PCI-C

PCI-DSS Compliance

A one-stop solution for ongoing PCI-DSS compliance. Illumant prepares your SAQs and AOCs, addresses ASV scanning, and performs all required vulnerability assessments, penetration tests, and wireless scans — remotely via supplied appliance.

Why PCI is hard to do alone

PCI-DSS compliance involves obscure documentation, fast-moving versioning (v3.2.1 → v4.0.1), and technical assessment activities that fall outside most internal teams' core competency or bandwidth. Misclassify your merchant level, miss a segmentation test, or skip a quarterly scan and you risk fines, processor escalation, and — in the worst case — a forensic investigation after a breach.

Illumant's PCI-C service guides you through compliance as painlessly as possible. We determine the requirements that actually apply to you based on transaction volume, channel, and partner relationships, then own the recurring testing calendar so you don't have to.

Picking the right SAQ

We help you select and complete the appropriate self-assessment questionnaire and prepare any necessary Attestations of Compliance.

SAQ A

Card-not-present merchants that fully outsource cardholder data handling to PCI-DSS validated third parties.

SAQ A-EP

E-commerce merchants whose websites don't directly receive cardholder data but can affect transaction security.

SAQ B / B-IP

Merchants using only imprint machines, dial-out terminals, or standalone IP-connected payment terminals.

SAQ C / C-VT

Merchants with payment application systems connected to the Internet, or virtual terminals on a dedicated workstation.

SAQ D

All other merchants and service providers — the most comprehensive questionnaire.

SAQ P2PE

Merchants using only PCI-listed point-to-point encryption devices in a validated solution.

Ongoing testing — handled

Quarterly ASV scanning

Approved Scanning Vendor scans of all internet-facing systems in the cardholder data environment. Illumant has relationships with best-of-breed ASVs and will set up scans if you don't already have a vendor.

Quarterly internal vulnerability assessment

Authenticated and unauthenticated scanning of the internal CDE — performed remotely via on-site appliance to minimize disruption.

Annual external & internal penetration testing

Manual penetration testing against the CDE — perimeter, segmentation validation, and exploitable internal paths to cardholder data.

Quarterly wireless assessment

Detection of rogue and misconfigured wireless access points connected to the CDE.

Segmentation testing

Annual testing, repeated after any change, to confirm that out-of-scope systems cannot reach the CDE.

Highlights

  • Enumeration of client-specific PCI requirements (merchant level, channel, partners)
  • Preparation of annual SAQs and Attestations of Compliance (AOCs)
  • Coordination of quarterly ASV scans
  • Quarterly internal vulnerability assessments via supplied appliance
  • Annual external/internal penetration testing of the CDE
  • Quarterly wireless security assessment for rogue APs
  • Remediation management to achieve and maintain compliance
  • Free retesting and validation
  • Updates to or initial development of PCI policies and procedures

Targets

  • Cardholder data and PAN storage
  • Cardholder data environment (CDE)
  • In-scope servers, firewalls, routers, switches, workstations
  • Network segmentation boundaries
  • Payment gateways, virtual terminals, point-of-sale
  • Wireless networks adjacent to the CDE
  • Policies, procedures, and training records

Ready to start a conversation?

Talk to a senior consultant — we'll scope an engagement that fits your environment.