PCI DSS: the shield to protect against bank data leaks

XMCO supports you in your PCI DSS certification project by providing you with a set of tools and advice.

  • 1 – Context taking

  • 2 – Sensibilization

  • 3 – Meeting

  • 4 – Findings

The GRC team supports you in this challenge

The team monitors compliance actions on a daily basis and helps you draft the mandatory documents

  • Monitoring of compliance actions on a daily basis

    XMCO can intervene throughout the compliance process to:
    • Follow the evolution of construction sites
    • Respond to structuring questions
    • Popularize and explain certain requirements
    • Guiding and validating technical and organizational developments
    • Contact your bank to summarize the actions in progress
    • Perform technical checks (PanBuster, configuration review, etc)…

  • Awareness and training of your teams

    XMCO can also work with your teams to make them aware of the challenges of the PCI DSS standard and also to train developers in secure development methods. This training aims to give you the keys to secure development methods to meet the 6.5.x requirements of the standard (XSS, SQL Injection, error management, etc.).

  • Internal and external penetration tests

    XMCO offers to carry out the external and internal penetration tests required by the PCI DSS standard (11.3.x requirements). These tests will be conducted in black box and gray box to simulate the different types of populations with access to the environment (unauthenticated attacker on the Internet, external client, internal employee, platform administrator).

  • Segmentation test

    The objective is to demonstrate the effectiveness of the isolation and filtering mechanism(s) put in place to separate the CDE (Cardholder Data Environment) equipment from other internal networks. We will carry out these tests according to different locations (outside the CDE, from the servers connected to the CDE, from the VLAN of the administrators, etc.).

  • Documentation writing

    We offer assistance in drafting the expected documentation so that it can be presented during the certification audit.

We perform intrusion tests and audits

  • External and internal technical audits

    You will know which internal or external vulnerabilities and scenarios can put your customers’ card data at risk.

  • Segmentation tests

    They will be used to demonstrate the effectiveness of the isolation and filtering mechanisms put in place to separate the Cardholder Data Environment equipment from other internal networks.

  • Monitoring of tests by a QSA consultant

    The GRC Team offers you relevant advice and opinions relating to the context of the audited scope.

On to the last step: certification

  • Pre-audit

    Interviews, configuration statements and documentary analysis allowing you to best prepare for the certification audit.

  • Certification Audit

    Following the correction of points of non-compliance discovered during the pre-audit, the QSAs carry out the audit on all the requirements of the standard: Technical and physical security, organization/process and documentation.

  • Writing official documents

    Finally, the QSAs will write the official documents (SAQ, ROC, AOC) validating your certification!

An expert team

A pragmatic approach accompanying you from the construction of your project to the final certification.

  • A proven methodology for more than 10 years

  • The use of tools simplifying exchanges and audits

  • A team of 6 QSA experts in different fields (monetics, retail, ecommerce, hosting, etc.)

Our team uses its own tools to best support our customers.

  • Fgraph
    Audit of network flows

  • Portail PCI
    Workflow for monitoring actions and non-conformities

  • PANBuster
    Finding Card Number Leaks

  • Snap
    Audit of system configurations (Linux, Windows, etc.)

You are in good hands

XMCO certifies over 45 companies every year

  • “Security should not be a brake but a business accelerator.”

    What made the difference compared to other PCI players was the understanding of our business and its challenges, but also the technical knowledge of XMCO consultants. We have been able to establish a relationship of trust and we benefit from a personalized approach and a strong reactivity on their part.

    Grégoire Maux

    Head of Operational Security Team – Monext

  • “This certification is an important strategic asset by reassuring our customers.”

    We are very satisfied with the support, the audit, the risk-oriented approach and the practical recommendations. In addition, we work in a secure way: their portal is a real gain in time and readability. The bonus is being able to work with a French market player!

    Sarah Letri

    IT Compliance Manager – CDiscount

  • “Being PCI DSS certified is inherent to our business model”

    With XMCO we have constructive dialogues, feedback from competent consultants. All recommendations and justifications are relevant. It’s quite pleasant!


    Security Engineer and PCI DSS Manager – PayPlug

  • “PCI DSS by design!”

    We have chosen, from the outset, to be accompanied by XMCO on the PCI DSS, the level of service is excellent and we always have relevant explanations.

    Franck Mechineau, CEO and Co-founder and Christophe LeCoq, CISO


  • “As early as 2007, we identified the strategic dimension of PCI DSS certification”

    XMCO employees supported us in transforming this issue into a decisive competitive advantage at the global level. They accompany our teams to satisfy the high level of certification of the standard. Their global vision of the protection of sensitive data, combined with their technical mastery, have acted as a catalyst for the energy of all our employees.

    French Key Account

  • Logo de marque partenaire
  • Logo de marque partenaire
  • Logo de marque partenaire
  • Logo de marque partenaire

Any questions ?

  • What types of companies can you help?

    Thanks to its expertise and pragmatic vision, XMCO has gained the trust of many players in all areas: Payment Service Providers (PSP), Hosting and outsourcing providers, E-payment gateways, Call centers, e-merchants, Online games, Retail, Travel operators, SaaS software, GDS

  • Can you help me define my scope?

    Of course, through a scratch analysis, we will define the certification scope with you, and we will do our best to reduce it as much as possible.

Can’t find an answer?

Make an appointment with an expert

To go further

  • Do you carry out less than 6 million banking transactions?

    You can self-assess PCI DSS with our Evidence solution.

    Discover Evidence
  • Training: Introduction to the PCI DSS standard

    Master the basics of the PCI DSS standard and the particularities of the SAQ.

    Fundamentals of PCI DSS certification