Network World

PCI audits from the inside

Reports from the auditor and the audited.
Small Business Tech | By James E. Gaskin, Network World, 03/27/2008

After discussing the new, more stringent PCI (Payment Card Industry) guidelines several times, including last month, let's dig even deeper. Two companies, one on each end of the PCI process, graciously talked to me: one about what it did to pass, the other about how it evaluated that progress and arrived at a passing grade on the assessment.

“Technically, companies don't undergo PCI audits, but PCI assessments,” said Rick Dakin, President and CEO of Coalfire Systems, a security group focusing on compliance assessment and management solutions. Audits have more stringent legal liabilities attached.

But don't get the idea that a PCI “assessment” is a snap to pass, because it's not. Jeremy Segale is VP of Operations for PaySimple, a service company specializing in auto-recurring billing, eChecks, online payments, and credit card processing. The company's transaction volume makes it a Tier 1 Merchant, which requires an on-site assessment. “We started on January eighth,” said Segale, “and the process was finalized March first.”

Segale built a 12-page worksheet, one page for each major security area PCI requires, and ran an internal pre-audit against it. Those 12 pages contained 136 major points to check. Some security requirements were satisfied by the data center hosting PaySimple's servers, such as the physical access restrictions on the servers that protect cardholder data.

PaySimple did a “gap analysis” before Coalfire arrived, said Segale, “just on a pass/fail basis for internal use only.” Things he hadn't considered, like “screen shots showing domain management of user access,” caught them by surprise on the first trip through the checklist.

Rick Dakin of Coalfire said his company started as an early ASP (Application Service Provider, the forerunner of Software as a Service) back before the Internet bubble burst. After it did, he focused on the security parts of the business and moved into compliance, which now takes 100% of the company's attention.

“The compliance business still needs a trained eye,” said Dakin, “and you can make it as a boutique firm in compliance management.” Coalfire has 40 auditors, plus support staff, in offices in New York, Seattle, and Boulder, Colo. “The Big Four accounting firms aren't in compliance because the PCI standards are not at AICPA (American Institute of Certified Public Accountants) levels.”
