Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a moving target. Technology changes, businesses grow and attackers get smarter. The standard has evolved to keep up with this constant change, but many organizations set compliance goals that go further, choosing continuous monitoring to keep cardholder data secure between assessments. That's where PCI Plus comes in.


  • Medium and large enterprises that take risk seriously understand the importance of PCI DSS compliance. These organizations know that achieving compliance is merely the foundation for security, not the end game. As a result, they want to augment the practices already in place for PCI validation to help protect their customers and their brand.

    SecureTrust created the PCI Plus Risk Assessment to support a more stringent, risk-based approach, enabling organizations to further reduce risk and keep pace with a rapidly changing threat environment. PCI Plus lets your organization execute a security strategy in which compliance is an outcome rather than the primary objective. In this way, compliance and data protection are built into your security investment instead of showing up only as a checkbox.

  • The objectives of PCI Plus are to:

    • Strengthen segmentation and security between the corporate environment and the cardholder data environment (CDE).
    • Know exactly where cardholder data lies – and when the environment or data changes.
    • Increase the likelihood of incident detection at the time of (or soon after) a security event.
  • [Chart: Intrusion to Detection in Days]
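As an added illustration of the second objective (knowing exactly where cardholder data lies and when it changes), the following Python example is not SecureTrust or Trustwave code. It finds Luhn-valid primary account numbers (PANs) in text sources, masks each hit to the first six and last four digits, records a content hash per source, and compares two inventories to flag new, removed or modified locations. The sources and card numbers are constructed test data (the PANs are publicly known test numbers), and the candidate regular expression and the masking rule are the example's own assumptions.

```python
"""Added example: locate cardholder data in text sources and detect change.

Not SecureTrust/Trustwave code. All sample inputs below are constructed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run (assumed pattern).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check (ISO/IEC 7812) that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    masked_pan: str


def find_pans(source: str, text: str) -> list[Finding]:
    """Return Luhn-validated PANs found in text, with their line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(source, lineno, mask(digits)))
    return findings


def scan(sources: dict[str, str]) -> dict[str, dict]:
    """Build an inventory: per source, a content hash plus the PANs found.

    The hash lets a later run tell that a source changed even when the PAN
    count did not (for example a PAN moved or a new one replaced an old one).
    """
    return {
        name: {
            "sha256": hashlib.sha256(text.encode()).hexdigest(),
            "pans": find_pans(name, text),
        }
        for name, text in sources.items()
    }


def changes(previous: dict[str, dict], current: dict[str, dict]) -> list[str]:
    """Describe what changed between two inventories."""
    notes = []
    for name in sorted(set(previous) | set(current)):
        if name not in previous:
            notes.append(f"new source: {name} ({len(current[name]['pans'])} valid PAN(s))")
        elif name not in current:
            notes.append(f"removed source: {name}")
        elif previous[name]["sha256"] != current[name]["sha256"]:
            before, after = len(previous[name]["pans"]), len(current[name]["pans"])
            notes.append(f"modified: {name} (valid PANs {before} -> {after})")
    return notes


# Constructed sample sources: a log line containing a 16-digit order number
# (fails Luhn) next to a real test PAN, a CSV export with a spaced PAN and a
# near-PAN with a bad check digit, and, in the current run, a debug dump that
# introduces cardholder data in a new location.
BASELINE_SOURCES = {
    "app.log": "2024-05-01 INFO order 1234567812345678 paid with card 4111111111111111\n",
    "export.csv": "name,card\nalice,4242 4242 4242 4242\nbob,4111-1111-1111-1112\n",
}
CURRENT_SOURCES = dict(BASELINE_SOURCES)
CURRENT_SOURCES["tmp/debug.txt"] = "dump: 5555555555554444\n"


if __name__ == "__main__":
    for name, entry in scan(CURRENT_SOURCES).items():
        for f in entry["pans"]:
            print(f"{f.source}:{f.line}: {f.masked_pan}")
    for note in changes(scan(BASELINE_SOURCES), scan(CURRENT_SOURCES)):
        print(note)
```

The Luhn check is what separates real cardholder data from look-alike numbers such as order IDs, which is why the 16-digit order number in the log line is not reported. A production discovery scan also has to open databases, archives, office documents and process memory, none of which this plain-text example attempts.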


  • A PCI Plus Risk Assessment helps you more fully integrate PCI compliance objectives into your IT risk and security management programs.

    • Anticipate Threats

      PCI DSS is a set of baseline security requirements that standardize the protection of cardholder data. However, because your cardholder data environment (CDE) and the threats to it are unique, this risk assessment helps you stay ahead of attackers by identifying the threats relevant and specific to your business.

    • Sharpen Focus on Known Threats

      With guidance from our Global Compliance and Risk Services team, the risk assessment helps you better understand attacks, including where they originate, the sequence in which they unfold and the tools they use.

    • Establish Continuous Compliance

      One outcome of the risk assessment is a clear view of what to focus on to achieve continuous compliance. An organization that operates this way is positioned to be genuinely secure, and to avoid the financial repercussions and negative media coverage that accompany a data breach.

    • Improve Breach Readiness

      Our Managed Security Testing helps you identify holes in your environment before attackers do. By combining the PCI Plus Risk Assessment with SpiderLabs penetration testing expertise, Trustwave merges knowledge of your business processes with offensive technical security testing.

How It Works

  • Each assessment begins with a SecureTrust consultant working with you to identify the assets in scope for the PCI Plus approach. From there, SecureTrust identifies the threats and associated vulnerabilities, determines their severity and impact on cardholder data, and estimates the likelihood of exploitation given your existing security controls.

  • The SecureTrust risk assessment approach incorporates proven methodologies to ensure that industry best practices are followed. Having conducted significantly more assessments than any other qualified security assessor (QSA), we have the depth and breadth to help our customers go beyond a basic PCI DSS assessment.

    We start with a targeted risk assessment of the cardholder data environment (CDE) to identify threats and vulnerabilities specific to your payment processing. From there, an in-depth penetration test through our Managed Security Testing extends to the systems adjacent to the CDE.


    An important step in this assessment is helping your organization focus on the areas where PCI compliance alone may fall short, including turning on the right Trustwave technology to go beyond the assessment itself. These products (such as SIEM, Data Loss Prevention and Secure Web Gateway) handle the 'wall of data' that many organizations face. Together they help monitor, and ultimately block, unauthorized changes to the CDE and leakage of cardholder data from it, as well as prevent malware from entering the corporate environment.

    We staff these engagements with a rotating model and an iterative validation process: annual validation, plus specific areas identified for re-validation quarterly or semi-annually. This shifts the emphasis away from the all-too-common "point-in-time" validation cycle and moves your organization toward continuous compliance. The engagement deliverable is a PCI Plus Risk Assessment report, priority-ranked for your business.

    It includes:

    • Overall risk ranking relative to the cardholder data environment
    • High-level breakdown of security control gaps
    • Recommendations for risk mitigation