OPEM-09

Describe how long your organization has conducted business in this area.

Explanation

This question is asking about your organization's experience and history in handling payment card data and related security compliance. The PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for organizations that handle credit card information. The question aims to assess your organization's maturity and experience in dealing with payment card processing and the associated security requirements. Organizations with longer experience in this area are often presumed to have more established processes, better understanding of the risks, and more mature security controls.

When answering this question, you should:

1. Specify the exact number of years your organization has been handling payment card data
2. Describe in what capacity you've been processing payments (e.g., as a merchant, service provider, payment processor)
3. Mention any relevant milestones in your PCI compliance journey
4. Include information about the volume or scale of payment processing if significant

This question helps the assessor understand your organization's experience level with PCI compliance requirements and payment card handling, which can indicate your likely familiarity with security best practices in this domain.

Guidance

Include the number of years and in what capacity.

Example Responses

Example Response 1

Our organization has been processing credit card payments for 12 years, since our founding in 2011. We operate as a Level 1 merchant (processing over 6 million transactions annually) and have maintained continuous PCI DSS compliance since 2013. We initially started as an e-commerce platform handling direct card payments, and in 2017 expanded to also provide payment processing services to third-party merchants, operating as a service provider in that capacity. We have successfully completed annual PCI DSS assessments with a Qualified Security Assessor (QSA) for the past 9 consecutive years.

Example Response 2

Secure Payment Solutions has been operating in the payment card industry for 7 years. We began as a payment gateway provider in 2016, facilitating e-commerce transactions for small to medium businesses. In 2019, we expanded our services to include point-of-sale systems for physical retail locations. We have maintained PCI DSS compliance as a Level 2 Service Provider since 2017, processing approximately 1-6 million transactions annually. Our compliance program has matured significantly over this period, with our dedicated security team growing from 2 to 15 specialists focused on payment security and compliance.

Example Response 3

Our company is relatively new to payment card processing. We launched our e-commerce platform 10 months ago and began accepting credit card payments at that time. Prior to this, our founding team worked at various financial technology companies, but our organization itself has limited experience with PCI DSS compliance. We are currently working with a QSA to complete our first formal assessment and expect to achieve compliance within the next quarter. In the meantime, we've implemented tokenization through a third-party provider to minimize our exposure to cardholder data while we build out our security program.

Context

Tab
Case-Specific
Category
Payment Card Industry Data Security Standard (PCI DSS)

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub