WOLF & CO Case Studies Personalized PCI DSS for Ensured Compliance

Personalized PCI DSS for Ensured Compliance


Payment technology is evolving rapidly—across the globe, organizations are developing and deploying new technologies to solve persistent problems in the security and efficiency of electronic payment transactions. But with innovation comes responsibility. Protecting cardholder data and remaining compliant with the extensive Payment Card Industry Data Security Standard (PCI DSS) requirements is crucial, and must be considered by fintech organizations that deploy solutions that touch the credit card data environment (CDE) or could impact the security of the CDE. It’s imperative that fintech organizations with PCI DSS responsibilities partner with a PCI DSS Qualified Security Assessor Company (QSAC). The QSAC can help with the initial scoping, readiness review, consultation on remediation efforts, and production of the Attestation of Compliance (AOC) and Report on Compliance (ROC).

Bottomline Technologies, a payment technology vendor and a Forbes Top 50 Fintech, has several solutions designed to help companies send and receive payments. These platforms simplify the transaction processing related to accounts payable and digital banking. Knowing the level of detail required of a formal PCI DSS assessment, the company turned to Wolf to help them through the upcoming processes.

Bottomline had two different applications that needed to undergo PCI DSS assessments and obtain a Service Provider ROC. The company had performed internal reviews, but this was going to be the first formal PCI DSS assessment for these platforms. The company needed to understand exactly what to do to become PCI DSS compliant, including:

  • How to train staff and other members of the workforce that interacted with the cardholder data environment (CDE)
  • How to understand the evidence and artifacts needed to show that controls were in place and operating effectively through a period of time
  • What policies and procedures needed to be developed and implemented


Wolf’s QSA team worked diligently to assist the company in this effort. We created an aggressive schedule and framework to keep the project timeline tight and deliver the assessment on time.

“When we originally looked for a QSAC, we were looking for a firm that would grow with us and not just conduct ‘checkbox’ audits,” said Michael Weathers, Chief Information Security Officer at Bottomline Technologies. “We needed a partner that would be responsive to our needs and be a trusted security and audit advisor for us. Our extensive diligence helped us choose Wolf. Now, four years into the relationship, we know we made the right choice.”


After performing a detailed readiness review which allowed Bottomline to remediate the noted gaps, both platforms obtained ROCs. We offered Bottomline a true value-add experience, helping the company face specific PCI challenges and other security and compliance issues. We’ve continued to work with Bottomline over the years to ensure changes to either platform are in compliance with the additional controls added to the PCI DSS.

“Wolf has proven to be an outstanding partner for Bottomline with regards to PCI DSS compliance,” said Weathers. “Their attention to the nuances of our PCI scope were excellent, and their tailored approach helped us ensure our compliance. Wolf was very open to safely engaging us during the pandemic to address the specific challenges brought on by COVID-19. Those efforts showed Wolf’s true value as a partner. We’ve been very pleased with our relationship, and have further engaged Wolf to address our SOC 1, SOC 2, and compliance areas.”


  • A thorough audit allowed the company to operate with confidence knowing they have proper PCI DSS policies and procedures in place
  • Industry experts helped navigate a complex regulatory environment, analyzing their systems and providing comprehensive solutions to ensure compliance and initiate innovation
  • Trust established during the initial review led to subsequent successful engagements