Payment Card Industry (PCI) Compliance

Whether you are new to the PCI DSS process, need help completing a Self-Assessment Questionnaire (SAQ) or are required to go through a third party audit, Contextual Security is your trusted partner.

Contextual Security is a PCI Qualified Security Assessor Company (QSAC) recognized by the PCI Security Standards Council. We provide a full suite of services to assist our clients in meeting and maintaining PCI compliance at all levels. Our QSAs, which are all dedicated internal employees (never subcontracted), have extensive experience working with a variety of organizations of all sizes. Our clients include large retailers, ecommerce organizations, service providers, energy cooperatives and others.


Contextual Security offers highly-trained QSAs, deep roots in PCI compliance and a proprietary platform that gives you unique insight into your organization’s security and compliance initiatives.

Our illumino platform allows you to have 24/7 visibility into the audit process. illumino was developed out of a need to eliminate the frustrations our customers have experienced during the audit process where issues or gaps in compliance were not communicated effectively. The illumino platform gives organizations the ability to quickly identify the status (Compliant, Not Compliant, Remediating, etc.) of each control/sub-control within the PCI DSS. By making this information readily available, there are no surprises.

We encourage our clients to stay engaged with our QSA’s on a regular basis (e.g. monthly, bi-weekly, weekly calls) throughout the audit. This constant communication reduces any last minute compliance “gotcha’s” that can arise.

Contextual Security doesn’t come onsite for a week for an initial review, then disappear for three months. That is a recipe for disaster. We stay involved throughout the year to help you meet your organization’s goals.

Contextual Security is your trusted security and compliance partner. 

Contextual Security has extensive experience in conducting PCI DSS audits across a variety of industries and we know one size does not fit all.

The compliance challenges a major healthcare provider faces are significantly different that those of a convenience store chain, for example. And the approach to PCI DSS an ecommerce merchant has is typically much different than that of a power cooperative. We offer tailored solutions and processes to better suit our clients across diverse industry types.

Retail Organizations
The cardholder data environment (CDE) commonly spans across many locations, some of which are never visited by the security and compliance team. For these clients, we have tools that provide instant access and visibility into the compliance process at their retail locations. These tools assist organizations in getting a head start on areas that need remediation and are helpful in communicating issues with other stakeholders or departments.

Healthcare Industry
Contextual Security’s experience with both PCI and HIPAA compliance makes us the go-to choice for many healthcare organizations. Whether you simply collect payments via a swipe terminal connected to a phone line or you have integrated payment acceptance into your practice management software, we have you covered. Our knowledge of the HIPAA Security Rule (and the updated guidance found within the HIPAA Audit Protocol) means we can quickly identify areas where existing policies, procedures and guidelines can assist in meeting the PCI DSS requirements.

Electric Cooperatives have unique security and compliance challenges. Contextual Security helps cooperatives navigate the threats and vulnerabilities to their key systems and applications through routine security assessments, while also helping them tackle – and ultimately achieve – PCI compliance. Our experience within this industry makes our experts some of the most sought-after thought-leaders with groups like EnergySec, the North Carolina Association of Electrical Contractors (NCAEC) and the Texas Electric Cooperative.

Contextual Security’s PCI DSS engagements are specifically tailored to your organizations needs and requirements.

Some of the services we offer are:

PCI DSS Scoping Assessment
Designed for those organizations that are tackling PCI DSS compliance or the first time, our PCI DSS Scoping Assessment solution can be used to assist stakeholders in establishing the scope of their CDE, determining areas where scope can be reduced through segmentation, and identifying the applicable controls within the PCI DSS that they must adhere to.

Virtual PCI DSS Consultant
Contextual Security’s PCI General Consulting offering is ideal for organizations who are interested in having a standard PCI DSS QSA available throughout the year for regular (e.g. weekly, monthly, quarterly) or ad-hoc (e.g. on-demand) meetings to address requirement questions and provide guidance on how changes within the organization could impact their overall compliance. The QSA also keeps you up to date on upcoming changes to the PCI DSS.

PCI Independent Third Party Audit
As a QSAC, Contextual Security is authorized by the PCI Security Standards Counsel to perform Level 1 third party PCI DSS audits resulting in an Attestation of Compliance (AOC) and Report of Compliance (ROC), or simply a gap analysis. Our roster of experienced QSA’s works with merchants and service providers across all industry sectors and understands the challenges associated with each.

PCI Risk Assessment
Contextual Security assists organizations in conducting annual risk assessments, as required by PCI DSS 3.2 control 12.2. Our PCI Risk Assessments allow organizations to focus explicitly on their cardholder data and quickly identify risks and threats that may not be identified through other security related assessments (e.g. Vulnerability Assessments).

PCI Penetration Test
Our PCI Penetration Tests are conducted in accordance with and in support of PCI DSS 3.2 Requirement 11.3. Specifically, our approach is standards-based, includes penetration testing from both inside and outside of the cardholder data environment (CDE), includes testing to validate segmentation and scope-reduction controls, and includes both application-layer and network layer tests.

Contextual Security provides formal deliverables for each of our PCI DSS tasks:

  • Gap Analysis Report
  • Report of Compliance
  • Attestation of Compliance
  • PCI Risk Assessment Report
  • PCI Penetration Test Report

In addition, Contextual Security includes, as part of each engagement, an out brief call to discuss the findings and answer any questions your organization may have.

Please contact one of our Enterprise Consultants for a free sample report.

“Having used different IT GRC products in past, we feel Contextual Security’s “illumino” has allowed us to better organize and simplify the numerous compliance controls along with roles and responsibilities to better organize and complete our audit requirements. With it’s any access platform, we can use this data anywhere-anytime to provide scheduled controls and evidence of those in a central tool, making us more consistent and productive. The fact we no longer wait to see reports and results or audits – now they are available as they are completed, almost in “real time”. The result is a less stressful completion and final delivery of Reports on Compliance, without the anxiety of not knowing or feeling incomplete. It’s refreshing to use a product that is built and understood by a team that not simply understands compliance, but is active and experts in security testing. I no longer dwell or doubt our ROC date goals, because of Contextual Security and ‘Illumino’.”

Energy industry executive

“Due to numerous high profile data breaches, the board of directors of a large non-profit hospital became concerned about how they handle credit cards. After some internal discussions, hospital employees concluded that the hospital’s systems were adequately protected; however, their board insisted that they also undergo an audit. That’s when the hospital started taking a closer look at what their systems were doing and is also when they discovered that there’s more to their systems and business processes than they originally understood. In addition, there were already projects underway that would impact the network architecture and could have a significant impact on compliance objectives if there was a lack of proper consideration given for the intricacies of PCI compliance. Therefore, the hospital sought expert council from outside professionals that operate in payment card compliance. Through a collaborative effort between hospital executives, various departments of their operations staff, and third-party vendors, Contextual Security Solutions was able to effectively identify their compliance goals and suggest remediation activities that greatly reduced the hospital’s PCI scope, costs, and risks. As the hospital’s technology environment continues to evolve, Contextual Security Solutions continues to provide expert advice to ensure the hospital is adequately protected and compliant with the latest PCI standards. The hospital has made national headlines hundreds of times over the years for the miracles and accomplishments their doctors and patients achieve. It’s a true testament to how this hospital desires to operate, and we’re not only proud that none of this national attention has been the result of a payment card data breach, we’re committed to keeping it that way!

Healthcare industry executive