PCI Assessment

Is Your Organization PCI Compliant?

Achieving initial PCI Compliance can be a daunting task, as many aspects of the PCI requirements are confusing or open to interpretation. Maintaining PCI Compliance requires you to keep your security program up to date and perform several activities throughout the year. In either situation, Triaxiom Security can help you get compliant through a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).


We’re A Qualified Security Assessor (QSA) Company

Triaxiom has been approved by the PCI Security Standards Council (SSC) to validate an organization’s compliance with the PCI Data Security Standard (DSS). Triaxiom provides PCI consulting and penetration testing, and assists organizations all around the United States with their QSA on-site evaluations. Triaxiom audits and assesses both service providers and merchants, and we partner with them to maintain compliance year after year.

Explore The PCI Compliance Services We Provide

PCI QSA Onsite Assessment

Triaxiom will perform a full PCI QSA assessment, including onsite validation of all security controls, as required by PCI DSS. This assessment starts with scope analysis, to accurately determine the scope of PCI in the target environment and identify any potential methods for scope reduction. During onsite validation, technical security control reviews and physical walkthroughs will be conducted to gather evidence supporting the implementation of security controls. Additionally, interview sessions will be scheduled with all necessary parties during the onsite assessment to cover the remaining requirements.

PCI Gap Analysis

During a PCI Gap Analysis, you will be paired with a certified PCI Qualified Security Assessor (QSA) to evaluate your company’s compliance. If your company is required to fill out a Self-Assessment Questionnaire (SAQ), we will assist you in selecting the appropriate SAQ, determining the scope of PCI within your network, evaluating your current state of compliance, and filling out the SAQ. If you are preparing for a Report on Compliance (ROC) audit, we will provide you with a full gap-analysis, identifying where you might fall short and providing the steps you need to take to become compliant before your final audit.

External Penetration Test

An external penetration test emulates an attacker trying to break into your network from the outside. The goal of the engineer performing this assessment is to breach the perimeter and prove they have internal network access. This test includes:

  • Open source reconnaissance against the organization
  • Full port scan covering all TCP ports and the top 1,000 UDP ports of the targets in scope
  • Full vulnerability scan of the targets
  • Manual and automated exploit attempts
  • Password attacks

Internal Penetration Test

An internal penetration test emulates an attacker on the inside of your network. This could be either an attacker who is successful in breaching the perimeter through another method or a malicious insider. The goal of the engineer in this module is to gain root and/or domain administrator level access on the network, and gain access to sensitive files. Activities include:

  • Active and Passive network reconnaissance including traffic sniffing, port scanning, LDAP enumeration, SMB enumeration, etc.
  • Vulnerability scan on all in-scope targets
  • Spoofing attacks such as ARP cache poisoning, LLMNR/NBNS spoofing, etc.
  • Manual and automated exploit attempts
  • Shared resource enumeration
  • Password attacks
  • Pivoting attacks

Web Application Penetration Test

A web application penetration test is an in-depth penetration test on both the unauthenticated and authenticated portions of your website. The engineer will test for all of the OWASP Top-10 critical security flaws, as well as a variety of other potential vulnerabilities based on security best practice. Activities include:

  • Website mapping techniques such as spidering
  • Directory enumeration
  • Automated and manual tests for injection flaws on all input fields
  • Directory traversal testing
  • Malicious file upload and remote code execution
  • Password attacks and testing for vulnerabilities in the authentication mechanisms
  • Session attacks, including hijacking, fixation, and spoofing attempts
  • Other tests depending on specific site content and languages

Vulnerability Scanning

Vulnerability scanning is a regular, automated process that identifies the potential points of compromise on a network. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures. Our engineers will conduct this scan for you and use our expertise to remove false positives and produce a risk-prioritized report.

Trusted By Organizations Across All Verticals

As a trusted security partner for organizations ranging from small start-ups to the Fortune 500, we pride ourselves on providing what you need to make data-driven decisions to optimize your resources and navigate the current cybersecurity landscape. With clients in every major vertical, we understand the unique challenges you face and how to tailor our assessments to meet your needs.

Triaxiom Security are experts at their craft. We have partnered with them on a multi-year engagement to identify our security weaknesses throughout our environment. Additionally, we are engaged with them to help us maintain PCI compliance on an annual basis. Their engineers have been extremely responsive and helpful every time we reach out, even if it is not part of an ongoing assessment. They truly are a part of our security team!

Chief Information Security Officer | Fortune 300 Retailer

We are extremely happy with the depth and breadth of the test Triaxiom performed, their attention to detail, and the great write-up of vulnerabilities that were discovered. They found vulnerabilities that were overlooked by other companies we used in the past. In today’s challenging and evolving security environment, getting a clean bill of health is great, but being able to keep up with best practices and quickly remediate vulnerabilities is absolutely critical. I’m very happy that we have an even more secure system and that we signed a three year commitment with Triaxiom Security.

CTO | SaaS Provider

We were pleasantly surprised by the penetration test, the professionalism and, more so, the effectiveness of the team. Regardless of the difficulty in securing the funds, the results were exceedingly thorough and we’re busily working on remediations, thanks to the helpful report. The results from their penetration test are the most useful tool to discover high-value actionable tasks which can keep us safe.

CISO | Higher Education University

PCI Audit FAQs

Unfortunately, this is a hard question to answer for every circumstance given the wide disparity in environments. In general, the price of a PCI audit depends on two primary factors. First, whether you are a merchant or a service provider: service providers are subject to more requirements, which cause the audit to take longer. Additionally, if you are a level one merchant that requires a completed Report on Compliance (ROC), that type of assessment takes much longer and is much more involved than the Self-Assessment Questionnaire (SAQ) a lower-level merchant can complete. Further, even if you need a level one assessment, the number of requirements in scope will directly correlate with the time it takes to complete and, consequently, the price you should expect to pay. To give some rough budgetary numbers, a PCI gap analysis resulting in a completed SAQ for a merchant will typically cost around $12,000. On the other end of the spectrum, a level one assessment for a service provider resulting in a completed ROC will cost around $46,000.

While the timeline varies, a typical PCI Gap Analysis resulting in a completed SAQ takes about a week. On the other end of the spectrum, a full level one assessment will take around 6 weeks to complete. Much of the timeline depends on how quickly we receive the information we need from you and on the size and complexity of the in-scope environment, so please let us know if there is a hard deadline, and we can work with you to expedite the process as much as possible.

The primary thing that can go wrong with a PCI audit is to fail the audit, of course. Our goal is to work with you to proactively prevent your organization from failing. For organizations that are new to PCI, we often recommend doing pre-consulting to prepare for your upcoming audit. Additionally, during the audit, if we find small issues that can be corrected, we will provide you with action items and, as long as they are completed prior to the end of the audit, we can sign off on those.

In the event that there are too many significant or complex issues to pass the PCI audit, we will provide you with a roadmap to meeting compliance, and then complete another audit when you are ready.

Our engineers hold industry-leading certifications, including:

  • PCI Qualified Security Assessor (QSA)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Ethical Hacker (C|EH)
  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Web Expert (OSWE)
  • GIAC Security Essentials Certified (GSEC)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Web Application Penetration Tester (GWAPT)

Get A PCI Audit Quote

Find and fix vulnerabilities that ACTUALLY impact your business and compliance goals faster.
