Mountain Media Utilizes ControlScan QSA to Complete PCI Compliance Validation


Advance preparation and guidance from ControlScan make the overall process run cost-effectively and efficiently.

ControlScan helps Service Provider achieve Level 1 PCI compliance.

ControlScan QSA works with Mountain Media to leave no stone unturned.

Mountain Media is a comprehensive e-commerce provider helping online merchants to build profitable businesses through the development and implementation of search-engine-friendly websites that also employ the company’s e-commerce software solution, Mountain Commerce. Because Mountain Media is an e-commerce solution and payment gateway provider, the company is subject to the Payment Card Industry Data Security Standard (PCI DSS) for Level 1 Service Providers.

As part of its long-standing relationship with ControlScan, Mountain Media selected ControlScan to serve as its Qualified Security Assessor (QSA) so it could obtain Level 1 PCI compliance status at the service provider level.

The Challenge: Achieving Level 1 Service Provider PCI Compliance

Mountain Media, a website design, development and marketing firm that serves small- to mid-sized e-commerce merchants, was an early adopter of the PCI Data Security Standard (PCI DSS). Understanding the connection between credit card data security and the livelihood of its own—as well as its customers’—business, Mountain Media made Level 1 PCI compliance a priority.

In late 2011, Mountain Media conducted its own security gap assessment to understand the remediation work necessary to maintain Level 1 service provider status. Upon completing the gap assessment, the company realized it needed to engage a Qualified Security Assessor (QSA) so that its compliance could be independently validated. This third-party attestation would assure Mountain Media’s customers and payment partners that the company is a trusted e-commerce solution provider.

The Solution: Partnering with a Trusted PCI Service Provider

In his search for a reliable PCI compliance partner, Mountain Media President & CTO Scott Fultz recalled the previous success the company had experienced when working with ControlScan as a referral partner for PCI compliance solutions. Upon learning that ControlScan had added security consulting services to its portfolio and that it now had QSAs on staff, Fultz jumped at the chance to work with an organization that Mountain Media already knew and trusted.

“PCI compliance is an ongoing process of self-improvement,” said Fultz. “Partnering with ControlScan was an easy choice, because they had been there for us in the past.”

Supported by a team of QSAs and security consultants, ControlScan’s security consulting services help guide small and midsized businesses through the compliance process with as little—or as much—assistance as needed. The company has divided its security consulting services into two focus areas: 1) Security Assessment Services that ensure solutions are in place and policies and procedures exist in order to satisfy the PCI DSS, and 2) Security Engineering Services that provide technical testing and guidance to clients.

Mountain Media took advantage of ControlScan’s security assessment services focus area to review the company’s gap assessment and help address overall security as it relates to Level 1 PCI compliance. This included reviewing and updating the company’s documentation, as well as creating a comprehensive Report on Compliance (RoC), to meet the requirements set forth by the PCI Security Standards Council.

“ControlScan acted as a true partner throughout the audit process,” said Fultz. “[Their QSA] was very aware of the challenges a smaller gateway provider sometimes has. He helped us address PCI in an affordable way.”

The Result: Successful Compliance and a Long-Term Partnership

“Our advance preparation, as well as the guidance we received from ControlScan, made the overall process run cost effectively and efficiently,” said Fultz. “We completed the PCI validation process with the knowledge that all of our bases were covered.”

According to Fultz, the most important thing a small merchant can do to prepare for a PCI audit is to keep IT process and security documentation organized and up-to-date. Because it takes PCI compliance so seriously, Mountain Media has dedicated an entire section of its website to educating its current and potential customers.

“As our company has progressed and grown, ControlScan has worked with us to meet our data security needs,” said Fultz. “We feel confident recommending ControlScan to our merchant-customers because of our own positive experience working with their people and solutions.”

Today, Mountain Media is a part of the ControlScan SmartSolutions Partner Program, enabling its customers to also take full advantage of the ControlScan PCI 1-2-3 program so they too can achieve PCI compliance.