ExpoIT’s Payment Card Industry (PCI) Compliance Services

Solid Security begins with knowing. Excels by doing.

In partnership with Contextual Security, a PCI Qualified Security Assessor Company (QSAC) who is recognized by the PCI Security Standards Council, we provide a full suite of services to assist our clients in meeting and maintaining PCI compliance year after year. Our QSAs, which are all dedicated employees (never subcontracted), have extensive experience working with a variety of organizations of all sizes. Our clients include large retailers, ecommerce organizations, service providers and energy cooperatives, to name a few.

Whether you are part of an organization that’s new to the PCI DSS and are trying to get a handle on how it applies to your systems and applications, one that’s just needing help completing their Self-Assessment Questionnaire (SAQ), or one that is required to go through a third party audit, Contextual Security can be your trusted partner.


As a PCI Qualified Security Assessor Company (QSAC), together we can provide a full suite of services to assist our clients in meeting and maintaining their compliance with the Payment Card Industry Data Security Standard (PCI DSS) year after year. Whether its conducting a PCI DSS audit resulting in a Attestation of Compliance (A.O.C)/Report of Compliance (R.O.C.)/Self-Assessment Questionnaire (S.A.Q.), assisting customers with specific individual requirements found within the PCI DSS (e.g. Annual Penetration Test, Quarterly Scanning, Firewall & Router Configuration Reviews, Web Application Assessments, etc.), or simply providing PCI consulting for clients who are just now beginning to tackle compliance for the first time, Contextual Security consultants have you covered.

In addition, our proprietary illumino platform allows those responsible for the organizations compliance initiatives to have 24/7 visibilities into the audits progress. Our illumino platform was developed out of a need to eliminate the disconnects and frustrations our customers have seen with other compliance consultancies, where issues or gaps in compliance were either not communicated effectively or not until it was too late. The illumino platform gives organizations the ability to quickly identify the status (Compliant, Not Compliant, Remediating, etc.) of each control/sub-control within the PCI DSS, including the information that was relied upon by the QSA to make the status determination. By making this information available 24/7, there are no surprises!

Lastly, expoIT encourages our customers and partners to stay engaged with our QSA’s on a regular basis (e.g. monthly, bi-weekly, weekly calls) throughout the audit. This constant communication is aimed to reduce any last minute compliance gotcha’s that can arise in those organizations that are continuously refining their processes and procedures to better serve their customers.


Together we have extensive experience in conducting PCI DSS audits across a multitude of industries. As with anything, one size does not fit all. The challenges a major healthcare provider may have with PCI DSS compliance in most cases are significantly different that those of an organization that operates convenience stores. Also, the approach to PCI DSS an ecommerce merchant will have is typically going to be different that of a power cooperative. That’s why we’ve tailored our offerings to better suite our clients across diverse industry types.

Retail Organizations

With respect to Retail Organizations, the cardholder data environment (CDE) commonly spans across many locations and environments, some of which may never be visited by those responsible for their security and compliance. For these clients, we have developed tools, as part of our audit process, that provide our clients with instant access and visibility into the security and compliance posture of their retail locations. The tools can assist organizations in getting a head start on any areas needing remediation and can be helpful in communicating issues with other stakeholders or departments that could impact the organizations PCI DSS compliance.

Healthcare Industry

We have assisted a number of healthcare organizations navigate and ultimately gain compliance with the PCI DSS. Whether you simply collect payments via a swipe terminal connected to a phone line, or you have integrated payment acceptance into you practice management software, expoIT has you covered. In addition, due to our experience with the HIPAA Security Rule (and the updated guidance found within the HIPAA Audit Protocol), we can quickly identify areas where existing policies, procedures and guidelines can assist in meeting the PCI DSS requirements, or vice versa.

Energy Cooperatives

In addition to helping Electric Cooperatives navigate the threats and vulnerabilities to their key systems and applications through routine security assessments, we have been a key partner in helping them tackle and ultimately achieve compliance with the PCI DSS. Our experience within this industry is also evident by their frequent participation with groups like EnergySec, NCAEC, TEC, to name a few.


As with all of our services, expoIT PCI DSS engagements are specifically tailored to your organizations needs and requirements.

PCI DSS Scoping Assessment – Designed for those organizations that are tackling PCI DSS compliance or the first time, our PCI DSS Scoping Assessment solution can be used to assist stakeholders in establishing the scope of their cardholder data environment (CDE), determining areas where scope can be reduced through segmentation, and identifying the applicable controls within the PCI DSS that they must adhere to.

Virtual PCI DSS ConsultantContextual Security’s PCI General Consulting offering was created for organizations who are interested in having a PCI DSS QSA available throughout the year for regular (e.g. weekly, monthly, quarterly) or ad-hoc (e.g. on-demand) meetings to address requirement questions, provide guidance on how changes within the organization could impact their overall compliance, as well as keep them up to date on upcoming changes to the PCI DSS (e.g. changes from 3.1 to 3.2).

PCI Independent Third Party Audit – As a QSAC, Contextual Security is authorized by the PCI Security Standards Counsel to perform Level 1 third party PCI DSS audits resulting in an Attestation of Compliance (AOC) and Report of Compliance (ROC), or simply a gap analysis. Our roster of experienced QSA’s has worked with merchants and service providers across all industry sectors and understands the challenges associated with each.

PCI Risk AssessmentexpoIT can assist organizations with conducting their annual risk assessment, as required in PCI DSS 3.2 control 12.2. Our PCI Risk Assessments allow organizations to focus explicitly on their cardholder data and quickly identify risks and threats that may not be identified through other security related assessments (e.g. Vulnerability Assessments).

PCI Penetration Test – Our PCI Penetration Tests are conducted in accordance with and support of PCI DSS 3.2 Requirement 11.3. Specifically, our approach is standards based, includes testing from both inside and outside of the cardholder data environment (CDE), includes testing to validate segmentation and scope-reduction controls, and includes both application-layer and network layer tests.


expoIT provides formal deliverables for each of our PCI DSS tasks.


  • Gap Analysis Report
  • Report of Compliance
  • Attestation of Compliance
  • PCI Risk Assessment Report
  • PCI Penetration Test Report

In addition, project includes, as part of each engagement, an out brief call to discuss the findings and answer any questions your organization may have. Contact one of expoIT’s Enterprise Consultants today for a free consultation listing of services, options and budget expectations.

Because…Solid Security begins with knowing. Excels by doing.