Regulations and Compliance

See how risk-based Managed Detection & Response can help you with compliance — regardless of your industry

NYDFS Security Regulation FAQ


With a flurry of new regulations and requirements announced by the New York Department of Financial Services (NYDFS) and SEC, make sure you are up to date on the latest in order to ensure your organization is meeting all the new requirements.
Join Ron Pelletier and Richard Borden to learn:
  • The cyber regulation standards and if there are any commonalities
  • What you need to do to meet SEC requirements
  • The difference between privacy regulations and information security regulations
  • What are the Department of Labor (DOL) guidelines, and how does it apply to cybersecurity
  • How a cybersecurity provider can help you meet new security regulations
Watch a clip of the conversation or find the full FAQ here.

Insurance and Legal Partners

Pondurance works with legal and insurance firms, brokers and agents to help their clients improve their cybersecurity posture and reduce cybersecurity risks.

Reach out to us to learn more

If you suspect you have an active breach, please contact us at 888-385-1720.

silhouette 29 flipped


Reducing the Costs To Comply With CMMC

Join Doug Howard, CEO of Pondurance, and Yong-Gon Chon, Treasurer of the Board of Directors at CMMC-AB, to get tips on reducing costs when preparing and applying for CMMC 2.0 and hear them share and address the top questions.

Successfully Navigating Through CMMC: What You Need to Know

Cybersecurity Maturity Model Certification (CMMC) is a unified assessment model released by the Department of Defense in response to the growing threat of cyberattacks and data theft from its supply chain vendors. Join us as we discuss CMMC in a panel webinar with Doug Howard, CEO of Pondurance, and Evan Wolff, a partner at Crowell & Moring LLP

yongong photo

Achieving CMMC 2.0 Compliance

cmmc badge

Are you processing controlled unclassified information for Department of Defense clients and required to meet Defense Federal Acquisition Regulation Supplement requirements? Pondurance is here to help you achieve CMMC 2.0 compliance and better understand the gaps in your processes, capabilities, and practices.

Are You Looking for Specfic HIPAA Regulations?

Additional Resources

PCI DSS Compliance

Hundreds of millions of people worldwide pay for goods and services with credit or debit cards every day. Any organization working with cardholder data (CHD) must implement security policies, technology, and processes to ensure its systems are protected from breach and theft of CHD. Because of the critical nature of this data and the potential impact it can have on the lives of so many, the Payment Card Industry Data Security Standard (PCI DSS) was established to regulate protection standards for merchants, financial institutions, point-of-sale vendors, and technology developers that create and operate the global infrastructure for processing payments. Compliance with PCI DSS is mandatory for these businesses and costly for those who violate the standards (even if they do so unknowingly).

As part of Pondurance’s cyber risk and regulatory compliance assessment services, we offer a focused review of your IT systems environment to identify areas of risk and maturity as they relate to PCI DSS compliance. At the conclusion of the assessment, Pondurance either conducts a Self-Assessment Questionnaire (SAQ) or delivers a Report on Compliance (ROC) accompanied by an Attestation of Compliance (AoC). If your organization is out of compliance, we offer a tailored, prioritized approach to helping you get compliant quickly.

The Pondurance PCI Assessment is conducted by our team of security experts, partnering directly with you, and guiding you through the process. A team of Pondurance experts embeds with your multidisciplinary teams and analyzes your current PCI DSS compliance posture, documenting our results in the Payment Card Industry Security Standards Council (PCI SSC) SAQ or ROC template. This outlines a set of desired outcomes for proper handling of CHD with categorized references to how they can be achieved.

What is a PCI Assessment

A PCI assessment refers to the process of evaluating and validating an organization’s compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards designed to protect cardholder data and ensure the secure handling of credit card transactions.

The PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), and compliance with these standards is mandatory for any organization that handles, processes, or stores payment card data, regardless of its size.

There are several types of PCI assessments, Pondurance provides including:

Self-Assessment Questionnaire (SAQ): This is a self-assessment tool provided by the PCI SSC that helps merchants and service providers determine their level of compliance based on their specific payment processing methods.

On-Site Assessment: Conducted by a Qualified Security Assessor (QSA) for Level 1 merchants (those processing over a certain number of transactions annually) and for service providers.

Report on Compliance (ROC): This is an extensive assessment report performed by a QSA for Level 1 merchants and service providers. It involves a detailed review of the organization’s security controls and practices.

Internal Security Assessment: Some organizations conduct internal assessments to evaluate their PCI compliance but, in most cases, they are not sufficient for official compliance validation.

What is the PCI compliance Process? How do I become PCI Compliant?
The PCI assessment process typically involves evaluating various aspects of an organization’s security practices, including network security, access controls, encryption, physical security, and policies and procedures related to cardholder data protection. The assessment helps identify any vulnerabilities or gaps in security that need to be addressed to achieve and maintain compliance.

Like other cybersecurity and compliance practices and the use of assessments, PCI compliance is an ongoing process, and organizations need to regularly assess their security measures, maintain documentation, and address any identified issues to stay compliant with the PCI DSS. Non-compliance can result in financial penalties, loss of card processing privileges, and reputational damage.

If you are a merchant or service provider seeking to undergo a PCI assessment, it’s recommended to work with a QSA or a qualified security professional to ensure a thorough and accurate evaluation of your organization’s PCI compliance.

What is a Certiface Quality Security Assessor (QSA)?

A Certified Qualified Security Assessor (QSA) is an individual who has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess the compliance of organizations with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of security standards designed to protect cardholder data and ensure the secure handling of credit card transactions.

QSAs play a crucial role in the PCI compliance process, especially for Level 1 merchants (those processing a large number of transactions annually) and service providers. They are responsible for conducting on-site assessments and validating the security practices and controls implemented by organizations to protect payment card data.

How Does an Organization Become a QSA?

To become a Certified QSA, an individual must meet certain requirements set by the PCI SSC and undergo rigorous training and testing. The certification process includes the following steps:

Experience: Individuals seeking QSA certification typically need to have a background in information security, IT auditing, or a related field. They must have relevant experience in conducting security assessments.

Training: Aspiring QSAs must complete specific PCI SSC-approved training programs that cover the PCI DSS standards, assessment procedures, and reporting requirements.

Examination: After completing the required training, individuals must pass a challenging exam administered by the PCI SSC to demonstrate their knowledge and understanding of the PCI DSS and assessment methodologies.

Application: Once the training and exam are successfully completed, the individual or their employer may apply to the PCI SSC for QSA certification.

Requalification: QSAs are required to recertify periodically by participating in ongoing training and passing recertification exams to ensure they stay up to date with the evolving PCI DSS standards.

Pondurance is a certified QSA (Qualified Security Assessor) and here is why you need a QSA for your PCI compliance assessment.
When an organization engages a Certified QSA for PCI compliance assessment, the QSA conducts a thorough review of the organization’s security controls, policies, and procedures. They produce a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ) depending on the organization’s level and scope of compliance.

Engaging a Certified QSA for PCI compliance assessments provides organizations with confidence that the assessment is conducted by a qualified and impartial professional who possesses the necessary knowledge and expertise to evaluate their security measures effectively.

As a Certified Quality Security Assessor, Pondurance offers a focused review of your IT systems environment to identify areas of risk and maturity as they relate to Payment Card Industry Data Security Standard (PCI DSS) compliance. At the conclusion of the assessment, Pondurance either conducts a Self-Assessment Questionnaire (SAQ) or delivers a Report on Compliance (ROC) accompanied by an Attestation of Compliance (AoC). If your organization is out of compliance, we offer a tailored, prioritized approach to helping you get in compliance quickly.

As your certified QSA, and experts in cybersecurity and incident response, Pondurance offers a broader look at your cybersecurity through customized cybersecurity risk assessments that also align with your PCI DSS Assessments.

Assessment and Gap Analysis: Pondurance can assess your organization’s current security controls and practices to identify gaps and areas that need improvement to meet PCI DSS requirements while identifying cybersecurity vulnerabilities.

Remediation Guidance: Pondurance can provide guidance and recommendations on how to address the identified issues and can also implement the necessary security measures to become compliant. Beyond PCI DSS assessments, Pondurance can identify and prioritize cybersecurity risks, recommend risk mitigation strategies and implement the strategies to address your specific, unique business needs.

Policy and Procedure Development: Pondurance can help in developing security policies and procedures aligned with PCI DSS requirements. As well as help with incident response planning, testing the plan through tabletop exercises and working to remediate vulnerabilities.

Security Monitoring and Incident Response: Maintaining PCI compliance often requires continuous monitoring of security systems and a robust incident response plan to detect and respond to security breaches promptly. Pondurance has a long history of helping organizations maintain compliance and mature their cybersecurity posture, through protecting their networks and data from cyber criminals.

Reporting and Documentation: Pondurance can assist in preparing the necessary reports and documentation required for PCI compliance validation.

As your cybersecurity partner, Pondurance ensures that the assessment and compliance process is conducted thoroughly and accurately. PCI compliance is not a one-time event; it’s an ongoing effort to safeguard payment card data and maintain a secure environment for cardholder information.

PCI compliance may be the first step in your organizations journey, with a cybersecurity partner like Pondurance, you have the ability to ensure compliance and improve your cybersecurity. As technology continues to evolve, so do the methods of cyber threats and attacks. Organizations of all sizes, and industries are increasingly finding themselves vulnerable to sophisticated cybercriminals seeking to exploit weaknesses in their security defenses. In response to these growing challenges, many organizations realize they need support and guidance on where and how to get started beyond compliance needs on their cybersecurity journey.

Pondurance takes a consultative approach with each organization and maps out a customized, flexible roadmap designed to provide the steps needed to get customers protected quickly and to help each customer feel confident in their ability to maintain compliance, reduce their risk, and protect their organization.

For more information on how Pondurance can assist you in your PCI DSS compliance reach out for a no-obligation conversation here.

Related Content