Overview
Forvis Mazars is a Qualified Security Assessor (QSA) company credentialed by the Payment Card Industry (PCI) Security Standards Council (SSC) to perform PCI Data Security Standards (DSS) assessments. With version 4.0.1 of the DSS now in effect, organizations must ensure they have implemented all new requirements to protect cardholder data and avoid fines or operating restrictions from banks and card brands.
The Importance of Protecting Cardholder Data
Threat actors target point-of-sale and e-commerce merchants with purpose-built malware, and service providers such as payment processors and cloud services face numerous threats that could affect their customers. PCI DSS is a global standard applicable to all merchants and service providers, balancing people, process, and technology security controls focused on systems, networks, facilities, and processes that store, process, or transmit cardholder data.
Service Offerings
- PCI DSS Assessment - Thorough assessment of the in-scope environment against PCI DSS requirements, gathering evidence to support compliance and producing a detailed Report on Compliance (ROC) and Attestation of Compliance (AOC) for fully compliant entities.
- PCI Self-Assessment Questionnaire (SAQ) Validation - For organizations eligible to complete an SAQ, Forvis Mazars assesses them similarly to those requiring an ROC, producing the SAQ as the report deliverable and completing the attestation portion as the assessor.
- PCI Approved Scanning Vendor (ASV) Vulnerability Scanning - As a certified ASV provider, Forvis Mazars performs quarterly external vulnerability scanning and remediation scanning services to support the annual ASV scanning requirement of the PCI DSS.
- PCI DSS Readiness Consulting - Holistic gap assessment and consulting services tailored to help organizations scope their cardholder data environment, identify issues that impair compliance, and define road maps for remediating gaps.
- PCI Remediation - Extensive consulting and remediation services to resolve areas of noncompliance, including development of policy documents, guidance for improving system security practices, application security or cryptography controls, managed security services, and penetration testing.
The Forvis Mazars team has deep experience in payment card security and compliance, dating to before the advent of PCI DSS when individual card brands operated their predecessor compliance standards. Their experienced QSAs deliver technical acumen, assessment rigor, and business strategy to help organizations meet requirements and mitigate the risks of a data breach.
Forvis Mazars PCI Compliance Services are designed to support organizations operating within Amazon Web Services (AWS) environments, including workloads hosted on services such as Amazon EC2, Amazon S3, Amazon RDS, Amazon VPC, AWS Lambda, and other native AWS infrastructure components. Our assessments and advisory services align PCI DSS requirements with the AWS Shared Responsibility Model, helping clients evaluate configurations, access controls, network segmentation, logging (e.g., AWS CloudTrail and Amazon CloudWatch), encryption, and key management (e.g., AWS KMS).
We assist organizations in defining and validating PCI scopes within AWS, implementing secure architectures, and ensuring that cloud-native controls are appropriately designed and operating effectively to support PCI DSS compliance.
Highlights
- Qualified Security Assessor (QSA) credentialed by the PCI Security Standards Council to perform PCI DSS assessments
- Full-scope PCI DSS v4.0.1 assessments delivering Report on Compliance (ROC) and Attestation of Compliance (AOC)
- Certified Approved Scanning Vendor (ASV) providing quarterly external vulnerability scanning and remediation services
- Readiness consulting and remediation services including gap assessments, policy development, and compliance road maps
- Deep team experience in payment card security and compliance
Pricing
Custom pricing options
Support
Vendor support
For questions about PCI compliance services or to engage with the Forvis Mazars team, contact cyber@us.forvismazars.com. Additional information is available at forvismazars.us.