What is PCI DSS? 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed by Visa, MasterCard, JCB International, Discover, and American Express. PCI DSS applies to any organization that accepts, processes, or transmits payment information. 

Created in 2004, PCI DSS compliance is regarded as the best way to secure confidential transaction data from theft or fraud and build trust with customers. The framework currently consists of 6 prime objectives, 12 requirements, and approximately 300+ controls. 

List of PCI DSS Requirements

What is a PCI-RoC?

A RoC, or Report on Compliance, details how an organization’s security posture, environment, and systems protect cardholder data. It’s the product of an onsite audit and control review performed by a qualified security assessor (QSA). Reports are valid for one year and must be renewed with annual audits. 

Along with an annual audit, all merchants and service providers are required to perform a quarterly external network scan (also known as an ASV scan) and complete the Attestation of Compliance (AoC) form. 

External network scans must be performed by a PCI Approved Scanning Vendor (ASV) on a quarterly basis. ASVs perform vulnerability scans to uncover malware and other threats to the network. 

PCI Attestation of Compliance (AoC) is a form that merchants and service providers use to attest to their compliance with PCI DSS requirements. This written statement is completed by a qualified security assessor verifying that your organization has completed the PCI assessment and is deemed compliant. 

Does your organization qualify for PCI-RoC? 

There are two types of PCI DSS compliance: one for merchants, and one for service providers. 

  • Merchants are organizations that accept card payments in exchange for goods and services. 
  • Service providers are organizations that process cardholder data on behalf of another company. 

There are also multiple levels of PCI DSS compliance based on the number of credit, debit, and prepaid card transactions processed annually.

PCI DSS Levels based on type of organization and number of transactions per year

PCI-RoC applies to Merchant Level 1 and Service Provider Level 1 organizations. So, you qualify for PCI-RoC if you are:

  1. PCI DSS Merchant Level 1 - Your organization accepts card payments in exchange for goods and services AND processes over 6 million transactions per year 
  2. PCI DSS Service Provider Level 1 - Your organization processes cardholder data on behalf of another company AND processes over 300 thousand transactions per year

Automate your PCI-RoC 

We’re excited to announce the release of our newest framework, which simplifies the PCI-RoC process while delivering best-in-class security for cardholder data. If your company processes, stores, or transmits credit card information, and you’d be classified as a Level 1 merchant or service provider, you can now protect customer data and become PCI compliant with Secureframe. 

With Secureframe helping you with your audit, you will:

Create your PCI privacy and security policies

Select from over 40+ policy templates, adapt them to your company, and publish to your employees for review.

Train your employees about PCI and secure coding best practices

Track that your team has completed their PCI security awareness training and accepted policies through one dashboard.

Automate PCI Evidence Collection

Collect evidence and maintain compliance with PCI’s 300+ requirements. Easily check for security gaps with our automated reporting.

Evaluate and monitor PCI Controls

Continuously monitor your PCI controls to ensure you’re protecting cardholder data using our 125+ integrations

Ready to get started?

Take the guesswork out of PCI-RoC, get expert guidance at every step, and streamline the compliance process with Secureframe.

If you’re interested in becoming PCI DSS compliant, schedule a demo to learn more.