Case Study

Transactis

How Transactis Tackled Their Unresponsive QSA Challenge


Background

Transactis is a secure electronic billing and payment solution for businesses of all sizes. An aspect of being secure is complying with the Payment Card Industry Data Security Standard (PCI DSS), which includes an annual onsite audit by a Qualified Security Assessor (QSA). The problem their Chief Compliance Officer, John Norment, faced was finding a QSA that could meet deadlines and communicate clearly.

“SecurityMetrics really came through for us. They picked up the ball that had been seriously dropped by our prior QSA. They were very responsive to our time-sensitive needs. Their personnel were very knowledgeable, professional, and communicated and planned effectively. They accomplished the assessment on time. Thanks to their expertise, we have an even deeper and more comprehensive assurance of our security.”
John Norment
Chief Compliance Officer

Challenges You Faced With PCI Compliance

  • Previous QSA established schedules/timelines which they failed to meet. Even more challenging was their assurance that they would meet the new (delayed) timelines, which they also failed to meet. This resulted in us missing certain deadlines relating to our PCI Compliant status and in their failure to meet their contractual obligations.
  • Previous QSA’s project manager failed to communicate exactly what was required of us, created an audit schedule that they did not follow, and provided inaccurate updates on status of our Report on Compliance.
  • Previous QSA contracted with us to be a subject matter expert throughout the year to help us achieve and maintain our PCI compliance; however, due to undisclosed personnel issues within the QSA, they were unable to meet their commitments.

Resolving Challenges With SecurityMetrics

  • SecurityMetrics clearly communicated the schedule, where we were in the process, what was needed from us to keep progressing, and expectations of when each task would be completed.
  • SecurityMetrics clearly communicated the evidence, diagrams, policies and procedures, and deliverables we needed to provide to make the audit go more smoothly.
  • SecurityMetrics QSA conducted a more thorough assessment than our previous QSA, and had a better understanding of PCI scope, requirements, compensating controls, and security in general.

Goals Achieved Working With SecurityMetrics

  • Able to get senior management buy-in to accelerated actions to ensure security and compliance.
  • Received a completed Report on Compliance in advance of our extension date.
  • Assurance that we have a secure cardholder data environment.
  • Have an even deeper understanding of PCI and how it applies to our business.
  • Found a true ongoing partner in security and compliance, not just an auditor.
  • Demonstrated that with proper personnel and commitment, the Report could be done in the time required by us, in contradiction to the previous QSA that refused to commit to any definite timeline.